
Solved Vista help w/Bing zugo thing!

Discussion in 'Malware and Virus Removal Archive' started by Blue Star, 2010/03/26.

  1. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What programs?
    What happened to your AV program?
    I don't see any running.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  2. 2010/04/15
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    I have Microsoft Security Essentials running....

    block startups are:
    Synaptics pointing device driver
    Adobe Acrobat
    Adobe Reader and Mgr
    Malwarebytes Anti-Malware

    doing the Combofix now...
     


  4. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok......
     
  5. 2010/04/15
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    combofix..

    ComboFix 10-04-14.04 - Owner 04/16/2010 0:25.4.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.1917.1268 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
    .

    2010-04-16 02:58 . 2010-04-16 02:58 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-14 04:21 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-14 04:21 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-14 04:21 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-14 04:21 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-14 04:20 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 04:20 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 04:20 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-14 04:19 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 04:19 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 04:19 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-14 04:19 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-04-06 02:34 . 2010-04-06 02:34 -------- d-----w- c:\programdata\Alwil Software
    2010-04-06 02:34 . 2010-04-06 02:34 -------- d-----w- c:\program files\Alwil Software
    2010-04-01 15:53 . 2010-04-01 16:54 -------- d-----w- c:\users\Owner\DoctorWeb
    2010-03-30 17:42 . 2010-03-30 17:42 -------- d-----w- c:\program files\Common Files\Java
    2010-03-28 17:02 . 2010-03-28 17:02 -------- d-----w- c:\program files\ESET
    2010-03-28 01:02 . 2010-03-28 01:02 -------- d-----w- c:\windows\BDOSCAN8
    2010-03-27 01:22 . 2010-03-27 01:22 -------- d-----w- C:\_OTL
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
    2010-03-26 19:52 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-26 19:52 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\programdata\Malwarebytes
    2010-03-26 19:52 . 2010-04-16 02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-22 20:04 . 2010-03-22 20:04 255472 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-16 01:29 . 2009-11-19 06:03 -------- d-----w- c:\program files\Tutorial
    2010-04-14 11:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-04-06 02:53 . 2009-11-18 18:30 -------- d-----w- c:\program files\Java
    2010-03-26 23:59 . 2010-03-26 21:03 888 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-17 07:34 . 2009-11-18 18:20 -------- d-----w- c:\programdata\NOS
    2010-03-09 22:23 . 2009-11-18 20:26 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-03-09 08:28 . 2009-11-18 18:30 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-04 06:45 . 2009-11-20 05:12 -------- d-----w- c:\program files\Google
    2010-02-25 02:01 . 2010-02-25 02:01 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3834.tmp.exe
    2010-02-25 00:22 . 2009-11-18 13:53 49168 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-11-18 15:04 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 06:39 . 2010-03-31 15:23 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33 . 2010-03-31 15:23 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33 . 2010-03-31 15:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55 . 2010-03-31 15:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-23 00:59 . 2010-02-23 00:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-22 14:13 . 2009-11-18 18:22 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-20 23:06 . 2010-03-10 02:37 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-10 02:37 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-10 02:37 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-24 03:41 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-24 03:41 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-24 03:41 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26 . 2010-02-24 03:41 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2 "=hex(b):17,1b,e5,60,58,6c,ca,01

    R2 gupdate1ca69a01600bf40;Google Update Service (gupdate1ca69a01600bf40);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 133104]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - kglcapow

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-04-16 c:\windows\Tasks\User_Feed_Synchronization-{A1E0E7D0-0604-42BB-9493-4287CCC2E5E2}.job
    - c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.com/
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-16 00:31
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    "MSCurrentCountry "=dword:000000b5
    .
    Completion time: 2010-04-16 00:33:57
    ComboFix-quarantined-files.txt 2010-04-16 04:33
    ComboFix2.txt 2010-03-31 03:59

    Pre-Run: 180,173,049,856 bytes free
    Post-Run: 180,273,942,528 bytes free

    - - End Of File - - BF89EF71E93DFE1C4EBC6A83FEF0FE00
     
  6. 2010/04/15
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    hjt....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:35:51 AM, on 4/16/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 2784 bytes
     
  7. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix log looks perfectly clean.

    From your HJT log, I don't see Microsoft Security Essentials running.

    Please describe the above a little bit better.
     
  8. 2010/04/15
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    I get a warning popup that my computer may be infected with viruses. When I close the popup, a window which mimics a browser window opens and starts counting infections.
     
  9. 2010/04/15
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    new hjt.... Micro Sec Ess... I believe it's listed here

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:52:59 AM, on 4/16/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 2893 bytes
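    As an added example (not part of this thread, and not HijackThis's own code) of the comparison broni does by eye between the two HJT logs above: a small Python parser for HijackThis v2 logs that diffs the running processes and the R/O entries of two logs, and lists images loading from user-writable directories for review. The two abbreviated logs are constructed for this example, and the `updater.exe` O4 line in the second one is invented purely to exercise the flag.

```python
import re

# A HijackThis v2 entry line: "O4 - HKLM\..\Run: [name] path", "R0 - ...", etc.
SECTION_RE = re.compile(r"^(?P<code>[ORFN]\d+) - (?P<body>.*)$")
# First Windows image path inside a line; stops at the first .exe/.dll/.sys/.cab.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|cab)', re.IGNORECASE)
# Directories a standard user can write to; images here deserve a second look.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
HEADER_KEYS = ("Platform", "MSIE", "Boot mode")

# Constructed, abbreviated logs modelled on the ones posted in this thread.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:51 AM, on 4/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 2784 bytes
"""

# Same machine a few minutes later: MSE is now running, and a constructed
# (invented for this example) per-user autostart has appeared from %TEMP%.
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:59 AM, on 4/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\Explorer.exe
C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [updater] C:\Users\Owner\AppData\Local\Temp\updater.exe
O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 2893 bytes
"""


def parse_hjt(text):
    """Split a HijackThis log into header fields, running processes and coded entries."""
    result = {"header": {}, "processes": [], "entries": {}}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        m = SECTION_RE.match(line)
        if m:                             # R0/O4/O23... entry
            result["entries"].setdefault(m.group("code"), []).append(m.group("body"))
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            result["processes"].append(line)
            continue
        for key in HEADER_KEYS:
            if line.startswith(key + ":"):
                result["header"][key] = line[len(key) + 1:].strip()
    return result


def diff_logs(old, new):
    """What started/stopped and which entries appeared/disappeared between two parsed logs."""
    report = {
        "processes_started": sorted(set(new["processes"]) - set(old["processes"])),
        "processes_gone": sorted(set(old["processes"]) - set(new["processes"])),
        "entries_added": [],
        "entries_removed": [],
    }
    codes = set(old["entries"]) | set(new["entries"])
    for code in sorted(codes, key=lambda c: (c[0], int(c[1:]))):
        o = set(old["entries"].get(code, []))
        n = set(new["entries"].get(code, []))
        report["entries_added"] += [f"{code} - {e}" for e in sorted(n - o)]
        report["entries_removed"] += [f"{code} - {e}" for e in sorted(o - n)]
    return report


def flag_user_writable(parsed):
    """Triage heuristic: processes and O4/O23 autostarts whose image lives under a
    user-writable directory. Legitimate per-user software lands here too, so this
    is a review list, not a verdict."""
    hits = []
    candidates = [("process", p) for p in parsed["processes"]]
    for code in ("O4", "O23"):
        candidates += [(code, e) for e in parsed["entries"].get(code, [])]
    for kind, text in candidates:
        for path in PATH_RE.findall(text):
            if any(d in path.lower() for d in SUSPECT_DIRS):
                hits.append((kind, path))
                break
    return hits


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for key, value in diff_logs(before, after).items():
        print(key, value)
    print("review:", flag_user_writable(after))
```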
     
  10. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Computer crashes when you try to download GMER, or run it?
    Define "crash", please.
     
  11. 2010/04/16
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    GMER crashes the comp when I try to run it.

    Crash: Actually shuts down my machine, reboots and gives me a message which states Windows has recovered from an unexpected shut-down. All messages appear to be authentic Windows.
     
  12. 2010/04/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Restart computer in Safe Mode, start GMER, but before you run it, UN-check "Devices" in right pane.
     
  13. 2010/04/16
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    here we go... gmer and hjt....

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-16 19:11:00
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kglcapow.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7440A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [743E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [743BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7443CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----



    hjt.......

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:45:36 PM, on 4/16/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 2737 bytes
     
  14. 2010/04/16
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    MSE is in place and running as well
     
  15. 2010/04/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hmmm....I see nothing malicious....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  16. 2010/04/16
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    thanks, Broni... will post reports asap.... :)
     
  17. 2010/04/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok.....
     
  18. 2010/04/17
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    kaspersky ...

    Saturday, April 17, 2010
    Operating system: Microsoft Windows Vista Enterprise Edition, 32-bit Service Pack 2 (build 6002)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, April 16, 2010 21:19:19
    Records in database: 3948999


    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes

    Scan area My Computer
    C:\
    D:\

    Scan statistics
    Objects scanned 158731
    Threats found 0
    Infected objects found 0
    Suspicious objects found 0
    Scan duration 02:24:04

    No threats found. Scanned area is clean.
    Selected area has been scanned.



    hjt...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:54:43 PM, on 4/17/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe
    C:\Windows\system32\DllHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 3100 bytes
     
  19. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is the computer doing?
     
  20. 2010/04/17
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Computer seems to be ok, but I still get the popup.

    And my drawing program saved files were corrupted... I tried to open one after restart, but it would not open...
     
  21. 2010/04/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, tell me more about that pop-up.
    Can you upload a screenshot?

    Upload the file(s) here: http://uploadmb.com/
    Post download link (Direct Link).
     
