
Inactive Browser Hijack/Unable to Use SKYPE other functions

Discussion in 'Malware and Virus Removal Archive' started by hlbull, 2011/07/20.

  1. 2011/07/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  2. 2011/07/20
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    There are two running processes related to security that I did not find on the linked list:
    1) MsMpEng.exe -- antimalware service executable
    -I tried ending the process tree from the task manager on this process but it restarts itself.
    2) lsass.exe -- Local Security Authority Process

    Should these be disabled before running the suggested program? If so how?

    Also, the option to right click and run as administrator is unavailable in safe mode for me.
     
  4. 2011/07/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No.

    Run it normally then.
     
  5. 2011/07/20
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    We have finished the runs of both rkill and combofix and have both log files now.
    I am now unable to launch any browser to post them. The error message given is:
    illegal operation on registry key marked for deletion.

    I have not seen a message that it is ok to reboot.

    I'm making this post from a phone, how can I post the log files?
     
  6. 2011/07/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You have to restart computer and the error will go away.
     
  7. 2011/07/20
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Here are the error logs for rkill and ComboFix:

    -----------------------
    rkill
    -----------------------
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 07/20/2011 at 21:29:28.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe


    Rkill completed on 07/20/2011 at 21:29:31.



    ---------------------------
    ComboFix
    ---------------------------
    ComboFix 11-07-20.05 - Hannah-Leigh Bull 07/20/2011 21:34:43.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3069.2490 [GMT -6:00]
    Running from: c:\users\Hannah-Leigh Bull\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Hannah-Leigh Bull\AppData\Roaming\AD ON Multimedia
    c:\users\Hannah-Leigh Bull\g2mdlhlpx.exe
    c:\users\Hannah-Leigh Bull\GoToAssistDownloadHelper.exe
    c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-21 03:40 . 2011-07-21 03:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-21 02:06 . 2011-07-21 02:22 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
    2011-07-20 22:46 . 2011-06-07 14:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2153AD0F-F995-47B0-92F5-C60996FA3DD2}\mpengine.dll
    2011-07-20 21:06 . 2011-07-20 21:06 -------- d-----w- c:\users\Hannah-Leigh Bull\AppData\Local\Microsoft Corporation
    2011-07-20 21:04 . 2011-07-20 21:05 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2011-07-20 20:02 . 2011-07-20 20:02 -------- d-----w- c:\program files\CCleaner
    2011-07-19 19:53 . 2011-07-19 19:53 -------- d-----r- c:\program files\Skype
    2011-07-16 23:31 . 2011-06-07 14:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-07-16 20:40 . 2011-05-04 10:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-07-16 15:01 . 2011-07-16 15:01 -------- d-----w- c:\users\Hannah-Leigh Bull\AppData\Roaming\Malwarebytes
    2011-07-16 15:01 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-16 15:01 . 2011-07-16 15:01 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-16 15:01 . 2011-07-16 15:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-16 15:01 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-15 22:11 . 2010-11-30 17:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C2B6AD1E-4795-49E4-A5E3-28A342193D2C}\gapaengine.dll
    2011-07-15 22:03 . 2011-07-15 22:03 -------- d-----w- c:\program files\Microsoft Security Client
    2011-07-15 12:52 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA7445AC-AF90-4759-9E93-FD4180057ED4}\mpengine.dll
    2011-07-14 01:33 . 2007-03-23 10:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
    2011-07-14 01:32 . 2008-10-15 03:33 95600 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-07-09 21:53 . 2011-07-09 21:53 -------- d-----w- c:\program files\Apple Software Update
    2011-07-09 21:50 . 2011-07-09 21:50 -------- d-----w- c:\program files\iPod
    2011-07-09 21:50 . 2011-07-09 21:51 -------- d-----w- c:\program files\iTunes
    2011-06-22 00:35 . 2011-06-22 00:35 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 00:35 . 2011-06-22 00:35 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-04 10:52 . 2010-05-14 20:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2007-07-16 17:19 . 2007-07-16 17:19 4964360 ----a-w- c:\program files\temp.000
    2007-07-16 17:19 . 2005-03-17 18:02 4964360 ----a-w- c:\program files\SOLFIRE.EXE
    2007-04-23 23:13 . 2005-01-23 01:27 1204224 ----a-w- c:\program files\SOLARMAP.EXE
    2007-02-23 17:43 . 2005-01-14 05:03 601088 ----a-w- c:\program files\ETCONV.EXE
    2006-11-27 18:45 . 2000-03-01 11:30 26890 ----a-w- c:\program files\TZTABLE.BIN
    2005-06-23 14:06 . 2005-06-23 14:06 106496 ----a-w- c:\program files\FINDCITY.DLL
    2005-03-16 18:01 . 2005-03-16 18:01 81920 ----a-w- c:\program files\PARTEDIT.EXE
    2005-01-23 03:56 . 2005-01-23 03:56 36864 ----a-w- c:\program files\MNUEDIT.exe
    2005-01-23 03:53 . 2005-01-23 03:53 57344 ----a-w- c:\program files\RULREDIT.exe
    2005-01-23 03:49 . 2005-01-23 03:49 184320 ----a-w- c:\program files\PLNTRIUM.exe
    2005-01-23 03:26 . 2005-01-23 03:26 151552 ----a-w- c:\program files\SFINTERP.exe
    2005-01-23 02:56 . 2005-01-23 02:56 188416 ----a-w- c:\program files\DESIGNER.exe
    2005-01-23 02:38 . 2005-01-23 02:38 212992 ----a-w- c:\program files\PGDESIGN.exe
    2005-01-23 02:22 . 2005-01-23 02:22 139264 ----a-w- c:\program files\STAREDIT.exe
    2005-01-23 02:16 . 2005-01-23 02:16 106496 ----a-w- c:\program files\Almutens.exe
    2004-08-27 02:20 . 2004-08-27 02:20 24576 ----a-w- c:\program files\FILEFIND.exe
    1998-12-08 01:41 . 1998-12-08 01:41 442208 ----a-w- c:\program files\LECLIPSE.BIN
    1998-12-08 01:40 . 1998-12-08 01:40 321246 ----a-w- c:\program files\SECLIPSE.BIN
    2011-06-22 00:35 . 2011-05-06 13:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 8\Acrobat\Acrobat_sl.exe" [2008-10-15 45936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-31 50688]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
    VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-6-5 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 03:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8\Acrobat\Acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-06-15 21:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4225951657-1860771598-1606342484-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
    R2 RSO3MiddleTierService;RSO3 MiddleTier Service;c:\program files\Adobe\Adobe RoboSource Control 3.1\RSO3MiddleTierService.exe [2007-09-21 28672]
    R2 RSO3Server;RSO3 Server Service;c:\program files\Adobe\Adobe RoboSource Control 3.1\RSO3Server.exe [2007-09-21 507904]
    R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2006-11-11 166912]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dell.com
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.100.1
    FF - ProfilePath - c:\users\Hannah-Leigh Bull\AppData\Roaming\Mozilla\Firefox\Profiles\z6p98krh.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-BDAgent - c:\program files\Softwin\BitDefender10\bdagent.exe
    MSConfigStartUp-BDMCon - c:\program files\Softwin\BitDefender10\bdmcon.exe
    MSConfigStartUp-SFcPBiwGDh - c:\programdata\SFcPBiwGDh.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-20 21:41
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2011-07-20 21:43:36
    ComboFix-quarantined-files.txt 2011-07-21 03:43
    .
    Pre-Run: 99,895,742,464 bytes free
    Post-Run: 99,992,633,344 bytes free
    .
    - - End Of File - - 4F55925FE6C1DB8A620E160733BA8531
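    The "Reg Loading Points" and "ORPHANS REMOVED" sections of the log above are the part of a ComboFix report an analyst reads first, because they list what starts with Windows and what ComboFix removed. The script below is an added example, not code from this thread or from ComboFix: it parses those two line formats and applies a few coarse review heuristics (autostart target in a user-writable path, a Windows system binary name run from outside c:\windows, a machine-generated-looking name, AppInit_DLLs set, Security Center AntiVirusOverride non-zero). The heuristics are this example's own and only flag entries for review; none of them is a verdict (legitimate software also sets AppInit_DLLs). The sample log is constructed in the log's layout; an orphan like the log's `MSConfigStartUp-SFcPBiwGDh - c:\programdata\SFcPBiwGDh.exe` is the kind of entry it flags.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of ComboFix's "Reg Loading Points" and
# "ORPHANS REMOVED" sections. The entries are illustrative, not the poster's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"Updater"="c:\users\someone\AppData\Roaming\svchost.exe" [2011-07-19 49152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-SFcPBiwGDh - c:\programdata\SFcPBiwGDh.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[[^\]]*\])?$')
RAW_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
ORPHAN_RE = re.compile(r'^(?P<source>[A-Za-z]+(?:-[A-Za-z]+)?)-(?P<name>\S+)\s+-\s+(?P<target>.+)$')

# Heuristic inputs (this example's own choices, not a ComboFix rule set)
USER_WRITABLE = ('c:\\users\\', 'c:\\programdata\\', '\\appdata\\', '\\temp\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'}


@dataclass(frozen=True)
class Finding:
    location: str           # registry key or log section the entry came from
    name: str               # value name or orphan entry name
    target: str             # path, or raw data for non-path values
    reasons: tuple[str, ...]


def looks_random(stem: str) -> bool:
    """Coarse check for dropper-style names such as 'SFcPBiwGDh':
    ten or more letters, mixed case after the first character, few vowels."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 10:
        return False
    tail = letters[1:]
    mixed = any(c.islower() for c in tail) and any(c.isupper() for c in tail)
    vowels = sum(c.lower() in 'aeiou' for c in letters)
    return mixed and vowels / len(letters) < 0.2


def assess_target(name: str, target: str) -> list[str]:
    """Review reasons for an autostart entry that points at a file."""
    reasons = []
    low = target.lower()
    base = target.rsplit('\\', 1)[-1]
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append('autostart target lives in a user-writable location')
    if base.lower() in SYSTEM_NAMES and not low.startswith('c:\\windows\\'):
        reasons.append(f'{base} is a Windows system binary name but is run from outside c:\\windows')
    if looks_random(name) or looks_random(base.rsplit('.', 1)[0]):
        reasons.append('entry name looks machine-generated')
    return reasons


def assess_raw(name: str, data: str) -> list[str]:
    """Review reasons for values whose data is not a path."""
    reasons = []
    key = name.lower()
    if key == 'appinit_dlls' and data.strip():
        reasons.append('AppInit_DLLs is set; the DLL is loaded into every process that loads user32.dll, verify its publisher')
    if key == 'antivirusoverride' and data.lower().startswith('dword:') and int(data.split(':', 1)[1], 16) != 0:
        reasons.append('Security Center antivirus monitoring is overridden')
    return reasons


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    location = ''
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        if not line or line == '.':
            continue
        if (m := KEY_RE.match(line)):
            location = m['key']
            continue
        if line.startswith('- - - -'):          # section banner such as "- - - - ORPHANS REMOVED - - - -"
            location = line.strip('- ')
            continue
        if (m := VALUE_RE.match(line)):
            name, target, reasons = m['name'], m['target'], assess_target(m['name'], m['target'])
        elif (m := RAW_RE.match(line)):
            name, target, reasons = m['name'], m['data'], assess_raw(m['name'], m['data'])
        elif (m := ORPHAN_RE.match(line)):
            name, target, reasons = m['name'], m['target'], assess_target(m['name'], m['target'])
        else:
            continue
        if reasons:
            findings.append(Finding(location, name, target, tuple(reasons)))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.location}] {f.name} -> {f.target}')
        for r in f.reasons:
            print(f'    - {r}')
```

    Run it against a saved C:\ComboFix.txt by passing the file contents to `triage()`; the regular expressions only match the value and orphan line shapes shown in the log, so the file listings and the catchme section are ignored.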
     
  8. 2011/07/20
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    P.S.
    While running rkill.exe a message popped up saying something similar to:
    Access Denied. Requires Administrator privileges...

    This message occurred three times during the run of rkill.exe although not noted in the log.txt.
     
  9. 2011/07/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still unable to boot to normal mode?

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  10. 2011/07/20
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Still not able to run the computer in normal mode, so will proceed in safe mode.
     
  11. 2011/07/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok...
     
  12. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Broni, here is the GMER.log file. It ran about two hrs. Only surmised it was finished because of hard disk activity. Log seems small.
    -----------
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-07-20 23:37:33
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
    Running: ciq7gx6g.exe; Driver: C:\Users\HANNAH~1\AppData\Local\Temp\afxyipow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\fastfat \Fat A26119F6

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions /NOEXECUTE=OPTIN IN/MINT
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 708
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management@ExistingPageFiles \??\C:\pagefile.sys?
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 279
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 325091761
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@VideoInitTime 0
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID ab4c0a5e-05a4-47f1-8fd5-ed2d4f4
    Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootStatus 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@ReadyBootPlanUsage 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7732
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2CAFB406-C261-4023-BEC7-97CC25B23C03}@LeaseObtainedTime 1311201252
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2CAFB406-C261-4023-BEC7-97CC25B23C03}@T1 1311244452
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2CAFB406-C261-4023-BEC7-97CC25B23C03}@T2 1311276852
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2CAFB406-C261-4023-BEC7-97CC25B23C03}@LeaseTerminatesTime 1311287652
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 5322
    Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 5323
    Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 5128 5134 5146 5156 5166 5186 5230 5240 5278 5284 5300 5308
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA3301004F7716000000000030\Usage@AcrobatElements 1056178724
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 5322
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 5323
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4225951657-1860771598-1606342484-1000@State 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4225951657-1860771598-1606342484-1000@RefCount 0

    ---- EOF - GMER 1.0.15 ----
     
  13. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Hijacked Browser: GMER.log

    Not sure whether I posted this at the right spot, Broni. A bit groggy now.

     
  14. 2011/07/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That looks good.

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  15. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Hijacked Browser: Asked to download Avast

    Hi, Broni!

    aswMBR asks me to download Avast!. Should I download the Avast! anti-virus definitions?

    Also, using Safe Mode for work today, the computer ran very hot.

    Thx so much for your help!
     
  16. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Installed the virus definitions. Here is the log:

    aswMBR version 0.9.8.945 Copyright(c) 2011 AVAST Software
    Run date: 2011-07-21 18:37:54
    -----------------------------
    18:37:54.120 OS Version: Windows 6.0.6000
    18:37:54.120 Number of processors: 2 586 0xF0D
    18:37:54.121 ComputerName: HANNAH-LEIGH-PC UserName:
    18:37:55.149 Initialize success
    18:58:58.942 AVAST engine defs: 11072101
    18:59:23.821 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:59:23.823 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
    18:59:23.834 Disk 0 MBR read successfully
    18:59:23.835 Disk 0 MBR scan
    18:59:23.838 Disk 0 unknown MBR code
    18:59:23.842 Disk 0 scanning sectors +488394752
    18:59:23.928 Disk 0 scanning C:\Windows\system32\drivers
    18:59:32.488 Service scanning
    18:59:33.904 Modules scanning
    18:59:40.104 Disk 0 trace - called modules:
    18:59:40.122 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    18:59:40.124 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85349600]
    18:59:40.127 3 ntkrnlpa.exe[820b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8532a030]
    18:59:41.430 AVAST engine scan C:\Windows
    18:59:45.670 AVAST engine scan C:\Windows\system32
    19:01:42.394 AVAST engine scan C:\Windows\system32\drivers
    19:01:52.452 AVAST engine scan C:\Users\Hannah-Leigh Bull
    19:03:54.445 Disk 0 MBR has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\MBR.dat "
    19:03:54.587 The log file has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\aswMBR.txt "
     
  17. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Looks as if it is still scanning. Sorry. The Scan button was greyed out and the hard disk inactive. So I thought it was finished. Hard disk is active and Avast! is supplying progress reports.

    How long should I anticipate for this scan?
     
  18. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    Here's the completed Avast! scan log:

    aswMBR version 0.9.8.945 Copyright(c) 2011 AVAST Software
    Run date: 2011-07-21 18:37:54
    -----------------------------
    18:37:54.120 OS Version: Windows 6.0.6000
    18:37:54.120 Number of processors: 2 586 0xF0D
    18:37:54.121 ComputerName: HANNAH-LEIGH-PC UserName:
    18:37:55.149 Initialize success
    18:58:58.942 AVAST engine defs: 11072101
    18:59:23.821 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:59:23.823 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
    18:59:23.834 Disk 0 MBR read successfully
    18:59:23.835 Disk 0 MBR scan
    18:59:23.838 Disk 0 unknown MBR code
    18:59:23.842 Disk 0 scanning sectors +488394752
    18:59:23.928 Disk 0 scanning C:\Windows\system32\drivers
    18:59:32.488 Service scanning
    18:59:33.904 Modules scanning
    18:59:40.104 Disk 0 trace - called modules:
    18:59:40.122 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    18:59:40.124 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85349600]
    18:59:40.127 3 ntkrnlpa.exe[820b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8532a030]
    18:59:41.430 AVAST engine scan C:\Windows
    18:59:45.670 AVAST engine scan C:\Windows\system32
    19:01:42.394 AVAST engine scan C:\Windows\system32\drivers
    19:01:52.452 AVAST engine scan C:\Users\Hannah-Leigh Bull
    19:03:54.445 Disk 0 MBR has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\MBR.dat "
    19:03:54.587 The log file has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\aswMBR.txt "
    19:11:18.062 AVAST engine scan C:\ProgramData
    19:13:38.351 Scan finished successfully
    19:14:00.672 Disk 0 MBR has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\MBR.dat "
    19:14:00.676 The log file has been saved successfully to "C:\Users\Hannah-Leigh Bull\Desktop\aswMBR.txt "
     
  19. 2011/07/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://digiex.net/downloads/downloa...6-windows-vista-32-bit-x86-recovery-disc.html
    Download Windows 7 Recovery Disc iso image: http://digiex.net/downloads/downloa.../2659-windows-7-32-bit-x86-recovery-disc.html
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk. You may need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)

    Vista users. At first screen click on Repair your computer:

    Windows 7 users. At first screen click on Install now:
    Select your language and click next:
    Click the button for "Use recovery tools":

    The following applies to both Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    Select Command Prompt

    Type in:
    bootrec /fixmbr (<--- there is a "space" after "bootrec")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh aswMBR log.
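Added example, not from the thread and not aswMBR's own code: a small triage script for aswMBR logs of the kind posted above. It pulls out the per-disk MBR verdict (the "unknown MBR code" line is what prompts the bootrec /fixmbr step), records where MBR.dat was saved so the backup is kept as evidence, and flags a log as partial when the scan had not finished, as in the earlier paste. The sample log is a constructed excerpt with a placeholder user path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt modelled on the aswMBR log format seen above; the path is a placeholder.
SAMPLE_LOG = r"""aswMBR version 0.9.8.945 Copyright(c) 2011 AVAST Software
Run date: 2011-07-21 18:37:54
-----------------------------
18:37:54.120 OS Version: Windows 6.0.6000
18:59:23.834 Disk 0 MBR read successfully
18:59:23.835 Disk 0 MBR scan
18:59:23.838 Disk 0 unknown MBR code
18:59:40.104 Disk 0 trace - called modules:
18:59:40.122 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:13:38.351 Scan finished successfully
19:14:00.672 Disk 0 MBR has been saved successfully to "C:\Users\EXAMPLE\Desktop\MBR.dat "
"""

STAMPED = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (.*)$")     # "HH:MM:SS.mmm message"
DISK_MBR = re.compile(r"^Disk (\d+) (.+) MBR code$")         # e.g. "Disk 0 unknown MBR code"
MBR_SAVED = re.compile(r'^Disk (\d+) MBR has been saved successfully to "(.*?)\s*"$')

@dataclass
class Triage:
    mbr_code: Dict[int, str] = field(default_factory=dict)  # disk -> aswMBR's MBR verdict
    scan_finished: bool = False
    mbr_backup: Optional[str] = None                        # where MBR.dat was written
    findings: List[str] = field(default_factory=list)       # what the analyst must act on

def triage_aswmbr(log_text: str) -> Triage:
    """Reduce an aswMBR log to the facts that decide the next step."""
    t = Triage()
    for raw in log_text.splitlines():
        m = STAMPED.match(raw.strip())
        if not m:
            continue                      # banner and header lines carry no timestamp
        msg = m.group(1)
        if (d := DISK_MBR.match(msg)):
            disk, verdict = int(d.group(1)), d.group(2)
            t.mbr_code[disk] = verdict    # "unknown" or a recognized loader description
            if verdict == "unknown":
                t.findings.append(f"Disk {disk}: MBR code not recognized; keep MBR.dat and review before bootrec /fixmbr")
        elif (s := MBR_SAVED.match(msg)):
            t.mbr_backup = s.group(2)     # trailing space before the quote is tolerated
        elif msg == "Scan finished successfully":
            t.scan_finished = True
    if not t.scan_finished:
        t.findings.append("Scan did not finish; the log is partial, wait for the complete run")
    return t

if __name__ == "__main__":
    for finding in triage_aswmbr(SAMPLE_LOG).findings:
        print(finding)
```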
     
  20. 2011/07/21
    hlbull

    hlbull Inactive Thread Starter

    Joined:
    2011/07/20
    Messages:
    62
    Likes Received:
    0
    I followed the above instructions and have restarted my computer but I can't find the fresh aswMBR log. I ran two searches in explorer for "aswMBR" with no luck.
    Where was the log saved?
    P.S. The search did turn up results for the run I ran 2 hours ago (as shown in the date modified property of the file), but not the most recent one.
     
  21. 2011/07/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You ran aswMBR today.
    Just re-run it (my reply #33).

    Still no boot to normal mode?
     
