TechSpot

Cannot run Rkill, Malwarebytes, or GMER

By Landulph
Sep 20, 2011
  1. This morning, Panda blocked TEN Katushas on a Yahoo web page (after my browser locked up for ~30 sec). To be on the safe side, I decided to run an MBAM scan, only to find this program crashed/vanished about 16 sec in, before it had a chance to actually begin scanning any files. Tried to run rkill MANY times (in normal AND safe modes) only to find the DOS screen crashing after a couple of seconds. Now, as luck would have it, I also noticed a brand spanking new process in Task Manager that had never, EVER been there before this Katusha trouble, something called "2330312413:574691957.exe". And huh--there is a key/entry in my registry (type REG/SZ) called "\systemroot\2330312413:574691957.exe". (I didn't want to start deleting registry entries willy-nilly, though). There are also two instances of a file named "2330312413" one in the Windows directory, the other in "Windows/Prefetch" and BOTH of them created at 11:27 AM this morning, just when my trouble began. "Also, now whenever I start up, Panda quickly blocks exactly three Katushas, and it takes far longer to acquire an IP address (the "little yellow ball spinning around a computer") than before. The internet is also much flakier than before.

    And there is one other hangup: I cannot finish a GMER scan. The program crashes with no "rootkit activity" warning (I've tried it multiple times in normal mode) as soon as it displays a red Module entry (the very first red one for the scan) at section "/cdfs" (I think). Should I run GMER in safe mode?

    In any case, here is the DDS log:


    DDS (Ver_10-10-05.01) - NTFSx86
    Run by Landulph at 13:17:03.75 on Tue 09/20/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    AV: Panda Antivirus Pro 2011 *On-access scanning enabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
    FW: Panda Personal Firewall 2011 *enabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus pro 2011\APVXDWIN.EXE" /s
    mRun: [SCANINICIO] "c:\program files\panda security\panda antivirus pro 2011\Inicio.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\landulph\startm~1\programs\startup\websho~1.lnk - c:\program files\webshots daily features\Webshots Daily Features.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292289024562
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: avldr - avldr.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Notification Packages = :\windows\system32\srr

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\landulph\applic~1\mozilla\firefox\profiles\c4e97zyq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\landulph\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
    FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
    FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\NPSWF32.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {A23D0200-5A95-4E18-83EC-7F58F9DB5C09} - c:\documents and settings\landulph\local settings\application data\{A23D0200-5A95-4E18-83EC-7F58F9DB5C09}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.il", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lv", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.ua", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--wgbh1c", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4f16a", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4fra", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fzc2c9e2c", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--xkc2al3hye2a", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--wgbl6a", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--ogbpf8fl", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.asia", true);

    ============= SERVICES / DRIVERS ===============


    ============== File Associations ===============

    JSEFile=c:\progra~1\pandas~1\pandaa~1\PAVSCRIP.EXE "%1" %*
    VBEFile=c:\progra~1\pandas~1\pandaa~1\PAVSCRIP.EXE "%1" %*
    VBSFile=c:\progra~1\pandas~1\pandaa~1\PAVSCRIP.EXE "%1" %*

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2011-09-20 16:45:10 1253376 ----a-w- c:\windows\system32\BCMWLTRY.EXE
    2011-09-20 15:47:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-20 15:34:53 20480 ----a-w- c:\windows\system32\WLTRYSVC.EXE
    2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

    ============= FINISH: 13:18:52.42 ===============

    And now the Attach one:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-05.01)


    ==== Disk Partitions =========================


    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    AAC Decoder
    ABC Amber Sony Converter
    AC3Filter (remove only)
    Acrobat.com
    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.0
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Binverse
    biogems2006 Screen Saver
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    calibre
    Conexant HDA D110 MDC V.92 Modem
    Dell Resource CD
    Dell Wireless WLAN Card
    DirectVobSub (remove only)
    DivX Codec
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    doPDF 7.2 printer
    eMule
    ESET Online Scanner v3
    ffdshow [rev 3097] [2009-10-08]
    Google Video Player
    H.264 Decoder
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Homey
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    InterActual Player
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Japanese Fonts Support For Adobe Reader 8
    Java Auto Updater
    Java(TM) 6 Update 24
    Magic ISO Maker v5.5 (build 0281)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Small Business Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ Run Time Lib Setup
    mIRC
    mIWA
    MKV Splitter
    mLogView
    mMHouse
    Modem Helper
    Move Media Player
    Mozilla Firefox (3.6.22)
    mPfMgr
    mPfWiz
    mProSafe
    mSSO
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    MultipleIEs
    MUSICMATCH® Jukebox
    mWlsSafe
    mWMI
    mXML
    mZConfig
    Netscape Navigator 4.08
    OGA Notifier 2.0.0048.0
    OZ776 SCR CardBus V1.1.3.6
    OZ776 SCR CardBus Windows Driver
    Panda Antivirus Pro 2011
    Panda Secure Vault 5
    Pando Media Booster
    PDFCreator
    PowerDVD
    Premier Forever - British Columbia Demo v. 1.00.6
    President Forever 2008 + Primaries Demo - v. 1.6.0.7
    Prime Minister Forever - Canada 2008 Demo - v. 1.1.0.6
    PrimoPDF -- brought to you by Nitro PDF Software
    QuickSet
    QuickTime
    RAR Password Cracker 4.12
    RealPlayer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Shakespeare Picture Book Screen Saver
    SigmaTel Audio
    Subtitle Workshop 2.51
    SUPERAntiSpyware
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 0.9.6
    VobSub v2.23 (Remove Only)
    Vuze
    WAV MP3 Converter v4.1 build 1218
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB898549
    Windows Media Player 10
    Windows XP Service Pack 3
    WinRAR archiver
    XChat 2 (remove only)
    Xvid 1.2.2 final uninstall

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I notice you also posted this same information here: http://www.bleepingcomputer.com/forums/topic419757.html

    Please decide which forum you want to stay with and post on the other forum to close the thread as you as getting help elsewhere.

    Let me know one way or the other please.
     
  3. Landulph

    Landulph TS Rookie Topic Starter

    Hi, Bobbeye! I think I will go with Techspot--Bleepingcomputer are excellent, but they seem to have a massive backlog right now, and I would rather not wait 7 days plus. I'll close the thread over there right now. Many thanks for the prompt response.

    Also, I have found two more glitches--I appear to be infected with the "wickedsearchsystem" redirect, for computer-related sites only, and the malware seems to have disable my copy of Interactual DVD Player in much the same way it did Malwarebytes--upon launching it I got an error, and it now shows on my desktop/start menu as the "blank white windows screen" icon, and I now get a "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" error upon trying to launch it.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We all get backed up at times> That's one reason we ask that you only have one forum and helper for the same problem. I have a lot of question to ask, but I'd like to get you started.

    Let GMER go for now. Let's work on Mbam:

    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

    Once done, try running a scan again
    ================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
    What is a Katushas Other than a Russian Cycling Team?
     
  5. Landulph

    Landulph TS Rookie Topic Starter

    I ran randmbam.exe. It says it created a shortcut on my desktop, but no such icon is showing when I go to check it. What should I do?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try running the Mbam scan and continue on.
     
  7. Landulph

    Landulph TS Rookie Topic Starter

    Still getting, "cannot access the specified path or file--you may not have access privilages" message. Again, it doesn't seem like the utility actually created a new shortcut for MBAM on my desktop even though it said it did. Should I just try to run combofix now?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please go ahead with Combofix.
     
  9. Landulph

    Landulph TS Rookie Topic Starter

    Ran Combofix. As I feared, it detected the Zero.Access Rootkit in my TCP/IP stack. Combofix restarted the system, and continued, only to abruptly shut down with a message simply saying "error". Xp now takes much longer starting up, and doesn't seem to boot in safe mode. I think I am just going to reformat, as I know Zero.Access is a nasty infection. I just have three questions:

    1. Could this particular rootkit still be lodged in my HD boot sector (ie, will a reformat fix the problem, or should I just get a new HD from the manufacturer--it's still under warranty.)

    2. I backed up my Documents and Settings folder when this infection began last week. Am I safe restoring it to the new installation?

    3. I have a lot of files/documents/icons on an external HD within a given folder organized in a very specific order, and I'd really rather not take the time rearranging them after an XP reinstall if I don't have to. Is there a specific Windows file(s) I could back up/transfer to the new install to avoid this?

    Thanks for all your efforts, Bobbye--I know this was a bad infection, and you did your best.

    Landulph
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can I see the Combofix log please?
     
  11. Landulph

    Landulph TS Rookie Topic Starter

    Combofix shut down before generating a log, that's the problem. Should I try running it again? (It think it shut down at "Stage 3", if that makes any difference).
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Still want to know this:
    =================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ======================================
    Follow with download Of maxhandle.exe by noahdfear to your desktop.
    • Double click maxhandle.exeand run the application
    • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals
    • If Max++ is present the log will open automatically.
    • If Max++ is not found Nothing found! is echoed to the screen - no log is produced.
    • Log is saved to c:\maxhandle.txt

    Please post both of the logs in your next reply. I will give you the next step after I see the logs.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...