TechSpot

Unknown rogue malware

Resolved
By Bokkan
Feb 3, 2012
  1. So, I'm noticing that everyone seems to have this system check thing. Must be really frustrating, but it doesn't seem like any of the conventional tools can remove it. In retrospect, that's kinda why I'm here. My friend's box got infected with system check about a month ago, and I've been doing my damnedest to clean it. Reading guides, doing my typical system removal procedures, but I've met my match and I'm just unable to compete with this malware. And after reading some of these boards, I realize that I'm pretty much a dunce when it comes to this stuff, so my hat's off to the experts before I post this.

    That being said, I do have to warn anyone who wishes to take on the task of helping me that I have already done several steps to the computer, so that might affect the process. I've already gotten the computer to be able to boot without the system check virus taking over (sometimes) and know how to get it to boot afterwards. (I rename the files and then reboot, super savvy right?) Anyway, I've tried running Mbam.exe several times, and even Tdsskill, but I just can't seem to get rid of it. On top of that, this box seems to be infected with much more than just System check, as there are signs of other less volatile malware all over.

    Anyway, that being said, I do have to point out that I was completely unable to get dds.src to produce any logs. The first time it froze the computer after about 10 minutes. Had to power cycle the box. The second time I tried it I let it run for 2 hours just to be sure, same result tho.

    As for Gmer, I did load it as suggested, and nothing happened. No initial scan like the guide said. So I hit Scan... 6 hours later and it finished scanning. Not sure if this is the log you wanted, but I'll post it anyway just in case. To follow are the Mbam log and the Gmer.log.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot!

    Yes, I'm tired of it! Mostly because there are several rogue malware programs very active now that produce some of the same symptoms. Members are assuming that they all have the System Check malware. Not necessarily so. But the problem is that they are giving a diagnosis, but no symptoms.

    The bottom line is that I have to fire back questions to ask them what's happening. So I changed your Subject so I won't get yet another feedback email named "System Check."

    So, I'd like you to undo whatever you did to the .exe files to make them load. Uninstall any of the programs you used in an attempt to fix the problem.

    Tell me what symptoms you are having and what messages you get when you try to run a scan.

    Then I can determine what malware you most likely have and the best way to fix it.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
  3. Bokkan

    Bokkan TS Rookie Topic Starter

    Well, I didn't realize there was an acceptance policy for forum topics, but I probably should have considered that. As such, this is my first opportunity to post the Mbam and Gmer logs. But in trying to follow your directions, I'll answer your questions first. If you would like the logs please let me know as I have them available.

    As for symptoms, initially, when I received the box all the files were "gone" and the desktop was bare. Additionally the settings were in such a way that the box was set up to have 2 monitors, and was recognizing a second monitor attached (tho none was) so that the primary monitor only showed the very top left corner of the desktop (i.e. could not see or interact with the task bar or start menu in any way). I didn't know this, nor had I gotten familiar with the system check virus (as I now believe it is) at the time, so I operated under the impression that this was all part of the malware; for all I know my friend did something to set it up this way.

    In addition, a non-closeable window with "System Check" at the top was prominent and it said "scan PC for errors". I'm not sure how you feel about posting links to images but I found several very similar replicas when doing a Google image search for "system check virus" right in the first 5 images.

    I have uninstalled every cleaner I have tried to use as asked, tho I did that prior to following the directions listed under the Sticky in this forum. The only file I did not uninstall is Malwarebytes (tho I did do a wipe and fresh install before starting that guide) as it's part of the guide. And Tdsskill wasn't ever actually installed per se, but I can delete the executable from the machine if you wish.

    What I did do is have to open a new task in task manager, cmd, and from there I unhid all the files, using a command that I can't remember as it was a while ago, but I want to say it was /attrib -h /s /d. I also changed the file names on the files related to what I believe is the SC virus so that I could reboot without it taking over my computer again. Finally, I transferred over a notepad document with a .exe registry editor fix for Win XP.

    That's about all I can think of for what I've done, and most of those things I can't really undo unfortunately.

    Some additional symptoms I'm noticing now that the box isn't being hijacked upon login every time (tho occasionally it does completely get hijacked all over again and I have to repeat the previous steps; obviously I won't do that without you asking from this point forward should it happen again..) is that I'm getting Google redirects for every clicked-upon link. I'm getting random redirects for multiple pages on Firefox, and I'm getting constant iexplorer panes attempting to load according to the task manager, each taking up an average of 30,000k mem usage with no apparent source, only to 'fail' and have a Windows error report window pop up for them about 10 minutes after they each show up in the task manager. Generally there's anywhere from 5-15 of them at a time. And once, I had a slew of "Windows Help" windows open up overnight, at least 50, that I had to close individually. Only happened once, and hasn't happened again.


    Further instructions? Would you like the Mbam/Gmer logs?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please post the logs. I will then compare what I see to what you describe.

    I'm not sure what you mean about 'acceptance'. The original subject you gave was born out of your frustration. The reply I gave was born out of mine. It's simply that everyone who has any similar problems proceeds to name the malware but tell us nothing about its effects on the system.

    I just changed your subject to less frustration and more to the point. Okay?

    Ignore any 'critical' messages and 'alerts' that you get. Do not click on any of them. As soon as I see the logs, I will follow with the appropriate directions.
  5. Bokkan

    Bokkan TS Rookie Topic Starter

    By acceptance I mean nothing in regards to you specifically, I totally understand why you changed the title. Just another meaning lost in text I suppose. I meant that the threads have to be approved by a moderator before they are allowed to be shown at all on the boards, which also totally makes sense. I just didn't realize that, so my plan to post the logs in subsequent posts for organization methods was foiled as my thread didn't exist after my initial 'post.' I was simply trying to explain why I didn't just post the logs from the beginning like I was supposed to. Then was confused if I should post them after it was approved or follow your directions first is all. Here I am trying to show I'm following directions, and instead I make it look like I'm being snippy at you. I apologize, I don't care what the title says lol :_)


    Malwarebytes log:


    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.02.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Hoot Bear :: GAMER-DA6024286 [administrator]

    2/2/2012 6:03:55 PM
    mbam-log-2012-02-02 (18-03-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 263840
    Time elapsed: 36 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\WINDOWS\system32\mtxocci.dll (Trojan.BHO.H) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\EX0FE7~1.CLE (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Files Detected: 1
    C:\WINDOWS\system32\mtxocci.dll (Trojan.BHO.H) -> Delete on reboot.

    (end)




    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-03 06:36:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c ST380020A rev.5.46
    Running: 8xnjf8rt.exe; Driver: C:\DOCUME~1\HOOTBE~1\LOCALS~1\Temp\kwddrfod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? tfvaq.sys The system cannot find the file specified. !
    ? C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious PE modification
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5B473A0, 0x83C195, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
    .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00634850
    .text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F3000A
    .text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F4000A
    .text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F2000C
    .text C:\WINDOWS\Explorer.EXE[1248] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B44850
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2252] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00154878
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!send 71AB4C27 5 Bytes JMP 7FF91AD9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 7FF91A15
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2036] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[7420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[7748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) B6871000-B688B000 (106496 bytes)

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\All Users\Application Data\jbamaaa.tmp 0 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030 0 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\bckfg.tmp 854 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\cfg.ini 237 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\keywords 0 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\L\ighokgwu 62976 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\80000000.@ 11264 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\80000032.@ 73216 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\3939797030\version 858 bytes
    File C:\WINDOWS\$NtUninstallKB25330$\487665194 0 bytes

    ---- EOF - GMER 1.0.15 ----
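Added example (not part of the original post, and not GMER's own code): a small Python parser for the GMER 1.0.15 log above. It separates inline JMP hooks, for which GMER printed only a bare target address, from IAT entries that resolve to a named DLL, and it collects the hidden module and the entries in the Files section. The regular expressions and the `triage` name are assumptions drawn only from the line shapes in this log.

```python
import re
from collections import defaultdict

# Excerpt of the GMER 1.0.15 log posted in this thread (a few lines per section).
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!recv 71AB676F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 7FF91B07
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[8088] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
Module (noname) (*** hidden *** ) B6871000-B688B000 (106496 bytes)
File C:\WINDOWS\$NtUninstallKB25330$\3939797030\cfg.ini 237 bytes
File C:\WINDOWS\$NtUninstallKB25330$\3939797030\U\80000032.@ 73216 bytes
"""

HEX = r"[0-9A-F]{8}"
# ".text <image>[pid] <dll>!<function> <address> <n> Bytes JMP <target>"
HOOK = re.compile(rf"^\.text\s+.+?\[(?P<pid>\d+)\]\s+(?P<func>\S+!\S+)\s+{HEX}\s+\d+ Bytes\s+JMP (?P<target>{HEX})")
# "IAT <image>[pid] @ <importing dll> [<dll>!<function>] [<address>] <owning dll> (...)"
IAT = re.compile(rf"^IAT\s+.+?\[(?P<pid>\d+)\] @ .+? \[(?P<func>[^\]]+)\] \[{HEX}\] (?P<owner>.+?\.dll)")
# "Module <name> (*** hidden *** ) <start>-<end> (<n> bytes)"
MODULE = re.compile(rf"^Module\s+(?P<name>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<start>{HEX})-(?P<end>{HEX})")
# "File <path> <n> bytes"
FILE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")

def triage(log):
    """Return the hook, module and file entries of a GMER text log, grouped by kind."""
    files = defaultdict(int)
    out = {"inline_hooks": [], "iat_redirects": [], "hidden_modules": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := HOOK.match(line):
            # Function prologue overwritten with a jump; the log gives no module for the target.
            out["inline_hooks"].append((int(m["pid"]), m["func"], m["target"]))
        elif m := IAT.match(line):
            # Import redirected to a DLL that GMER could name; review the owner and vendor string.
            out["iat_redirects"].append((int(m["pid"]), m["func"], m["owner"]))
        elif m := MODULE.match(line):
            # Size recomputed from the address range as a cross-check on the printed size.
            out["hidden_modules"].append((m["name"], int(m["end"], 16) - int(m["start"], 16)))
        elif m := FILE.match(line):
            # Total bytes per top-level folder (drive, first and second directory).
            files["\\".join(m["path"].split("\\")[:3])] += int(m["size"])
    out["hidden_files"] = dict(files)
    return out

if __name__ == "__main__":
    for kind, entries in triage(SAMPLE).items():
        print(kind, entries)
```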
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The forums are monitored and occasionally some threads are picked up and held as Moderated. We try to check them and release so the members can go ahead with the logs. It can be confusing but it isn't something we have any control over. I just tried to explain that and hoped I didn't come over as finding fault.

    These rogue programs are doing a number on all of us! There are 5 or 6 rogue malware programs very active now that have some similar symptoms, but have different fixes.

    I'm not sure if you're following this: Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ---------------------------
    So you need to go ahead with the DDS scan and leave the 2 logs.

    After you finish with DDS, you can go ahead and run the following:

    Please advise me if you have AVG on the system before you run Combofix.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please leave the 2 logs from DDS and Combofix in your next reply.
  7. Bokkan

    Bokkan TS Rookie Topic Starter

    So DDS always freezes the box. I tried originally as it says in the first post, only to result in freezing and having to power cycle. So I wiped the old copy of DDS, and tried one more time, let it run for 6 hours, but in the end it froze again, and I had to power cycle. But now when I rebooted, it is stuck on a boot loop at verifying DMI pool data.

    Not sure what to do at this time, I'm thinking I might just have to nuke it ><
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for your patience. Let's tackle this again:

    A note: One of the malwares you had was (Trojan.SpyEyes). This is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/Spyeye sends captured data to a remote attacker, may download updates and has a rootkit component to hide its malicious activity.

    Even though some entries can be removed, I cannot guarantee that the system hasn't been compromised. To that end, please change all of your passwords and closely monitor any internet financial transactions for suspicious activity.
    ==========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==========================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:
    If you do not have AVG, you can skip the AppRemover section and go on to Combofix.
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [​IMG]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:>> Use only if you removed AVG and do not have a functioning, up to date AV.
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =============================================
    DDS won't run .scr:
    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry, say Yes.

    You should then be able to run DDS.scr. It's the .scr file extension causing the problem.
    ========================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave the 2 DDS logs, Combofix report and Eset log in next reply.
  10. Bokkan

    Bokkan TS Rookie Topic Starter

    I'd like to try all that stuff, but as it stands now, from the last time I tried to run DDS, the computer won't start now. It gets stuck on a boot loop at verifying DMI pool data. I tried disconnecting the CD drive and moving the HD's position on the IDE cable (and tried jumping the HD at Cable Select (its original setting) to hard coding it to Master or Slave depending on which position it was on on the IDE cable). All to no change. It just starts to load, and reboots. Kinda unsure what to do at this point.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please refer to the information in this link: Computer stops at verifying dmi pool data

    It has a list of causes and solutions. See if you can work through this to restore the system to stability. It is well laid out- follow carefully.
  12. Bokkan

    Bokkan TS Rookie Topic Starter

    OK, ty, I'll look over this info and give it a shot, but it might take some time as I have a busy week with the holiday and work requirements on my time. I'll post back when I'm done, but it will take a few days at least.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Writing myself a note to keep thread open.
  14. Bokkan

    Bokkan TS Rookie Topic Starter

    Hi there Bobbye, I finally got around to trying every last one of the steps you had me try, and no dice (I don't have a floppy so I was unable to try that one). Honestly I'm ready to throw in the towel for now, and just use a backup hard drive and install a copy of Windows on it. I know you guys don't like not finishing a project, but would you mind if we scrap this one?
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It is your system- if you want to stop and do the reformat/reinstall, it's your decision. But I'd like to recap briefly:

    1. The monitor problem you described early on sounds more like a display/graphics card problem rather than malware.
    2. The DDS scan doesn't change/delete/'quarantine' anything. So the problem you noted after running it wasn't caused by DDS.
    3. I can give you help that should allow the scans to run. But right now, I don't have much to go on.

    Your call. Stop or try again. Let me know.
  16. Bokkan

    Bokkan TS Rookie Topic Starter

    Sorry I haven't replied to this in a while, I just haven't had the time. I think I'd rather opt to just do my backup plan. At the moment my job is stressing me way out and I barely have time for myself. I really appreciate all the work you've helped me out so far.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, whatever works best for you.

    I know this well! Best of luck.