Cannot run gmer


mehouse
Cannot run gmer *logs attached*

Hello,
I'm trying to run the 8 step process, but I cannot run GMER. I keep getting a windows error that says this program needs to close. I cannot uncheck the devices box, as I get an hour glass as soon as the program opens.
I have disabled the internet, adaware, and spybot and then closed the programs as well.
I even tried running gmer in safe mode, but I get the same windows error. I have tried running it over 30 times, sometimes it won't even start at all, other times, it will run for about 10-15 seconds, then I get the error.
I'm running Windows XP Pro and my computer has become infected with malware.
Please help!
 
Seems to be a big problem with GMER today! And you've already tried both of the ways I'd suggest. Go ahead and run the other programs and we'll work around GMER or find another program if needed.
 
I wasn't able to get GMER to work, so I've attached my logs for the other programs. Thanks in advance for all your help!
 

Attachments: mbam-log-2010-06-18 (15-09-44).txt, DDS.txt, Attach.txt
Sorry for the delay. I'm catching up now. As for this:
I'm running Windows XP Pro and my computer has become infected with malware.

Problems:
This doesn't tell us anything about what problems you're having that brings you to this conclusion. Often, the description helps us to know the best course to follow. There are several different malware infections showing in Mbam. Now we have to follow up and make sure all the entries get removed.

Multiple antivirus programs: You have both Avast and Symantec antivirus programs running. Also some indication of AVG. Please decide which you want to keep and remove the other. Multiple AV programs make the system more vulnerable. Tools to help:
  • Norton Removal Tool
  • Avast Removal
Only download the tool for the program you don't want to keep. Please reboot when finished.

The Restore points indicate this:
RP610: 6/18/2010 10:38:10 AM - Removed AVG 9.0
RP611: 6/18/2010 10:40:51 AM - Installed AVG 9.0
RP612: 6/18/2010 10:44:56 AM - avast! Free Antivirus Setup


Did you actually install Avast or just download it?

Run these programs:
After you have handled the multiple antivirus programs go ahead and run the following while I finish checking the logs. I will need to write some script but you need to run Combofix first:
=================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==========================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Questions:
1. Is this your ISP?
IP 213.39.234.155:80
netname: ENERGY-NET
descr: Jazz Welle Plus Hamburg GmbH
descr: Winterhuder Markt 6 - 7
descr: D-22299 Hamburg
descr: Germany
country: DE
You have this set as the Internet Settings,ProxyServer = 213.39.234.155:80
But you also have an override to: Internet Settings,ProxyOverride = *.local

2. Did you set the Search in Firefox for MyStart Search? This is bundled with Incredimail. I would suggest you use a more reliable and clean search engine. I can set that up in Firefox using the script if you want.

3. Old Drivers: There are drivers and Services from 2000, 2001 and 2004. Have you ever gone through the system and uninstalled programs you no longer use?
 
Okay, I will try to address your questions.

I had Norton installed on the computer when I first got it, I thought I had removed that when I opted to go with AVG. Now that I have all these problems, I found that you recommended AVAST, so I just put Avast on my system this week and uninstalled AVG.
I used the Norton Removal Tool you posted. So hopefully the only antivirus program I have running now is Avast. I also have Adaware and Spybot running.
None of these programs picked up on the malware that has affected my system.

I ran Combofix and it found a rootkit (log attached).
I also ran the online scanner and attached that log. It did find 4 infected files and was able to clean them.

The ISP you posted is not mine, so I went into my Internet Explorer internet options and removed it as well as the proxy override settings. However, I have automatically detect settings checked.

I don't use Firefox (I only have it as a backup browser), but I did change the homepage.

I have not uninstalled old programs or drivers, as you can see I tend to just leave everything the way it is!

Let me know what else I should do. Thank you very much for your help!
 

Attachments: ComboFix.txt, log.txt
Regarding this:
I found that you recommended AVAST

We suggest Avira or Avast as free, good antivirus programs IF there is no antivirus program on the system. That is not meant to indicate that you should uninstall a current, updating antivirus program.

Please read through the directions given with any program I ask you to run. The Eset scan says: Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked.

I ask questions to clarify any point or get more information. It's better if you just give me the answer and wait for me to tell you the best way to proceed. I did not expect you to do anything about the IP, nor the startup page in Firefox. I anticipated the answers to both and had written script to handle them.

I can write script to handle any of the following. I want you to be aware of these matters because they all threaten the security of your system. You do not need to do anything- just read and decide:
  • All accounts on the system have a firewall port open for BitTorrent
  • The following programs have shared access through the firewall:
      1. BitTornado, the BitTorrent Download Manager
      2. Azureus
      3. Serv-U
      4. WS_FTP Pro
      5. InterVideo
#1 & #2 are file sharing programs, putting your system at risk for malware
#3 & #4 are File Transfer Protocol programs for advanced users.
#5 is for various aspects of multimedia.
The malware has set: Internet Settings,ProxyServer = 213.39.234.155:80
And you have likely set: Internet Settings,ProxyOverride = *.local
==================================
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\viewpoint\common\ViewpointService.exe
c:\windows\system32\drivers\nsdriver.sys
c:\windows\system32\drivers\awrtpd.sys
c:\windows\system32\drivers\AWRTPD.sys
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

Folder::
c:\documents and settings\Meghan.MEGHANSCOMPUTER\Application Data\Azureus
c:\program files\Azureus

DDS::
uInternet Settings,ProxyServer = 213.39.234.155:80
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://qp.wnyric.org/qp2.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"= -

Driver::
Viewpoint Manager Service
F-Secure Standalone Minifilter
Ad-Watch Connect Filter
Ad-Watch Real-Time Scanner
Ad-Watch Registry Filter
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
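As an added example that is not part of this thread, a small Python triage script for the two log patterns the replies above call out: a ProxyServer entry pointing at a public address (with the *.local override alongside it) and the orphaned "No File" BHO/TB/EB entries. The DDS-style sample lines are constructed from the values quoted in the thread, and the hostname handling is a conservative assumption (names that are not IP literals are flagged for review).

```python
import ipaddress
import re

# Constructed sample in the style of the DDS lines quoted in this thread (not a real log).
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = 213.39.234.155:80
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
"""

# DDS prefixes the key with u (HKCU) or m (HKLM); the thread also quotes it without a prefix.
PROXY_RE = re.compile(r"^[um]?Internet Settings,Proxy(Server|Override)\s*=\s*(.+?)\s*$")
NOFILE_RE = re.compile(r"^(BHO|TB|EB):\s*(\{[0-9A-Fa-f-]{36}\})\s*-\s*No File$")


def proxy_targets(value):
    """Split a ProxyServer value into host strings.
    Accepts 'host:port' and the 'http=host:port;https=host:port' form (IPv4 only)."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0])
    return hosts


def proxy_is_suspicious(value):
    """True when any proxy target is a public address or a name we cannot classify.
    A home PC that never had a proxy configured should not point at a public host."""
    for host in proxy_targets(value):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return True  # assumption: hostnames cannot be classified offline, flag for review
        if not (ip.is_private or ip.is_loopback):
            return True
    return False


def triage(dds_text):
    """Return suspicious proxy values, the override value, and orphaned No File entries."""
    findings = {"proxy": [], "override": None, "orphans": []}
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Server" and proxy_is_suspicious(value):
                findings["proxy"].append(value)
            elif key == "Override":
                findings["override"] = value
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings["orphans"].append((m.group(1), m.group(2)))
    return findings
```

A ProxyServer finding with an override of *.local is the combination the helper describes: local names bypass the proxy while everything else is routed through the remote host.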
 
You have still not told me what problems you were having that you suspected malware. How am I going to know they have been resolved if I don't know what they were?! You also didn't address the programs I listed as being threats to your security.

MBR Rootkit Detector

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please include the following with your next reply:
MBR Rootkit log
Eset log
Description of malware related problems you are having.
Decision on whether you want me to remove the programs that are security risks as in the first part of my Reply #6
 
Here's the mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 8 !

I've attached the ESET log.

The only problem I noticed with my PC was that it was running slower than normal. So I came to this forum and read what programs you recommended to check your PC for malware, spyware, viruses, etc. I ran the malwarebytes and realized my PC was infected.

You told me above I don't need to do anything with the programs you listed. I still use those programs, so I don't want them deleted. I did not know you were going to delete Azureus. I know my PC didn't get infected through those programs.
 

Attachments: log.txt
Eset log only shows malware in System Volume Information; these are the restore points. They are not active in the system and are removed when the system is clean:

You told me above I don't need to do anything with the programs you listed. I still use those programs, so I don't want them deleted. I did not know you were going to delete Azureus. I know my PC didn't get infected through those programs.

No, you don't know the PC didn't get infected from file sharing. When I find a system heavily infected, I remove those entries that are threats. But I should have asked about Azureus first and will attempt to restore the 'quarantined' entries as indicated. And if you want to keep and use all the other file sharing programs, you can do that. Understand that they will remain a security threat to the system and you will get malware using them, for the following reasons.

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall all file sharing programs for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I'll try to restore Azureus entries: Please find the log named C:\Qoobox\Combofix-quarantined-files.txt
Copy the Azureus files and folders and paste them in your next reply.
 
You're welcome.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    (image: CF_Uninstall-1.jpg, showing the Run box with "Combofix /Uninstall")
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you need more help.
 
Okay all set with the malware. Thanks again for your help.

One last question, when I run Spybot, I always get all these tracking cookies (BlueStreak, BurstMedia, DoubleClick, FastClick, ..., Zedo- there's 12 of them). Anything I can do to get rid of these?
 
You can reset the Cookies:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
 