Help for a girl who's not really computer savvy please.

Page 1 of 2

Solved Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 2:18 am

Help please. I've been infected with Spyware Guard 2008. I can't get rid of it.

Laurensum
Intermediate
Posts : 103
Joined : 2009-01-20
Gender : Female
OS : Windows XP

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 2:38 am

I've tried to remove it numerous times with the links the Dr posted, but every time I clicked on them I was kicked off the internet back to my desktop screen. I then tried googling the link and it kicked me off also. How do I remove this without being kicked off?

Solved Re: Help for a girl who's not really computer savvy please.

Post by Doctor Inferno on Tue Jan 20, 2009 8:25 am

Welcome to GeekPolice!

Please read [You must be registered and logged in to see this link.] and post a HijackThis log here.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 1:46 pm

I could not download the latest version of Java. Every time I tried, it failed because it said it could not be verified.

Laurensum
Intermediate
Intermediate

Status :
Online
Offline

Posts : 103
Joined : 2009-01-20
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Solved Re: Help for a girl who's not really computer savvy please.

Post by Doctor Inferno on Tue Jan 20, 2009 1:48 pm

Okay, never mind. Skip to the HijackThis part and post the log here.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

View user profile

Back to top Go down

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 2:30 pm

Every time I click on the link to download HijackThis it kicks me off and back to my desktop.

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 2:31 pm

Okay, we'll try DDS.
There are 3 links here, so if one doesn't work, try another.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 2:44 pm

DDS (Ver_09-01-18.01) - NTFSx86
Run by Compaq_Owner at 9:41:53.12 on Tue 01/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.103 [GMT -5:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\2ER1GNU7\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\windows\system32\vumer.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [SSP Notifier] c:\program files\fisher-price\fp3 player\sspnotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [spywareguard] c:\program files\spyware guard 2008\spywareguard.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\trueas~1.lnk - c:\program files\trueassistant\TrueAssistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Search - [You must be registered and logged in to see this link.]
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - [You must be registered and logged in to see this link.] files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - [You must be registered and logged in to see this link.] files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: baadebfeadbf - c:\windows\system32\baadebfeadbf.dll
SSODL: ieModule - {E4038A67-1701-4E51-8F79-3E7B4E8062B0} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {663717CA-0617-4CCA-895D-FC542C113E56} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\qxsylblocg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\ie02gf6z.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2006-8-17 99176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060817.032\NAVENG.Sys [2006-8-17 79240]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060817.032\NavEx15.Sys [2006-8-17 828872]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-16 192160]
R4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-16 202400]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-16 169632]
R4 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-6 139936]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-22 1247600]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-15 24652]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-10 33752]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-01-20 08:27 --d----- c:\program files\Spyware Doctor
2009-01-20 08:13 --d----- c:\documents and settings\compaq_owner\.SunDownloadManager
2009-01-14 08:27 384,000 a------- c:\windows\system32\winscenter.exe
2009-01-14 08:26 1,003,957 a------- c:\windows\sysexplorer.exe
2009-01-14 08:26 134,149 a------- c:\windows\reged.exe
2009-01-14 08:26 51,197 a------- c:\windows\spoolsystem.exe
2009-01-14 08:26 50,620 a------- c:\windows\sys.com
2009-01-14 08:26 47,872 a------- c:\windows\syscert.exe
2009-01-14 08:26 18,941 a------- c:\windows\vmreg.dll
2009-01-14 08:26 --d----- c:\program files\Spyware Guard 2008
2008-12-25 22:14 --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-10-13 22:55 1,776 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2006-06-22 09:47 774,144 ac------ c:\program files\RngInterstitial.dll
2007-06-16 17:58 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-26 12:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092620080927\index.dat

============= FINISH: 9:42:16.00 ===========

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 2:54 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
c:\windows\system32\vumer.dll
c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
c:\windows\system32\baadebfeadbf.dll
c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\qxsylblocg.dll
c:\windows\system32\winscenter.exe
c:\windows\sysexplorer.exe
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\vmreg.dll

Folders to delete:
c:\program files\spyware guard 2008

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


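
Editor's note (added example, not part of the thread and not anything Belahzur posted): the deletion list above can be reproduced mechanically from the DDS log. The script below parses the "Created Last 30" section, keeps the burst of files created within five minutes of the Spyware Guard 2008 folder (the executables dropped straight into c:\windows plus winscenter.exe in system32), and adds the BHO, Notify and SSODL DLLs that load from outside Program Files. The log excerpts are copied from the DDS output posted earlier; the five-minute window and the "outside Program Files" rule are heuristics chosen for this example, not rules from the thread.

```python
import re
from datetime import datetime, timedelta

# "Created Last 30" section, copied from the DDS log posted earlier in the thread.
CREATED_LAST_30 = """\
2009-01-20 08:27 --d----- c:\\program files\\Spyware Doctor
2009-01-20 08:13 --d----- c:\\documents and settings\\compaq_owner\\.SunDownloadManager
2009-01-14 08:27 384,000 a------- c:\\windows\\system32\\winscenter.exe
2009-01-14 08:26 1,003,957 a------- c:\\windows\\sysexplorer.exe
2009-01-14 08:26 134,149 a------- c:\\windows\\reged.exe
2009-01-14 08:26 51,197 a------- c:\\windows\\spoolsystem.exe
2009-01-14 08:26 50,620 a------- c:\\windows\\sys.com
2009-01-14 08:26 47,872 a------- c:\\windows\\syscert.exe
2009-01-14 08:26 18,941 a------- c:\\windows\\vmreg.dll
2009-01-14 08:26 --d----- c:\\program files\\Spyware Guard 2008
2008-12-25 22:14 --d----- c:\\program files\\Bonjour
"""

# BHO / Notify / SSODL lines from the same log's Pseudo HJT section (one
# legitimate BHO kept so the filter has something to pass).
AUTOSTART_LINES = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\\windows\\system32\\vumer.dll
Notify: baadebfeadbf - c:\\windows\\system32\\baadebfeadbf.dll
SSODL: ieModule - {E4038A67-1701-4E51-8F79-3E7B4E8062B0} - c:\\documents and settings\\all users\\application data\\microsoft\\internet explorer\\dlls\\ieModule.dll
SSODL: InternetConnection - {663717CA-0617-4CCA-895D-FC542C113E56} - c:\\documents and settings\\all users\\application data\\microsoft\\internet explorer\\dlls\\qxsylblocg.dll
"""

# DDS line layout: timestamp, optional byte count (absent for directories),
# eight attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+)$"
)


def parse_created(section):
    """Turn the 'Created Last 30' lines into dicts; paths are lower-cased
    because DDS mixes case between sections."""
    entries = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "is_dir": m["attrs"].startswith("--d"),
            "path": m["path"].lower(),
        })
    return entries


def burst_around(entries, anchor_substring, window=timedelta(minutes=5)):
    """Everything created within `window` of the first entry whose path
    contains anchor_substring (here the rogue AV's own folder). The window
    is a heuristic chosen for this example."""
    anchors = [e for e in entries if anchor_substring in e["path"]]
    if not anchors:
        return []
    t0 = anchors[0]["ts"]
    return sorted((e for e in entries if abs(e["ts"] - t0) <= window),
                  key=lambda e: (e["ts"], e["path"]))


def system_root_executables(entries):
    """Files written directly into c:\\windows\\ (not a subfolder); unusual
    for legitimate installers and a good secondary signal."""
    return [e["path"] for e in entries
            if not e["is_dir"] and re.fullmatch(r"c:\\windows\\[^\\]+", e["path"])]


def unknown_autostart_dlls(lines):
    """DLLs loaded by BHO/Notify/SSODL entries from outside Program Files."""
    found = []
    for line in lines.splitlines():
        if not line.startswith(("BHO:", "Notify:", "SSODL:")):
            continue
        path = line.rsplit(" - ", 1)[-1].strip().lower()
        if not path.startswith("c:\\program files\\"):
            found.append(path)
    return found


def build_delete_list():
    """Candidate 'Files to delete' / 'Folders to delete' in the order a
    removal script would list them: autostart DLLs first, then the burst."""
    entries = parse_created(CREATED_LAST_30)
    burst = burst_around(entries, "spyware guard 2008")
    return {
        "files": unknown_autostart_dlls(AUTOSTART_LINES)
                 + [e["path"] for e in burst if not e["is_dir"]],
        "folders": [e["path"] for e in burst if e["is_dir"]],
    }


if __name__ == "__main__":
    result = build_delete_list()
    print("Files to delete:")
    print("\n".join(result["files"]))
    print("\nFolders to delete:")
    print("\n".join(result["folders"]))
```

The output is the same eleven files and one folder as the Avenger script. The heuristic is a triage aid, not a verdict: a legitimate installer also drops several files in one minute, so each hit still needs a check (publisher, signature, whether any vendor documents the file name) before it goes into a deletion script. Note also that the DDS log was taken on 20 January but the burst is dated 14 January, six days before the rogue AV was reported; the creation time, not the complaint date, is what anchors the search.
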
Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 3:23 pm

I downloaded Avenger to my desktop and followed all of the instructions. But when I click on the Avenger icon, a quick icon box appears and disappears before I can even read what it says, and Avenger never opens.
I downloaded it from both links and the same thing happened both times.

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 3:37 pm

Can you boot to safe mode and try to use the avenger there?


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 3:42 pm

Sorry, how do I do that?

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 3:55 pm

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.


Then once in safe mode, try running the avenger.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 4:21 pm

I tried to run Avenger in safe mode and it still didn't work.

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 4:23 pm

Let's see if we can use this.

Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

If the log is huge, please let me know and upload it somewhere for me.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 4:47 pm

That worked. I believe it is big so where do you want me to upload it?

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 4:52 pm

Rapidshare please.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 4:59 pm

GMER 1.0.14.14536 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-20 11:44:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 84994128 ZwAlertResumeThread
SSDT 84986858 ZwAlertThread
SSDT 84987698 ZwAllocateVirtualMemory
SSDT 849991A8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3A28A20]
SSDT 849B4CC8 ZwCreateMutant
SSDT 84990870 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3A28C90]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3A29350]
SSDT 8499D3E8 ZwFreeVirtualMemory
SSDT 849AE600 ZwImpersonateAnonymousToken
SSDT 849A2BD0 ZwImpersonateThread
SSDT 8498C3D8 ZwMapViewOfSection
SSDT 84986890 ZwOpenEvent
SSDT 8499D420 ZwOpenProcessToken
SSDT 849A13E0 ZwOpenThreadToken
SSDT 84A15EF8 ZwQueryValueKey
SSDT 8499D858 ZwResumeThread
SSDT 84991EA0 ZwSetContextThread
SSDT 84980CC8 ZwSetInformationProcess
SSDT 84991E30 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3A29580]
SSDT 849C1A28 ZwSuspendProcess
SSDT 84991E68 ZwSuspendThread
SSDT 8499CA28 ZwTerminateProcess
SSDT 84993D40 ZwTerminateThread
SSDT 8499C9F0 ZwUnmapViewOfSection
SSDT 8498A728 ZwWriteVirtualMemory

Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwCreateKey [0xF766FC8E]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF766FD13]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwOpenKey [0xF766FC10]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF766F999]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) IoCreateFile
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys (*** hidden *** ) [BOOT] fd5c49aced94763cd8b4c7ddb71bf468 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys 39936 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

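
Editor's note (added example, not part of the thread and not GMER's own code): the most informative line in this log is the value named "c" under the hidden service, which is a key=value configuration string. The script below splits it into fields, decodes the four ip_N integers to dotted quads and lists the hosts and ports the driver was configured to poll. The integers are decoded as little-endian (the native x86 layout of in_addr read back as a plain 32-bit integer); that byte order is an assumption, chosen because it puts ip_0, ip_1 and ip_2 in the same /16 whereas big-endian scatters them. Nothing in the thread confirms which order the driver used, so treat the decoded addresses accordingly.

```python
import socket
import struct
from datetime import timedelta

# Data of the registry value "c" under the hidden service, copied from the
# GMER log above and split across lines only for readability.
GMER_CONFIG = (
    "&registry_path=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\"
    "fd5c49aced94763cd8b4c7ddb71bf468"
    "&download_period=846000&first_download_delay=180&version=2"
    "&ip_0=586742989&port_0=7000&max_fails_0=5"
    "&ip_1=704183501&port_1=8300&max_fails_1=5"
    "&ip_2=2241985741&port_2=9002&max_fails_2=2"
    "&ip_3=1512966353&port_3=11234&max_fails_3=2"
    "&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468"
    "&path=system32\\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219"
    "&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859"
    "&first_skip=1"
)


def parse_kv(blob):
    """Split '&key=value&key=value' into a dict. Values in this sample contain
    backslashes, spaces and colons but no '&' or '=', so a plain split is safe."""
    cfg = {}
    for field in blob.split("&"):
        key, sep, value = field.partition("=")
        if sep:
            cfg[key] = value
    return cfg


def int_to_ipv4(n, little_endian=True):
    """Render a 32-bit integer as a dotted quad.
    ASSUMPTION: the driver stored in_addr.s_addr as a native x86 (little-endian)
    integer. That is the reading that puts ip_0..ip_2 in one /16; the thread
    itself does not say which order the author used."""
    return socket.inet_ntoa(struct.pack("<I" if little_endian else ">I", n))


def extract_download_hosts(cfg):
    """(ip, port, max_fails) for each of the ips_count configured servers."""
    return [
        (int_to_ipv4(int(cfg[f"ip_{i}"])), int(cfg[f"port_{i}"]), int(cfg[f"max_fails_{i}"]))
        for i in range(int(cfg["ips_count"]))
    ]


def summarize(blob=GMER_CONFIG):
    cfg = parse_kv(blob)
    return {
        "service": cfg["name"],
        "driver_path": cfg["path"],
        "install_time": cfg["idate"],
        "first_delay": timedelta(seconds=int(cfg["first_download_delay"])),
        "poll_interval": timedelta(seconds=int(cfg["download_period"])),
        "hosts": extract_download_hosts(cfg),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"service {s['service']} loads {s['driver_path']} (installed {s['install_time']})")
    print(f"first poll after {s['first_delay']}, then every {s['poll_interval']}")
    for ip, port, max_fails in s["hosts"]:
        print(f"  {ip}:{port}  (abandoned after {max_fails} failures)")
```

Two things worth reading off the result. idate=2009-01-14 08:34:47 is about eight minutes after the burst of files in c:\windows recorded in the DDS log (08:26), assuming both timestamps are in the same local time, which ties the hidden driver to the Spyware Guard 2008 drop rather than to anything that happened on the 20th. download_period=846000 seconds is 9 days 19 hours, so the driver polls rarely; checking firewall or proxy logs for the decoded addresses on the listed ports over that span is the practical way to tell whether it ever reached them.
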
Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 5:00 pm

Looks like it wasn't so big after all. The Rapidshare would not work.

Solved Re: Help for a girl who's not really computer savvy please.

Post by Belahzur on Tue Jan 20, 2009 6:47 pm

Hello.
Ha, that found the little bugger.
Run the GMER tool again, but follow these instructions this time.

Select the ">>>>>" tab
Click the CMD tab
In the top box paste the following.
gmer -del service fd5c49aced94763cd8b4c7ddb71bf468
Click Run
Let it finish.

When done, Copy and paste the results back here.


Solved Re: Help for a girl who's not really computer savvy please.

Post by Laurensum on Tue Jan 20, 2009 8:31 pm

OK, so I did the above. When it came time to paste the line above it wouldn't let me, so I typed it in manually, and this is the message that showed up in the lower box:
'gmer-del' is not recognized as an internal or external command,
operable program or batch file.


Post by Belahzur on Tue Jan 20, 2009 8:51 pm

Hello.
Because there is a space between gmer and -

gmerSPACE-del



Post by Laurensum on Tue Jan 20, 2009 9:05 pm

Command was successfully execute
This is all it copied. Was it not finished?


Post by Belahzur on Tue Jan 20, 2009 9:33 pm

I need the new log now to see if the rootkit is gone.



Post by Belahzur on Tue Jan 20, 2009 9:38 pm

Hello.
Never mind about the new log, I think it's gone now, but see if the avenger will run now and execute the script given.



Post by Laurensum on Tue Jan 20, 2009 10:00 pm

GMER 1.0.14.14536 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-20 16:59:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 84994128 ZwAlertResumeThread
SSDT 84986858 ZwAlertThread
SSDT 84987698 ZwAllocateVirtualMemory
SSDT 849991A8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3A28A20] <-- ROOTKIT !!!
SSDT 849B4CC8 ZwCreateMutant
SSDT 84990870 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3A28C90] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3A29350] <-- ROOTKIT !!!
SSDT 8499D3E8 ZwFreeVirtualMemory
SSDT 849AE600 ZwImpersonateAnonymousToken
SSDT 849A2BD0 ZwImpersonateThread
SSDT 8498C3D8 ZwMapViewOfSection
SSDT 84986890 ZwOpenEvent
SSDT 8499D420 ZwOpenProcessToken
SSDT 849A13E0 ZwOpenThreadToken
SSDT 84A15EF8 ZwQueryValueKey
SSDT 8499D858 ZwResumeThread
SSDT 84991EA0 ZwSetContextThread
SSDT 84980CC8 ZwSetInformationProcess
SSDT 84991E30 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3A29580] <-- ROOTKIT !!!
SSDT 849C1A28 ZwSuspendProcess
SSDT 84991E68 ZwSuspendThread
SSDT 8499CA28 ZwTerminateProcess
SSDT 84993D40 ZwTerminateThread
SSDT 8499C9F0 ZwUnmapViewOfSection
SSDT 8498A728 ZwWriteVirtualMemory

Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwCreateKey [0xF766FC8E]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF766FD13]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwOpenKey [0xF766FC10]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF766F999]
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) IoCreateFile
Code fd5c49aced94763cd8b4c7ddb71bf468.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys (*** hidden *** ) [BOOT] fd5c49aced94763cd8b4c7ddb71bf468 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fd5c49aced94763cd8b4c7ddb71bf468&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468&path=system32\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Tag 5
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@ImagePath system32\fd5c49aced94763cd8b4c7ddb71bf468.sys
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@DisplayName fd5c49aced94763cd8b4c7ddb71bf468
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security
Reg HKLM\SYSTEM\ControlSet002\Services\fd5c49aced94763cd8b4c7ddb71bf468\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\fd5c49aced94763cd8b4c7ddb71bf468.sys 39936 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

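The "Reg ...@c" line in the GMER log above is the driver's own configuration: a "&key=value" blob holding a download interval, a first-run delay and four "ip_N"/"port_N" pairs with the addresses stored as 32-bit integers. A responder usually wants those turned into dotted quads and ports so they can be searched for in proxy and firewall logs or blocked. The parser below is an added example written for this thread, not code from GMER or from the forum helpers. It copies the value verbatim from the log; the "&k=v" layout is taken from that line, and the byte order of the "ip_N" integers is not stated anywhere on the page, so the example is an assumption in that respect and decodes both orders rather than picking one.

```python
"""Decode the download configuration GMER dumped from the rootkit's service key."""
import ipaddress
import re

# Copied from the "Reg ...@c" line in the GMER log above (the ControlSet002 copy is identical).
GMER_REG_LINE = (
    "Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\fd5c49aced94763cd8b4c7ddb71bf468@c "
    "&registry_path=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\fd5c49aced94763cd8b4c7ddb71bf468"
    "&download_period=846000&first_download_delay=180&version=2"
    "&ip_0=586742989&port_0=7000&max_fails_0=5"
    "&ip_1=704183501&port_1=8300&max_fails_1=5"
    "&ip_2=2241985741&port_2=9002&max_fails_2=2"
    "&ip_3=1512966353&port_3=11234&max_fails_3=2"
    "&ips_count=4&name=fd5c49aced94763cd8b4c7ddb71bf468"
    "&path=system32\\fd5c49aced94763cd8b4c7ddb71bf468.sys&wmid=Dkh10219"
    "&idate=2009-01-14 08:34:47:250&last_download_time=2009-1-14 8:38:22.859&first_skip=1"
)

# GMER prints registry values as: Reg <key path>@<value name> <data>
REG_LINE_RE = re.compile(r"^Reg\s+(?P<key>[^\s@]+)@(?P<value>[^\s@]+)\s+(?P<data>.*)$")


def parse_reg_line(line):
    """Split a GMER 'Reg <key>@<value> <data>' line into (key path, value name, raw data)."""
    m = REG_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a GMER registry value line: %r" % line)
    return m.group("key"), m.group("value"), m.group("data")


def parse_kv_blob(data):
    """Parse the '&k=v&k=v' blob into a dict; the first occurrence of a key wins."""
    cfg = {}
    for chunk in data.split("&"):
        if not chunk:
            continue  # the blob starts with '&', which yields an empty first chunk
        key, _, value = chunk.partition("=")
        cfg.setdefault(key, value)
    return cfg


def int_to_ipv4(raw, byte_order):
    """Render a 32-bit integer as a dotted quad.

    byte_order is 'big' or 'little'. Which one the driver used is an assumption,
    since the log does not say; callers should look at both interpretations.
    """
    return str(ipaddress.IPv4Address(int(raw).to_bytes(4, byte_order)))


def extract_endpoints(line, byte_order="big"):
    """Return the configured download endpoints as dicts with ip, port and max_fails."""
    _, _, data = parse_reg_line(line)
    cfg = parse_kv_blob(data)
    endpoints = []
    for i in range(int(cfg.get("ips_count", "0"))):
        raw_ip = cfg.get("ip_%d" % i)
        if raw_ip is None:
            break  # ips_count claims more entries than the blob actually carries
        endpoints.append({
            "ip": int_to_ipv4(raw_ip, byte_order),
            "port": int(cfg["port_%d" % i]),
            "max_fails": int(cfg.get("max_fails_%d" % i, "0")),
        })
    return endpoints


def summarize(line):
    """Collect the timing and persistence fields a responder would note alongside the endpoints."""
    key, _, data = parse_reg_line(line)
    cfg = parse_kv_blob(data)
    return {
        "service_key": key,
        "driver_path": cfg.get("path"),
        "download_period_seconds": int(cfg.get("download_period", "0")),
        "first_download_delay_seconds": int(cfg.get("first_download_delay", "0")),
        "installed": cfg.get("idate"),
        "last_download": cfg.get("last_download_time"),
    }


if __name__ == "__main__":
    info = summarize(GMER_REG_LINE)
    print("driver:", info["driver_path"], "installed:", info["installed"])
    print("checks in every %.1f hours" % (info["download_period_seconds"] / 3600.0))
    for order in ("big", "little"):
        print("endpoints assuming %s-endian integers:" % order)
        for ep in extract_endpoints(GMER_REG_LINE, order):
            print("  %s:%d (give up after %d failures)" % (ep["ip"], ep["port"], ep["max_fails"]))
```

The ports (7000, 8300, 9002, 11234) are byte-order independent, so they make a reliable search term in outbound connection logs whichever way the addresses decode; the "download_period" of 846000 seconds (a little under ten days) tells the responder how rarely the driver would have been seen talking out, which is why a single scan window may miss it. The "registry_path" field pointing at ControlSet001 while GMER shows the key under both CurrentControlSet and ControlSet002 is also worth noting: clearing only the live control set leaves a copy that a "last known good" boot could restore.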


Post by Belahzur on Tue Jan 20, 2009 10:04 pm

Hmm, I think the rootkit may have returned.
Please run the gmer command again.

Then try the avenger using this script.

[You must be registered and logged in to see this link.]



Post by Laurensum on Tue Jan 20, 2009 10:09 pm

Command was successfully execute


Post by Laurensum on Tue Jan 20, 2009 10:13 pm

Avenger still didn't work.


Post by Laurensum on Tue Jan 20, 2009 10:22 pm

Now when I click on Avenger a black dialog box pops up but for only a second. This is different than earlier.


Post by Belahzur on Tue Jan 20, 2009 11:05 pm

Does it still block the avenger if you rename it?
Try that please.



Post by Belahzur on Tue Jan 20, 2009 11:17 pm

Hello.
Please disable Symantec, I think that is what is preventing the removal, as GMER is flagging part of Symantec as a rootkit.

If that fails, we can try to disable the rootkit.



Post by Laurensum on Tue Jan 20, 2009 11:35 pm

How do I go about disabling it? Should I remove anything with Symantec in it or remove anything with Norton in it? I went into my programs and didn't find one that was just named Symantec. Maybe I'm looking in the wrong place.


Post by Belahzur on Tue Jan 20, 2009 11:37 pm

Right click the Norton/Symantec icon in the tray in the corner and exit it so they are not active.



Post by Laurensum on Tue Jan 20, 2009 11:39 pm

Ok I figured it out. Now I'll try the Avenger again.


Post by Belahzur on Tue Jan 20, 2009 11:41 pm

I doubt the avenger will run while this rootkit is active.
Once Symantec is disabled, do the gmer command again.

If it's still there, open the "Services" tab in GMER and see if that randomly named rootkit service is there. If so, right click it > Disable.



Post by Laurensum on Tue Jan 20, 2009 11:48 pm

Would it be the one in red text?


Post by Belahzur on Tue Jan 20, 2009 11:51 pm

No.
Like you did with the CMD tab when you pressed the >>>> button, this time open the "Services" tab, and look for that randomly named rootkit we are trying to kill.
If we can disable it, we can delete it, because once it's disabled, all its effects should be temporarily stopped.



Post by Laurensum on Wed Jan 21, 2009 12:10 am

I'm not sure what I should be looking for as in the name. I didn't see any that caught my eye except the one in red text.


Post by Belahzur on Wed Jan 21, 2009 12:13 am

Look for this:
fd5c49aced94763cd8b4c7ddb71bf468



Post by Laurensum on Wed Jan 21, 2009 12:20 am

Well it was the red one. When I tried to disable it nothing happened. It says boot beside it and it is checked in when I right click on it. I scroll down to disable and it still says boot.


Post by Belahzur on Wed Jan 21, 2009 12:26 am

Let's see if we can run Combofix.

  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please rename Combofix.exe to Com-bo-fix.exe before we do anything.
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Post by Laurensum on Wed Jan 21, 2009 12:32 am

I was able to disable it from the first page of gmer where it shows you the problems. It says it was disabled successfully. Then I was told to reboot my computer. I restarted it. Is this the same as rebooting it?


Post by Belahzur on Wed Jan 21, 2009 12:34 am

Yes.
Reboot it and let me know if the avenger will stay open.
DO NOT use the avenger yet, I am going to make a custom script to remove this rootkit.
Just let me know if it will stay open.



Post by Laurensum on Wed Jan 21, 2009 12:42 am

I rebooted and checked gmer and it is definitely disabled. However the Avenger still won't stay open.


Post by Belahzur on Wed Jan 21, 2009 12:44 am

Probably the other infection too.
Please try to run Combofix.



Post by Laurensum on Wed Jan 21, 2009 1:27 am

I'm done with the Combofix and I have the post but it is too big for here and rapidshare still didn't work for me.


Post by Belahzur on Wed Jan 21, 2009 1:29 am

Break it up into parts.

Header and other deletions.
Files created within 30 days timedate.
Find3m
Reg loading points
Anything that's left.



Post by Laurensum on Wed Jan 21, 2009 3:10 am

ComboFix 09-01-19.05 - Compaq_Owner 2009-01-20 20:03:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.115 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Com-bo-fix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\temp.cab
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\recycler\ADAPT_Installer.exe


Post by Laurensum on Wed Jan 21, 2009 3:11 am

By the way, Spyware Guard 2008 hasn't shown back up yet. I think it's gone. Hopefully.
