-
It looks like we need another option. The same thing happened. GMER appears to have run successfully, and promptly rebooted the system when it appeared to be done. (I was watching, and it really looked like it went through everything.) I did a Windows search for ark.txt in case there was a log written to some random place on the hard drive, but no dice. No log to be found anyway.
No alerts about rootkit activity at any point while it ran.
Should I run defogger to enable those drivers I disabled earlier?
What next?
-
Let SuperAntiSpyware remove these
-Adware.TrackingCookie [ 14 items ]
-Adware.Vundo/Variant-EC [ 1 items ]
-Adware.Vundo/Variant-Senorita [ 1 items ]
-Adware.Vundo/Variant-Variant-Yx [ 3 items ]
Go to MSCONFIG and re-enable your updates
Yes, go ahead and re-enable your CD drivers
If GMER won't run it won't run. Have you tried running it in Safemode?
To Enter Safemode
- Go to Start > Shut off your Computer > Restart
- As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
- Use the Up and Down arrow keys to scroll up to Safemode
- Then press the Enter key on your keyboard
Tutorial if you need it: How to boot into Safemode
You can try this other one but it may not give me the info I am looking for
Please download RootRepeal from one of these locations and save it to your desktop
Here
Here
Here
-
Which entries in MSConfig were you referring to? You mean the Spybot TeaTimer? Or Windows Updates?
I have run defogger and re-enabled the CD emulators successfully.
I've tried GMER in safemode. It won't fit on the screen! I can't even see the scan button when the GMER window is maximized. Is it possible to run this tool via commandline? I'd be happy to try that in safemode.
Here's the log from RootRepeal:
----
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/17 10:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB97AF000 Size: 49152 File Visible: No Signed: -
Status: -
==EOF==
-
Well, it looks like with what you can and cannot run on this system that this is about as far as we can go. How are things running now?
-
Well, as the saying goes, where there's a will, there's a way. And I found the way around the resolution problem in safe mode with GMER. The scan has been running for the last 3 and a half hours, so clearly it wasn't finished all those times when it rebooted. I hope to have a GMER log for you by this evening. Once it's done and I've posted it, I'll report back on the current state of the system.
-
Well, it ran to completion in safe mode, and I'm a little disappointed with what I'm seeing in the log that it saved. Is this all I should have expected to see? I had to step out for a while this evening, so I wasn't here when it completed. Hopefully no news is good news. (See below.)
One thing I have noticed when I boot up in normal mode is I see a couple of RUN DLL Error Messages at start up:
"Error loading c:\windows\system32\gobiheyi.dll"
"Error loading c:\windows\system32\fimuwaho.dll"
and another error about ctmbha.dll, something about a DLL initialization routine failing. Is this related to the Vundo stuff I had SUPERAntiSpyware remove? Perhaps it forgot to remove those entries from the registry some place?
Surprisingly short GMER Log:
----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 00:10:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\ufddaaog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \FileSystem\Fastfat \Fat B9C83D20
---- EOF - GMER 1.0.15 ----
-
Another thing. I just noticed a log file called hs_err_pid318784.log on my desktop (my desktop is cluttered, it was easy to overlook), with a modification date from around the time of my PC's infection. Looking at it in notepad, the header information says "An unexpected error has been detected by Java Runtime Environment: EXCEPTION_ACCESS_VIOLATION (0Xc0000005) ..." Would you be interested in looking at this?
Testing SpyBot to see if it was working, it reported a couple of registry entries under Virtumonde.prx, and another under Virtumonde.sdn. I selected some reported tracking cookies to fix, and Spybot crashed again, as it did before.
-
Morning,
hs_err_pid318784.log <--I have no idea what this is, it won't even Google, you can post it if you wish.
GMER looks ok.
Run RSIT and lets see if we can find the reg entries that need to be removed to stop those errors
Random System Information Tool
- Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
-
ctmbha.dll <--This is related to your soundcard drivers and looks like other people are fixing it by reinstalling the software for this
Creative/SoundBlaster Software and Drivers
In lieu of RSIT, run this quick scan
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- Click the Look button to start the scan.
- When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
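The SystemLook `:reg` block above just dumps the two Run keys for a human to read. As an added example (not from this thread and not part of SystemLook), the PowerShell script below reads the same two keys, works out which file each value launches, and flags entries whose target is no longer on disk. That is the usual cause of "Error loading c:\windows\system32\<name>.dll" dialogs at logon: a cleanup tool deletes the DLL but leaves the rundll32 entry behind. The function names `Get-LaunchTarget` and `Get-RunEntry` are made up for this example; the two key paths are the ones from the SystemLook block.

```powershell
# Added example: audit the per-user and machine-wide Run keys and report
# entries whose launch target is missing from disk (orphaned autoruns).

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-LaunchTarget {
    # Pull the file a Run value actually loads out of its command line.
    param([string]$Command)

    # rundll32 entries name the DLL as the first argument, e.g.
    #   rundll32.exe "C:\WINDOWS\system32\example.dll",DllEntry   (constructed)
    if ($Command -match '(?i)rundll32(\.exe)?\s+"?([^",]+)') {
        return $Matches[2].Trim()
    }
    # Quoted executable path: "C:\Program Files\App\app.exe" /args
    if ($Command -match '^\s*"([^"]+)"') {
        return $Matches[1]
    }
    # Unquoted path, possibly containing spaces: stop at the first extension.
    if ($Command -match '(?i)^\s*(.+?\.(exe|dll|cmd|bat|vbs))(?=\s|$)') {
        return $Matches[1]
    }
    return ($Command -split '\s+')[0]
}

function Get-RunEntry {
    # Emit one object per Run value with the resolved target and an OnDisk flag.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds.
            if ($p.Name -like 'PS*') { continue }
            $target   = Get-LaunchTarget -Command ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $expanded
                OnDisk  = (Test-Path -LiteralPath $expanded)
            }
        }
    }
}

# Full listing (what SystemLook shows), then only the orphaned entries.
Get-RunEntry | Format-Table Name, OnDisk, Command -AutoSize
"--- Entries whose target is missing on disk ---"
Get-RunEntry | Where-Object { -not $_.OnDisk } | Format-List Key, Name, Command
```

On a Windows XP SP3 machine like the one in this thread this needs Windows PowerShell 2.0 installed first; on current Windows it runs as is, and a 64-bit system would also want the `Wow6432Node` Run key added to `$runKeys`. An entry that shows `OnDisk = False` and names a file in `system32` that no longer exists is the registry value to remove (after confirming nothing legitimate still depends on it); an entry that shows `OnDisk = True` but points at a random eight-letter DLL in `system32` is a file that still deserves a look rather than a value to delete.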