Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: safer-networking.org doesn't show up at all

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    7

    Default safer-networking.org doesn't show up at all

    Recently I've been getting some signs of malware on my PC. my suspicions were confirmed when Google started redirecting me. I went to download Spybot, and it showed up that safer-networking.org simply won't load. After trying 50 different links to the site and refreshing multiple times, it won't load. I tried on my laptop and other PC, and it works perfectly fine.

    I'm in a bit of a predicament because I'm not sure if Hijack This will pick up on what's going on because it's not downloading or installing anything, and I can't download Spybot to find and or get rid of the thing at all.

    I've even put the Spybot program on an external hard-drive (Downloaded from my other PC), brought it over to this one, and no luck.

    I'm completley lost.

    Never mind, I had a stupid moment and didn't read at all what HJT does. Here'e the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:59 PM, on 8/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\UMonit2K.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\PixArt\PAC7302\Monitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smashfan.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jean-Marie Steele')
    O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'Jean-Marie Steele')
    O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Jean-Marie Steele')
    O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Jean-Marie Steele')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - S-1-5-21-3172048194-4239167596-3374511373-1008 Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Jean-Marie Steele')
    O4 - S-1-5-21-3172048194-4239167596-3374511373-1008 User Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Jean-Marie Steele')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133540938156
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.197.197.250/activex/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.co...x/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FEC50229-E70A-4BB6-BE09-EE2DACD2F08B}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 13621 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You must have read and followed the "Before you Post" instructions.

    At the least you are hacked by criminals form the Ukraine:
    http://whois.domaintools.com/85.255.112.107

    These infections can be tough to remove, so do not expect fast or easy. If that works for you we will start like this.

    1) Please do not enable TeaTimer while we work together.

    2) Download Malwarebytes' Anti-Malware to your Desktop
    http://www.malwarebytes.org/

    http://www.besttechie.net/mbam/mbam-setup.exe <<< download

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Tutorial if needed:
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    3) Post also an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    7

    Default

    Malwarebytes.org has also been blocked.

    Both links show up as broken pages, where as on my other PC, they work fine.

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Use the link to the download I provided. "Save this file now"

    Save it to the Desktop and before you save it change the file name to manofsteele.exe Then run it as instructed.

    If you can't do that, download it to a clean computer and bring it to the infected one. Install on the Desktop and rename if necessary.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    7

    Default

    Unfortunately, Malwarebytes itself will not run. I went to another PC, brought the re-named installer over to my desktop, installed it, and it will not launch at all.

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    You understand it is the junk the hacker put on the computer that is stopping the tool from running. Did you try renaming the installer as I suggested? You can also try booting to safe mode and running it there.

    http://spyware-free.us/tutorials/safemode/

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    7

    Default

    Sorry for the delay.

    Even with the re-named installer (manofsteele.exe as you suggested) in safe mode, Malwarebytes will not run.

    I tried running it while in safe mode, but it would not run. I uninstalled it, and re-installed it while in safe mode, and it would still not run.

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    1) This tool will look for a Rootkit infection.
    Download it to your Desktop
    ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    Double click the fsbl.exe and accept the agreement
    Click NEXT...then Scan
    BlackLight will Scan for hidden items
    If anything is found save the report and post it.
    Items found may be valid so do not remove anything.

    2) Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your Desktop.

    Post the contents of GMER.txt in your next reply.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Aug 2009
    Posts
    7

    Default

    Nothing was found in the FSBL program, but I saved the log just in case you need it later.

    Here's the GMER Log:

    GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-10 20:12:57
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    Code 8304CD60 ZwEnumerateKey
    Code 8303F3E0 ZwFlushInstructionCache
    Code 83020246 IofCallDriver
    Code 8301F276 IofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8302024B
    .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8301F27B
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8304CD64
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8303F3E4

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat EE2FAD20
    Device \FileSystem\Fastfat \Fat EE3018C1

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll

    ---- Files - GMER 1.0.15 ----

    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBook 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBookApp 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBookPrint 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\aimToolkit 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\bfts 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\boxelyrenderer 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\boxelyToolkit 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\compression 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\htmlRenderer 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\http 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\imApp 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\localStorage 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\miniXML 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\notification 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\os 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\osInfo 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\preferences 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\security 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\softwareUpdate 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\sync 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\toaster 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\urlData 0 bytes
    File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\urlDispatcher 0 bytes

    ---- EOF - GMER 1.0.15 ----

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed

    Please continue as follows:

    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    http://www.bleepingcomputer.com/forums/topic114351.html
    Remember to re-enable them afterwards.

    Click Yes to allow ComboFix to continue scanning for malware.

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    When the tool is finished, it will produce a report for you. Post that report and a new HJT log

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •