Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: tymeris on August 08, 2012, 03:14:54 PM
-
Hey, about a week ago i noticed my videos skipping which they never did before. At the same time, my google chrome home page went to this gadgetbox search engine, which i'm somewhat sure it is some type of malware, spyware, virus, etc. I'm thinking it is all related and have been trying to get rid of it, but having difficulties. Went through your removal steps and the logs are attached. I appreciate you taken the time to look over this for me.
thanks
[year+ old attachment deleted by admin]
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First Verify your Java Version (http://www.java.com/en/download/installed.jsp)
If there are any other version(s) installed then update now.
Get the new version (if needed)
If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************************
Please download aswMBR.exe (http://public.avast.com/%7Egmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg)
Click the "Scan" button to start scan
Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)
On completion of the scan click save log, save it to your desktop and post in your next reply .
-
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-08 18:38:15
-----------------------------
18:38:15.078 OS Version: Windows 5.1.2600 Service Pack 2
18:38:15.078 Number of processors: 2 586 0x401
18:38:15.093 ComputerName: JOSTENS-3752BD5 UserName: Greg
18:38:16.687 Initialize success
18:39:43.015 AVAST engine defs: 12080801
18:39:49.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:39:49.437 Disk 0 Vendor: Maxtor_6L080M0 BANC1G10 Size: 76293MB BusType: 3
18:39:49.468 Disk 0 MBR read successfully
18:39:49.468 Disk 0 MBR scan
18:39:49.625 Disk 0 Windows XP default MBR code
18:39:49.640 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
18:39:49.656 Disk 0 scanning sectors +156232125
18:39:49.765 Disk 0 scanning C:\WINDOWS\system32\drivers
18:40:01.796 Service scanning
18:40:19.843 Service WRkrn C:\WINDOWS\System32\drivers\WRkrn.sys **LOCKED** 32
18:40:21.640 Modules scanning
18:40:38.031 Disk 0 trace - called modules:
18:40:38.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
18:40:38.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865e2ab8]
18:40:38.093 3 CLASSPNP.SYS[f767305b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86548d98]
18:40:38.421 AVAST engine scan C:\WINDOWS
18:40:40.468 AVAST engine scan C:\WINDOWS\system32
18:42:35.656 AVAST engine scan C:\WINDOWS\system32\drivers
18:42:46.265 AVAST engine scan C:\Documents and Settings\Greg
18:43:13.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Greg\Desktop\MBR.dat"
18:43:13.859 The log file has been saved successfully to "C:\Documents and Settings\Greg\Desktop\aswMBR.txt"
Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 2 x86
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Enabled!
Webroot SecureAnywhere
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````[/u]
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java(TM) 6 Update 33
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
````````Process Check: objlist.exe by Laurent````````[/u]
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````[/u]
-
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates including SP3.
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First Verify your Java Version (http://www.java.com/en/download/installed.jsp)
If there are any other version(s) installed then update now.
Get the new version (if needed)
If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
********************************************************
Update your Adobe Reader. get.adobe.com/reader (http://get.adobe.com/reader/).
Be sure to uncheck the Free McAfee Security Scan so it isn't installed.
***********************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
- Close any open windows and double click ComboFix.exe to run it.
You will see the following image:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)
Click I Agree to start the program.
ComboFix will then extract the necessary files and you will see this:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
-
Computer and internet runs better, but gadget box search comes up for my homepage instead of google chrome.
ComboFix 12-08-09.01 - Greg 08/09/2012 18:25:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.441 [GMT -7:00]
Running from: c:\documents and settings\Greg\My Documents\Downloads\ComboFix.exe
AV: Webroot SecureAnywhere *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D904}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\drvrtmp
c:\windows\system32\SET86A.tmp
c:\windows\system32\SET86E.tmp
c:\windows\system32\SET86F.tmp
c:\windows\system32\SET876.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
.
.
2012-08-09 22:05 . 2012-07-06 05:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-09 22:01 . 2012-08-09 22:01 -------- d-----w- c:\program files\Common Files\Java
2012-08-09 21:59 . 2012-08-09 21:59 -------- d-----w- c:\program files\Oracle
2012-08-09 21:58 . 2012-08-09 21:58 -------- d-----w- c:\documents and settings\Greg\Application Data\Oracle
2012-08-09 02:03 . 2012-08-09 02:03 -------- d-----w- c:\windows\Sun
2012-08-08 22:30 . 2012-07-06 05:06 772544 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-08 22:30 . 2012-07-06 05:06 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-08 22:29 . 2012-08-09 22:06 -------- d-----w- c:\program files\Java
2012-08-08 22:19 . 2012-08-08 22:19 -------- d-----w- c:\documents and settings\Greg\Application Data\Malwarebytes
2012-08-08 22:19 . 2012-08-08 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-08 22:19 . 2012-08-08 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-08 22:19 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-08 21:19 . 2012-08-08 21:19 -------- d-----w- c:\documents and settings\Greg\Application Data\SUPERAntiSpyware.com
2012-08-08 21:19 . 2012-08-08 21:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-08 21:19 . 2012-08-08 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-08-08 19:45 . 2012-08-08 19:45 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-08 19:43 . 2012-08-08 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{C243CCC8-5474-45FC-A546-7FBC284A692E}
2012-08-08 19:43 . 2012-08-08 19:43 -------- d-----w- c:\program files\PokerStars
2012-08-08 19:43 . 2012-08-08 19:43 -------- d-----w- c:\program files\Full Tilt Poker
2012-08-08 19:17 . 2012-08-08 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-08 19:14 . 2012-08-08 19:14 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\Mozilla
2012-08-08 19:14 . 2012-08-08 19:43 -------- d-----w- c:\program files\Mozilla Firefox(2)
2012-08-04 22:54 . 2012-08-08 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Codecv
2012-08-04 22:53 . 2012-08-08 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-07-31 01:11 . 2012-08-08 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-07-31 00:52 . 2012-08-08 19:44 -------- d-----w- c:\program files\Windows Media Connect 2
2012-07-31 00:50 . 2012-08-08 19:44 -------- d-----w- c:\windows\system32\drivers\UMDF
2012-07-26 20:34 . 2012-07-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2012-07-26 20:32 . 2012-07-26 20:32 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\LogiShrd
2012-07-26 19:51 . 2012-07-26 19:51 -------- d-----w- c:\documents and settings\Greg\Application Data\Leadertech
2012-07-26 19:49 . 2012-07-26 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2012-07-26 19:49 . 2012-07-26 19:49 -------- d-----w- c:\program files\Common Files\LWS
2012-07-26 19:48 . 2012-08-08 19:45 -------- d-----w- c:\program files\Common Files\LogiShrd
2012-07-26 19:48 . 2012-08-08 19:45 -------- d-----w- c:\program files\Logitech
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-20 03:19 . 2011-12-31 01:05 111632 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-10-20 03:19 . 2011-12-31 01:05 148664 ----a-w- c:\windows\system32\WRusr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_36A077139B0C249A 1D0302CB4777E5A0"="c:\documents and settings\Greg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-08-07 1229848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-25 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-07-07 688360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [12/30/2011 6:05 PM 111632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/8/2012 3:19 PM 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/8/2012 3:19 PM 22344]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [12/30/2011 6:05 PM 688360]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1770027372-682003330-1003Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-08 19:55]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1770027372-682003330-1003UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-08 19:55]
.
2012-08-09 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task a7bdb93d-80e0-4164-a618-c70a8b0ffdac.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-08-09 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task eb5ec252-fc1b-42cf-93ce-dd8192c608dc.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-09 18:28
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,5d,7b,c1,93,0f,c4,4a,af,69,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,5d,7b,c1,93,0f,c4,4a,af,69,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-08-09 18:30:23
ComboFix-quarantined-files.txt 2012-08-10 01:30
.
Pre-Run: 63,127,326,720 bytes free
Post-Run: 63,090,126,848 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5720FBBBD1130975F49B13C43763530B
-
but gadget box search comes up for my homepage instead of google chrome.
Do you mean that your homepage has been changed to something else?
Could you give me a screenprint of the gadget box?
How to post screenshots or images (http://www.computerhope.com/forum/index.php/topic,61232.0.html)
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
The first thing that comes up when I click on my google chrome shortcut is my homepage as this gadgetbox search engine. Another problem im having is when watching videos, they are fine in normal screen, but when I expand them they become distorted and begin to skip? What brought me to computer hope in the first place, but after chat with someone on this site came to conclusion it most likely was all related.
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EDD7A000
Module End: EDD92000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B32000
Module End: F7B34000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAllocateVirtualMemory
Address: F741DBA0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwAssignProcessToJobObject
Address: F741DD50
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwCreateThread
Address: F741DDD0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwDebugActiveProcess
Address: F741DC50
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwDeleteKey
Address: F741E470
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwDeleteValueKey
Address: F741E570
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwDuplicateObject
Address: F741D9B0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwOpenProcess
Address: F741E190
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwOpenSection
Address: F741E2A0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwOpenThread
Address: F741E060
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwProtectVirtualMemory
Address: F741DE60
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwSetContextThread
Address: F741DCD0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwSetValueKey
Address: F741E690
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwSystemDebugControl
Address: F741E410
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwTerminateProcess
Address: F741DFE0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwTerminateThread
Address: F741DEE0
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
Function Name: ZwWriteVirtualMemory
Address: F741DF60
Driver Base: F740E000
Driver End: F742C000
Driver Name: WRkrn.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
[year+ old attachment deleted by admin]
-
The first thing that comes up when I click on my google chrome shortcut is my homepage as this gadgetbox search engine.
If your homepage has been changed you can change it back to whatever you prefer. In your browser select Tools, Internet options and you can change your home page there. Just browse to the homepage you want and do the above.
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
I got the gadget box search engine off by doing what you said. My concern is how it became my homepage in the first place, but if that is all i needed to do then thank you. Now if you could help me with my video problem it would be greatly appreciated.
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=53a6dad5b864f143a427c44c0bb79dd9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-11 01:22:45
# local_time=2012-08-10 06:22:45 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=37781
# found=10
# cleaned=10
# scan_time=2312
C:\Documents and Settings\Greg\My Documents\Downloads\Setup.exe a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Greg\My Documents\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP592\A0036836.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP592\A0036838.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP593\A0036842.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP594\A0036844.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP594\A0036854.exe Win32/Adware.MultiPlug.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037104.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037105.dll Win32/GenUpdater application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037114.dll Win32/Adware.MultiPlug application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Greg\My Documents\Downloads\Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
C:\Documents and Settings\Greg\My Documents\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP592\A0036836.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP592\A0036838.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP593\A0036842.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP594\A0036844.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP594\A0036854.exe Win32/Adware.MultiPlug.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037104.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037105.dll Win32/GenUpdater application cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD49AEA9-7ABD-41D3-B299-1A321790F84D}\RP596\A0037114.dll Win32/Adware.MultiPlug application cleaned by deleting - quarantined
-
My concern is how it became my homepage in the first place, but if that is all i needed to do then thank you.
Every site wants to be your homepage. I could have been an infection or just something that you downloaded. A lot of "free stuff" is not really free if they hijack your homepage or want to install their toolbar. You have to be wary of that.
Now if you could help me with my video problem it would be greatly appreciated.
How much free space do you have on your harddrive? Click on "my Computer, right-click on the C drive and select Properties" and you should see the free space listed there. Also, please tell me the capacity of the harddrive.
-
57.9 GB free space, and 74.4 GB capacity
-
I would say that your computer is clean but I really can't figure out why you're having problems with the videos. Let's take a look at what's running.
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Colunms.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.