#46
Ok it ran so long last night that I couldn't stay awake any longer waiting on it. This is what it said this morning. Hope it is right this time.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-10 06:02:26
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\BRYANW~1\LOCALS~1\Temp\kxtdqpow.sys

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
#47
Yes that looks very good. We have removed the rootkit.
Download Malwarebytes' Anti-Malware from here or here.
Double-click on mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Please do so.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please copy and paste the entire report in your next reply.

Before I forget, this computer has been infected with the Sony Rootkit. See here and here for more information. I do not help with this issue however. It is between you and Sony. Please defer any action until we have finished here.
#48
Malwarebytes' Anti-Malware 1.41
Database version: 3142
Windows 5.1.2600 Service Pack 2

11/10/2009 4:08:49 PM
mbam-log-2009-11-10 (16-08-49).txt

Scan type: Quick Scan
Objects scanned: 104409
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4cbcc4e2-073c-4109-a719-458d8cf9900e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.mfc\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.crt\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Log\2007 Aug 28 - 07_20_41 PM_839.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Log\2007 Aug 28 - 07_20_43 PM_691.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Log\2007 Aug 29 - 04_45_01 PM_950.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Log\2007 Aug 29 - 04_45_08 PM_259.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bryan Wesley\Application Data\RegistrySmart\Registry Backups\2007-08-28_19-23-59.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

I noticed a lot of stuff dealing with the registry in this log. I have the Registry Mechanic Version 5.1 on the PC. Is there a problem with this software? Should I scan it with the MBAM?
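A helper reading a pasted MBAM log like the one above normally checks two things by eye: that the per-section summary counts match the detail entries, and that every entry's action is "Quarantined and deleted successfully." rather than something still pending a reboot. The following script does that check automatically. It is an added example, not code from the thread or from Malwarebytes; the sample log inside it is constructed in the MBAM 1.41 format shown above, with made-up counts and one invented "Delete on reboot." entry so that the checker has something to flag.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.41 log format used in the thread.
# Counts and entries are made up for the example; the last entry uses a
# non-final action so the checker has something to report.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3142
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 104409
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example-constructed.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Greedy item group so the LAST "(family)" before "->" is taken; this keeps
# registry values such as "...\(default)" intact in the item field.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

FINAL_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (summary counts by section, detail entries by section)."""
    summary, details, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            details.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            details[section].append(m.groupdict())
    return summary, details


def triage_mbam(text):
    """Cross-check summary counts against entries and list anything not final."""
    summary, details = parse_mbam_log(text)
    mismatches = {s: (summary.get(s), len(items))
                  for s, items in details.items() if summary.get(s) != len(items)}
    entries = [e for items in details.values() for e in items]
    return {
        "total": len(entries),
        "mismatches": mismatches,                       # section -> (claimed, listed)
        "families": dict(Counter(e["family"] for e in entries)),
        "pending": [e["item"] for e in entries if e["action"] != FINAL_ACTION],
        "reboot_needed": any("reboot" in e["action"].lower() for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage_mbam(SAMPLE_MBAM).items():
        print(f"{key}: {value}")
```

A non-empty "pending" list or a "mismatches" entry is the cue to ask the poster to reboot and rescan before calling the machine clean; the "families" count is a quick way to see that, as in the log above, most hits belong to a single rogue product rather than to many unrelated infections.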
#49
One last check for any malware that might be lurking and if all is good, you can try to reinstall Kaspersky again but please wait until I have seen the results and commented on them.

Go here and download ATF cleaner. Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program and go here -> http://www.eset.com/onlinescan and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan).
If you accept the Terms of Use, check the box and click Start.
After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready.
Next, check the following boxes:
Remove found threats
Scan unwanted applications
Click Start. This scan may take a while, so please be patient.
Go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt. Click Edit - Select All then copy/paste that log back here.

Also tell me if you still have any issues such as redirects etc.
#50
Having trouble with this part: "Go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt. Click Edit - Select All then copy/paste that log back here. Also tell me if you still have any issues such as redirects etc."
#51
Ok, open My Computer and double-click on the C icon. Next double-click on Program Files and again on the EsetOnlineScanner directory. You should find a log inside it. Copy and paste the contents in this topic.
Also tell me how your computer is running. Does everything seem quite normal?
#52
Ok I think this is it.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2c70c59144ad0848b4d3e8108259833c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-11 02:40:42
# local_time=2009-11-10 08:40:42 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102529
# found=20
# cleaned=20
# scan_time=2987
C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Microsoft AData\sysinet.dll.vir a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Smart Protector\smrtprt.exe.vir a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Smart Protector\uninstalls.exe.vir a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\lastmon.dll.vir probably a variant of Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsc.exe.vir a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP10\A0003964.dll probably a variant of Win32/BHO.NKS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP10\A0004119.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP5\A0001048.exe a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP5\A0001049.exe a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP5\A0001050.dll a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0002125.dll Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0002126.exe Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0002127.exe Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0003570.dll a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0003572.exe a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0003573.exe a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0003579.exe a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\$sys$filesystem\crater.sys probably a variant of Win32/DNSChanger trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Computer seems to be running fine to me.
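Most of the twenty hits in the ESET log above are not live infections: they sit either in ComboFix's own quarantine folder (C:\Qoobox\Quarantine) or in System Restore points (System Volume Information\_restore...), both of which hold copies that were already neutralised by earlier steps. The entries worth a second look are the ones at live paths, such as the two $sys$filesystem files. The script below, an added example and not the thread's or ESET's own code, parses the pasted log format (the "# key=value" header followed by one detection per line), confirms that found, cleaned and the number of parsed entries agree, and splits the detections by location. The sample log is constructed from a handful of the entries above with the header counts set to match; the real log.txt is assumed to separate fields with tabs, which the parser also accepts.

```python
import re
from collections import Counter

# Constructed sample in the pasted form seen in the thread (fields separated
# by spaces). Header counts are set to match the five entries below, not the
# thread's full log.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# scanned=102529
# found=5
# cleaned=5
C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsc.exe.vir a variant of Win32/Kryptik.BAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP9\A0002125.dll Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\$sys$filesystem\crater.sys probably a variant of Win32/DNSChanger trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Path ends at a file extension; the threat text always starts with one of
# ESET's fixed phrases, which is what lets paths containing spaces be split
# from the detection name without a tab separator.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?Win32/.+?)\s+"
    r"\((?P<action>[^()]+)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+"
    r"(?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Return (header dict, list of entry dicts, list of unparsed path lines)."""
    header, entries, unparsed = {}, [], []
    for raw in text.splitlines():
        line = re.sub(r"\t+", " ", raw).strip()  # assumed: real log.txt is tab-separated
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        if not re.match(r"[A-Za-z]:\\", line):
            continue  # preamble lines such as "OnlineScanner.ocx - registred OK"
        m = ENTRY_RE.match(line)
        (entries.append(m.groupdict()) if m else unparsed.append(line))
    return header, entries, unparsed


def classify(path):
    """Where a detection lives decides how much it matters."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"   # already removed from its original place by ComboFix
    if r"\system volume information\_restore" in p:
        return "restore_point"         # inert copy in a System Restore snapshot
    return "live"


def triage_eset(text):
    header, entries, unparsed = parse_eset_log(text)
    found = int(header.get("found", -1))
    cleaned = int(header.get("cleaned", -1))
    return {
        "finished": header.get("end") == "finished",
        "found": found,
        "cleaned": cleaned,
        "parsed": len(entries),
        "counts_consistent": found == cleaned == len(entries) and not unparsed,
        "by_location": dict(Counter(classify(e["path"]) for e in entries)),
        "live_paths": [e["path"] for e in entries if classify(e["path"]) == "live"],
        "not_cleaned": [e["path"] for e in entries if not e["action"].startswith("cleaned")],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage_eset(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on the full log from the post, "by_location" would show most hits under restore_point and combofix_quarantine and only three under live, which is the same conclusion the helper reaches by reading it; "counts_consistent" being false, or "not_cleaned" being non-empty, would be the reason to ask for another pass before reinstalling the antivirus.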
#53
Ok, that's fine. Try reinstalling Kaspersky now. If you get any error messages, make sure you write them down and post them here. Let me know how you get on.
#54
Kaspersky loaded just fine. Is it safe to do Windows updates? I also have the little yellow shield at the bottom right-hand corner saying that updates are ready for my computer. Is it safe to do that? Also I have the older version of Internet Explorer. Would it be safe to upgrade to Internet Explorer 8?
Last edited by rebsfan4; November 11th, 2009 at 04:43 AM.
#55
Yep, that's fine rebsfan4 and you are good to go now.
You can uninstall ComboFix, it's done its job. To do this, go to Start > Run and type: combofix /uninstall and hit Enter. DDS and Gmer can just be deleted providing you have rebooted since you last ran Gmer. You might as well keep MBAM, just remember to update it before you run it again. Click on the link in my signature ("How to help prevent re-infection") for some suggestions on avoiding future problems of this nature.
#56
OK. I don't know how to thank you for all the help you have so patiently provided me with. You are one fantastic person. I will be getting a subscription very soon with you all. It's the very least I can do. The small amount of money is nothing in comparison to what you have done for me!!!!!! I have told everybody I work with what you have been doing for me. I will continue to tell as many people as I can about this website and the amazing people who help run it!!!! If you weren't so far away, I would give you a huge hug!!!! Thank you so very, very, very much once again!!!
#57
It was my pleasure rebsfan4 and we certainly appreciate support for our site.
#58
Just a few more questions. I did the upgrade to IE8. Was wondering if this update automatically replaces the older IE in the downloaded programs, cause I don't see the older version on the compiled list it pulls up. Also when I was looking I saw where ESET online scanner was downloaded. Was wondering if I should remove it from the downloaded programs?
#59
If you are running short of disk space, by all means uninstall Eset; however, there is no need to otherwise. You may wish to use it again sometime.