Weird things happen !
pg
PostPosted: Mon Dec 14, 2009 1:30 am    Post subject: Weird things happen !
Archived from groups: microsoft>public>security>virus, others

Last night everything was fine.

This morning all my browsers except Google Chrome are dead.

The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10.

After clicking them, nothing.

Checked under Task Manager: they are there, and taking a lot of CPU
resources, but stay in the background.

Killed those browsers and re-installed; still the same.

So I downloaded MBAM (Malwarebytes' Anti-Malware) and scanned.

After a scan, MBAM reported that there were 5 trojans, and I deleted
all 5 of them.

Rebooted the computer, and still the browsers (except Google Chrome)
refused to work.

Ran MBAM again; 3 more data entries in the Registry were found. Deleted
them again (report at the end of the message).

Rebooted.

Still the browsers can't run.

Downloaded Avast and Norton.

Norton won't run without downloading its virus definitions, but
something is blocking Norton from downloading them!!

Now Avast is downloading its virus definitions, VERY SLOWLY!

My 2 Mbps line is downloading at less than 2 kbps!!

I will run Avast after it finishes with the update.

BTW, is there any other package that I should run to check what
actually has happened to my computer?

Please help!

Attached: Report from MBAM

= = ==================================================

Malwarebytes' Anti-Malware 1.42
Database version: 3357
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2009 12:58:27 PM
mbam-log-2009-12-07 (12-58-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145847
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

= = ===========================================================
pg
PostPosted: Mon Dec 14, 2009 4:37 am    Post subject: Re: Weird things happen !
Archived from groups: microsoft>public>security>virus, others

Okay, thanks!!

On Dec 13, 11:47 pm, "David H. Lipman" wrote:
> From: "David H. Lipman"
>
> ADDENDUM:
>
> In addition, don't install BOTH Avast and Norton.  It is one or the other, and Avast is
> preferred, as it is contraindicated to install more than one fully installed AV application
> performing both "On Demand" and "On Access" scanning on any singular PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman
PostPosted: Mon Dec 14, 2009 6:32 am    Post subject: Re: Weird things happen !
Archived from groups: per prev. post

From: "pg"

| Last nite everything was fine.

| This morning all my browsers except Google Chrome are dead.

| The dead browsers are Microsoft IE, Firefox 3.5.5 and Opera 10.10

Kill all software on PC and perform a scan using Gmer.

http://www.gmer.net/#files


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman
PostPosted: Mon Dec 14, 2009 6:47 am    Post subject: Re: Weird things happen !
Archived from groups: per prev. post

From: "David H. Lipman"

ADDENDUM:

In addition, don't install BOTH Avast and Norton. It is one or the other, and Avast is
preferred, as it is contraindicated to install more than one fully installed AV application
performing both "On Demand" and "On Access" scanning on any singular PC.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
pg
PostPosted: Mon Dec 14, 2009 7:29 am    Post subject: Re: Weird things happen !
Archived from groups: per prev. post

On Dec 13, 11:47 pm, "David H. Lipman" wrote:
> From: "David H. Lipman"
>
> ADDENDUM:
>
> In addition, don't install BOTH Avast and Norton.  It is one or the other, and Avast is
> preferred, as it is contraindicated to install more than one fully installed AV application
> performing both "On Demand" and "On Access" scanning on any singular PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Report from GMER:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-07 18:53:38
Windows 5.1.2600 Service Pack 3
Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xF1B6F6B8]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateKey [0xF1B6F574]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDeleteValueKey [0xF1B6FA52]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDuplicateObject [0xF1B6F14C]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenKey [0xF1B6F64E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF1B6F08C]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenThread [0xF1B6F0F0]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwQueryValueKey [0xF1B6F76E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwRestoreKey [0xF1B6F72E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwSetValueKey [0xF1B6F8AE]

INT 0x62  ?  FCC112AC
INT 0x63  ?  FC8B2634
INT 0x73  ?  FC8B19B4
INT 0x83  ?  FCC61E54
INT 0x93  ?  FC89F754
INT 0xA3  ?  FC89AE54
INT 0xA4  ?  FCA1A6EC
INT 0xB1  ?  FCCAD2AC
INT 0xB4  ?  FCA4F6DC

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xF55E4000, 0x21F557, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT  C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MinEncryptionLevel  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Callback  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@CallbackNumber
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Comment  System Console
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@Domain
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InitialProgram
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@InputBufferLength  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardLayout  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@KeyboardName  \REGISTRY\Machine\System\CurrentControlSet\Services\Kbdclass
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxConnectionTime  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxDisconnectionTime  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MaxIdleTime  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console@MouseName  \REGISTRY\Machine\System\CurrentControlSet\Services\Mouclass
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinSt 
0C04FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452BA7FD869164D6794BA7FD869164D67949280D8D7302FCC58A748D546B25B4C46155CF1082839BBB035AF617C9A29E1029A17F42D6BA01A6D4C9CB21ED020702B0FA16D77ECFB4387C0CC76F86CF57FBE40C9DB3B38225F246CDD34483FA247A72CC483FC3EB1AA1B87E022C1ACF580D2D53F3E88A52DCB0EF3656E27F3A3B23991724AF89B00A2F50B8F99D482D40877D4AF954F2292143173213A5247371753086F197EE4DD6097EB8F56637B8E3BD758E51DFE0373EE852011B196F7C4DC5C7F100F5863979FF1722D98D305F646151F43D1390147987852CB35F12608702B093F0C02BF509BEC88C6DF3FF131D6430FBBF8D53759D0EA08796A18D810C390D97BB5AA87FA98E23ECFF4737BB8A0E82F5818DC26C7DA3161D739F1784149CD4CD6F5392FE0D92445CF6070BB5AD903ABB37B1033857E9424B8CC195255FB995EF6F8440C1F2A72746270EE3339BC81D380B15F275807D3B77F965F96D3579C3217301AD8A6D605C735B7D444C987481C808E722C5CC49DA9A849C55DA05BF50D85CFB9B3BBB208DD0D8C423756FE309D8D29A355818A182C3EDD859E6D0E365924D2D71FF69119F842088736FCE60411935B81948631DC1263118938C

---- EOF - GMER 1.0.15 ----
Back to top
ASCII
External


Since: Mar 01, 2009
Posts: 35



PostPosted: Mon Dec 14, 2009 9:49 am    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Imported from groups: alt>comp>anti-virus (more info?)

This message is not archived
Back to top
pg
External


Since: Dec 14, 2009
Posts: 6



PostPosted: Mon Dec 14, 2009 3:41 pm    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: microsoft>public>security>virus, others (more info?)

Dear Mr. Lipman,

Email sent, with attachments of the full GMER log (zipped), along with
OTL files (extra.zip, otl.zip), from my hotmail account.

Thank you very much !!

On Dec 14, 9:27 am, "David H. Lipman"
wrote:
> From: "pg"
>
> | On Dec 13, 11:47 pm, "David H. Lipman"
>
> | wrote:
> >> From: "David H. Lipman"
> >> ADDENDUM:
> >> In addition, don't install BOTH Avast and Norton.  It is one or the other, and Avast
> >> is
> >> preferred, as it is contrindicated to install more than one fully installed AV
> >> application
> >> performing both "On Demand" and "On Acess" scanning on any singular PC..
> >> --
> >> Davehttp://www.claymania.com/removal-trojan-adware.html
> >> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp
>
> | Report from GMER:
>
> | GMER 1.0.15.15279 -http://www.gmer.net
> | Rootkit scan 2009-12-07 18:53:38
> | Windows 5.1.2600 Service Pack 3
> | Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
> | \awtdapow.sys
>
> I have seen some logs but I haven't seen ...
> HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
>
> Shown so much in a Gmer log.
>
> Remove ~nospam~ from my posting address and send me the full Gmer log file.
>
> I will Ping Gmer and see what he says about it.
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.html
> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp
Back to top
David H. Lipman
External


Since: Jul 04, 2003
Posts: 2245



PostPosted: Mon Dec 14, 2009 4:27 pm    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

From: "pg"

| On Dec 13, 11:47 pm, "David H. Lipman"
| wrote:
>> From: "David H. Lipman"

>> ADDENDUM:

>> In addition, don't install BOTH Avast and Norton. It is one or the other, and Avast
>> is
>> preferred, as it is contrindicated to install more than one fully installed AV
>> application
>> performing both "On Demand" and "On Acess" scanning on any singular PC.

>> --
>> Davehttp://www.claymania.com/removal-trojan-adware.html
>> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

| Report from GMER:

| GMER 1.0.15.15279 - http://www.gmer.net
| Rootkit scan 2009-12-07 18:53:38
| Windows 5.1.2600 Service Pack 3
| Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \awtdapow.sys


I have seen some logs but I haven't seen ...
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

Shown so much in a Gmer log.

Remove ~nospam~ from my posting address and send me the full Gmer log file.

I will Ping Gmer and see what he says about it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Back to top
pg
External


Since: Dec 14, 2009
Posts: 6



PostPosted: Mon Dec 14, 2009 6:11 pm    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

What is weird now is even when I want to run Kaspersky's online virus
scan, I can't !

Kaspersky told me to deactivate my resident virus scan, I did, and
still the online scan won't run.

Susequently I removed the avast! virus scanner from my computer, and
still something is blocking Kaspersky's online virus scan !
Back to top
pg
External


Since: Dec 14, 2009
Posts: 6



PostPosted: Mon Dec 14, 2009 8:27 pm    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

On Dec 14, 2:45 pm, Virus Guy wrote:
> pg wrote:
> > What is weird now is even when I want to run Kaspersky's online
> > virus scan, I can't !  Kaspersky told me to deactivate my
> > resident virus scan, I did, and still the online scan won't run.
> > Susequently I removed the avast! virus scanner from my computer,
> > and still something is blocking Kaspersky's online virus scan !
>
> Now that you've wasted a lot of time, maybe you'll do what anyone should
> really do when they have a Windoze system infected with malware:
>
> Remove the hard drive and slave it to a second trusted system and run a
> scan on it.
>
> I don't know why anyone bothers to scan an infected PC while Windoze is
> running on it.  It's like trying to repair your car while it's moving
> with the engine running.


That is one thing you do not understand ...

Doing the above won't get rid of many types of malware / virus /
spyware

2 reasons:

Reason # 1, NTFS has some protection in place (or encryption, I dunno)
that prevent 3rd party to look into users' directory.

Which means, putting the infected drive as a slave drive and scan it,
the virus / malware scanner can NOT reach place like " \Documents and
Settings\Administrator\* " or even " \ Documents and Settings\UserA\*
"

If the virus hides itself in those directories (such as \Documents and
Settings\UserA\Local Settings\Temp\* ) then the virus scanner will
NEVER detected that virus


Reason #2, Some malware / virus / spyware has inserted some rogue
registries inside the registry file, putting that infected drive as a
slave drive and scan it will NEVER get rid of those rogue registries

As soon as the infected drive boots up, the virus will be activated by
the rogue registries again
Back to top
Virus Guy
External


Since: Aug 05, 2005
Posts: 452



PostPosted: Mon Dec 14, 2009 9:45 pm    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

pg wrote:

> What is weird now is even when I want to run Kaspersky's online
> virus scan, I can't ! Kaspersky told me to deactivate my
> resident virus scan, I did, and still the online scan won't run.
> Susequently I removed the avast! virus scanner from my computer,
> and still something is blocking Kaspersky's online virus scan !

Now that you've wasted a lot of time, maybe you'll do what anyone should
really do when they have a Windoze system infected with malware:

Remove the hard drive and slave it to a second trusted system and run a
scan on it.

I don't know why anyone bothers to scan an infected PC while Windoze is
running on it. It's like trying to repair your car while it's moving
with the engine running.
Back to top
kavery
External


Since: Dec 15, 2009
Posts: 1



PostPosted: Tue Dec 15, 2009 3:10 am    Post subject: Re: Weird things happen ! [Login to view extended thread Info.]
Archived from groups: alt>comp>anti-virus (more info?)

On Mon, 14 Dec 2009 20:27:28 -0800, pg wrote:

> On Dec 14, 2:45 pm, Virus Guy wrote:
>> pg wrote:

>>
>> Now that you've wasted a lot of time, maybe you'll do what anyone
>> should really do when they have a Windoze system infected with malware:
>>
>> Remove the hard drive and slave it to a second trusted system and run a
>> scan on it.
>>
>> I don't know why anyone bothers to scan an infected PC while Windoze is
>> running on it.  It's like trying to repair your car while it's moving
>> with the engine running.
>
>
> That is one thing you do not understand ...
>
> Doing the above won't get rid of many types of malware / virus / spyware
>

> As soon as the infected drive boots up, the virus will be activated by
> the rogue registries again

In that case you're better off formatting and re-installing. I've scanned
many infected systems, both by slaving the drive and by using a bootable
CD like UBCD4WIN. I've always been able to scan all users' directories up
to and including the browser cache and temp directories. UBCD4WIN has an
app that will let you clear all users' temp directories that works a
treat in a case like this. The only thing I could think of denying access
would be if the user made their home directory private. In that case they
may be out of luck.

Regedit has an option to load a remote registry so if you knew the
location of the rogue entries you could delete them that way. They
usually hang out in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\RunOnce. If they are in a different location, if you know
the name of what's infected the system, many AV vendors will offer this
information on their website. They'd have to know it to be able to scan
for it. If you can delete the entries in the registry there's a good
chance it won't start the next time the machine is booted.
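The offline-hive check described in the post above, as an added PowerShell example that is not part of the thread: it loads the slaved disk's SOFTWARE hive under a temporary key, lists every value in the two Run/RunOnce locations named above, and reports whether the program each entry points to still exists on the slaved disk. The drive letter E:, the temporary key name OfflineSW and running from an elevated prompt on the clean host are assumptions.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce autostart entries
# of a slaved Windows disk by loading its SOFTWARE hive. Nothing is deleted;
# review the listing and remove entries by hand in regedit if warranted.
# Assumptions: slaved disk mounted as E:, elevated PowerShell (reg.exe load/unload need admin).
$OfflineRoot = 'E:\WINDOWS'                                   # assumed mount point + Windows dir
$HivePath    = Join-Path $OfflineRoot 'system32\config\software'
$MountKey    = 'HKLM\OfflineSW'                               # temporary name for the loaded hive

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "SOFTWARE hive not found at $HivePath (is the slaved disk really E:?)"
}

# Load the offline hive; reg.exe returns non-zero if not elevated or the file is locked.
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); not elevated?" }

try {
    foreach ($Sub in 'Run', 'RunOnce') {
        $Key = "HKLM:\OfflineSW\Microsoft\Windows\CurrentVersion\$Sub"
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Props = Get-ItemProperty -LiteralPath $Key
        foreach ($Name in $Props.PSObject.Properties.Name) {
            if ($Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath metadata
            $Cmd = [string]$Props.$Name               # each value is a command line started at logon
            # Executable path: quoted first token, or the first whitespace-separated token.
            $Exe = if ($Cmd -match '^"([^"]+)"') { $Matches[1] } else { ($Cmd -split '\s+')[0] }
            # Remap the drive letter to the slaved disk so the existence check hits the offline copy.
            $OfflineExe = $Exe -replace '^[A-Za-z]:', $OfflineRoot.Substring(0, 2)
            [PSCustomObject]@{
                Key             = $Sub
                Name            = $Name
                Command         = $Cmd
                FileStillOnDisk = (Test-Path -LiteralPath $OfflineExe)
            }
        }
    }
}
finally {
    # Always unload, otherwise the hive file stays locked and the disk cannot be cleanly removed.
    & reg.exe unload $MountKey | Out-Null
}
```

Per-user Run/RunOnce keys live in each profile's NTUSER.DAT (under the user's directory on the slaved disk) and can be loaded and listed the same way. An entry whose FileStillOnDisk is False is exactly the case Dave Lipman describes further down: the key remains but can no longer start anything.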
David H. Lipman
External


Since: Jul 04, 2003
Posts: 2245



PostPosted: Tue Dec 15, 2009 6:43 am    Post subject: Re: Weird things happen !
Archived from groups: microsoft>public>security>virus, others (more info?)

From: "pg"



| That is one thing you do not understand ...

| Doing the above won't get rid of many types of malware / virus /
| spyware

| 2 reasons:

| Reason # 1, NTFS has some protection in place (or encryption, I dunno)
| that prevents 3rd parties from looking into users' directories.

| Which means, putting the infected drive as a slave drive and scan it,
| the virus / malware scanner can NOT reach place like " \Documents and
| Settings\Administrator\* " or even " \ Documents and Settings\UserA\*
| "

| If the virus hides itself in those directories (such as \Documents and
| Settings\UserA\Local Settings\Temp\* ) then the virus scanner will
| NEVER detect that virus


If the file is encrypted under NTFS it would be green.

One can easily "take ownership" of the areas blocked by insufficient permissions and scan
using a surrogate with an account with administrative rights.


| Reason #2, Some malware / virus / spyware has inserted some rogue
| registries inside
| the registry file, putting that infected drive as a
| slave drive and scan it will NEVER
| get rid of those rogue registries

| As soon as the infected drive boots up, the virus
| will be activated by the rogue registries again


Not true. If there is NO executable on the hard disk (that is, it was already removed),
the Registry entries can NOT resurrect the removed DLL or EXE.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Dave Cohen
External


Since: Oct 16, 2004
Posts: 59



PostPosted: Tue Dec 15, 2009 10:19 am    Post subject: Re: Weird things happen !
Archived from groups: per prev. post (more info?)

David H. Lipman wrote:
> From: "pg"
>
>
>
> | That is one thing you do not understand ...
>
> | Doing the above won't get rid of many types of malware / virus /
> | spyware
>
> | 2 reasons:
>
> | Reason # 1, NTFS has some protection in place (or encryption, I dunno)
> | that prevents 3rd parties from looking into users' directories.
>
> | Which means, putting the infected drive as a slave drive and scan it,
> | the virus / malware scanner can NOT reach place like " \Documents and
> | Settings\Administrator\* " or even " \ Documents and Settings\UserA\*
> | "
>
> | If the virus hides itself in those directories (such as \Documents and
> | Settings\UserA\Local Settings\Temp\* ) then the virus scanner will
> | NEVER detect that virus
>
>
> If the file is encrypted under NTFS it would be green.
>
> One can easily "take ownership" of the areas blocked by insufficient permissions and scan
> using a surrogate with an account with administrative rights.
>
>
> | Reason #2, Some malware / virus / spyware has inserted some rogue
> | registries inside
> | the registry file, putting that infected drive as a
> | slave drive and scan it will NEVER
> | get rid of those rogue registries
>
> | As soon as the infected drive boots up, the virus
> | will be activated by the rogue registries again
>
>
> Not true. If there is NO executable on the hard disk (that is, it was already removed),
> the Registry entries can NOT resurrect the removed DLL or EXE.
>
>
When oh when will people wise up and get an imaging program. I use
www.terabyteunlimited.com Image for Windows in addition to their regular
bootit product. These things go for around $35. Some people speak well
of Acronis and I've no doubt there is even free stuff on the web. The
advantage of IFW is it will run while you continue to use the system. I
still use Avira and take reasonable precautions of course. These days an
investment in one of the simple plug in usb external drives also makes
sense and I keep a number of backups.
FredW
External


Since: May 03, 2009
Posts: 30



PostPosted: Tue Dec 15, 2009 2:10 pm    Post subject: Re: Weird things happen !
Imported from groups: per prev. post (more info?)

This message is not archived
David H. Lipman
External


Since: Jul 04, 2003
Posts: 2245



PostPosted: Tue Dec 15, 2009 4:04 pm    Post subject: Re: Weird things happen !
Archived from groups: per prev. post (more info?)

From: "FredW"


| I use Macrium Reflect Free (4.2) on my Windows 7 64-bit.
| http://www.macrium.com/reflectfree.asp
| (just as good as Acronis.)
| The only "disadvantage" of this program is,
| that one needs to make a "recovery CD" to be able to restore.

| Backup (= image) and restore work fine, as I have found out.
| Wink

| --
| Fred W. (NL)

I use Ghost.

It is the ONLY Symantec product I swear by and not swear at. Smile

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
ImadoofusRU



Joined: Nov 15, 2006
Posts: 4



PostPosted: Mon Feb 22, 2010 9:53 am    Post subject:

I have had at least 6 PC's with this problem. MalwareBytes AntiMalware is great BUT you need to DL & run SUPERantispyware then do the MalwareBytes scan. SUPERantispyware is one program I bought immediately after it fixed all PC's.
h**p://www.superantispyware.com/download.html