My dad was experiencing some hard drive thrashing on his computer recently, so last night I had him install Malwarebytes' Anti-Malware and SUPERAntiSpyware, and ran a scan of the C: drive with each. SUPERAntiSpyware found no problems, but Malwarebytes' found one. I will paste the log below.
Malwarebytes' Anti-Malware 1.44
Database version: 3539
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865
1/11/2010 6:56:08 AM
mbam-log-2010-01-11 (06-56-08).txt
Scan type: Full Scan (C:\|D:\|J:\|K:\|)
Objects scanned: 403319
Time elapsed: 2 hour(s), 23 minute(s), 32 second(s)
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6002.18005_lt-lt_bf12ba06fdc0c65b_msimsg.dll.mui_72e8994f (Trojan.Dropper) -> Quarantined and deleted successfully.
I had not heard of Trojan.Dropper before, so I am just curious -- do any of you recommend that he does more than this? I know that sometimes trojans can be hard to get rid of for good. I can have him install HijackThis and post a log here, if you feel that would be helpful.
Since he ran this scan, he said the hard drive still does some thrashing, but not as much as it was doing before. I don't have much experience with hard drive thrashing, but from the research I've done on the net, it sounds like it could be caused by any number of things, so I'm not really sure what else to do. He's running Windows Vista, so I'm wondering if this has anything to do with it. (I still run XP on my computers.)
As always, any help or suggestions are greatly appreciated.
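Added example, not part of the thread: a small parser for the Malwarebytes' Anti-Malware 1.x log format shown above. It splits the log into its header fields and its "... Infected:" sections, turns each detection line into a record (target, detection name, action taken), and reports which items were actually quarantined versus left in place, which is the first thing to check before deciding whether a follow-up scan is needed. The embedded log is the one posted in this thread; the "removed" heuristic (action starts with "Quarantined") is an assumption of this example, not Malwarebytes' own status scheme.

```python
import re
from dataclasses import dataclass, field

# Log text as posted in the thread above. The 1.x format is a product line,
# "Key: value" header lines, then "<Section> Infected:" headers followed by
# either "(No malicious items detected)" or one detection per line.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3539
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865
1/11/2010 6:56:08 AM
mbam-log-2010-01-11 (06-56-08).txt

Scan type: Full Scan (C:\|D:\|J:\|K:\|)
Objects scanned: 403319
Time elapsed: 2 hour(s), 23 minute(s), 32 second(s)

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6002.18005_lt-lt_bf12ba06fdc0c65b_msimsg.dll.mui_72e8994f (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")
# "<target> (<detection name>) -> <action>."  The target may itself contain
# dots and underscores, so it is matched lazily up to the last "(name) ->".
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


@dataclass
class Detection:
    section: str
    target: str
    name: str
    action: str

    @property
    def removed(self) -> bool:
        # Assumption of this example: only an action that starts with
        # "Quarantined" counts as handled; anything else (e.g. no action taken,
        # or deferred to reboot) is reported as still needing attention.
        return self.action.lower().startswith("quarantined")


@dataclass
class MbamReport:
    product: str = ""
    fields: dict = field(default_factory=dict)
    sections: dict = field(default_factory=dict)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    current = None  # name of the section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            report.sections.setdefault(current, [])
            continue
        if current is None:  # still in the header
            if not report.product:
                report.product = line
                continue
            f = FIELD_RE.match(line)
            if f:
                report.fields[f.group("key")] = f.group("value")
            continue
        if line == NO_ITEMS:
            continue
        im = ITEM_RE.match(line)
        if im:
            report.sections[current].append(
                Detection(current, im.group("target"), im.group("name"), im.group("action")))
        else:
            # Unrecognised line inside a section: keep it rather than drop it silently.
            report.sections[current].append(Detection(current, line, "?", "?"))
    return report


def all_detections(report: MbamReport) -> list:
    return [d for items in report.sections.values() for d in items]


def is_clean(report: MbamReport) -> bool:
    return not all_detections(report)


def pending(report: MbamReport) -> list:
    """Detections the scanner reported but did not quarantine."""
    return [d for d in all_detections(report) if not d.removed]


def summary(report: MbamReport) -> list:
    lines = [f"{report.product}, database {report.fields.get('Database version', '?')}, "
             f"{report.fields.get('Objects scanned', '?')} objects scanned"]
    for section, items in report.sections.items():
        lines.append(f"{section}: {len(items)}")
    for d in all_detections(report):
        lines.append(f"  [{d.name}] {d.target} -> {'removed' if d.removed else 'STILL PRESENT'}")
    return lines


if __name__ == "__main__":
    for line in summary(parse_mbam_log(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see the summary for the thread's log; point `parse_mbam_log` at the contents of a saved `mbam-log-*.txt` for a real one. Anything listed by `pending()` is a reason to re-scan after the reboot rather than assume the machine is clean.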
That's a good start... follow these instructions and let us have a look at all of the logfiles... do run Malwarebytes again, in the order below... (Trojan.Dropper refers to a trojan that puts, or drops, malware into the computer... it's a generic term and could be any one of hundreds of trojans)
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner4.exe
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode. To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under the General and Startup tab, make sure the "Start SUPERAntiSpyware when Windows starts" option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program. Post SUPERAntiSpyware log. NOTE: Tracking cookies can be omitted from the log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop. (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
3. Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When the scan is completed, click the Save button, and save the results as gmer.log.
Warning! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
Sorry I haven't replied for a few days. Been waiting for my dad to have time to run those scans.
Broni - by hard drive thrashing, I mean the hard drive constantly being accessed. The hard drive light is on a LOT on his computer, and the computer runs slow because of it. He says since running the initial scan of Malwarebytes it's been better, but it hasn't stopped completely. I told him it might be something to do with Windows Vista. I still run XP Pro, so I wasn't sure what to recommend about the thrashing, other than running Malwarebytes. When it found the trojan, I suspected the trojan might be causing the thrashing.
He ran SUPERAntiSpyware in safe mode. Here is the log. All of the threats it detected were cookies, so I did not post that part of the log.
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
He then tried to run GMER.exe, but before the scan would finish, he would get the blue screen of death, and then his computer would reboot itself. He took a picture of the blue screen of death, and I have posted it to my flickr page:
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, I sent your post to my dad, but he was not comfortable running Combofix. I had been helping him do almost everything prior by taking control of his machine remotely, but I wouldn't be able to do that when it comes to Combofix, because it would shut off his internet connection. He is not very comfortable doing this kind of thing on computers, and was afraid that it might mess something up on his computer worse than it is now.
So, I told him to at least run HijackThis and send me that log. I have pasted it below. Because he would not run Combofix, I understand if no one here wishes to look at it, but I posted it just in case.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:59 PM, on 1/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Windows\System32\WDBtnMgr.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MaAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\hp\kbd\kbd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
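Added example, not part of the thread: a first-pass triage of the "Running processes:" block of a HijackThis log like the one posted above. It pulls the process list out of the log, flags executables running from outside the usual Windows and Program Files roots (so a reviewer knows which vendors to confirm), flags host processes such as rundll32.exe whose loaded DLL the log does not show, and flags a file name that appears from more than one folder. The embedded log is a trimmed copy of the one in this post; the trusted-root list and the host-process set are assumptions of this example, not anything HijackThis itself reports.

```python
import ntpath
from collections import defaultdict

# Trimmed copy of the HijackThis log posted above. The process block runs
# from "Running processes:" to the next blank line.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:59 PM, on 1/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\hp\kbd\kbd.exe

"""

# Assumption of this example: folders under which a running executable is
# not worth a second look on its own. Anything else gets listed for review.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
_TRUSTED_PREFIXES = tuple(root + "\\" for root in TRUSTED_ROOTS)

# Assumption of this example: processes that only host someone else's code;
# the HijackThis process list does not show what they were asked to load.
HOST_PROCESSES = {"rundll32.exe", "svchost.exe", "regsvr32.exe"}


def running_processes(log: str) -> list:
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    lines = log.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().lower() == "running processes:")
    except StopIteration:
        return []
    procs = []
    for line in lines[start + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def triage(procs: list) -> list:
    """Return (item, reason) pairs a reviewer should look at first."""
    findings = []
    dirs_by_name = defaultdict(set)
    for path in procs:
        folder, name = ntpath.split(path)
        dirs_by_name[name.lower()].add(folder.lower())
        if not path.lower().startswith(_TRUSTED_PREFIXES):
            findings.append((path, "runs from outside the standard Windows/Program Files roots; confirm the vendor"))
        if name.lower() in HOST_PROCESSES:
            findings.append((path, "host process; the DLL it loads is not shown here, check its command line"))
    # The same file name running from two different folders is worth a look
    # regardless of where either copy lives.
    for name, folders in dirs_by_name.items():
        if len(folders) > 1:
            findings.append((name, f"same file name running from {len(folders)} different folders"))
    return findings


def report(log: str) -> list:
    procs = running_processes(log)
    lines = [f"{len(procs)} running processes listed"]
    for item, reason in triage(procs):
        lines.append(f"  REVIEW {item}: {reason}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HJT):
        print(line)
```

This only narrows the list; a path outside Program Files is common for OEM utilities, so each flagged item still needs its vendor and signature checked. The output is meant to be read alongside the rest of the HijackThis log, which the process list alone does not replace.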
Good news. My dad tried to run GMER.exe again, and this time it worked! The log is very, very long, so I think he may not have done it correctly. I started trying to post the entire log, but realized it would take about 20-30 posts to do it all.
I will attach the .log file to the next post here. Or, I can email it to someone if they would be willing to look at it, but don't want to download it here. You can email me at [email protected]
Last edited by mcomp72; January 24th, 2010 at 01:45 AM.