Ghostrider 7

Everything posted by Ghostrider 7

  1. Ok Gringo, Everything has been complied with. I will download the antispyware programs you suggest tomorrow. The "Make your Internet Explorer more secure" link says it is for IE7, I'm guessing that also goes for IE8? There are a couple more things left on your post that I need to do tomorrow, so I'll be back on to take care of them. How long do these topics stay in the forum after they are closed? I should be back on tomorrow morning to finish up. If you are going to close this topic then let me thank you again for your assistance. You did a great job & a great service to all that face the scourge of malware. It was a pleasure working with you. KEEP KILLIN' THOSE BUGS!! Best Regards, No longer NeedhelpinTX (for now)
  2. It says "Windows cannot find maxlook -cleanup". And it also says the same for ComboFix. McAfee ate ComboFix again after it was reactivated. I'm going on with the rest of your post. Defogger enable complied with.

     defogger_enable by jpshortstuff (23.02.10.1)
     Log created at 23:14 on 30/04/2010 (Dad)
     Parsing file...
     -=E.O.F=-
  3. Here's the ESET log file & it appears to be the infection you cleared last night. (rasacd.sys renamed to rasacd.old)

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=709d22b16f9d3a4a91bfa66f9d1d676c
     # end=finished
     # remove_checked=false
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-05-01 02:38:44
     # local_time=2010-04-30 09:38:44 (-0600, Central Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=5121 16776869 100 96 615308 24673278 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=182801
     # found=6
     # cleaned=0
     # scan_time=13370
     C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir  Win32/Patched.EQ trojan  00000000000000000000000000000000  I
     C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP332\A0054278.sys  Win32/Patched.EQ trojan  00000000000000000000000000000000  I
     C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0055508.sys  Win32/Patched.EQ trojan  00000000000000000000000000000000  I
     C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0056936.sys  Win32/Patched.EQ trojan  00000000000000000000000000000000  I
     C:\WINDOWS\maxdriver\rasacd.sys  Win32/Patched.EQ trojan  00000000000000000000000000000000  I
     C:\WINDOWS\system32\drivers\rasacd.old  Win32/Patched.EQ trojan  00000000000000000000000000000000  I

     The pc seems to be running okay, no redirects or pop-ups. Now, do I check the box for "Uninstall application on close"? ESET says, "Select Uninstall if you want to remove all ESET Online Scanner files from your computer. The next time you run ESET Online Scanner, they will need to be downloaded again". Then click "Finish". What's my next step?
  4. ESET is at 99%, step 3 of 4. It found five Win32/Patched.EQ trojans during the scan. Is this the one we repaired? I'll post the log when finished. NHITX
  5. Ok Gringo, I'll run ESET. By the way, I went to the Kaspersky website & I think their on-line scanner is down for an upgrade. This is what they had on the free scanner page. Detect viruses on your computer with Kaspersky
  6. Hello Gringo! I did the TFC cleaner & MBAM. No problems encountered with these. TFC did have me reboot. McAfee also ate ComboFix like last time. But, I did have a problem when I went to the Kaspersky online scanner. I will also attach a screen shot of the problem I had with Kaspersky. The only way I could get off the Kaspersky website was alt-ctrl-del. I wasn't going to click on anything, it may have been genuine, but I'm gun shy now. First, here is the MBAM log & it was clean.

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4056

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     4/30/2010 5:04:32 PM
     mbam-log-2010-04-30 (17-04-32).txt

     Scan type: Quick scan
     Objects scanned: 158887
     Time elapsed: 14 minute(s), 13 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     Now, here's the screen shot of the Kaspersky problem. I got a Security Warning pop-up that read "The application's digital signature has an error. Do you want to run the application?" The yellow warning shield didn't look right to me, plus it says the name is javavm & the publisher is Microsoft Corporation. I did have a Java icon show up in the system tray next to the Ad-Aware icon. So, I'm not sure if this is real or another malware program. It seems funny that you would get something like this at the Kaspersky site. I'll be waiting for your response! NHITX
  7. Sorry, I didn't see your post above my last post. I will run TFC, MBAM, Kaspersky tomorrow after work & post the logs. Good night all! NHITX out
  8. One last thing. Do I need to run defogger & activate the CD Emulators? I got this off of AdvancedSetup's post at topic 9573, "I'm infected - What do I do now?, Please follow these instructions to clean your system":

     DeFogger - Re-Enable (only run when instructed to when your system is clean again)
     To re-enable your Emulation drivers, double click DeFogger to run the tool. The application window will appear.
     Click the Re-enable button to re-enable your CD Emulation drivers.
     Click Yes to continue.
     A 'Finished!' message will appear.
     Click OK.
     DeFogger will now ask to reboot the machine - click OK.
     IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
     Your Emulation drivers are now re-enabled.

     NHITX
  9. Thanks a bunch Gringo! I really appreciate your help! I'll check back every so often, since I've posted enough to be an Honorary Member! Best Regards, NO LONGER NeedhelpinTX!! You may close the post!
  10. Gringo, It looks like it is working ok. No redirects or pop-ups. I need or will need to do the following:

      Enable the CD Emulators
      Turn McAfee back on
      Make sure Adobe is up to date
      Check Windows Update

      Do I need to uninstall/clean up any programs we used? Or can they just be sent to the recycle bin? Is there any thing else you can think of? After you give the pc a clean bill of health, all I ask of you is to answer my PM. Man, I might get to go to bed at a regular time tonight! NHITX
  11. I guess what we have done will take care of everybody's logon? There are 4 different logons, 1 for me, 1 for my wife, & 1 for each son. I'm rebooting & logging on each one & testing. Also, let me know when I can turn cd emulation back on with defogger, because I may forget later.
  12. 6 instances of IE8 open & no redirects! That's a good thing! Talk to you in 2 hours! Thanks! NHITX
  13. Cool! It's 7:15 here now. I'll let you know something in 15 & again at 10:30 your time, 9:30 mine. So far so good! Don't forget about my PM I sent you, I would really appreciate your advice. Thanks! NHITX
  14. Instructions carried out. No problems. Awaiting reboot & redirect testing. Do you want me to fully activate McAfee? It will eat ComboFix again.
  15. Just to clarify, I believe I need to type in each line separately & press enter after each?

      cd c:\windows\system32\drivers > enter
      ren rasacd.sys rasacd.old > enter
      copy c:\rasacd.sys c:\windows\system32\drivers > enter
      exit > enter

      Correct?
  16. More info!

      SystemLook v1.0 by jpshortstuff (11.01.10)
      Log created at 17:59 on 29/04/2010 by Dad (Administrator - Elevation successful)

      ========== filefind ==========

      Searching for "rasacd.*"
      C:\I386\RASACD.SY_  --a--c 5083 bytes  [09:23 10/09/2003]  [12:00 30/07/2003]  66536622E2D8F7CA008451260DD32F0C
      C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir  --a--- 8832 bytes  [19:00 10/08/2004]  [21:50 26/04/2010]  26ABB5D5F7FB2DEAE93A0DAFFC4FA5EE
      C:\WINDOWS\I386\RASACD.SY_  --a--c 5083 bytes  [01:13 16/08/2003]  [19:00 30/07/2003]  66536622E2D8F7CA008451260DD32F0C
      C:\WINDOWS\maxdriver\rasacd.sys  --a--- 8832 bytes  [19:00 10/08/2004]  [03:10 28/04/2010]  26ABB5D5F7FB2DEAE93A0DAFFC4FA5EE
      C:\WINDOWS\system32\dllcache\rasacd.sys  --a--c 8832 bytes  [19:00 10/08/2004]  [22:28 29/04/2010]  FE0D99D6F31E4FAD8159F690D68DED9C
      C:\WINDOWS\system32\drivers\rasacd.sys  --a--- 8832 bytes  [19:00 10/08/2004]  [22:28 29/04/2010]  FE0D99D6F31E4FAD8159F690D68DED9C

      Searching for "sunkfilt.*"
      C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Sunkfilt.sys.vir  --a--- 39904 bytes  [17:05 22/03/2004]  [17:05 22/03/2004]  61C7CE0D9789872AA1140C1A304143B0
      C:\WINDOWS\maxdriver\Sunkfilt.sys  --a--- 39904 bytes  [17:05 22/03/2004]  [17:05 22/03/2004]  61C7CE0D9789872AA1140C1A304143B0
      C:\WINDOWS\system32\drivers\Sunkfilt.sys  --a--- 39904 bytes  [17:05 22/03/2004]  [17:05 22/03/2004]  61C7CE0D9789872AA1140C1A304143B0

      -=End Of File=-
  17. SystemLook v1.0 by jpshortstuff (11.01.10)
      Log created at 17:34 on 29/04/2010 by Dad (Administrator - Elevation successful)

      No Context: rasacd.sys

      -=End Of File=-
  18. I love it when a plan comes together! Here's the maxlook looklog.txt

      Run from C:\Documents and Settings\Dad\Desktop\maxlook.exe on Thu 04/29/2010 at 17:08:35.17

      --------- maxlook unsigned files ---------

      c:\windows\maxdriver\dsNcAdpt.sys:
          Verified: Unsigned
          File date: 8:29 PM 7/27/2005
          Publisher: Juniper Networks
          Description: dsNcAdapter
          Product: Network Connect
          Version: 5, 0, 0, 8897
          File version: 5, 0, 0, 8897
      c:\windows\maxdriver\mhndrv.sys:
          Verified: Unsigned
          File date: 4:45 AM 8/10/2004
          Publisher: Microsoft Corporation
          Description: Microsoft Multimedia Home Network (MHN) Support Driver
          Product: Microsoft
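An added triage helper, not from this thread or from SystemLook, ComboFix or maxlook: it parses the SystemLook filefind output above and reports which copies of rasacd.sys still on disk share a hash with the copy ComboFix quarantined, and whether the live driver matches its dllcache copy. The embedded sample input is the post's own rasacd.* entries; the C:\Qoobox\Quarantine path convention is taken from the log itself.

```python
import re

# Constructed sample input: the rasacd.* section of the SystemLook filefind
# log from post 16 above (paths, sizes, timestamps and MD5s as posted).
SYSTEMLOOK_LOG = r"""
Searching for "rasacd.*"
C:\I386\RASACD.SY_  --a--c 5083 bytes  [09:23 10/09/2003]  [12:00 30/07/2003]  66536622E2D8F7CA008451260DD32F0C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir  --a--- 8832 bytes  [19:00 10/08/2004]  [21:50 26/04/2010]  26ABB5D5F7FB2DEAE93A0DAFFC4FA5EE
C:\WINDOWS\I386\RASACD.SY_  --a--c 5083 bytes  [01:13 16/08/2003]  [19:00 30/07/2003]  66536622E2D8F7CA008451260DD32F0C
C:\WINDOWS\maxdriver\rasacd.sys  --a--- 8832 bytes  [19:00 10/08/2004]  [03:10 28/04/2010]  26ABB5D5F7FB2DEAE93A0DAFFC4FA5EE
C:\WINDOWS\system32\dllcache\rasacd.sys  --a--c 8832 bytes  [19:00 10/08/2004]  [22:28 29/04/2010]  FE0D99D6F31E4FAD8159F690D68DED9C
C:\WINDOWS\system32\drivers\rasacd.sys  --a--- 8832 bytes  [19:00 10/08/2004]  [22:28 29/04/2010]  FE0D99D6F31E4FAD8159F690D68DED9C
"""

# One filefind result line: path, attribute flags, size, two [time date] stamps
# and the MD5. Paths may contain spaces, so the path group is non-greedy and
# the line is anchored on the trailing 32-hex-digit MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attr>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE,
)

def parse_filefind(text):
    """Return one dict per file line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
            entries.append(e)
    return entries

def copies_of_quarantined(entries):
    """Live paths whose MD5 equals a copy ComboFix moved into C:\\Qoobox\\Quarantine,
    i.e. the same patched driver still present somewhere else on disk."""
    in_q = lambda e: "\\quarantine\\" in e["path"].lower()
    bad = {e["md5"] for e in entries if in_q(e)}
    return sorted(e["path"] for e in entries if e["md5"] in bad and not in_q(e))

def live_driver_matches_dllcache(entries, name="rasacd.sys"):
    """True when system32\\drivers\\<name> and its dllcache copy share one hash."""
    tails = ("\\system32\\drivers\\" + name, "\\system32\\dllcache\\" + name)
    hashes = {e["md5"] for e in entries if e["path"].lower().endswith(tails)}
    return len(hashes) == 1

if __name__ == "__main__":
    ents = parse_filefind(SYSTEMLOOK_LOG)
    print(copies_of_quarantined(ents), live_driver_matches_dllcache(ents))
```

On the posted log this flags C:\WINDOWS\maxdriver\rasacd.sys as a leftover copy of the quarantined driver, which matches what the later ESET scan found.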
  19. Good Morning Gringo, I'll comply with your request when I get home from work around 16:00 CDT & post shortly thereafter. I will activate McAfee firewall before I hook up to the internet, but I will leave the rest of McAfee disabled. The firewall shouldn't cause a problem with the maxlook run. Regards, NHITX
  20. Hey Gringo, I followed the instructions & the result is below.

      1. I did maxlook again,
      2. restarted pc,
      3. selected Recovery Console,
      4. entered 3 (for C:\WINDOWS),
      5. typed in batch look.bat (with the space),
      6. it copied a bunch of files,
      7. I typed in exit when it got back to C:\WINDOWS,
      8. pc restarted,
      9. I logged on,
      10. entered maxlook -sig

      Then a maxlook sig box popped up & said:

      Download failed!
      You must have an active internet connection!
      Press any key to continue . . .

      Do you want me to run maxlook again with the internet connected? NHITX
  21. It keeps going back to D:MiniNT> I am typing cd c:\windows then enter & back to D: I think the only choice I get is exit? (See screen shot.)
  22. Gringo, My #1 is D:\MiniNT, choice #3 is C:\Windows. I typed in 1 & pressed enter, now I'm at the D:\MiniNT prompt. How do I get back to C:\Windows? It's been a long time since I've been in DOS & had to change directories (cd\C: I think?). I'm waiting for assistance.
  23. Hello Gringo, The ComboFix report is above & below are the answers to your other steps.

      1. The report from ComboFix. See above post.

      2. Report from GMER Safe Mode ark.txt

         GMER 1.0.15.15281 - http://www.gmer.net
         Rootkit scan 2010-04-28 16:28:34
         Windows 5.1.2600 Service Pack 3
         Running: bgetwgg9.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\uxldapob.sys

         ---- System - GMER 1.0.15 ----

         SSDT  Lbd.sys (Boot Driver/Lavasoft AB)  ZwCreateKey [0xF766787E]
         SSDT  Lbd.sys (Boot Driver/Lavasoft AB)  ZwSetValueKey [0xF7667BFE]

         ---- Kernel code sections - GMER 1.0.15 ----

         init  C:\WINDOWS\System32\Drivers\sunkfilt.sys  entry point in "init" section [0xF7757300]

         ---- EOF - GMER 1.0.15 ----

      3. Don't go onto the internet yet until after I get the reports. Ethernet cable still disconnected.

      4. Let me know of any problems you may have had. No problems running ComboFix in regular mode or GMER in safe mode. The only problem I ran into was getting out of safe mode after GMER ran. The pc was very slow, it took a little while for the GMER report to pop up so I could save it. I inserted my SD card & tried to click on "My Computer", but nothing happened. Looked in the Task Manager & process lsass.exe had 50-55 CPU usage & mcmscsvc.exe (McAfee) had 43-50 CPU usage. I stopped MCMSCSVC.exe, then lsass.exe jumped to 73-80 CPU usage. I never could open "My Computer" or shutdown the pc from safe mode, so I had to revert to the all powerful kill button.

      5. How is the computer doing now? The pc started ok & it appears to be operating fine. MBAM, McAfee, Lavasoft Ad-Aware, Spybot S&D, MS Word, etc, all opened without any problems. I'm ready for more direction! Oh, don't forget about my PM. NHITX