deltalima

Experts
  • Posts: 305
Everything posted by deltalima

  1. Hi Mortem, In addition to the Combofix scan please Download SystemLook and save it to your Desktop. Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: :filefind mouclass.sys Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt
  2. Hi barleyfreak, Please delete the copy of Combofix that you already have and download and run the latest version as follows. Run Combofix: Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix. Download ComboFix from here to your Desktop. For more information about Combofix please see here. Close all programs. Double click combofix.exe and follow the prompts. If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it
  3. Hi pvonkaenel, Please run another TDSSKiller scan and another GMER scan and post both logs in your next reply.
  4. Hi gaffer61, Custom OTL scan Double click on OTL.exe to run it. Under the Custom Scan box paste this in /md5start ql10wnt.sys /md5stop Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. Please post the contents of OTL.txt in your next reply.
  5. Hi gaffer61, It looked a straightforward problem to me at the start but malware is constantly being altered to make it harder to remove. Do you have the resources to burn a bootable CD? If so please download http://oldtimer.geekstogo.com/OTLPE.iso and burn it to a CD, I will get back with further instructions later (probably tomorrow as it is getting late in the UK). If not then let me know and I will find an alternative method.
  6. Hi pvonkaenel, My apologies, I should have included the link. Download OTL: Download OTL by Old Timer and save it to your Desktop. Then follow the instructions from the last post.
  7. Hi pvonkaenel, This looks to be a new variant of the rootkit. I have escalated this to a group of experts for a method to remove it and will be back to you as soon as we have more information. Please be assured that I will reply as soon as we have identified a suitable fix. While this is happening please run the following - Custom OTL scan Double click on OTL.exe to run it. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys mv61xx.sys nvraid.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. Please post the contents of OTL.txt in your next reply.
  8. Hi barleyfreak, This looks to be a new variant of the rootkit. I have escalated this to a group of experts for a method to remove it and will be back to you as soon as we have more information. Please be assured that I will reply as soon as we have identified a suitable fix.
  9. Hi gaffer61, This looks to be a new variant of the rootkit. I have escalated this to a group of experts for a method to remove it and will be back to you as soon as we have more information. Please be assured that I will reply as soon as we have identified a suitable fix.
  10. Hi pvonkaenel, Run Combofix: Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix. Download ComboFix from here to your Desktop. For more information about Combofix please see here. Close all programs. Double click combofix.exe and follow the prompts. If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it
  11. Hi barleyfreak, The infection is still showing although TDSSKiller fixed it on the first run. Please reboot and then run TDSSKiller one more time. Custom OTL scan Double click on OTL.exe to run it. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys mv61xx.sys nvraid.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. Please post the contents of OTL.txt in your next reply. Please also post the TDSSKiller log.
  12. Hi gaffer61, That's good, the scan is clean so we can concentrate on the rootkit. It is the same file that TDSSKiller fixed in the first run; we need another tool to fix this. Custom OTL scan Double click on OTL.exe to run it. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys mv61xx.sys nvraid.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. Please post the contents of OTL.txt in your next reply.
  13. Hi Mortem, Run Combofix: Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix. Download ComboFix from here to your Desktop. For more information about Combofix please see here. Close all programs. Double click combofix.exe and follow the prompts. If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it
  14. Hi pvonkaenel, Please reboot the computer and then run another GMER scan and post the log in your next reply.
  15. Hi barleyfreak, Please confirm that you have removed the infected items, as the log shows "No action taken"; please post a new Malwarebytes log. Please let me know if you can access other web pages without a problem. There is still another infection hiding that we need to identify. Now run TDSSKiller again and post the log in the next reply. Download and Run Blacklight Please download F-Secure Blacklight (fsbl.exe) from here. Save it into C:\ with a name of fsbl.exe. Go to Start > Run. Copy and paste the contents of the below codebox into the run box C:\fsbl.exe /expert Click OK. This will launch BlackLight. Select I accept the agreement. Click Next. Click Scan. Wait for the scan to finish. Click on Next> Click Exit. A logfile will have been created in the C:\ drive. It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan. Use notepad to open that log. Post the contents of that log as a reply to this topic.
  16. Hi Mortem, Install HijackThis Download HJTInstall.exe to your Desktop. Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Copy/Paste the log to your next reply please. Please post the HijackThis log and the GMER log in your next reply.
  17. Hi pvonkaenel, Welcome to the forum. My nickname is deltalima and I will be helping you with your computer problems. The logs can take some time to research, so please be patient with me. Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop. Please note the following: I will be working on your Malware issues; this may or may not solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. TDSSKiller Download the file TDSSKiller.zip and save it on your desktop. Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop. Next double-click the tdsskiller Folder on your desktop. Next right-click on tdsskiller.exe and click Copy, then Paste it directly on to your Desktop. Highlight and copy the text in the codebox below. "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt" Click Start, click Run... and paste the text above into the Open: line and click OK. Wait for the scan and disinfection process to be over. Open tdsskiller.txt on your desktop and post the contents in your next reply.
  18. Hi barleyfreak, Please enable System Restore. Now please run Malwarebytes, check for updates and run a quick scan and post the log in your next reply and let me know how the computer is running now.
  19. Hi gaffer61, Please confirm that this happens when the computer is idle with no programs running. There is still an infected email in your Outlook archive. Please check again through your archived emails to see if there are any emails with attachments and delete any attachments that you do not recognise and cannot trust. Once this is done then please empty deleted items. Compact PST file Open Outlook. On the File menu, click Data File Management. Click the Archive folders (.pst) files that you want to compact, and then click Settings. Click Compact Now, click OK, and then click Close. Next run another Kaspersky scan. The process of deleting, compacting and scanning may need to be done several times until the infected email can be eliminated. RootkitRevealer Please download Rootkit Revealer from Sysinternals -
  20. We posted at the exact same time! Please continue with the instructions as posted.
  21. Hi barleyfreak, We need to remove Spybot - Search & Destroy as it may interfere with any fixes that we do. It can be reinstalled later if required. Click Start, point to Settings, and then click Control Panel. In Control Panel, double-click Add or Remove Programs. In Add or Remove Programs, highlight Spybot - Search & Destroy and click Remove. Close the Add or Remove Programs and the Control Panel windows. The GMER scan would be good to have; however there are sufficient indications of the TDSS rootkit to proceed without the results of that scan. TDSSKiller Download the file TDSSKiller.zip and save it on your desktop. Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop. Next double-click the tdsskiller Folder on your desktop. Next right-click on tdsskiller.exe and click Copy, then Paste it directly on to your Desktop. Highlight and copy the text in the codebox below. "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt" Click Start, click Run... and paste the text above into the Open: line and click OK. Wait for the scan and disinfection process to be over. Open tdsskiller.txt on your desktop and post the contents in your next reply.
  22. Hi Mortem, Welcome to the forum. My nickname is deltalima and I will be helping you with your computer problems. The logs can take some time to research, so please be patient with me. Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop. Please note the following: I will be working on your Malware issues; this may or may not solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. Download and run OTL Download OTL by Old Timer and save it to your Desktop. Double click on OTL.exe to run it. Under Output, ensure that Minimal Output is selected. Under Extra Registry section, select Use SafeList. Click the Scan All Users checkbox. Click on Run Scan at the top left hand corner. When done, two Notepad files will open: OTL.txt <-- Will be opened; Extras.txt <-- Will be minimized. Please post the contents of these 2 Notepad files in your next reply. Please download GMER Rootkit Scanner from here. Double click the .exe file. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO. Run GMER again and click on the Rootkit tab. Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive. Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All". Click on "Scan" and wait for the scan to finish. Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply. Note: If you have any problems, try running GMER in SAFE MODE. Important! Please do not select the "Show all" checkbox during the scan. Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
  23. You may as well cancel the scan and follow the instructions I posted.
  24. Hi barleyfreak, Welcome to the forum. My nickname is deltalima and I will be helping you with your computer problems. The logs can take some time to research, so please be patient with me. Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop. Please note the following: I will be working on your Malware issues; this may or may not solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. Download and run OTL Download OTL by Old Timer and save it to your Desktop. Double click on OTL.exe to run it. Under Output, ensure that Minimal Output is selected. Under Extra Registry section, select Use SafeList. Click the Scan All Users checkbox. Click on Run Scan at the top left hand corner. When done, two Notepad files will open: OTL.txt <-- Will be opened; Extras.txt <-- Will be minimized. Please post the contents of these 2 Notepad files in your next reply. Please download GMER Rootkit Scanner from here. Double click the .exe file. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO. Run GMER again and click on the Rootkit tab. Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive. Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All". Click on "Scan" and wait for the scan to finish. Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply. Note: If you have any problems, try running GMER in SAFE MODE. Important! Please do not select the "Show all" checkbox during the scan. Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
  25. Hi gaffer61, There is an infected email in your Outlook archive. Please check through your archived emails to see if there are any emails with attachments and delete any attachments that you do not recognise and cannot trust. Once this is done then please empty deleted items and then run another Kaspersky scan. This may need to be done several times until the infected email can be eliminated. Run Combofix: Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix. Download ComboFix from here to your Desktop. For more information about Combofix please see here. Close all programs. Double click combofix.exe and follow the prompts. If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it