
Blottedisk

Honorary Members
  • Posts: 32
Everything posted by Blottedisk

  1. 1) The tools we've used will detect malware even in hidden files/folders. 2) Regarding BitTorrent, any time you are running any type of peer-to-peer application you are more prone to infection by malware, and this is probably how you became infected in the first place. ZoneAlarm is known to be a bit of a resource-eater. I would therefore recommend that you use Comodo instead. Are you still having trouble deleting those files?
  2. Let's see. Please download HijackThis 2.0.4 from HERE. To the right of the green arrow under HijackThis downloads, click on the Executable button and download the HijackThis.exe file to your desktop.
     • Double-click the HijackThis.exe file on your desktop to launch the program. If you get a security warning asking if you want to run this software because the publisher couldn't be verified, click on Run to allow it.
     • Click on the Scan button. The scan will not take long, and when it's finished the resulting log will open automatically in Notepad.
     • Save the log file to your desktop.
     • Copy and paste the contents of the log in your post.
     Please do not fix anything with HijackThis unless you are instructed to do so. Most of what appears in the log will be harmless and/or necessary.
  3. Great. Your machine does not appear to be infected anymore. We are done!

     Step 1 | Delete ComboFix and Clean Up
     The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:
          ComboFix /Uninstall
     Please advise if this step is missed for any reason as it performs some important actions.

     Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Visit the following link to get the latest version of Java: Java Runtime Environment (JRE) 6

     Step 3 | I don't see any evidence of a 3rd Party Firewall installed on your computer. If you have one installed, make sure it's functioning properly. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders. If you do not have a firewall installed... I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:
     • Comodo (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
     • Online Armor Free (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.)
     • ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
     • Ashampoo
     If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install and have active only one firewall at the same time. If you install one of these firewalls, remember to turn off Windows' firewall.

     Last Step | Now, in order to avoid future infections, please take time to read the following articles:
     • Simple and easy ways to keep your computer safe and secure on the Internet
     • Preventing Malware - Tools and Practices for Safe Computing
     • So how did I get infected in the first place?
     • How to prevent malware
     Read those articles and your potential for being infected again will reduce dramatically. Thank you for your patience, and for performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.
  4. Logs look fine. How's the machine working?

     ComboFix - CFScript
     WARNING! This script is for THIS user and computer ONLY! Using this tool incorrectly could damage your Operating System... preventing it from starting again! You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
     • Please open Notepad and copy/paste all the text below... into the window:
          clearjavacache::
     • Save it to your desktop as CFScript.txt
     • Please disable any Antivirus or Firewall you have active, as shown in this topic.
     • Please close all open application windows.
     • Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
     • This will cause ComboFix to run again. Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash. Do Not touch your computer when ComboFix is running!
     • When finished... Notepad will open... ComboFix will produce a log file called "log.txt".
     • Please copy/paste the contents of log.txt... in your next reply.
     ** Enable your Antivirus and Firewall, before connecting to the Internet again! **
  5. Please follow these steps:

     Step 1 | As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:
     • Open Malwarebytes' Anti-Malware
     • Select the Update tab
     • Click Check for Updates
     • After the update has been completed, select the Scanner tab.
     • Select Perform Quick scan, then click on Scan
     • When done, you will be prompted. Click OK.
     • If Items are found, then click on Show Results
     • Check all items then click on Remove Selected
     • After it has removed the items, Notepad will open. Please post this log in your next reply.
     The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     Or via the Logs tab when the application is started.
     Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

     Step 2 | Let's perform an ESET Online Scan
     Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
     • Please go here then click on:
       Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
     • Select the option YES, I accept the Terms of Use then click on:
     • When prompted allow the Add-On/Active X to install.
     • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
     • Now click on Advanced Settings and select the following:
       Scan for potentially unwanted applications
       Scan for potentially unsafe applications
       Enable Anti-Stealth Technology
     • Now click on:
     • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
     • When completed the Online Scan will begin automatically.
     • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
     • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
     • Copy and paste that log as a reply to this topic.
     • Now click on: (Selecting Uninstall application on close if you so wish)
  6. Thanks for the results. One more CFScript to run:

     ComboFix - CFScript
     WARNING! This script is for THIS user and computer ONLY! Using this tool incorrectly could damage your Operating System... preventing it from starting again! You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
     • Please open Notepad and copy/paste all the text below... into the window:
          Driver::
          intelusb3

          Registry::
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
          "intelusbs3"=-
     • Save it to your desktop as CFScript.txt
     • Please disable any Antivirus or Firewall you have active, as shown in this topic.
     • Please close all open application windows.
     • Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
     • This will cause ComboFix to run again. Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash. Do Not touch your computer when ComboFix is running!
     • When finished... Notepad will open... ComboFix will produce a log file called "log.txt".
     • Please copy/paste the contents of log.txt... in your next reply.
     ** Enable your Antivirus and Firewall, before connecting to the Internet again! **
  7. Please go to the following site to scan a file: Virus Total
     • Click on Browse, and upload the following file for analysis: c:\windows\System32\svchost.exe
     • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
     • If it says already scanned -- click "reanalyze now"
     • Please post the results in your next reply.
  8. Logs look better. Your MBR is now clean and we managed to replace the infected file. A non-legit service is showing in your latest log, so we still have some work to do:
     Please run SystemLook.
     --------------------------------------------------------------------
     • Copy the content of the following codebox into the main textfield:
          :filefind
          *intelusb3*

          :regfind
          intelusb
     • Click the Look button to start the scan.
     • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
     Note: The log can also be found on your Desktop entitled SystemLook.txt
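A defender-side check for the kind of bogus svchost group and service this post refers to (the "intelusbs3" value under the SvcHost key and its "intelusb3" service), added here as an example; it is not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell 3.0+ session on the machine being inspected and produces a review list, not a removal list:

```powershell
# Added example, not from the forum thread: audit the svchost service groups
# for entries that do not resolve to a real, on-disk service DLL. ZeroAccess-
# style infections register a bogus group and service (the thread's
# "intelusbs3" / "intelusb3") so that svchost.exe loads the rootkit for them.
# Assumes an elevated PowerShell 3.0+ session on the machine being inspected.

$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$psNoise     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ServicePath([string]$raw) {
    # ServiceDll/ImagePath values use %SystemRoot% or \SystemRoot\ prefixes
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    if ($p -match '^\\SystemRoot') { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    return $p
}

$findings = @()
$groups = Get-ItemProperty -Path $svcHostKey

foreach ($prop in $groups.PSObject.Properties) {
    if ($psNoise -contains $prop.Name) { continue }
    $groupName = $prop.Name
    # Each group value is a REG_MULTI_SZ list of the services it hosts
    foreach ($svcName in @($prop.Value)) {
        if ([string]::IsNullOrWhiteSpace($svcName)) { continue }
        $svcKey = Join-Path $servicesKey $svcName
        $reason = $null

        if (-not (Test-Path $svcKey)) {
            # Strongest signal for a made-up group, but optional Windows
            # services that this edition does not ship also land here.
            $reason = 'group lists a service with no Services key'
        } else {
            $paramsKey = Join-Path $svcKey 'Parameters'
            $dll = $null
            if (Test-Path $paramsKey) {
                $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            }
            if (-not $dll) {
                $dll = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ServiceDll
            }
            if (-not $dll) {
                $reason = 'svchost-hosted service has no ServiceDll'
            } else {
                $dllPath = Resolve-ServicePath $dll
                if (-not (Test-Path $dllPath)) {
                    $reason = "ServiceDll missing on disk: $dllPath"
                } else {
                    # Weak signal only: many system DLLs are catalog-signed and
                    # show as NotSigned here, so review rather than delete.
                    $sig = Get-AuthenticodeSignature -FilePath $dllPath
                    if ($sig.Status -ne 'Valid') {
                        $reason = "ServiceDll signature $($sig.Status), review: $dllPath"
                    }
                }
            }
        }

        if ($reason) {
            $findings += [PSCustomObject]@{
                Group = $groupName; Service = $svcName; Reason = $reason
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No suspicious svchost group entries found.'
} else {
    $findings | Sort-Object Group, Service | Format-Table -AutoSize
}
```

Cross-check any hit against a known-clean machine of the same Windows version before acting on it, since the missing-key and signature checks both have legitimate causes.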
  9. I have already asked a moderator to remove that post. Thanks for the submission. Please follow these steps:

     Step 1 | ComboFix - CFScript
     WARNING! This script is for THIS user and computer ONLY! Using this tool incorrectly could damage your Operating System... preventing it from starting again! You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
     • Please open Notepad and copy/paste all the text below... into the window:
          Folder::
          c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ
          c:\documents and settings\Ryan Deutsch\Application Data\fW6jAyPtPtnLfKd
     • Save it to your desktop as CFScript.txt
     • Please disable any Antivirus or Firewall you have active, as shown in this topic.
     • Please close all open application windows.
     • Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
     • This will cause ComboFix to run again. Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash. Do Not touch your computer when ComboFix is running!
     • When finished... Notepad will open... ComboFix will produce a log file called "log.txt".
     • Please copy/paste the contents of log.txt... in your next reply.
     ** Enable your Antivirus and Firewall, before connecting to the Internet again! **

     Step 2 | Run aswMBR.
     • Double click the aswMBR icon to run it. Vista and Windows 7 users right click the icon and choose "Run as administrator".
     • Click the Scan button to start scan.
     • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
  10. Good afternoon. We are in the middle of the removal process of a difficult infection (the Zero Access rootkit, which is very popular these days), so let's first remove all of its traces, and hopefully some of the remaining problems you are experiencing will be solved (if not, then we can focus on them later). Please do the following:
     • Close any open browsers.
     • Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
     • Please open Notepad. In Notepad, click "Format" and be certain that Word Wrap is not checked.
     • Copy and paste all of the text in the code box below into the Notepad (including the URL). Do Not copy the word CODE:
          http://forums.malwarebytes.org/index.php?showtopic=100114

          Collect::[133]
          C:\windows\system32\drivers\tsk28.tmp

          Suspect::[133]
          c:\windows\system32\drivers\redbook.sys

          FCopy::
          C:\WINDOWS\$NtServicePackUninstall$\redbook.sys | C:\WINDOWS\system32\drivers\redbook.sys

          Registry::
          [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\redbook]
          "ImagePath"="\\SystemRoot\\System32\\drivers\\redbook.sys"

          DirLook::
          c:\documents and settings\Ryan Deutsch\Application Data\tTNpz8VWCQXyZ
          c:\documents and settings\Ryan Deutsch\Application Data\fW6jAyPtPtnLfKd
     • In the notepad click File, Save as..., and set the Save in to your Desktop. In the filename box, type (including quotation marks) as the filename: "CFScript.txt". Click save.
     • Close all browser/windows first.
     • Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below. This will start ComboFix again.
     • ComboFix may request an update; please allow it.
     • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
     IMPORTANT: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     NOTE: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
     Please post back including the Combofix log, which is usually located at C:\Combofix.txt
  11. Ok, TDSSKiller has done its job, removing a big part of the infection. Please try Combofix again, this time it should work.
  12. If after 60 minutes CF gives no response (like the first time you ran it), then please proceed this way:
     • Download TDSSKiller.zip
     • Double-click on TDSSKiller.exe to run the application.
     • Click on the Start Scan button and wait for the scan and disinfection process to be over.
     • If an infected file is detected, the default action will be Cure, click on Continue
     • If a suspicious file is detected, the default action will be Skip, click on Continue
     • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
     • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
  13. Thank you. Some more work:

     Step 1 | Please download SystemLook from one of the links below and save it to your Desktop.
     Download Mirror #1
     Download Mirror #2
     --------------------------------------------------------------------
     • Double-click SystemLook.exe to run it.
     • Copy the content of the following codebox into the main textfield:
          :filefind
          redbook.sys
     • Click the Look button to start the scan.
     • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
     Note: The log can also be found on your Desktop entitled SystemLook.txt

     Step 2 | Please download ComboFix from one of the following locations:
     Link 1
     Link 2
     VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
     * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
     • Double click on ComboFix.exe & follow the prompts.
     • Accept the disclaimer and allow to update if it asks
     • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
     Notes:
     1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
     2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  14. Let's skip the DDS scan for now. There's something nasty going on, so we will try a different alternative. Please follow these steps:

     Step 1 | Please download DeFogger to your desktop.
     • Double click DeFogger to run the tool. The application window will appear
     • Click the Disable button to disable your CD Emulation drivers
     • Click Yes to continue
     • A 'Finished!' message will appear
     • Click OK
     • DeFogger will now ask to reboot the machine - click OK
     IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop. Do not re-enable these drivers until otherwise instructed.

     Step 2 | Please run aswMBR again with the instructions from my previous post and paste the log.

     Step 3 | Please go to the following site to scan a file: Virus Total
     • Click on Browse, and upload the following file for analysis: C:\WINDOWS\system32\DRIVERS\redbook.sys
     • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
     • If it says already scanned -- click "reanalyze now"
     • Please post the results in your next reply.
  15. It's ok Speedr73, thanks for letting us know. We have some scans to run. Please follow these steps:

     Step 1 | Download DDS from any of the links below:
     Link 1
     Link 2
     Link 2
     --------------------------------------------------------------------
     • Save it to your desktop.
     • Please disable any anti-malware program that will block scripts from running before running DDS.
     • Double-Click on dds and a command window will appear. This is normal.
     • Shortly after two logs will appear: DDS.txt, Attach.txt
     • A window will open instructing you save & post the logs.
     • Save the logs to a convenient place such as your desktop.
     • Post the contents of the DDS.txt report in your next reply.
     • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

     Step 2 | Please download GMER from one of the following locations and save it to your desktop:
     Main Mirror - This version will download a randomly named file (Recommended)
     Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
     --------------------------------------------------------------------
     • Disconnect from the Internet and close all running programs.
     • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
     • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
       Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
     • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
     • Make sure all options are checked except:
       IAT/EAT
       Drives/Partition other than Systemdrive, which is typically C:\
       Show All (This is important, so do not miss it.)
     • Now click the Scan button. If you see a rootkit warning window, click OK.
     • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
     • Click the Copy button and paste the results into your next reply.
     • Exit GMER and re-enable all active protection when done.
     -- If you encounter any problems, try running GMER in Safe Mode.

     Step 3 | Please download aswMBR to your desktop.
     • Double click the aswMBR icon to run it. Vista and Windows 7 users right click the icon and choose "Run as administrator".
     • Click the Scan button to start scan.
     • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
  16. Hi MarioGA, welcome to Malwarebytes. Sorry for the delay in replying, the forum is very busy at the moment. Do you still require help?
  17. Hi Speedr73, welcome to the forum. Do you still require help?
  18. Hi, welcome to Malwarebyte's Antimalware forums. Please follow these steps:

     Step 1 | Please download RKill by Grinler from Link #1 below and save it to your desktop.
     Link #1
     Link #2
     Link #3
     Link #4
     Link #5
     --------------------------------------------------------------------
     Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious.
     • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista or Windows 7, please right-click on it and select Run As Administrator)
     • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
     • If this does not occur please delete that application and download Link #2. Continue process until the tool runs. If the tool does not run from any of the links go to step 2 and let me know in your next reply
     Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.

     Step 2 | Download DDS from any of the links below:
     Link 1
     Link 2
     Link 2
     --------------------------------------------------------------------
     • Save it to your desktop.
     • Please disable any anti-malware program that will block scripts from running before running DDS.
     • Double-Click on dds and a command window will appear. This is normal.
     • Shortly after two logs will appear: DDS.txt, Attach.txt
     • A window will open instructing you save & post the logs.
     • Save the logs to a convenient place such as your desktop.
     • Post the contents of the DDS.txt report in your next reply.
     • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

     Step 3 | Please download GMER from one of the following locations and save it to your desktop:
     Main Mirror - This version will download a randomly named file (Recommended)
     Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
     --------------------------------------------------------------------
     • Disconnect from the Internet and close all running programs.
     • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
     • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
       Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
     • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
     • Make sure all options are checked except:
       IAT/EAT
       Drives/Partition other than Systemdrive, which is typically C:\
       Show All (This is important, so do not miss it.)
     • Now click the Scan button. If you see a rootkit warning window, click OK.
     • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
     • Click the Copy button and paste the results into your next reply.
     • Exit GMER and re-enable all active protection when done.
     -- If you encounter any problems, try running GMER in Safe Mode.
  19. I completely agree with you, Firefox. Including this information would be most handy, as it could show trojan activity on the OP.