Posts posted by negster22

  1. The ESET scan detected nothing unexpected (aka new) so that's encouraging.

    OK, let's run the previous mbr command like this and you should not get rebooting -

    Open a command prompt (click Start -> Run, type cmd, and hit Enter)

    Copy / Paste the following command at the command prompt, and hit Enter

    mbr.exe -s -t > "%userprofile%\desktop\mbr.log"

    Leave the command prompt open.

    Copy / Paste the following command and hit Enter:

    del /a /f "c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe"

    Please let me know if any errors came up in response to the above command.

    Close the command prompt.

    Open mbr.log by double-clicking mbr.log

    Copy and paste the contents of mbr.log into your next reply.

  2. Not sure about why IE appears on the desktop, but if it is just a short-cut to IE (the icon contains an arrow), you can just delete it.

    Open a command prompt (click Start -> Run, type cmd, and hit Enter)

    Copy / Paste the following command at the command prompt, and hit Enter

    mbr.exe -s -tDFR > "%userprofile%\desktop\mbr.log"

    Open the log it created by double-clicking mbr.log

    Copy and paste the contents of mbr.log into your next reply.

    --------------

    Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

    http://www.eset.com/onlinescan/index.php

    • You need to disable your Lavasoft AV's auto-protection feature before beginning the scan to avoid conflicts and system hangs
    • Use Internet Explorer to navigate to the scanner website because you must approve installation of an ActiveX add-on to complete the scan.
    • Check the "Yes, I accept the terms of use" box.
    • Click Start
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box "Remove found threats" is CHECKED!!
    • Click Start
    • Allow the definition database to install
    • Click "Scan"

    When the scan is done, please post the scan report in your next reply. It can be found in this location:

    C:\Program Files\EsetOnlineScanner\log.txt

  3. Hi mooneym20 and Welcome to the Malwarebytes' Forum,

    I have tried everything

    Please elaborate on what You've tried. I see You have two active antiviruses installed, AVG and Lavasoft - VERY IMPORTANT - Please remove one of them or serious system instability can result!!!

    What makes You think that You have a "possible rootkit infection not detected by malwarebytes"?

    Your DDS.txt log is incomplete:

    Please post the FULL log, and if you did not save it, run DDS.SCR to recreate it. Then copy/paste it into your next reply.

    Please follow the directions to perform a Gmer Rootkit Scan HERE and post the scan log into your next reply.

    I'll be able to help You better when I see those results. Thanks!

  4. OK Thanks for all the requested items.

    I hope you're awake now!

    When You ran TDSSKiller the second time in Post #30 above - did you have to power down and up to restart your PC again?:

    2010/11/07 18:17:32.0484 Detected object count: 1

    2010/11/07 18:17:35.0312 \HardDisk0 - will be cured after reboot

    2010/11/07 18:17:35.0312 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

    2010/11/07 18:17:45.0640 Deinitialize success

  5. Now, we have to perform a more in depth anti-rootkit scan:

    • Disable your antivirus and anti-malware programs
    • Double-click the randomly named EXE located in the C:\ARK folder that you previously downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • When the "Quick scan" is done (a few seconds), if you're notified of "Rootkit Activity" and asked to perform a Full Scan, say "No" so we can configure the scan options first.
    • In the right pane, UNCHECK the following options:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)

    • Once configured according to the above, select the Scan button.
    • Leave your system completely idle while this longer scan is in progress.
    • When the scan is done, save the scan log to the Windows clipboard
    • Open Notepad or a similar text editor
    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
    • Exit the Program
    • Save the Scan log as ARKFullScan.txt and post it in your next reply. If the log is very long, attach it please.

    Please upload dump.dat as described previously, too!

    Thanks!

  6. You aren't out of the clear yet because some of your logs detect the symptoms of the TDL4 variant of the MBR Bootkit:

    Your MBR dump analysis should confirm that, so you should use the laptop in the interim.

    Now that I know D: is not a Recovery Partition, I feel OK about having You run "Fixmbr" from the Recovery Console. If You did have a Recovery Partition on D:, using that command would overwrite the infected MBR with a default Windows XP MBR and You would lose access to that partition. However, it will NOT impact your being able to access your "music, pictures, misc. storage" on the D: drive.

    I'll get back to you after the analysis is complete.

    In the meantime please download this Antirootkit Program to a folder that you create such as C:\ARK.

    Disable the active protection component of your antivirus by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Next, please perform a rootkit scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here

    As far as security programs go -

    I use ESET Smart Security and I recommend it highly.

    The following AV's are also excellent:

    1. Microsoft Security Essentials (Free AV from Microsoft)

    2. Avira Antivir (Free to Home Users)

    3. Avast (Free to Home Users)

    I just retrieved the file you uploaded and it is the mbr.log that MBRCheck created during its run.

    I need the following file, which is a copy of your MBR, uploaded:

    C:\Documents and Settings\Nick Kruse\Desktop\dump.dat

    It's only 512 bytes in size.

    Can You please upload it to my channel here:

    http://www.bleepingcomputer.com/submit-mal....php?channel=75

    Thanks!!

  7. Any word on those dumps?

    This is the word from my post #49:

    Good News! Your MBR isn't infected!!

    Excellent job!

    Your scans are all coming up clean now!

    We have a few steps to finish up now!!

    If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

    • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
    • Delete the C:\ARK folder (or whatever folder you chose to install the antirootkit in)

    If I asked You to download TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location). If I asked you to make a back-up copy of your MBR, retain that on your hard drive and it's also a good idea to burn it to CD for safekeeping, in the event You need to restore it.

    To remove Combofix and its quarantine folder:

    Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

    "%userprofile%\desktop\combofix.exe" /uninstall

    This will do the following:

    • Uninstall Combofix and all its associated files and folders.
    • Flush your system restore points and create a new restore point.
    • Re-hide your system files and folders
    • Reset your system clock

    ---

    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, allow it.

    2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most active malware in minutes.

    3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

    You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

    The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

    However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

    Finally, please review the additional suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

    Happy Surfing! :P

  8. Hi coffman1809,

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    Now we have to run Combofix again to get rid of some more items and unnecessary startups:

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

    2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

    3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

    4. Close All Open Windows and Browsers,

    DirLook::
    C:\JETFRM42
    C:\1234

    Folder::
    c:\program files\My.Freeze.com Toolbar\

    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D0523BB4-21E7-11DD-9AB7-415B56D89593}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
    [-HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
    [-HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
    [-HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=""
    "TkBellExe"=""
    "Adobe Reader Speed Launcher"=""
    "Adobe ARM"=""
    "iTunesHelper"=""
    "QuickTime Task"=""

    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

    Save this to your Desktop as CFScript.txt

    CFScriptB-4.gif

    Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (c:\1234.exe)

    This will cause ComboFix to run again.

    Please post back the log (C:\Combofix.txt) that opens when it finishes.

    Re-enable all active protection.

  9. Is this still happening?

    www.google.com/webhp keeps popping up

    Is D: your recovery partition, and if so, do you have your XP Installation CD?

    There's conflicting information in your logs so I need you to create and upload a file for me using MBRCheck

    You'll be running MBRCheck again, but this time from the command prompt.

    Open a Command Prompt (Start -> Run -> Type cmd, and hit Enter)

    Copy/paste the following (exactly as it is written) at the command line, and then hit Enter:

    cd "%userprofile%\desktop"

    Copy/paste the following (exactly as it is written) and hit Enter:

    MBRCheck.exe -s 0 -d dump.dat

    MBRCheck will run and you'll get this message:

    Dumping \\.\PhysicalDrive0 to dump.dat...

    Dumped successfully!

    Done!

    Press ENTER to exit...

    Press Enter to finish.

    Locate the following file MBRCheck created on your Desktop:

    dump.dat

    Can you please visit this submission webpage

    In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:

    http://forums.malwarebytes.org/index.php?s...=66928&st=0

    Next, in the "Browse to the file you want to submit:" box, browse to this file (on your desktop):

    c:\documents and settings\Nick Kruse\Desktop\dump.dat

    Then click 'Send File'

    Let me know when that has been done.
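Once dump.dat is in hand, this is how such a 512-byte MBR image can be triaged and diffed against a saved backup copy of the MBR. It is an added example for this thread, not the code of MBRCheck or mbr.exe; the two MBR images, the partition layout and the `build_mbr` helper are constructed test data that exist only to make the example run offline.

```python
"""Triage a 512-byte MBR dump (e.g. MBRCheck's dump.dat) and diff it against a backup.

Added example; not MBRCheck's or mbr.exe's code. The MBR images below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_SIZE = 440            # bootstrap code area, before the 4-byte disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Return the partition table, the boot-signature check and a hash of the code area."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", data[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": data[510:512] == BOOT_SIGNATURE,
            "code_sha256": hashlib.sha256(data[:CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def triage(current: bytes, backup: bytes) -> dict:
    """Compare a fresh dump against a known-clean backup of the same disk's MBR.

    An MBR bootkit must keep the partition table intact so the machine still boots,
    so the telltale pattern is: code area changed, partition table unchanged.
    """
    cur, old = parse_mbr(current), parse_mbr(backup)
    code_changed = cur["code_sha256"] != old["code_sha256"]
    table_changed = current[PART_TABLE_OFFSET:510] != backup[PART_TABLE_OFFSET:510]
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if sum(p["bootable"] for p in cur["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    if code_changed and not table_changed:
        findings.append("bootstrap code differs from backup while partition table is unchanged")
    return {"code_changed": code_changed, "table_changed": table_changed, "findings": findings}


def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a constructed 512-byte MBR image for testing (not a real dump)."""
    image = bytearray(MBR_SIZE)
    image[:len(code)] = code
    image[440:444] = b"\x12\x34\x56\x78"  # arbitrary disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        image[off:off + 16] = struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    image[510:512] = BOOT_SIGNATURE
    return bytes(image)


# Constructed layout resembling the thread's machine: bootable C: plus a data partition D:
TABLE = [(0x80, 0x07, 63, 40_000), (0x00, 0x07, 40_063, 20_000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, TABLE)
SUSPECT_MBR = build_mbr(b"\xeb\x1e\x90" + b"\xcc" * 200, TABLE)  # code replaced, same table

if __name__ == "__main__":
    print(triage(SUSPECT_MBR, CLEAN_MBR))
```

To use it on a real dump, read the 512 bytes of dump.dat and the backup with `open(path, "rb").read()` and pass them to `triage`.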

  10. Hi Nick,

    That report curiously looks OK, and it shows that Combofix did fix the items in the script I gave you to process it with.

    Please also download MBRCheck to your desktop

    http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

    • Double click MBRCheck.exe to run (Vista and Win 7 users should right-click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • a report called MBRcheck will be on your desktop
    • open this report
    • Right click on the screen and select > Select All
    • Press Control+C
    • now please copy that report to this thread

    Also, I want you to run TDSSKiller again and post the NEW log back here.

    You didn't respond to my question about whether the Recovery Console appears as Windows Startup Menu option when you reboot your computer.

    Please respond!!!!

    I'd like you to copy/paste into your next reply:

    1. MBRCheck.txt (on desktop)

    2. TDSSKiller Log

    3. Is Recovery Console installed and accessible? Can you boot to it?

    4. Copy/Paste this log, too:

    C:\Qoobox\ComboFix-quarantined-files.txt

  11. Did you redownload a NEW copy of Combofix and rename it as you downloaded it?

    I need you to run DDS.SCR again from a fresh copy by following these directions:

    Download DDS and save it to your desktop from here

    dds_scr.gif

    Disable any script-blocking and security programs you may have installed and then double-click dds.scr to run the tool.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop
    • Please copy and paste dds.txt into your next reply (do NOT attach and hold on to attach.txt for now).

    Also, please verify whether you can boot into the XP Recovery Console by restarting your system, cursoring to the "Microsoft Windows Recovery Console" option on the Start Up Options Menu, and hitting Enter.

    Please check to see if a log was created; even though it didn't open, it may be there:

    C:\Combofix.txt

    If it's there, immediately post it, then do the following:

    Do You see the Recovery Console option on the Windows start menu when you boot up now?

    Delete the Combofix.exe on your desktop:

    Running from: c:\documents and settings\Nick Kruse\Desktop\ComboFix.exe

    YOU NEED TO RENAME COMBOFIX AS FOLLOWS:

    Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before downloading Combofix!!

    http://www.bleepingcomputer.com/forums/topic114351.html

    Please download a NEW Combofix from HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • For Firefox
      • Open Firefox and click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • When downloading, choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

    Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    1. Now, launch Combofix by dragging the CFScript into it, that I gave you in my last reply.

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt

  13. Good Job, Nick!

    It looks like the TDSSKiller didn't get rid of your TDL4 bootkit after all, but Combofix did successfully disinfect it according to the log.

    Now we have to run Combofix again to get rid of more infected items and AVG remnants:

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

    2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

    3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

    4. Close All Open Windows and Browsers,

    Kill All::

    Driver::
    xvffes
    yquwkuue
    avg9wd
    AVG Security Toolbar Service

    File::
    c:\windows\system32\avgrsstx.dll
    c:\windows\system32\drivers\gbsand.sys

    Folder::
    c:\documents and settings\Yajaira Cruz\Local Settings\Application Data\AVG Security Toolbar
    c:\program files\AVG\

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"=-
    "SunJavaUpdateSched"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=-

    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\windows\system32\ctfmon .exe

    CFScriptB-4.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will cause ComboFix to run again.

    Please post back the log (C:\Combofix.txt) that opens when it finishes.

    Questions:

    1. Did You have Counterspy installed at one time because You still have that driver file on your system??

    2. Do you have a proxy set in Firefox?

    counterspy
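The RenV:: section above lists executables whose names have a space inserted before the extension ("adobearm .exe", "ctfmon .exe"). As an added example, not ComboFix's own implementation, the script below walks a folder tree, flags such names, and reports whether another file now holds the original name; the folder layout it scans is constructed in a temporary directory so it runs anywhere.

```python
"""Flag executables with a space before the extension, like "adobearm .exe".

Added example; not ComboFix's RenV:: code. The directory tree is constructed test data.
"""
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def find_spaced_executables(root) -> list:
    """Return one finding per executable whose stem ends in whitespace.

    In this pattern the legitimate file is pushed aside as "name .exe" and a
    different file takes the original "name.exe", so both paths are reported.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        if path.stem != path.stem.rstrip():
            original = path.with_name(path.stem.rstrip() + path.suffix)
            findings.append({
                "displaced": str(path),                       # the renamed original
                "impostor": str(original) if original.exists() else None,
            })
    return sorted(findings, key=lambda f: f["displaced"])


def build_sample_tree() -> str:
    """Create a constructed folder layout mimicking the RenV:: entries (test data only)."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    layout = {
        "Common Files/Adobe/ARM/1.0/adobearm .exe": b"MZ constructed: displaced original",
        "Common Files/Adobe/ARM/1.0/adobearm.exe": b"MZ constructed: file now using the original name",
        "system32/ctfmon .exe": b"MZ constructed: displaced, nothing took its name",
        "system32/notepad.exe": b"MZ constructed: clean, should not be reported",
    }
    for rel, content in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in find_spaced_executables(build_sample_tree()):
        print(finding)
```

Point the function at a real drive root (e.g. `find_spaced_executables(r"C:\Program Files")`) to review the results before deciding what to rename or quarantine.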

  14. That may have been the infection interfering with TDSSKiller. Let's hope it got it all - we'll be checking that it did.

    Your DDS.txt is showing a lot of infected items so please run this tool next - it will clear a lot of that mess out:

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and ALL antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove on-board components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a log file located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang!!!

    Please post C:\ComboFix.txt in your next reply.
