negster22 (Experts)
Posts: 1,157
Everything posted by negster22

  1. Hi Panda,

     Good job! Unfortunately you are not out of the clear yet!

     Please relaunch the antirootkit program in your C:\ARK folder by double-clicking the EXE located within the C:\ARK folder.
     After the quick scan finishes in a few seconds, click the ">>>" tab and this will reveal another set of tabs.
     Click the Registry tab.
     Now we are going to expand the Registry tree by clicking the + signs next to the keys I indicate, as follows:
     Click the "+" sign next to HKEY_LOCAL_MACHINE
     Click the "+" sign next to Services
     Click the "+" sign next to System
     Click the "+" sign next to CurrentControlSet
     Click the "+" sign next to Services
     Now a list of services will be displayed and arranged in numerical, then alphabetical order.
     In the list of services, locate the following service: xmlsvc
     Left-click this service, and you will see several fields of information displayed in the right pane such as: Image Path, Start, Type, etc.
     Next click the Export button, and you will be prompted for a filename and location to save this information to.
     Save it as filename: xmlsvc.txt
     Save it to your Documents folder.
     Exit the antirootkit program.
     Please upload/attach the file xmlsvc.txt in your next reply!

     We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a ComboFix script. It is important that you follow the next set of instructions precisely.
     Open Notepad by hitting Start -> Run, typing notepad into the Open: box, and then clicking OK.
     On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
     Copy/paste the text in the code box below into Notepad.
     Save this to your desktop as CFScript.txt by selecting File -> Save As.

     KillAll::

     Suspect::
     [75]C:\Windows\system32\zhzik.dll
     c:\windows\system32\drivers\bob.sys

     Netsvcs::
     xmlsvc

     Driver::
     xmlsvc

     Rootkit::
     C:\Windows\system32\zhzik.dll

     DirLook::
     c:\programdata\sentinel

     FileLook::
     c:\windows\system32\SigUpdRequest_1240996613.tmp
     c:\windows\RAVTC.TMP
     c:\windows\system32\drivers\bob.sys

     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
     Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe. This will cause ComboFix to run again.
     Please post back the log that opens when it finishes.
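     The registry walk in the post above is done by hand in the antirootkit GUI. What follows is an added example in PowerShell, not negster22's instructions and not a Malwarebytes tool, that does the same inspection of HKLM\SYSTEM\CurrentControlSet\Services programmatically: it exports one named service key (xmlsvc by default) to a text file in your Documents folder, flags services whose ImagePath points at a file that is no longer on disk, and lists LEGACY_* entries under Enum\Root that have no matching service key, which is the "Legacy_" residue the Avenger and ComboFix scripts elsewhere on this page delete. The service name, the output path and the random-looking-name heuristic are assumptions for illustration. Run it from an elevated Windows PowerShell prompt. One caveat a practitioner should keep in mind: a rootkit that hooks the registry API hides its key from this script exactly as it hides it from regedit, so a clean result here is not proof of a clean system; it is a cross-check against what the antirootkit tool reports.

```powershell
# Added example: inspect the Services tree and export one service key.
# Not part of the original post. Assumes Windows PowerShell run as Administrator.
param(
    [string]$ServiceName = 'xmlsvc',   # assumed: the service named in the post
    [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) "$ServiceName.txt")
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Resolve-ImagePath([string]$raw) {
    # ImagePath comes in several shapes: \??\C:\x.sys, \SystemRoot\system32\x.sys,
    # system32\drivers\x.sys (relative to %SystemRoot%), or an exe followed by arguments.
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    $p = $raw.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) } else { $p = $p.Trim('"') }
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s.*)?$') {
        $p = $Matches[1]                                  # drop "-k netsvcs" style arguments
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)    # %SystemRoot%\...
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceFindings {
    # One object per service whose image file is missing or whose name looks
    # machine-generated. The name heuristic is an assumption, not a rule: eight or
    # more letters with a vowel count of at most a quarter of the length
    # (ftepuvhv, gxvxc...) is flagged; expect a few legitimate false positives.
    foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $image = Resolve-ImagePath $props.ImagePath
        $why   = @()
        if ($image -and -not (Test-Path -LiteralPath $image)) { $why += "image not on disk: $image" }
        $vowels = ([regex]::Matches($name.ToLower(), '[aeiou]')).Count
        if ($name -match '^[a-z]{8,}$' -and $vowels -le [int]($name.Length / 4)) { $why += 'random-looking name' }
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Service = $name; Start = $props.Start; Type = $props.Type; Image = $image; Why = ($why -join '; ') }
        }
    }
}

function Get-OrphanedLegacyEntries {
    # LEGACY_<name> keys under Enum\Root are created by the PnP manager for non-PnP
    # drivers. One left behind with no matching Services key is the Legacy_xxx
    # residue that the Avenger and ComboFix scripts on this page remove.
    foreach ($key in Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -match '^LEGACY_(.+)$') {
            $svc = $Matches[1]
            if (-not (Test-Path -LiteralPath (Join-Path $servicesRoot $svc))) {
                New-Object PSObject -Property @{ LegacyKey = $key.PSChildName; MissingService = $svc }
            }
        }
    }
}

function Export-ServiceKey([string]$Name, [string]$Path) {
    # The same information the antirootkit's Export button writes: every value of
    # the service key and its subkeys (Parameters, Enum, ...) as plain text.
    $keyPath = Join-Path $servicesRoot $Name
    if (-not (Test-Path -LiteralPath $keyPath)) { return $false }
    $keys  = @(Get-Item -LiteralPath $keyPath) + @(Get-ChildItem -LiteralPath $keyPath -Recurse)
    $lines = foreach ($k in $keys) {
        "[$($k.Name)]"
        foreach ($v in $k.GetValueNames()) { "    $v = $($k.GetValue($v))" }
        ''
    }
    $lines | Out-File -FilePath $Path -Encoding ASCII
    return $true
}

Get-ServiceFindings       | Format-Table Service, Start, Type, Why -AutoSize
Get-OrphanedLegacyEntries | Format-Table LegacyKey, MissingService -AutoSize
if (Export-ServiceKey -Name $ServiceName -Path $OutFile) { "Exported $ServiceName to $OutFile" }
else { "No service named $ServiceName under $servicesRoot (hidden by a rootkit, or already removed)" }
```

     Save it as Inspect-Services.ps1 and run it as `.\Inspect-Services.ps1 -ServiceName xmlsvc`; the script only reads the registry and writes one text file, so it can be run before and after a ComboFix pass to confirm that the Driver:: and Netsvcs:: entries listed in the CFScript are actually gone.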
  2. Please follow the directions here:

     Please download ATF Cleaner by Atribune.
     Close Internet Explorer and any other open browsers.
     Double-click ATF-Cleaner.exe to run the program.
     Under Main choose: Select All
     Click the Empty Selected button.
     If you use Firefox browser:
     Click Firefox at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     If you use Opera browser:
     Click Opera at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     Click Exit on the Main menu to close the program.

     Relaunch Malwarebytes' Anti-Malware (MBAM).
     Click the Update tab and Check for Updates - then wait for MBAM to update.
     Click the Scanner tab, and select Perform Quick scan, then click Scan.
     When the scan is complete, click OK -> Show Results to view the scan results.
     Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
     When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
     _____________________________________________

     Download DDS and save it to your desktop from here.
     Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
     When done, DDS will open two (2) logs: DDS.txt and Attach.txt
     Save both reports to your desktop.
     Please copy and paste both logs into your next reply.

     To sum it up, I need to see:
     1. An updated MBAM log
     2. A HJT log
     3. DDS - DDS.txt & Attach.txt posted in your reply - not attached
  3. Hi Panda,

     Yes, please, I need to see the logs. Oftentimes you can think you're clean when you really aren't, or you may have an infection that reinstalls itself. The antirootkit program will not remove anything on its own, and if it did detect something I need to see that. ComboFix does remove known malicious software automatically, and I need to see that so I can ascertain what infection you had and if there are any active elements of it left. After seeing those logs I can give you a better indication of what infection you had and the implications.

     Thanks!
     neg
  4. Please give me some time to review your logs.

     Your first MBAM scan using database #2049 found and removed a rogue program called Personal Antivirus. Your next MBAM scan using database #2059 found and removed a registry entry:

     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2e59498d-7e44-4452-9044-0973b080b9e8} (Rogue.PersonalAntiVirus)

     It is possible that detection for the above key was added to the database after your initial scan. The above registry key does not pose a threat in and of itself, since there are no executable files related to it that were found. Let me see if there is anything in your DDS scan report that merits further investigation.
  5. You're welcome, jonasthern! Good job! I am glad that things worked out well for you.

     Please take the following measures to keep your system in good working order:

     Flush your system restore points so you have a suitable backup should you need to restore your system files:
     Turn off System Restore:
     On the Desktop, right-click My Computer.
     Click Properties.
     Click the System Restore tab.
     Check Turn off System Restore.
     Click Apply, and then click OK.
     Reboot.
     Turn System Restore back on:
     On the Desktop, right-click My Computer.
     Click Properties.
     Click the System Restore tab.
     UN-check *Turn off System Restore*.
     Click Apply, and then click OK.
     =================================

     Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

     1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.

     2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

     3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, then select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

     Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.
  6. The file MBAM kept flagging is gone, but unfortunately you are still infected.

     Please disable any script or registry blocking programs you may have running, such as Norton script blocking.

     Download The Avenger by Swandog46: http://swandog46.geekstogo.com/avenger2/download.php
     Unzip/extract it to a folder on your desktop.
     Double-click on avenger.exe to launch Avenger. Click OK.
     Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.
     Copy and paste the text in the code box into the Avenger's "Input Script here" box:

     Drivers to delete:
     ftepuvhv
     Legacy_ftepuvhv
     YWAUKOCD
     Legacy_YWAUKOCD
     AUJASNKJ
     Legacy_AUJASNKJ
     fajxrhge

     Files to delete:
     c:\windows\system32\drivers\ftepuvhv.sys
     c:\windows\system32\drivers\ywaukocd.sys
     c:\windows\system32\drivers\aujasnkj.sys
     c:\windows\system32\fajxrhge.dll

     Click the Execute button.
     You will be prompted with "Are you sure you want to execute the current script?" Click "Yes".
     You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?". Click "Yes".
     Your PC will reboot.
     After your PC has completed the necessary reboot, a log should automatically open. If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
     Please post the Avenger log, along with a new HijackThis log in your next reply.

     After Avenger reboots, immediately run a ComboFix scan and then post both the Avenger (C:\Avenger.txt) and ComboFix (C:\Combofix.txt) reports.
  7. Hi Panda - you have the same name as your AV - what a coincidence!

     I see a couple of anomalies in your DDS log but I want to run ComboFix to see if it finds anything else.

     Please rerun ATF Cleaner as follows.
     Close Internet Explorer and any other open browsers.
     Double-click ATF-Cleaner.exe to run the program.
     Under Main choose: Select All
     Click the Empty Selected button.
     If you use Firefox browser:
     Click Firefox at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     If you use Opera browser:
     Click Opera at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     Click Exit on the Main menu to close the program.
     Reboot.

     Download RootRepeal: http://rootrepeal.googlepages.com/RootRepeal.zip
     Extract the archive to a folder you create such as C:\RootRepeal
     Double-click RootRepeal.exe to launch the program (Vista users (you!) should right-click and select "Run as Administrator").
     Click the "File" tab (located at the bottom of the RootRepeal screen).
     Click the "Scan" button.
     In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
     Click OK and the file scan will begin.
     When the scan is done, there will be files listed, but most if not all of them will be legitimate.
     Click the "Save Report" button.
     Save the log file to your Documents folder.
     Post the content of the RootRepeal file scan log in your next reply.
     Reboot.

     Next, download this Antirootkit Program to a folder that you create such as C:\ARK\, by choosing the "Download EXE" button on the webpage.
     Disable the active protection component of your antivirus by following the directions that apply here - this can usually be accomplished by right-clicking your AV's system tray icon, and then selecting the disable feature from the context menu: http://www.bleepingcomputer.com/forums/topic114351.html
     Next, please perform a rootkit scan:
     Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
     When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
     When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
     Leave your system completely idle while this longer scan is in progress.
     When the scan is done, save the scan log to the Windows clipboard.
     Open Notepad or a similar text editor.
     Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
     Exit the program.
     Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

     Please download ComboFix from one of these locations: HERE or HERE
     I want you to rename ComboFix.exe as you download it to a name of your choice such as platypus.exe
     Notes:
     It is very important that you save the newly renamed EXE file to your desktop.
     You must rename ComboFix.exe as you download it and not after it is on your computer.
     You may have to modify your browser settings if you use Firefox, so you can rename ComboFix.exe as you download it. To do that:
     Open Firefox
     Click Tools -> Options -> Main
     Under the downloads section check the button that says "Always ask me where to save files".
     Click OK
     For Internet Explorer:
     Choose to save, not open the file.
     When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
     Here is a tutorial that describes how to download, install and run ComboFix more thoroughly. Please review it.
     http://www.bleepingcomputer.com/combofix/how-to-use-combofix

     Very Important!
     Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective: http://www.bleepingcomputer.com/forums/topic114351.html
     Also, disable your firewall! You can enable the Windows firewall in the interim, until the scan is complete.
     Note: The above tutorial does not tell you to rename ComboFix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching ComboFix.

     Running ComboFix
     In the event you already have ComboFix, please delete it as this is a new version.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     1. Double-click on the renamed combofix.exe (platypus.exe) & follow the prompts.
     2. When finished, it will produce a logfile located at C:\ComboFix.txt
     3. Post the contents of that log in your next reply with a new HijackThis log.
     Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
     Do not proceed with the rest of the fix if you fail to run ComboFix.

     Please post the RootRepeal log, your antirootkit log (ARK.txt), C:\ComboFix.txt, and a new HJT log in your next reply.
  8. You're welcome. Reformatting is not a bad idea considering the seriousness of the threat you had.

     FYI: http://www.threatexpert.com/report.aspx?md...ab0dc44c03a468c

     You should also change all passwords from a known clean computer since you did have an infostealer installed.
  9. By comparing your "before and after" logs it appears you are clean now! Good job!

     I would like to know two things please! In reference to my previous instructions where I said this in reference to running RootRepeal:

     When you said in return about RootRepeal that

     1. Did it find the SYS file by using the driver scan OR with the longer file scan?
     2. Did you perform the "wipe file" operation on the G**.SYS file you found, as instructed?

     BTW, the threat you had was a DNS hijacker that was hidden by a rootkit (cloaking program) to prevent its removal.

     I just want to do one more antivirus scan to get a second opinion in order to verify that your system is clean.

     Please perform a scan with the ESET online virus scanner: http://www.eset.com/onlinescan/index.php
     ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
     Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
     Check the "Yes, I accept the terms of use" box.
     Click "Start".
     Check the following two boxes:
     enable "Remove found threats"
     Scan unwanted applications
     Click the Scan button to begin scanning.
     When the scan is done the log is automatically saved. To retrieve it:
     Close the ESET scan window.
     Now open a run line by clicking Start >> Run...
     Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
     The scan results will now display in Notepad.
     Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

     Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected Mode). To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck the "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com URL to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com URL to the exceptions list for cookie blocking.
  10. You were infected with a CLB rootkit. There are many variants: TDSS, Seneka, UAC, and GAOPDX. You were infected with the last type listed here: http://vil.nai.com/vil/content/v_154186.htm

     Now, I have to wade through your logs so please be patient for a while.

     I noticed you said you ran "malware" in safe mode. Did you mean Malwarebytes' MBAM? MBAM is not meant to be run in safe mode because it detects active malware, and in safe mode some but not all threats may not be running.
  11. Thanks for following directions so well. You have a rootkit DNS hijacker.

     Relaunch RootRepeal
     * Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
     * Click the "Driver" tab (located at the bottom of the RootRepeal screen).
     * Click the "Scan" button.
     * Click OK and the Driver scan will begin.
     * When the scan is done, there will be drivers listed, but most if not all of them will be legitimate.
     * Hidden drivers will bear a "File Visible: No" label and this is what we are looking for (note: some hidden drivers may be legit).
     * If the following hidden driver is listed, or a similar gxxx.SYS file that begins with a "g" and has a ridiculously long name, select it - then right-click the driver and choose "Wipe file":
       C:\WINDOWS\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
     * Click "Save Report".
     * Save the log file to your Documents folder as RRDrivers4-20-09.txt
     * Post the content of the RootRepeal driver scan log in your next reply.

     If you were unable to locate the malicious driver using a driver scan with RootRepeal, try doing the longer file system scan like you did before:
     Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
     Click the "File" tab (located at the bottom of the RootRepeal screen).
     Click the "Scan" button.
     In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
     Click OK and the file scan will begin.
     When the scan is done, there will be files listed, but most if not all of them will be legitimate.
     Click the "Save Report" button.
     Save the log file to your Documents folder.
     Post the content of the RootRepeal file scan log in your next reply.

     Reboot immediately if you did the wipe file operation. If not, just move on to the next step.

     Perform an updated MBAM scan, only if you were able to locate and wipe the malicious driver (SYS file).
     Post the RootRepeal log and the MBAM scan report as soon as you get them.

     Please download ComboFix from one of these locations:
     http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     http://subs.geekstogo.com/ComboFix.exe
     I want you to rename ComboFix.exe as you download it to a name of your choice such as springishere.exe
     Notes:
     * It is very important that you save the newly renamed EXE file to your desktop.
     * You must rename ComboFix.exe as you download it and not after it is on your computer.
     You may have to modify your browser settings if you use Firefox, so you can rename ComboFix.exe as you download it. To do that:
     o Open Firefox
     o Click Tools -> Options -> Main
     o Under the downloads section check the button that says "Always ask me where to save files".
     o Click OK
     * For Internet Explorer:
     o Choose to save, not open the file.
     o When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
     Here is a tutorial that describes how to download, install and run ComboFix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

     Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective: http://www.bleepingcomputer.com/forums/topic114351.html
     Note: The above tutorial does not tell you to rename ComboFix as I have instructed you to do in the following instructions, so make sure you complete the renaming step before launching ComboFix.

     Running ComboFix
     In the event you already have ComboFix, please delete it as this is a new version.
     * Close any open browsers.
     * Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     1. Double-click on the renamed combofix.exe & follow the prompts.
     2. When finished, it will produce a logfile located at C:\ComboFix.txt
     3. Post the contents of that log in your next reply with a new HijackThis log.
     Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
     Do not proceed with the rest of the fix if you fail to run ComboFix.

     Please post a new MBAM log, C:\ComboFix.txt and the RootRepeal log in your next reply.
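     The post above names the threat, a DNS hijacker kept alive by a hidden driver, but the steps only verify that the driver is gone. The block below is an added example in PowerShell, not part of negster22's instructions and not a Malwarebytes tool, that checks the thing such a hijacker actually changes: which resolvers each adapter is using, whether a hard-coded NameServer value in the Tcpip registry is overriding what DHCP hands out, and what the hosts file maps. The $Expected parameter, the verdict labels and the use of RFC 1918 ranges as "probably yours" are assumptions for illustration; the script only reads, so it can be run before the RootRepeal wipe and again after the ComboFix pass to confirm the settings were actually reverted rather than merely the driver deleted.

```powershell
# Added example: show where this host's DNS resolution is pointed. Not part of the
# original post. Assumes Windows PowerShell with WMI (any XP/Vista/7 host) and that
# you pass the resolvers you know are legitimate (router, ISP, corporate) in -Expected.
param([string[]]$Expected = @())

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 and loopback ranges: a home or office resolver normally lives here.
    return ($ip -match '^10\.' -or $ip -match '^192\.168\.' -or
            $ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or $ip -match '^127\.')
}

function Get-DnsFindings {
    # One object per configured resolver with a verdict: expected (you listed it),
    # private (RFC 1918, probably your router), or a public address you did not
    # list, which is where a hijacker sends every lookup the victim makes.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        foreach ($dns in @($a.DNSServerSearchOrder)) {
            if (-not $dns) { continue }
            $verdict = 'UNEXPECTED public resolver'
            if ($Expected -contains $dns) { $verdict = 'expected' }
            elseif (Test-PrivateIPv4 $dns) { $verdict = 'private' }
            New-Object PSObject -Property @{
                Adapter = $a.Description; Resolver = $dns; DhcpEnabled = $a.DHCPEnabled; Verdict = $verdict }
        }
    }
}

function Get-StaticNameServers {
    # A DHCP-enabled interface with a hard-coded NameServer value is the classic
    # footprint: the router hands out one resolver, the registry overrides it.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $global = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).NameServer
    if ($global) {
        New-Object PSObject -Property @{ Interface = '(global)'; NameServer = $global; DhcpEnabled = $null }
    }
    foreach ($k in Get-ChildItem -Path "$base\Interfaces" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($p.NameServer) {
            New-Object PSObject -Property @{
                Interface = $k.PSChildName; NameServer = $p.NameServer; DhcpEnabled = ($p.EnableDHCP -eq 1) }
        }
    }
}

function Get-HostsOverrides {
    # Every non-comment mapping in the hosts file. Entries that point security
    # vendors' update sites at 127.0.0.1 or a stranger's server are a common way
    # the same malware families keep the victim from getting help.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -Path $hosts -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $parts = $t -split '\s+'
        if ($parts.Length -lt 2) { continue }
        New-Object PSObject -Property @{ Address = $parts[0]; Names = ($parts[1..($parts.Length - 1)] -join ' ') }
    }
}

Get-DnsFindings       | Format-Table Adapter, Resolver, DhcpEnabled, Verdict -AutoSize
Get-StaticNameServers | Format-Table Interface, NameServer, DhcpEnabled -AutoSize
Get-HostsOverrides    | Format-Table Address, Names -AutoSize
```

     Run it as `.\Check-Dns.ps1 -Expected 192.168.1.1, 8.8.8.8` with your own resolvers in place of those two. A public resolver that you did not list is not automatically malicious (an ISP's servers are public), but on a machine that was just cleaned of a DNS hijacker, any resolver you cannot account for should be explained before the system is declared clean, and "DhcpEnabled = True" alongside a non-empty NameServer is the specific combination to look for.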
  12. You're welcome!

     A couple of questions first - Is this a program that you intentionally installed and are familiar with?
     [RockBot] C:\Program Files\rock\rockbot.exe

     This indicates you ran ComboFix twice:
     ComboFix2.txt 2009-04-27 22:11
     Why was it necessary to run ComboFix more than once?

     We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a ComboFix script. It is important that you follow the next set of instructions precisely.
     Open Notepad by hitting Start -> Run, typing notepad into the Open: box, and then clicking OK.
     On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
     Copy/paste the text in the code box below into Notepad.
     Save this to your desktop as CFScript.txt by selecting File -> Save As.

     KillAll::

     Folder::
     c:\documents and settings\NetworkService\Application Data\pvswvxgp
     c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp
     c:\documents and settings\rhonda\Application Data\pvswvxgp
     c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp

     File::
     C:\74.tmp
     c:\windows\system32\drivers\ywaukocd.sys
     C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat

     Driver::
     ywaukocd
     aujasnkj
     Legacy_ywaukocd
     Legacy_aujasnkj

     NetSvcs::
     fajxrhge

     Now, disable your Norton Antivirus active protection and any script blocking programs you may have running, such as Norton Script Blocking.
     Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (cartwheel.exe on your desktop). This will cause ComboFix to run again.
     Please post back the log that opens when it finishes (C:\Combofix.txt).

     Relaunch Malwarebytes' Anti-Malware (MBAM).
     Click the Update tab and Check for Updates - then wait for MBAM to update.
     Click the Scanner tab, and select Perform Quick scan, then click Scan.
     When the scan is complete, click OK -> Show Results to view the scan results.
     Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
     When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
  13. Hi and Welcome,

     Please download ATF Cleaner by Atribune.
     Close Internet Explorer and any other open browsers.
     Double-click ATF-Cleaner.exe to run the program.
     Under Main choose: Select All
     Click the Empty Selected button.
     If you use Firefox browser:
     Click Firefox at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     If you use Opera browser:
     Click Opera at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     Click Exit on the Main menu to close the program.

     Download RootRepeal: http://rootrepeal.googlepages.com/RootRepeal.zip
     Extract the archive to a folder you create such as C:\RootRepeal
     It is very important that you disable your Norton Antivirus now - before running a scan.
     Double-click RootRepeal.exe to launch the program.
     Click the "File" tab (located at the bottom of the RootRepeal screen).
     Click the "Scan" button.
     In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
     Click OK and the file scan will begin.
     When the scan is done, there will be files listed, and most if not all of them will be legitimate.
     Click the "Save Report" button.
     Save the log file to your Documents folder.
     Post the content of the RootRepeal file scan log in your next reply.
     Re-enable your Norton Antivirus.

     Remove MBAM from your system. Then redownload the MBAM installer and rename it as you download it from mbam-setup.exe to bambisetup.exe
     Note: You must rename the installer as you download it and not after it is on your computer. You may have to modify your browser settings so you can rename it as you download it. To do that:
     For Firefox:
     Click Tools -> Options -> Main
     Under the downloads section check the button that says "Always ask me where to save files".
     Click OK
     For Internet Explorer:
     Choose to save, not open the file.
     When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
     Now, double-click bambisetup.exe to install MBAM but do not update or run a scan. Close it immediately once MBAM is installed.
     Then rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"
     Now, launch MBAM by double-clicking newyork.exe in the MBAM folder.
     Select the Update tab -> Check for Updates.
     After MBAM updates, select the Scanner tab.
     Select Perform quick scan, then click Scan.
     When the scan is complete, click OK -> Show Results to view the scan results.
     Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
     When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
     NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

     Download DDS and save it to your desktop from here.
     Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
     When done, DDS will open two (2) logs: DDS.txt and Attach.txt
     Save both reports to your desktop.
     Please copy and paste both logs into your next reply - do NOT attach them.
     ===============================================================

     Please post the MBAM log, the RootRepeal log, the DDS scan reports (do NOT attach), and a new HJT log.
  14. You're welcome, Alana. It was a pleasure to work with you.
  15. You're welcome! I am reviewing your logs now, but please do the following for me in the meantime:

     Please run Option 1 of this tool and post back the log that is generated.
  16. You're welcome, but I am not seeing anything wrong in your logs. You didn't answer this question I asked that would perhaps shed more light on your problems:

     You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 13:
     1. Download the latest JRE version at the Sun Microsystems website: http://java.sun.com/javase/downloads/index.jsp
     2. Select the option that says: Java SE Runtime Environment (JRE) 6 Update 13 - "This release includes several key security updates, the highly anticipated 64-bit Java Plug-In (for 64-bit browsers only), Windows Server 2008 support, and performance improvements of Java and JavaFX applications", and click the Download button.
     3. Select your platform: Windows, in the pull-down menu.
     4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."
     5. Click Continue.
     6. Under the Windows Platform - Java SE Runtime Environment 6 Update 13 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.
     7. Close any programs you may have running - especially your web browser.
     8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Programs feature (as they may contain security vulnerabilities).
  17. Hi and Welcome to the Malwarebytes' forum.

     Please download ATF Cleaner by Atribune.
     Close Internet Explorer and any other open browsers.
     Double-click ATF-Cleaner.exe to run the program.
     Under Main choose: Select All
     Click the Empty Selected button.
     If you use Firefox browser:
     Click Firefox at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     If you use Opera browser:
     Click Opera at the top and choose: Select All
     Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     Click Exit on the Main menu to close the program.
     Reboot.

     Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
     Disable the active protection component of your antivirus by following the directions that apply here: http://www.bleepingcomputer.com/forums/topic114351.html
     Next, please perform a rootkit scan:
     Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
     When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
     When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
     Leave your system completely idle while this longer scan is in progress.
     When the scan is done, save the scan log to the Windows clipboard.
     Open Notepad or a similar text editor.
     Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
     Exit the program.
     Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

     Please download ComboFix from one of these locations: HERE or HERE
     I want you to rename ComboFix.exe as you download it to a name of your choice such as cartwheel.exe
     Notes:
     It is very important that you save the newly renamed EXE file to your desktop.
     You must rename ComboFix.exe as you download it and not after it is on your computer.
     You may have to modify your browser settings if you use Firefox, so you can rename ComboFix.exe as you download it. To do that:
     Open Firefox
     Click Tools -> Options -> Main
     Under the downloads section check the button that says "Always ask me where to save files".
     Click OK
     For Internet Explorer:
     Choose to save, not open the file.
     When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
     Here is a tutorial that describes how to download, install and run ComboFix more thoroughly. Please review it: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

     Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective: http://www.bleepingcomputer.com/forums/topic114351.html
     Also, disable your firewall! You can enable the Windows firewall in the interim, until the scan is complete.
     Note: The above tutorial does not tell you to rename ComboFix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching ComboFix.

     Running ComboFix
     In the event you already have ComboFix, please delete it as this is a new version.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     1. Double-click on the renamed combofix.exe & follow the prompts.
     2. When finished, it will produce a logfile located at C:\ComboFix.txt
     3. Post the contents of that log in your next reply with a new HijackThis log.
     Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
     Do not proceed with the rest of the fix if you fail to run ComboFix.

     Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"
     Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
     Select the Update tab -> Check for Updates.
     After MBAM updates, select the Scanner tab.
     Select Perform quick scan, then click Scan.
     When the scan is complete, click OK -> Show Results to view the scan results.
     Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
     When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
     NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

     Please post C:\ComboFix.txt, your antirootkit log (ARK.txt), and a new MBAM log in your next reply.
  18. Hello and Welcome to Malwarebytes' Malware Removal forum.

It looks like MBAM cleaned the personal antivirus threat - are you still experiencing problems?

Please download ATF Cleaner by Atribune
* Close Internet Explorer and any other open browsers
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Relaunch Malwarebytes' Anti-Malware
* Click the Update tab and Check for Updates - then wait for MBAM to update
* Click the Scanner tab, and select Perform Quick scan, then click Scan.
* When the scan is complete, click OK -> Show Results to view the scan results.
* Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
* When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

_____________________________________________

Download DDS and save it to your desktop from here
Disable any script blocking programs you may have installed (such as Norton or McAfee script blocking), and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
* DDS.txt
* Attach.txt
Save both reports to your desktop.
Please copy and paste both logs into your next reply.

To sum it up, I need to see:
1. An updated MBAM log
2. A HJT log
3. DDS - DDS.txt & Attach.txt posted in your reply - not attached
  19. Hello and welcome to Malwarebytes' Forum

Let's run some more tools.

Please download ATF Cleaner by Atribune
* Close Internet Explorer and any other open browsers
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

_____________________________________________

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:
BestTechie.net http://www.besttechie.net/tools/mbam-setup.exe
or MajorGeeks.com: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end of the install, place a checkmark next to the following two options:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
* Click Finish.
* MBAM will automatically update, if the above options are checked.
* Once the program launches, select Perform quick scan, then click Scan.
* When the scan is complete, click OK -> Show Results to view the scan results.
* Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
* When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

____________

Download ComboFix from one of these locations: Link 1 Link 2 Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions for disabling the active protection component of the most common antivirus programs can be found here: http://www.bleepingcomputer.com/forums/topic114351.html
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
* Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
* When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HJT log.

===============================================================

Please post the MBAM log, C:\ComboFix.txt, and a new HJT log.
  20. Hello and welcome to Malwarebytes forum!

What sort of problem are you experiencing - please describe fully the symptoms and whether you used any scanners prior to posting. If so, did the scanners detect any threats, and if so, did you save the logs?

Let's run some more tools.

Please download ATF Cleaner by Atribune
* Close Internet Explorer and any other open browsers
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

_____________________________________________

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:
BestTechie.net http://www.besttechie.net/tools/mbam-setup.exe
or MajorGeeks.com: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end of the install, place a checkmark next to the following two options:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
* Click Finish.
* MBAM will automatically update, if the above options are checked.
* Once the program launches, select Perform quick scan, then click Scan.
* When the scan is complete, click OK -> Show Results to view the scan results.
* Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
* When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

____________

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

____________

Download DDS and save it to your desktop from here
Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
* DDS.txt
* Attach.txt
Save both reports to your desktop.
Please copy and paste both logs into your next reply - do NOT attach them.

===============================================================

Please post the MBAM log, the DDS scan reports (do NOT attach), and a new HJT log.
  21. Hello and Welcome to Malwarebytes' Malware Removal forum.

First, go to the Control panel - Programs and Features and remove the ALOT Toolbar.

Please download ATF Cleaner by Atribune
* Close Internet Explorer and any other open browsers
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Relaunch Malwarebytes' Anti-Malware
* Click the Update tab and Check for Updates - then wait for MBAM to update
* Click the Scanner tab, and select Perform Quick scan, then click Scan.
* When the scan is complete, click OK -> Show Results to view the scan results.
* Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
* When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

_____________________________________________

Download DDS and save it to your desktop from here
Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
* DDS.txt
* Attach.txt
Save both reports to your desktop.
Please copy and paste both logs into your next reply - please do NOT attach them!

Please run this tool by right-clicking it and choosing "Run as Administrator". Choose Option 1 and post back the log that is generated.

To sum it up, I need to see:
1. An updated MBAM log
2. A HJT log
3. DDS - DDS.txt & Attach.txt posted in your reply - not attached
4. The tool log
  22. Good job, Alana! Your computer is clean now.

Thank you for the file submission. The antirootkit scan results are perfect.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line (include the quotes) into the Open box and click OK.
"%userprofile%\desktop\Trajectory.exe" /u

Note: You will have to issue the above command for all renamed combofix EXEs that you have launched. For example, to remove gadget.exe and its associated files, repeat the above - but copy/paste the following on the run line and then click OK:
"%userprofile%\desktop\gadget.exe" /u

This will do the following:
* Uninstall Combofix and all its associated files and folders.
* It will flush your system restore points and create a new restore point.
* It will rehide your system files and folders
* Reset your system clock

Also, delete the following folders and their contents:
C:\Avenger\
C:\ARK\

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing!
  23. Avenger seems to have done the job all right!!

Before deleting anything (and partying), I'd like to get some malware samples of the files removed on your computer by Avenger. Avenger creates a backup archive of all files and registry entries it removes in this location: C:\avenger\backup.zip

Can you please visit this submission webpage
* In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows: http://www.malwarebytes.org/forums/index.p...amp;#entry76587
* Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box: C:\avenger\backup.zip
  Or just browse to that location in your file system by clicking the "Browse" button.
* Then click 'Send File'

Let me know when that has been done, and thank you! This will enable us to improve MBAM's detection and removal capabilities.

The process you're referring to, CF31775.exe, is indeed part of Combofix, and it is only a renamed copy of cmd.exe that is running. You can safely end that, but you may just want to perform the following instructions, as it will not relaunch on reboot.

I'd also like you to clean all your temps with ATF Cleaner, again. Then disable all active protection. Then reboot and run another "Rootkit/Malware" scan by launching the randomly named EXE in your C:\ARK folder. Please save the antirootkit scan log by copying and pasting it to a Notepad file, and then paste the results back in your next reply.

Re-enable all active protection.
  24. Good job, Terry! Your computer is clean now.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.
"%userprofile%\desktop\combofix.exe" /u

This will do the following:
* Uninstall Combofix and all its associated files and folders.
* It will flush your system restore points and create a new restore point.
* It will rehide your system files and folders
* Reset your system clock

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing!