negster22

Experts

Posts: 1,157

Posts posted by negster22

  1. Check in Add/Remove Programs to see if you have Java installed. If so

    Click Start > Settings > Control Panel.

    Double-click the Java icon (Coffee Cup) so the Java Control Panel appears.

    Click the Update tab.

    Click Update Now

    Click OK

    What Happens?

    Please check to see if your inability to scan with Secunia Security Inspector happens in all three of your browsers:

    1. Internet Explorer

    2. Chrome - FYI: You need a Plug-in so if you are testing in Chrome it won't run

    http://www.java.com/en/download/faq/chrome.xml

    3. Firefox

  2. That should do it. Everything that user account owned is located in subfolders off that folder branch.

    We have a few steps to finish up now.

    You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) Version 6 Update 29 - if you have not done that already.

    You can check your currently installed JRE version here.

    If you find you need to update your Java Runtime Environment (JRE), then follow these steps:

    1. Download the latest JRE version by clicking the "Download Java Now" button, followed by the "Agree and Start Free Download" Button.

    2. Save the installer to your desktop or default browser download folder.

    3. Close any programs you may have running - especially your web browser.

    4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

    5. Reboot your system

    6. Then with Windows up & running again, double-click on the installer you just downloaded jre-6u29-windows-i586-iftw.exe to install the newest version of the Sun Java Platform

    7. NOTE: "Install the Ask Toolbar" is prechecked by default, so be sure to UNCHECK it, if you do not care to have it - it is NOT part of the JRE install and it is NOT required for any Java applications.

    8. You may verify that the current version of Java installed properly by clicking http://java.com/en/download/installed.jsp here.

    --------------------

    Now clear the Java cache, again:

    After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

    We have to perform a few "housekeeping" steps to remove the clean-up tools that we used!!

    If I asked You to download OTL, TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

    To remove Combofix and its quarantine folder:

    Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

    combofix /uninstall

    This will do the following:

    • Uninstall Combofix and all its associated files and folders.
    • Flush your system restore points and create a new restore point.
    • Rehide your system files and folders
    • Reset your system clock
    • Disable autorun to prevent you from contracting USB transferred infections. You can still access all plugged in devices via My Computer (or Computer in Vista & W7) or by hitting the (Windows key + E) simultaneously to open Windows Explorer.

    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Windows Operating System, flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, allow it.

    2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

    3. You should set your computer to download and install updates automatically so you will be relieved of the responsibility of doing this manually on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

    Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment (to be read at your leisure):

    http://spywarehammer.com/simplemachinesforum/index.php?topic=398.0

    HAPPY SURFING!!

  3. Hi and Welcome to the Malwarebytes Forum,

    Please follow the directions HERE and copy/paste the requested logs in your next reply.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
      This is the executable version:
    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  4. Hi and Welcome,

    Yes, if you have MBAM Pro, you should still have an antivirus, too.

    Re: Webroot please follow the directions that pertain here (or are you speaking of a fake program masquerading as a legit antivirus):

    http://support.webroot.com/app/answers/detail/a_id/1761

    Download my Security Check from here or here.

    Download SecurityCheck and save it to your desktop:

    http://screen317.spywareinfoforum.org/SecurityCheck.exe

    • Right-click SecurityCheck.exe and select "Run as Administrator"
    • Follow the onscreen instructions inside of the black box.
    • When it is finished, a Notepad document will open automatically.
    • Please post the contents of that document, checkup.txt in your next reply.

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Right-Click the renamed ComboFix.exe on your desktop and Select "Run as Administrator":

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading normally, the Advanced Options Menu should appear;
    • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
    • Choose your usual account, and launch Combofix as directed above.

  5. Glad you like Chrome's speediness!

    Let me address this:

    Even after renaming it DNS-RESET.bat, it just opens notepad and shows.

    Running this script is not critical but it may help to speed things up a bit. Apparently, XP is seeing it as a text file & defaulting to opening it with Notepad (as opposed to running it as an executable file). The icon on your desktop should look like a gear (spoked wheel) and not have a TXT file icon. You can try the following options:

    1. When it is open in Notepad:

    • Click File -> Save as
    • In the File Name field, make sure it says only "DNS-RESET.bat" (no quotes of course) and then save it.
    • In the "Save as Type" pull down menu set the File Type to "All Files (*.*)"
    • Click Save.

    Try to Double-click DNS-RESET.bat on your desktop to run it again.

    OR

    2. Right-click DNS-RESET.bat on your desktop & select "Open" (does it execute by opening a Command Prompt Window with executing code or does it open in Notepad?)

  6. You should use TFC regularly to clear out temp files and unnecessary clutter that is apt to drag your browser down. Forgot we had already used it!

    Let's see if the batch file uploads this time if not I'll just give you the code with instructions on how to create & run the batch file.

    OK on my second attempt, I see what is happening. I believe a file with a bat file extension cannot be uploaded, so I made it a TXT file instead.

    Just rename DNS-RESET.txt => DNS-RESET.bat and then double-click DNS-RESET.bat to run it.

    Next, download & test out Google Chrome to see if you can pick up any significant speed.

    DNS-RESET.txt

  7. Hi and Welcome to the Malwarebytes' Forum,

    A lone registry trace has absolutely no impact on the state of your system.

    For browser sluggishness -

    Clean your temp files etc with this temporary file cleaner as follows:

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time

    Let's dig deeper to see if there is anything else lingering to cause the slowness in your system. Are you having any other problems besides browser sluggishness. Is your PC slow in general or just when you use the internet?

    Please perform the steps requested in this topic and copy/paste back the requested logs. Thanks!

    I'm infected - What do I do now?

  8. Hi GraveDigger,

    We'll answer your user account question later, if you don't mind.

    First of all, the active infection on your PC appears to be gone. Your ESET log shows nothing other than system restore remnants & Combofix quarantine items, so that is great news.

    For browser sluggishness -

    Clean your temp files etc with this temporary file cleaner as follows:

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time

    Next, download the attached file (DNS-RESET.bat) to your desktop.

    • Disable Microsoft Security Essentials
    • Double-click DNS-Reset.bat to run it
    • A black command window will open temporarily, allow the script to complete.
    • Re-enable Microsoft Security Essentials

    Please try running Google Chrome to see if that speeds things up. Many have success with that program in curing browser lagginess:

    http://www.google.com/chrome

  9. Good Job!

    The MSRT log is clean!

    As you can see Combofix found and deleted a lot of infected items so that is good news. Are you still being redirected?

    I did notice an infected service in your Combofix log that I want to remove. To do that open a Command Prompt:

    Click Start --> Run, Type cmd

    Hit Enter

    Copy/paste this command exactly as shown:

    sc stop wyibviqo

    Hit Enter (you may get an error because the service should already be stopped)

    Copy/paste this command exactly as shown

    sc delete wyibviqo

    Hit Enter

    Close the Command Window

    Please perform a scan with the ESET online virus scanner

    You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active threats, so don't worry:

    Navigate to the following url using Internet Explorer:

    http://www.eset.com/onlinescan/index.php

    • ESET recommends disabling your resident antivirus's auto-protection feature (MSE) before beginning the scan to avoid conflicts and system hangs
    • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start"
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box to "Remove found threats" is CHECKED!!
    • Click "Start"
    • Allow the definition database to install
    • Click "Scan"

    When the scan is done:

    • Do NOT choose the option to uninstall the ESET Online Scanner with all its components because you need to retain the scan log for posting.
    • Please post the scan report in your next reply. It can be found in this location:
      C:\Program Files\EsetOnlineScanner\log.txt
    • You can remove the ESET Online Scanner using the Windows Control Panel - Add/Remove Programs feature

  10. I just saw your questions here:

    a few quick questions - are you suggesting that I find the .exe file for QQ on my home computer and send to my work computer and try running? I guess the assumption would be that something is happening during the download, because it is literally the same install file from the same website.

    Yes, I am suggesting that you use the same installer that works at home. You probably had an incomplete or corrupt download (possibly caused by restrictions on your work computer or McAfee blocking).

    what exactly does the DDS do?

    DDS, is an acronym for "doesn't do squat". DDS examines key areas of your system that malware commonly targets and then it creates a log of its findings. It was aptly named DDS (doesn't do squat) because it does not alter your system in anyway - it just reports what it sees so we can use it as an aid in troubleshooting your computer.

  11. It is most likely not a threat. I just downloaded the installer named QQIntl1.1.exe from:

    http://www.imqq.com/

    I scanned with both ESET & Malwarebytes and neither sees it as a threat. Also scanned with sigcheck and this is a digitally signed file so highly unlikely anything within it is malicious

    Double-check the name of the installer to make sure it corresponds with what I got. If so, the most likely scenario is that you are being blocked on your work computer. qq.exe is probably the main chat application EXE file that is extracted from the installer and called to run when you invoke the program.

  12. You may have to modify your browser settings if you use Firefox, so you can rename the file as you download it. To do that:

    Open Firefox

    Click Tools -> Options -> Main

    Under the downloads section check the button that says "Always ask me where to save files".

    Click OK

    For Internet Explorer:

    Choose to save, not open the file

    When prompted - save the file to your desktop, and rename it iexplore.exe.

    Looks like you use Firefox so the above should help.

  13. Hi and Welcome to Malwarebytes' Forum,

    It could be that McAfee is blocking the install and perhaps this is a good thing -

    FYI qq.exe is very often a threat:

    http://www.threatexpert.com/files/qq.exe.html

    http://www.bleepingcomputer.com/startups/QQ.exe-11014.html

    What instant messaging program are you attempting to download? If you have a trusted installer from the IM Program Vendor site on your home PC, I suggest you transfer that to your work PC and run it. Work computers often have restrictions in place through group policy settings and that may explain why DDS won't run. Then again, I have seen AVs completely nip DDS in the bud, so again, McAfee must be completely disabled because it is the most likely culprit that is preventing DDS from running.

  14. Now for some additional instructions - but just a general note - when I tell you to download something to the infected PC, it is really better if you download the troubleshooting program in question to a clean PC and transfer it to the infected PC via an otherwise empty USB Flash drive or other media.

    First, I want you to clear the Java cache:

    Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

    As the Java cache can be an infection repository, you can quickly scan it periodically for infectious elements by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

    The location of this folder is:

    In XP:

    C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

    Reset Internet Proxy Settings if they were altered by the infection for all browsers you use by following these directions:

    http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=166875

    Download and run a complete scan with the Microsoft Malicious Removal Tool:

    Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

    Save and Rename it as You download it to explorer.exe

    Double-click explorer.exe on your Desktop to run it

    In the "Scan Type" selection window, select "Full Scan"

    Perform a Full scan and then click Finish when the scan is done.

    Retrieve the MSRT log as follows, and post it in your next reply:

    1) Click on Start, Run

    2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

    notepad c:\windows\debug\mrt.log

    You can use this tutorial as a guide, then attach the resulting scan report to your next reply:

    http://secure-computer-solutions.com/blog/2010/09/scanning_and_removing_malware.html

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading normally, the Advanced Options Menu should appear;
    • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
    • Choose your usual account, and launch Combofix as directed above.

    =============

    NOTE: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    -------------------

    Please copy/paste the following into your next reply:

    c:\windows\debug\mrt.log (attach this)

    C:\Combofix.txt

  15. Hi and Welcome to the Malwarebytes Forum,

    Download TFC to your desktop.

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean

    Download DDS and save it to your desktop from HERE or HERE.

    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop
    • Please copy and paste dds.txt into your next reply and hold on to attach.txt for now.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
      This is the executable version:
    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    To sum it up - I'd like you to copy/paste dds.txt and the TDSSKiller log into your next reply. Thank You!

  16. You're welcome and good job! You were infected with a widespread rootkit variant of the Alureon trojan that infects the MBR (Master Boot Record) of the host computer and is a common cause for browser redirection. This variant is aka TDL4, and TDSSKiller successfully removed it and restored your MBR to the XP standard. You can read more about TDL4 here in this article I wrote for my blog:

    http://secure-computer-solutions.com/blog/2010/10/why_you_should_backup_your_mbr.html

    In answer to your questions - this section of the TDSSKIller log showed me you were infected here:

    09:20:04.0437 4836 MBR (0x1B8) (7b611618d69d8a39a21c85e627379a6c) \Device\Harddisk0\DR0
    09:20:04.0437 4836 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
    09:20:04.0437 4836 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    09:20:04.0437 4836 Boot (0x1200) (9828a22caf7d6192a26f57d5600c0267) \Device\Harddisk0\DR0\Partition0
    09:20:04.0437 4836 \Device\Harddisk0\DR0\Partition0 - ok
    09:20:04.0437 4836 ============================================================
    09:20:04.0437 4836 Scan finished
    09:20:04.0437 4836 ============================================================
    09:20:04.0437 5556 Detected object count: 1
    09:20:04.0437 5556 Actual detected object count: 1
    09:21:08.0578 5556 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
    09:21:08.0578 5556 \Device\Harddisk0\DR0 - ok
    09:21:08.0578 5556 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
    09:21:39.0203 5032 Deinitialize success

    This is a very specific "hidden" infection that needs special dedicated programs to locate and remove it. Only certain antirootkit programs can do that and antivirus programs are usually not successful. Perhaps they might pick it up in a boot scan but probably not. Avira has a specialized tool for this but I would not use it now because tampering with the MBR more than you need to can be dangerous:

    http://www.avira.com/en/support-download-antivir-boot-sector-repair-tool

    Your antivirus is one of the best so keep it!

    Your computer appears to be disinfected now but we have a few steps to finish up.

    First, you can safely remove TDSSKiller from its download location.

    Secondly, set a new system restore point so you have a new "clean" baseline established that you can revert back to in the event your need to use it:

    http://support.microsoft.com/kb/948247

    Here's some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, by using the Secunia Online Software Inspector (OSI). Just click the "Start Scanner" button to receive a detailed report. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, allow it.

    2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

    3. Make sure you have the latest critical updates from the Windows Update Website. Windows Updates are your first line of defense against malware.

    Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

    Happy Surfing!
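The TDSSKiller lines quoted at the top of that post have a fixed shape (time, process id, object, detection name in parentheses, chosen action). As an added example that is not part of the original post, this PowerShell snippet parses lines in that format and flags detections that sit on a raw disk object (\Device\HarddiskN\DRN) rather than on a file, which is what distinguishes an MBR bootkit like TDL4 from an ordinary infected file. The sample lines and the driver path in them are constructed for the example.

```powershell
# Added example, not part of the original post: parse TDSSKiller result lines and
# flag detections on raw disk objects. Sample lines are constructed in the quoted format.
$sampleLog = @'
09:21:08.0578 5556 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
09:21:08.0601 5556 C:\WINDOWS\system32\drivers\example.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:21:39.0203 5032 Deinitialize success
'@

# time, process id, object path, detection name in parentheses, chosen action
$resultPattern = '^(?<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?<proc>\d+)\s+(?<object>\S+)\s+\(\s*(?<detection>[^)]+?)\s*\)\s+-\s+User select action:\s+(?<action>\w+)\s*$'

function ConvertFrom-TdssKillerLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # status lines such as "Deinitialize success" carry no detection and are skipped
        if (-not ($line -match $resultPattern)) { continue }
        $time = $Matches['time']; $proc = [int]$Matches['proc']; $object = $Matches['object']
        $detection = $Matches['detection']; $action = $Matches['action']
        # \Device\HarddiskN\DRN is the physical disk itself, so a hit there is a boot sector (MBR)
        # infection, not a file. This second -match replaces $Matches, hence the locals above.
        $isDisk = $object -match '^\\Device\\Harddisk\d+\\DR\d+$'
        New-Object PSObject -Property @{
            Time = $time; ProcessId = $proc; Object = $object
            Detection = $detection; Action = $action; IsDiskObject = $isDisk
        }
    }
}

$results = ConvertFrom-TdssKillerLog -Lines ($sampleLog -split "`r?`n")
$results | Format-Table Time, ProcessId, Object, Detection, Action, IsDiskObject -AutoSize

# A cure on a disk object means the MBR was rewritten: confirm the reboot completed
# and re-scan before treating the system as clean.
foreach ($r in $results) {
    if ($r.IsDiskObject -and $r.Action -eq 'Cure') {
        Write-Warning ("MBR-level detection on {0}: {1} (action: {2})" -f $r.Object, $r.Detection, $r.Action)
    }
}
```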

  17. Hi and Welcome to the Malwarebytes' forum.

    First, disable Spybot's TeaTimer or any fixes we make in HijackThis will be reversed. This is a two step process.

    First:

    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

    - Choose Exit Spybot S&D Resident

    Second:

    - Open Spybot S&D

    - Click Mode, check Advanced Mode

    - Go To Left Panel, Click Tools, then also in left panel, click Resident

    Please LEAVE TEATIMER OFF while I am helping you, or it will reverse all our beneficial fixes.

    Download DDS and save it to your desktop from here

    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop
    • Please copy and paste both logs into your next reply (do NOT attach them).

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  18. Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.

    A black window should pop up, press any key to close once the fix is completed.

    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Next, please follow the steps in this topic and copy/paste all requested logs in your next reply (do NOT attach them):

    http://forums.malwarebytes.org/index.php?showtopic=9573

    If you cannot get MBAM to complete a QUICK scan in normal mode, please try running it in safe mode with networking. This tells you how to boot into safe mode with networking:

    http://windows.microsoft.com/en-US/windows-vista/Start-your-computer-in-safe-mode

    Thank you!!

  19. Sorry, frenzylindsey !!

    Yes, you can re-enable your emulation software now.

    You can also safely delete any Combofix.exe that you find.

    Please perform the following steps manually (that uninstalling Combofix was supposed to have accomplished):

    • Flush your system restore points and create a new restore point.
      Turn off Windows XP System Restore:
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.
      Reboot
      Turn System Restore back on again:
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check *Turn off System Restore*.
      Click Apply, and then click OK.
    • Create a new System Restore Point
    • Re-hide your system files and folders:
      • Click Start > Control Panel > Folder Options.
      • Select the View Tab.
      • Under the Hidden files and folders heading, de-select Show hidden files and folders.
      • Check: Hide file extensions for known file types
      • Check the Hide protected operating system files (recommended) option.
      • Click Yes to confirm.
      • Click OK.

    • Reset your system clock (only if it needs it)
    • Disable autorun to prevent USB flash drive infections (you can access any attached devices through Windows Explorer (Windows key + E) or through Start -> Computer)

    The need for enacting the last point was superseded by an update to Security Advisory 967940, which retires the autorun feature, in the last batch of Windows Updates on Tuesday, February 8. You can read about it HERE and then check your update history to see if you installed it.

    You can also remove the C:\Qoobox folder (which belongs to Combofix) if it is still present.

  20. Sorry, aqt395!! I wonder why that happened!

    Yes, please do the following manually:

    • Flush your system restore points and create a new restore point.
      Turn off Windows Vista System Restore:
      1. Click Start.
      2. Right-click the Computer icon, and then click Properties.
      3. Click on System Protection under the Tasks column on the left side
      4. Click on Continue on the "User Account Control" window that pops up
      5. Under the System Protection tab, find Available Disks
      6. Uncheck the box for any drive you wish to disable system restore on
      7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
      8. Click OK
      9. When you have finished, restart the computer.
      Turn on Windows Vista System Restore:
      1. Click Start.
      2. Right-click the Computer icon, and then click Properties.
      3. Click on System Protection under the Tasks column on the left side
      4. Click on Continue on the "User Account Control" window that pops up
      5. Under the System Protection tab, find Available Disks
      6. Place a checkmark in the box for any drive you wish to enable System Restore on
      7. Click OK
    • Create a new System Restore Point
    • Re-hide your system files and folders:
      • Click Start > Control Panel > Folder Options.
      • Select the View Tab.
      • Under the Hidden files and folders heading, de-select Show hidden files and folders.
      • Check: Hide file extensions for known file types
      • Check the Hide protected operating system files (recommended) option.
      • Click Yes to confirm.
      • Click OK.

    • Reset your system clock (only if it needs it)
    • Disable autorun to prevent USB flash drive infections (you can access any attached devices through Windows Explorer (Windows key + E) or through Start -> Computer)

    The need for enacting the last point was superseded by an update to Security Advisory 967940, which retires the autorun feature, in the last batch of Windows Updates on Tuesday, February 8. You can read about it HERE and then check your update history to see if you installed it.

    You can also remove the C:\Qoobox folder (which belongs to Combofix) if it is still present.
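Both of the last two posts end with the autorun point for USB flash drives. As an added example that is not part of either post, this PowerShell snippet decodes the NoDriveTypeAutoRun policy value (a bitmask in which bit i disables AutoRun for the drive type GetDriveType() reports as i) for both the machine and the current user, and reports whether removable media is covered. The assumed default of 0x91 when the value is absent is labelled as an assumption in the code.

```powershell
# Added example, not part of the original posts: decode NoDriveTypeAutoRun for HKLM and
# HKCU. Bit i of the value disables AutoRun for GetDriveType() value i (0x04 = removable).
$driveTypeNames = 'Unknown', 'NoRootDir', 'Removable', 'Fixed', 'Network', 'CD-ROM', 'RAMDisk', 'Reserved'

function Get-AutoRunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $key  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $value  = 0x91                      # assumption: built-in default when no policy value is set
        $source = 'default (value not set)'
    } else {
        $value  = [int]$prop.NoDriveTypeAutoRun
        $source = $key
    }
    # collect the drive types whose bit is set, i.e. for which AutoRun is disabled
    $disabled = @()
    for ($i = 0; $i -lt 8; $i++) {
        if (($value -band [int][math]::Pow(2, $i)) -ne 0) { $disabled += $driveTypeNames[$i] }
    }
    New-Object PSObject -Property @{
        Hive               = $Hive
        Source             = $source
        Value              = ('0x{0:X2}' -f $value)
        AutoRunDisabledFor = ($disabled -join ', ')
        RemovableCovered   = (($value -band 0x04) -ne 0)    # the USB flash drive case from the post
        AllDisabled        = (($value -band 0xFF) -eq 0xFF) # 0xFF disables AutoRun on every drive type
    }
}

'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ } |
    Format-List Hive, Source, Value, AutoRunDisabledFor, RemovableCovered, AllDisabled
```

A value of 0xFF covers every drive type; the Windows update the post refers to restricts AutoRun on its own, so the policy value and the update history together tell you where the machine stands.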
