steviedm, Posted January 20, 2013 (ID:636944)

I'm infected and can run Malwarebytes as a chameleon. It identifies six infected files but is unable to delete them. It requests a restart when I click 'Remove Selected', but they are still there when the restart has finished and can be found again by running the program in chameleon mode.

FYI I've also uploaded a screenshot of the Malwarebytes screen listing the infected files. Advice would be appreciated.

Attachments: dds.txt, attach.txt
MrCharlie, Posted January 20, 2013 (ID:636950)

Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.
Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, and when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report, which should be located on your desktop.

MrC

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
Please stick with me until I give you the "all clear".
------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)
steviedm, Posted January 20, 2013 (ID:636991)

Thanks for the prompt response. I've run RogueKiller and attached the log below.

Steve

Attachment: RKreport1_S_01202013_02d1914.txt
MrCharlie, Posted January 20, 2013 (ID:636997)

I don't like the looks of this, but we'll give it a try.............

Run RogueKiller again and click Scan.
When the scan completes > click on the Registry tab.
Put a check next to all of these and uncheck the rest (if found):

[RUN][SUSP PATH] HKCU\[...]\Run : TmmTqllv (C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1893289570-2574008403-2770631692-1003[...]\Run : TmmTqllv (C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (userinit.exe,,C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND

Now click Delete on the right hand column under Options.
-------------
Next click on the Processes tab and put a check next to these and uncheck the rest (if found):

[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

Now click Delete on the right hand column under Options.
---------------
Next click on the Driver tab and put a check next to these and uncheck the rest (if found):

SSDT[70] : NtCreateKey @ 0x81E6E917 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB1746AC)
SSDT[72] : NtCreateKeyTransacted @ 0x81ED7F31 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174708)
SSDT[182] : NtOpenKey @ 0x81E9AEC9 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174562)
SSDT[183] : NtOpenKeyEx @ 0x81E96E59 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB1745B2)
SSDT[185] : NtOpenKeyTransacted @ 0x81ED34FD -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174604)
SSDT[186] : NtOpenKeyTransactedEx @ 0x81ED38D8 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174656)

Now click Delete on the right hand column under Options.

Post the new log from RogueKiller.

MrC
steviedm, Posted January 20, 2013 (ID:637016)

Thanks. The final RK file produced is attached.

Steve

Attachment: RKreport5_D_01202013_02d1939.txt
MrCharlie, Posted January 20, 2013 (ID:637019)

Please read the directions carefully so you don't end up deleting something that is good!!
Please note that TDSSKiller can be run in safe mode if needed.
Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes, then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip; click on Continue.
Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

There may be 3 logs > so post or attach all of them.
Sometimes these logs can be very large; in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:
If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.
Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
~~~~~~~~~~~~~~~~~~~~
You can attach the logs if they're too long:
Bottom right corner of this page.
New window that comes up.

MrC
steviedm, Posted January 20, 2013 (ID:637036)

Log attached. No cure option offered on three suspect files, so used skip.

Steve

Attachment: TDSSKiller.2.8.15.0_20.01.2013_19.49.42_log.txt
MrCharlie, Posted January 20, 2013 (ID:637043)

> No cure option offered on three suspect files so used skip.

That's what you were supposed to do.

> If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC
steviedm, Posted January 20, 2013 (ID:637066)

ComboFix log attached.

Attachment: ComboFix.txt
MrCharlie, Posted January 20, 2013 (ID:637071)

I think you have a polymorphic file infector infection:

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and Scan unwanted applications are checked.
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click Start.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

MrC
steviedm, Posted January 20, 2013 (ID:637075)

Unfortunately, I can't run this, as the virus has blocked all access to online scanners (the message 'Internet Explorer cannot display the webpage' comes up). I've tried shortening the URL, but this doesn't work.
steviedm, Posted January 20, 2013 (ID:637081)

PS I've also tried running in 'Safe Mode with networking', but the virus prevents internet access to scan websites in this mode also.
MrCharlie, Posted January 20, 2013 (ID:637093)

See if you can download and run this tool:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99

MrC
steviedm, Posted January 21, 2013 (ID:637438)

I scanned my machine and the log is attached. The dialog box said it couldn't find the Virut virus on the machine.

Attachment: FixVirut.log
MrCharlie, Posted January 21, 2013 (ID:637455)

OK....................

Using ComboFix......

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

File::
c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe
Folder::
c:\users\Nicky\AppData\Local\lguhgicf
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TmmTqllv"=-
ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
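The two persistence points this thread keeps circling back to are the Winlogon Userinit value (RogueKiller showed it with a second executable appended after userinit.exe, and the CFScript above resets it to the default) and the per-user Run entries launching from AppData\Local. Below is an added audit script for those two locations; it is not part of the thread or of any of the tools mentioned, and it assumes an elevated PowerShell prompt on Vista/7 or later. It reports only and changes nothing.

```powershell
# Added example, not from the thread: audit Winlogon Userinit and per-user Run keys
# for the patterns seen in the RogueKiller log (extra Userinit entries, Run commands
# starting from AppData\Local or Temp). Read-only; run from an elevated prompt.

function Test-UserinitValue {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    # Userinit is a comma-separated list of executables Winlogon starts at logon.
    # The clean default is a single entry, "<system32>\userinit.exe," so anything
    # else in the list is worth investigating.
    $entries = ($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = @($entries | Where-Object { $_ -notmatch '(?i)\\system32\\userinit\.exe$' })
    [PSCustomObject]@{
        Userinit = $value
        Extra    = $extra
        Clean    = ($extra.Count -eq 0)
    }
}

function Get-SuspiciousRunEntries {
    # Check HKCU plus every loaded user hive under HKEY_USERS, so the S-1-5-21-...
    # entry reported alongside the HKCU one is covered too.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
            # A startup command living under AppData\Local or Temp is the pattern
            # RogueKiller flagged as [SUSP PATH] in this thread.
            if ("$($p.Value)" -match '(?i)\\AppData\\Local\\|\\Temp\\') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Test-UserinitValue
Get-SuspiciousRunEntries
```

A clean machine prints Clean = True for Userinit and nothing from the Run check; a hit is a lead to verify, not a verdict, since some legitimate installers do place Run entries under AppData\Local.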
steviedm, Posted January 21, 2013 (ID:637479)

Thanks. I've done this but received a warning message:

"ComboFix has detected the following real time scanner to be active:
antivirus: avast! Antivirus
antispyware: avast! Antivirus
Antivirus and intrusion prevention programmes are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.
Please disable these scanners before clicking "OK"."

However, we no longer have avast on this machine, as it was uninstalled yesterday. Any ideas??
MrCharlie, Posted January 21, 2013 (ID:637487)

As long as it's gone you can run ComboFix.....

MrC
steviedm, Posted January 21, 2013 (ID:637522)

All done - here's the log.

Attachment: ComboFix.txt
MrCharlie, Posted January 21, 2013 (ID:637528)

Download and unzip the attached fixit.zip to your desktop.
Now double-click on it and allow it to merge into the registry.

Delete these files/folders if found:
You may have to enable hidden files to see them:
http://www.howtogeek...-windows-vista/

c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe <---file
c:\users\Nicky\AppData\Local\lguhgicf <---folder

Then......

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, and post the report.
Make sure that everything is checked, and click Remove Selected.

MrC
steviedm, Posted January 21, 2013 (ID:637537)

Found them, but they won't delete.

The file tmmtqllv.exe gives a message saying "This action can't be completed because the file is open in Host Process for Windows Serives. Close the file and try again."

The folder lguhgicf gives this message: "An unexpected error is keeping you from deleting the folder. If you continue to receive this error, you can use the error code to search for help with this problem. Error 0x80070091: The directory is not empty."

How do I delete them?
steviedm, Posted January 21, 2013 (ID:637538)

Sorry - Windows Services!
MrCharlie, Posted January 21, 2013 (ID:637541)

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://www.itxassoci...T-Tools/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)
Save it to your desktop.

Run OTL.
* Under the Custom Scans/Fixes box at the bottom, paste in bold:

:Files
c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe
c:\users\Nicky\AppData\Local\lguhgicf

* Then click the Run Fix button at the top.
* Let the program run unhindered; when done it will say "Fix Complete press ok to open the log".
* Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC
steviedm, Posted January 21, 2013 (ID:637551)

Says it can't find them.

Feel like I'm banging my head against a brick wall!!

Attachment: 01212013_210602.log
MrCharlie, Posted January 21, 2013 (ID:637578)

Can you actually take a look and see if they're gone?

MrC
steviedm, Posted January 21, 2013 (ID:637586)

Definitely still there.