Jump to content

Infected


Recommended Posts

I'm infected and can run Malwarebytes as a chameleon. It identifies six infected files but is unable to delete them. It requests a restart when I click 'Remove Selected' but they are still there when the restart has finished and can be found again by running the program in chameleon mode. FYI I've also uploaded a screenshot of the Malwarebytes screen listing the infected files. Advice would be appreciated.

dds.txt

attach.txt

post-125723-0-20158300-1358703668.png

Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

I don't like the looks of this but we'll give it a try.............

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : TmmTqllv (C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1893289570-2574008403-2770631692-1003[...]\Run : TmmTqllv (C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND

[sHELL][sUSP PATH] HKLM\[...]\Winlogon : Userinit (userinit.exe,,C:\Users\Nicky\AppData\Local\lguhgicf\tmmtqllv.exe) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

Now click Delete on the right hand column under Options

---------------

Next click on the Driver tab and put a check next to these and uncheck the rest. (if found)

SSDT[70] : NtCreateKey @ 0x81E6E917 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB1746AC)

SSDT[72] : NtCreateKeyTransacted @ 0x81ED7F31 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174708)

SSDT[182] : NtOpenKey @ 0x81E9AEC9 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174562)

SSDT[183] : NtOpenKeyEx @ 0x81E96E59 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB1745B2)

SSDT[185] : NtOpenKeyTransacted @ 0x81ED34FD -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174604)

SSDT[186] : NtOpenKeyTransactedEx @ 0x81ED38D8 -> HOOKED (\??\C:\Users\Nicky\AppData\Local\Temp\bxnetihi.sys @ 0xAB174656)

Now click Delete on the right hand column under Options

Post the new log from RogueKiller, MrC

Link to post
Share on other sites

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    clip.jpg
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

Link to post
Share on other sites

No cure option offered on three suspect files so used skip.

That's what you were supposed to do.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

I think you have an polymorphic file infector infection:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC

Link to post
Share on other sites

OK....................

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe

Folder::

c:\users\Nicky\AppData\Local\lguhgicf

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TmmTqllv"=-

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Link to post
Share on other sites

Thanks. I've done this but received a warning message:

"ComboFix has detected the following real time scanner to be active:

antivirus: avast! Antivirus

antispyware: avast! Antivirus

Antivirus and intrusion prevention programmes are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking "OK"."

However we no longer have avast on this machine as it was uninstalled yesterday. Any ideas??

Link to post
Share on other sites

Download and unzip the attached fixit.zip to your desktop.

Now double click on it and allow it to merge into the registry.

Delete these files/folders if found:

You may have to enable hidden files to see them:

http://www.howtogeek...-windows-vista/

c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe <---fie

c:\users\Nicky\AppData\Local\lguhgicf <---folder

Then......

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC

Link to post
Share on other sites

Found them, but they won't delete.

the file tmmtqllv.exe gives a message saying "This action can't be completed because the file is open in Host Process for Windows Serives. Close the file and try again."

The folder lguhgicf gives this message: "An unexpected error is keeping you from deleting the folder. If you continue to receive this error, you can use the error code to search for help with this problem. Error 0x80070091: The directory is not empty.

How do I delete them?

Link to post
Share on other sites

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in bold:

:Files

c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmmtqllv.exe

c:\users\Nicky\AppData\Local\lguhgicf

[*]Then click the Run Fix button at the top

[*]Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"

[*]Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.