
So far 9 trojans found, dds.txt attached



Hi there,

Bought a used Acer laptop.  Sad to say, I found it massively infected.  I have not yet done a reinstall.  I've been trying to get the hard drive clean before making any backups for installing.  I've run scans by Kaspersky, Malwarebytes, SpyBot S&D, and Hijack this.  Just when I think it is clean, another trojan or badstuff gets found.

 

I've attached dds.txt.  Any help appreciated.

 

One other question -- the hard drive is 750 gigs.  The original owner had a copy of Windows 8 on a partition, and I deleted the partition and the Windows 8, but the machine is not recognizing the full hard drive.  Maybe some of the badguys are hiding there?  How do I restore the full hard drive space?

 

Thanks for any and all help.  What other info do you need?  Would like to get this cleared up at least enough to do a reinstall.  Does formatting get rid of malware?

 

Many thanks in advance!  

 

Rod

attach.txt
dds.txt

Link to post
Share on other sites

There are two security systems with AV components active on your system, one must be removed. As Kaspersky is a full suite it is recommended to remove Microsoft Security Essentials.

Go here: http://www.bleepingcomputer.com/download/microsoft-security-essentials-removal-tool/ for instructions.

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post the log in next reply please...

Kevin

Link to post
Share on other sites

Hi Kevin,

 

OK, I ran ComboFix and have the log file.  The forum software wouldn't let me "attach" the file of that type to my reply.  When I tried to copy and paste the text file onto the page, Chrome hung twice.

 

What to do?  How do I get these ComboFix program printouts to you?

 

Also, I ran ComboFix twice and saved both files (one marked as old_), as the first time it downloaded it automatically saved to the downloads folder.  So redownloaded onto the desktop and ran again.

 

Thanks in advance!

Rod

Link to post
Share on other sites

That log is from the second run of Combofix; can I see the log from the first run? It will be here:

 C:\QooBox\ComboFix2.txt

Also post the following Quarantine list:

 C:\QooBox\ComboFix-quarantined-files.txt

I see that you still appear to have two security systems running with AV components, that is not good, one of them has to be removed.

If you are having issues attaching logs, maybe better to use Firefox or even Internet Explorer. I never use Chrome, too many issues for my liking....

Thanks,

Kevin...

Link to post
Share on other sites

ComboFix2.txt

 

ComboFix-quarantined-files.txt

 

Hi Kevin,

 

Thanks for the reply.  I did see that two AV programs are still running, but wanted to wait until you had a chance to go over the file and ok changes.  Not sure why it is still there, because I did run the MS remove file program from the link you included in your first reply, before I ran ComboFix.  I will remove it again.

 

Rod

 

 

 

 

Link to post
Share on other sites

Run an online AV scan to ensure the system is definitely clean. If that log is clean, follow the instructions at the following link to merge partitions, quite a simple procedure..

 

http://helpdeskgeek.com/how-to/merge-two-partitions-in-windows-7/

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

If no threats were found:

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found:

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish

 

close program

copy and paste the report here

 

Kevin..

Link to post
Share on other sites

ESET scan.txt

 

Hi Kevin,

 

1. Attached is the ESET Scan file.  At least the list is shorter, this time.

 

2. The pre-scan recognized Kaspersky and something called ALWIL Software as AV programs.

 

3.  Prior to my original post, I had tried several ways to restore the HOSTS file, but it seems it still has bogus files in it.  How to fix?

 

I will look next at the partition info.

 

Thanks -

 

Rod

Link to post
Share on other sites

ALWIL Software is related to Avast, we can deal with that later....

 

Next,

 

Download OTM from either of the following links and save to your Desktop:

 

http://oldtimer.geekstogo.com/OTM.exe

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe 

 

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....

 

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    ipconfig /flushdns /c
    C:\Users\Rod\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\stub_data\stubinst_pkg_en-us.cab
    :Commands
    [ResetHosts]
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

Post that log....

 

Next,

 

Give me an update on any remaining issues or concerns...

 

Kevin..

Link to post
Share on other sites
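Rod's question above about a HOSTS file that still carries bogus entries, and the [ResetHosts] command in Kevin's OTM script, both come down to what a tampered hosts file looks like and how to put it back. The Python script below is an added example, not code from the thread or from OTM: it parses a hosts file, flags the two patterns malware leaves behind (security vendor names pinned so that updates and support sites fail to load, and ordinary names redirected to a routable address), and rebuilds the file from the Windows default. The sample file content, the vendor list and the function names are all constructed for the example.

```python
"""Audit and rebuild a Windows HOSTS file.

Added example for this thread, not code from the forum or from OTM.
SAMPLE_HOSTS is constructed to look like a tampered file and
SECURITY_DOMAINS is an illustrative list, not a complete one.
"""
import ipaddress
import re

# Names that malware commonly pins in HOSTS so AV updates and support
# sites stop loading. Constructed list; extend it for real use.
SECURITY_DOMAINS = (
    "kaspersky.com", "malwarebytes.org", "malwarebytes.com", "eset.com",
    "microsoft.com", "windowsupdate.com", "safer-networking.org",
    "bleepingcomputer.com", "avast.com",
)

# Addresses that only block a name rather than send it somewhere else.
SINKHOLE_ADDRESSES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

# Abridged stock Windows 7 HOSTS file: comments only, so every name,
# localhost included, is resolved by DNS.
DEFAULT_HOSTS = "\r\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "#",
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.",
    "#",
    "# localhost name resolution is handled within DNS itself.",
    "#\t127.0.0.1       localhost",
    "#\t::1             localhost",
    "",
])

# Constructed sample of a tampered file (not the poster's real file).
SAMPLE_HOSTS = "\r\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1       localhost",
    "127.0.0.1       www.kaspersky.com          # AV update site blocked",
    "127.0.0.1       downloads.malwarebytes.org",
    "0.0.0.0         update.microsoft.com",
    "91.0.2.3        www.bankofexample.test     # bank name redirected",
    "0.0.0.0         ads.example.net            # ordinary ad-block entry",
    "notanip         something",
])


def parse_hosts(text):
    """Yield (line_no, ip_or_None, [hostnames]) for every non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield n, None, fields                   # malformed line, surface it
            continue
        yield n, ip, [h.lower() for h in fields[1:]]


def audit_hosts(text):
    """Return [(line_no, reason, original_line)] for suspicious entries."""
    lines = text.splitlines()
    findings = []
    for n, ip, hosts in parse_hosts(text):
        src = lines[n - 1]
        if ip is None:
            findings.append((n, "malformed", src))
            continue
        for host in hosts:
            pinned = any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)
            if pinned:
                # A stock file never mentions these names at all, so any
                # mapping, even to loopback, means update/support blocking.
                findings.append((n, "security-domain-pinned", src))
                break
            if ip not in SINKHOLE_ADDRESSES:
                # A routable address here silently sends traffic for that
                # name to a host the attacker controls (pharming).
                findings.append((n, "redirect-to-%s" % ip, src))
                break
    return findings


def rebuild_hosts(text):
    """Return a fresh file: Windows default header plus only the clean mappings."""
    bad = {n for n, _, _ in audit_hosts(text)}
    keep = [raw for n, raw in enumerate(text.splitlines(), 1)
            if n not in bad and raw.split("#", 1)[0].strip()]
    return DEFAULT_HOSTS + "\r\n".join(keep) + ("\r\n" if keep else "")


if __name__ == "__main__":
    for n, reason, src in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s: %s" % (n, reason, src.strip()))
    print(rebuild_hosts(SAMPLE_HOSTS))
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts and writing it needs an elevated prompt. Ad-block lists that map names to 0.0.0.0 or 127.0.0.1 are deliberately left alone unless the name belongs to a security vendor. If the file itself looks clean but security sites still fail to resolve, check the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which tells Windows which directory to read the hosts file from; pointing it at a second, hidden copy is another way the same trick is pulled.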

07132013_104910.log

 

Hi Kevin,

 

Attached is the .txt file produced by the OTMoveit procedure.

 

Thank you for helping me clean up this computer.  I haven't done anything on removing the partition - should I wait?  I keep wondering if there might be something lurking on the other part of the hard drive that is apparently not being scanned during these procedures.

 

Rod

Link to post
Share on other sites

Use the link I gave previously to merge the two partitions, if that is done successfully run the following scan and post the two logs...

 

Download OTL from any of the following links and save to your desktop.

 

http://itxassociates.com/OT-Tools/OTL.com

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.scr

 

Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7 accept UAC alert)

 


  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Change Drivers to All
  • Under the Extra Registry section, check Use SafeList
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on your Desktop:
    OTL.Txt <- this one will be opened
    Extras.txt <- this one will be minimized

 

Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTL.Txt and the Extras.txt in your next reply.

Can you also confirm that you are keeping Kaspersky as your main security system for now...

 

Kevin

Link to post
Share on other sites

Re-run OTL by double left click; Vista and Windows 7 users accept the UAC alert.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following, starting with and including the colon plus OTL:

    :OTL
    DRV:64bit: - [2012/04/20 17:40:58 | 000,196,440 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HipShieldK.sys -- (HipShieldK)
    IE - HKU\S-1-5-21-3304482078-3672138886-1531185022-1000\..\SearchScopes\{0AE1A29B-DE8F-438F-95ED-4DB32B086CD6}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor
    [2012/11/29 23:28:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rod\AppData\Roaming\mozilla\Firefox\extensions
    CHR - plugin: AVG SiteSafety plugin (Enabled) = C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.0.0\\npsitesafety.dll
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\belarc - No CLSID value found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) -  File not found
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -  File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) -  File not found
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -  File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O29:64bit: - HKLM SecurityProviders - (credssp.dll) -  File not found
    O29 - HKLM SecurityProviders - (credssp.dll) -  File not found
    :Files
    C:\Program Files (x86)\McAfee
    C:\Users\Rod\Desktop\aswclear5.exe
    C:\Windows\SysNative\%APPDATA%
    C:\ProgramData\AVAST Software
    C:\Program Files\AVAST Software
    C:\Windows\SysWow64\%APPDATA%
    C:\Windows\SysNative\drivers\HipShieldK.sys
    :Commands
    [emptytemp]
    [CREATERESTOREPOINT]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.



Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad), click File > Open, in the File Name box enter  *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

Let me see that log, also give update on current issues/concerns...

 

Kevin

 

Link to post
Share on other sites
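The fix list in Kevin's post above mixes two kinds of entry: references whose target OTL reports as missing ("File not found", "No CLSID value found", "Reg Error") and entries whose target is still present (the McAfee HipShieldK driver, the Conduit search scope). The Python script below is an added example, not OTL's own code: it parses lines in OTL's log format, separates dead references from live targets, and flags the logon-time load points (Winlogon, SSODL, SecurityProviders, protocol filters) that malware uses for persistence. The sample lines are taken from the fix list above; the regex, the marker list and the section table are my reading of the format, not something OTL documents.

```python
"""Triage an OTL fix list: which entries only remove dead references?

Added example for this thread, not OTL's own logic. SAMPLE_FIX is
copied from the fix list in the post above; LINE_RE, DEAD_MARKERS and
LOGON_SECTIONS are my reading of OTL's log format.
"""
import re

# "O20:64bit: - HKLM Winlogon: ..." -> section O20, native 64-bit view.
# Entries without the 64bit: tag are the 32-bit (WOW64) view on x64 Windows.
LINE_RE = re.compile(
    r"^(?P<section>O\d+|DRV|IE|FF|CHR)"
    r"(?::(?P<arch>64bit):)?"
    r"\s*-\s+(?P<body>.*?)\s*$"
)

# Phrases OTL appends when the referenced file or CLSID does not exist.
DEAD_MARKERS = ("File not found", "No CLSID value found", "Reg Error")

# Logon-time load points. Worth a second look even when the target is a
# normal Windows binary, because malware swaps these to run itself.
LOGON_SECTIONS = {
    "O18": "Protocol handlers/filters",
    "O20": "Winlogon (Shell, Userinit, VMApplet)",
    "O21": "ShellServiceObjectDelayLoad",
    "O29": "SecurityProviders",
}

# Lines copied from the fix list above (one per section type).
SAMPLE_FIX = [
    r"DRV:64bit: - [2012/04/20 17:40:58 | 000,196,440 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HipShieldK.sys -- (HipShieldK)",
    r'IE - HKU\S-1-5-21-3304482078-3672138886-1531185022-1000\..\SearchScopes\{0AE1A29B-DE8F-438F-95ED-4DB32B086CD6}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468',
    r"O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.",
    r"O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)",
    r"O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found",
    r"O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) -  File not found",
    r"O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.",
    r"O29 - HKLM SecurityProviders - (credssp.dll) -  File not found",
    r"C:\Windows\SysNative\drivers\HipShieldK.sys",   # :Files section, not an O-entry
]


def parse_entry(line):
    """Return a dict for one OTL entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    return {
        "section": m.group("section"),
        "x64": m.group("arch") == "64bit",
        "dead": any(marker in body for marker in DEAD_MARKERS),
        "logon_point": LOGON_SECTIONS.get(m.group("section")),
        "body": body,
    }


def triage(lines):
    """Split entries into dead references and entries with a live target."""
    dead, live = [], []
    for raw in lines:
        entry = parse_entry(raw)
        if entry is not None:
            (dead if entry["dead"] else live).append(entry)
    return dead, live


def report(lines):
    """Return a human-readable summary as a list of strings."""
    dead, live = triage(lines)
    out = ["%d dead reference(s), %d live target(s)" % (len(dead), len(live))]
    for e in live:
        out.append("LIVE  %-3s %s" % (e["section"], e["body"][:70]))
    for e in dead:
        flag = " [logon point: %s]" % e["logon_point"] if e["logon_point"] else ""
        out.append("DEAD  %-3s%s %s" % (e["section"], flag, e["body"][:70]))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FIX)))
```

Dead references are safe to clear. The live entries are the ones to check against the machine before running the fix, because removing a driver or a search provider that something still uses is the part of a fix that can break a working program, and a logon-point entry with a live target is the one that deserves a hash check rather than a blind removal.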

07142013_133113.log

 

Hi Kevin,

Thank you for the additional help.  I have run the OTL scan with the parameters you defined.  The file is attached.

 

IE seems to be corrupted.  I am going to install a fresh version of it.  It will come up but won't open websites unless I click on a link  (for example, from a google search page).

 

If there are any other scans you think I should run, please let me know.  Your help has been greatly appreciated.

 

Thank you,

Rod

 

 

 

 

Link to post
Share on other sites

By Jove, I think you've done it!  I've run a few scans, and everything has come up clean.  Unless you have a suggestion for some additional technical scan, just to do a final double-check, maybe the bad nasties are gone!  yay

 

I tried to reinstall IE, but it wouldn't let me install v. 9 or v. 10, even after the MS uninstaller was run, because "there was a newer version on my hard drive".  So anyway, this morning MS had downloaded a large 'security update' to IE 9, which installed, and it seems to be functioning now.

 

I have appreciated your help all along and your technical knowledge.  Thank you, Kevin.  Blessings on your head.

 

Rod

Link to post
Share on other sites

Thanks for the update Rod, good to hear that all is well. We still need to clean up:

 

Remove Combofix now that we're done with it..

 


Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

Please follow the prompts to uninstall Combofix.
You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:


  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

 

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

 

If you have already removed Combofix from your Desktop d/l and save to the Desktop again, then run Combofix /Uninstall command. Available from following link: 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Next,

 

Remove ESET online scanner  (Only If installed):

 


  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner, only re-boot if prompted.

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

 

Any tools/logs remaining on the Desktop can be deleted.

 

Let me know if those steps complete OK, also if any remaining issues or concerns..

 

Thank you,

 

Kevin...

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.