
Hello, I did a full scan with Malwarebytes last week and it showed over 200 issues. All of them seemed to be in my Admin account. I don't use my admin account. It has probably been over a year since I have gone into it.

I made sure all issues were checked and clicked remove. I rebooted per instructions. When Windows rebooted I was only able to see my wallpaper. My desktop icons were not showing and I had no mouse cursor. I rebooted with debugging and was able to boot up normally.

Today when I scanned with quick scan it showed 10 more issues than last week, all in the admin account. I have not been experiencing computer issues, I just scanned both times to try malwarebytes.

The only thing "new" is that I had issues with uninstalling Internet Explorer 8. I had Microsoft tech take control of my computer and they had me disable McAfee firewall and virus while they tried to fix the IE issue.

Below is the first scan from last week and today's scans.

Thanks,

Joseph


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Thanks,

Here are the two logs.

Joseph

Also, I'm getting this McAfee popup now...

McAfee has automatically blocked and removed a Trojan.

About this Trojan

Detected: Artemis!3BAFF46CFABF (Trojan), Artemis!3BAFF46CFABF (Trojan)

Location: C:\Documents and Settings\JonesGroot\Desktop\ComboFix.exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.


No sir,

I disabled McAfee firewall, virus and the other things in McAfee before the scan like you instructed.

After the Combofix log was created I ran hijackthis and saved that log.

I then reactivated McAfee before I went online to post the two new logs.

As I was completing the new post the McAfee pop up occurred. That is why I included it in the post.

Lines 4 and 5 of the combofix log show that virusscan and firewall were disabled:

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

Thank you


  • Root Admin

No problem. Sorry about that, I thought you meant that it was on while you downloaded and ran it.

Well, it has malware that is attacking ComboFix as well and hiding stuff from it.

Let's try this tool and see if we can remove some of it to get a handle on it.

STEP 01

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
dijzbk
C0A1D9E695482784

Files to delete:
c:\windows\system32\drivers\ihqmdfqj.sys
c:\documents and settings\JonesGroot\Desktop\C0A1D9E695482784\C0A1D9E695482784
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs when done with all steps.

STEP 02

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.



Ok, I've been scanning all day.

Attached is:

Log from avenger avenger.txt

Log from MBAM mbam-log-2009-06-18 (13-36-00).txt

I just realized that I didn't do a HJT scan at the end of STEP 01. I hope this doesn't mess things up.

Log from Dr. Web CureIt DrWeb.csv

HJT log done after Dr. Web CureIt hijackthislog3.txt

After the MBAM scan it took 1/2 hour to boot up and 1/2 hour to go from just wallpaper to all desktop icons.

Thanks,

Joseph


  • Root Admin

Please reboot the box and UPDATE MBAM again and do another Quick Scan.

Then run this scanner.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ron,

Before I read your post this morning, I did a full scan last night with MBAM. If it has to be quick scan, I don't have time before I leave and will have to do it when I get back on Sunday.

So attached is the full scan I did with MBAM after reboot last night.

I ran dds.scr today. It does not give me a prompt for Optional Scan. When I ran dds.scr it just runs on its own and generates the logs. Here they are. Talk to you on Sunday.

Joseph


  • Root Admin

Hi Joseph,

Please run the following and let's see how it goes.

STEP 01

Please uninstall the following programs

Coupon Printer for Windows

CouponBar

STEP 02

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Java 2 Runtime Environment, SE v1.4.1_02

Java 2 Runtime Environment, SE v1.4.2

Java Web Start

Java™ 6 Update 11

Java™ 6 Update 5

Java™ 6 Update 7

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 03

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 04

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Reboot the computer now

STEP 05

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 06

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Ron,

I installed Coupon Printer for Windows and CouponBar from my local grocer so that I could print coupons at home.

STEP 1

I uninstalled Coupon Printer for Windows.

I tried to uninstall CouponBar but the cursor flickers to the hourglass for a second after clicking Change/Remove and then nothing happens.

STEP 2

Done

I did notice however that in C:\Documents and Settings the Administrator folder no longer has sub folders and when I click on the administrator folder it says: The disk in drive C is not formatted. Do you want to format it now? This is the folder that Malwarebytes said all the malware was.

STEP 3

Done

STEP 4

Done. After reboot, I checked CouponBar and it is still listed under Add/Remove programs.

STEP 5

Done

STEP 6

Done

I ran malwarebyte just on the C:\Documents and Settings\Administrator folder and it found no issues. CouponBar is still listed under Add/Remove programs.

Joseph


Ron,

Here is the log plus a hijack log also.

Do you know why malwarebytes shows infected files that according to windows the files don't exist?

The C:\Documents and Settings\Administrator folder that malwarebytes says is full of infected files shows no subfolders nor files when viewed with windows explorer.

Confusing

Joseph


  • Root Admin

They hide on purpose from normal Windows, that's why it takes advanced tools to find and stop it. The parent process that is creating this has so far eluded us.

Please run the following.

STEP 01

Please download a NEW fresh copy of Combofix. Disable your Anti-Virus and run it.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

STEP 02

    Please create a BOOTLOG
  • Delete the following file if it exists. C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
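Added example (not part of the thread, and not a tool used by the forum): a Python script that reads a boot log in the ntbtlog.txt format the post above asks for and flags drivers a responder would want to look at first: anything loaded from outside the Windows system directory, and names that look machine-generated. The sample log lines are constructed for this example, reusing the driver and file names mentioned earlier in the thread; the heuristics and the KNOWN_CORE allowlist are this example's own assumptions, not rules from any scanner.

```python
"""Triage a Windows boot log (ntbtlog.txt) for drivers worth a closer look.

Added example; not part of the original thread. The heuristics and the
sample log below are constructed for illustration.
"""
import re

# XP-era ntbtlog.txt lines are either "Loaded driver <path>" or
# "Did not load driver <path>"; early boot-start drivers appear as bare names.
ENTRY_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")

# Core files whose names look "random" to the vowel heuristic but are expected.
# Assumption: a short allowlist is enough for a first pass; extend as needed.
KNOWN_CORE = {"ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "kdcom.dll", "bootvid.dll"}

# Constructed sample in ntbtlog.txt style (names taken from the thread above).
SAMPLE_BOOTLOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 6 23 2009 08:12:44.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\USBPORT.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ihqmdfqj.sys
Did not load driver \SystemRoot\System32\DRIVERS\pelmouse.sys
Loaded driver \??\C:\Documents and Settings\JonesGroot\Desktop\C0A1D9E695482784\C0A1D9E695482784
"""


def parse_bootlog(text):
    """Return (loaded: bool, path: str) tuples, one per driver line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1) == "Loaded driver", m.group(2)))
    return entries


def base_name(path):
    """Last path component, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def reasons_for(path):
    """List the heuristics a driver path trips; an empty list means nothing odd."""
    reasons = []
    name = base_name(path)
    stem = name.rsplit(".", 1)[0] if "." in name else name
    low = path.lower()
    # Drivers normally live under the Windows directory; a user-profile path is unusual.
    if "\\" in path and "\\system32\\" not in low and "\\windows\\" not in low:
        reasons.append("loaded from outside the Windows system directory")
    if name.lower() in KNOWN_CORE:
        return reasons
    # Names made of random letters tend to have almost no vowels.
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) >= 8:
        vowels = sum(c in "aeiouy" for c in letters)
        if vowels / len(letters) < 0.15:
            reasons.append("name has almost no vowels (looks machine-generated)")
    # A long pure-hex name is another common generated-name pattern.
    if len(stem) >= 12 and re.fullmatch(r"[0-9A-Fa-f]+", stem):
        reasons.append("name is a long hex string")
    return reasons


def triage(text):
    """Map each flagged path to its load state and the reasons it was flagged."""
    findings = {}
    for loaded, path in parse_bootlog(text):
        reasons = reasons_for(path)
        if reasons:
            findings[path] = {"loaded": loaded, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for path, info in triage(SAMPLE_BOOTLOG).items():
        state = "loaded" if info["loaded"] else "did not load"
        print(f"{state}: {path}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

To use it on a real machine, pass the contents of C:\Windows\ntbtlog.txt to triage(). The output is a starting list for checking file signatures and publishers, not a verdict: legitimate drivers with odd names will show up, which is why an allowlist like KNOWN_CORE exists.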

Ron,

STEP 1

Done. File attached - ComboFix.txt

I turned off anti virus and firewall. While Combofix was running it reactivated firewall then turned it off.

STEP 2

Done. File attached - ntbtlog.txt

STEP 3

Done. File attached - SIGVERIF.TXT

STEP 4

Done. File attached - Joseph Torgg2 RootRepeal Log.txt

Errors were reported. File attached - Joseph Torgg2 RootRepeal Errors.txt

Joseph


  • Root Admin

Strange... Logs look pretty clean. Let's run the following please. This may disable your mouse but these are very old drivers and any modern mouse should not require them.

If it does break then let me know the exact model of your mouse and we'll see if we can get some newer drivers for it but from what I can tell these are from almost 10 years ago. At worst you should be able to plug in any USB mouse and have it find and use it.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"=-
Driver::
pelmouse
pelusblf

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 03

Please start HJT and click on Open the Misc Tools section

If you need to, scroll down a little to the Advanced Settings (these will not be saved)

Find and click on Calculate MD5 of files if possible

Then click back to the Main Menu and select Do a system scan and save a logfile

When done please post back that log file.

STEP 04

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log on your next reply.


Ron,

It looks like the check disk command did the trick. After it ran I noticed that the administrator folder in c:\doc & settings was completely rebuilt.

The MBAM quick scan only took 8 minutes to complete. It had taken 2 1/2 hours before. It came up clean. All logs attached.

Thanks for your help.

Joseph


  • Root Admin

Excellent... Please run the following and hopefully we should be about done.

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

STEP 02

Please disable your McAfee Anti-Virus and run this AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Ron,

Did STEP 1

STEP 2

Ran scan but it did not save log. I saw that it found no issues before I closed it.

I went to c:\program files\ESET\ESET Online Scanner. There were only the two files:

OnlineScanner.ocx

OnlineScannerUninstaller.exe

Joseph


Actually Friday night McAfee did its scheduled scan and it found Adware-xplus.

Registry:HKU\S-1-5-21-1275210071-2139871995-725345543-1004\Software\Harmony Hollow

I removed it.

Then last night I ran MBAM full scan and it found two issues which I removed. Log attached.

I go out this afternoon and will start another full MBAM scan and attach it in another reply.

Joseph


  • Root Admin

Hi Joseph,

Those look like the ones that I had CF try to remove. Perhaps it removed a file that was blocking MBAM from seeing it.

Just to be sure though please run the following Kaspersky scan to confirm. This will take between 5 to 10 hours depending on the speed of your computer and the amount of data you have. Make sure you disable McAfee so that it won't block Kaspersky.

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
