
Hi,

I'm using AVG Antivirus scanning on my home computer. I was updating and running regular scans. However, the PC began to randomly launch an invisible instance of IE (no browser window, visible only in the list of processes in the Windows Task Manager) and play commercials (audio). Based on some research, I attempted to install MalwareBytes Anti-Malware. With some persistence, I was able to finally get it to install (by renaming the mbam.exe file to "renamed.exe") and run. Now it runs fine and successfully removed some malware, with the exception of two entities:

  • Trojan.Agent c:\windows\system32\uacinit.dll
  • Rootkit.Trace HKEY_LOCAL_MACHINE\SOFTWARE\UAC

I have followed the instructions in the pinned posts at the top of this forum, namely

  • Updated and ran AVG Anti-virus
  • Updated and ran MalwareBytes Anti-Malware
  • Removed the two entities above and rebooted
  • Re-ran Anti-malware and verified the two entities are still present
  • Installed HijackThis, ran scan with logfile

Attached are the AVG, Anti-Malware, and HijackThis log files.

Thanks in advance for any help you can provide.

RK

P.S. I'm only a part-time Geek-in-Training, so I don't know how to do things like "Disable scripting...something, something." Some explicit instructions may be needed. I'm just sayin'. :)

avg_logfile_6_17_2009.txt

mbam_log_2009_06_18__08_01_29_.txt

hijackthis_log.txt

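The first post reports two things that can be checked on the machine itself: a windowless iexplore.exe that plays audio, and a file plus a registry key that Malwarebytes keeps re-detecting after removal and reboot. The PowerShell below is an added example written for this page, not part of the original thread and not code from any tool mentioned in it. It assumes Windows PowerShell 3 or later on an elevated prompt; the browser name in $browser is an assumption and can be changed.

```powershell
# Added example, not from the original thread. Triage for the two symptoms in
# the first post: a windowless browser process, and the file/registry
# indicators listed by Malwarebytes. Assumes Windows PowerShell 3+
# (Get-CimInstance, Get-FileHash) on an elevated prompt. $browser is an
# assumption; change it for another browser.
$browser = 'iexplore.exe'
$dllPath = Join-Path $env:SystemRoot 'System32\uacinit.dll'
$regKey  = 'HKLM:\SOFTWARE\UAC'

# --- 1. Windowless browser processes ---
# Since IE8, tab processes are windowless children of a frame iexplore.exe, so
# MainWindowHandle -eq 0 on its own is normal. The interesting case is a
# windowless browser whose parent is neither the browser nor explorer.exe.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$hidden = foreach ($p in ($procs | Where-Object { $_.Name -ieq $browser })) {
    $live = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($live -and $live.MainWindowHandle -eq 0) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -notin @($browser, 'explorer.exe')) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = $parentName
                ParentPid   = $p.ParentProcessId
                CommandLine = $p.CommandLine
            }
        }
    }
}
if ($hidden) { $hidden | Format-Table -AutoSize -Wrap }
else { "No windowless $browser with an unexpected parent." }

# --- 2. The two indicators from the Malwarebytes log ---
if (Test-Path -LiteralPath $dllPath) {
    $f = Get-Item -LiteralPath $dllPath -Force      # -Force: the file may be hidden
    "File present: $($f.FullName) size=$($f.Length) modified=$($f.LastWriteTime)"
    "SHA256: $((Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash)"
    "Authenticode: $((Get-AuthenticodeSignature -LiteralPath $dllPath).Status)"
    # A DLL mapped into a running process cannot be deleted in place, which is
    # one ordinary reason a 'removed' entry is back after the reboot.
    $loaders = foreach ($p in Get-Process) {
        try { if ($p.Modules | Where-Object { $_.FileName -ieq $dllPath }) { $p } }
        catch { }    # access denied on protected/system processes is expected
    }
    if ($loaders) { 'Loaded by:'; $loaders | Select-Object Id, ProcessName | Format-Table -AutoSize }
} else { "Not found (or hidden from the API): $dllPath" }

if (Test-Path -LiteralPath $regKey) {
    "Registry key present: $regKey"
    Get-ItemProperty -LiteralPath $regKey | Format-List *
} else { "Not found (or hidden from the API): $regKey" }
```

Two caveats. Only a windowless browser with an unexpected parent is worth attention, since tab processes are windowless by design. And every check here goes through the normal file, registry and process APIs, which a kernel-mode rootkit can filter, so "not found" on the live system is not a clean result; that is why the staff reply moves to a dedicated removal tool and then an independent scanner rather than relying on the on-box view.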

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi Mike,

I was able to download ComboFix. I disabled my AVG Resident Shield and shut off the Windows Firewall. When I tried to launch ComboFix, it just hangs. (There is a process listed in the Task Manager, but it's not using any CPU resources.) It appears to me that the virus is preventing the program from running. This is the same problem I encountered when trying to launch MalwareBytes Anti-Malware, so I tried renaming the executable, and also tried changing the name to a .bat file to see if I could get it to run. I also tried using the Run... command from the Start menu, but no success. :)

Any ideas on how I can get ComboFix to launch? Safe mode, maybe?

Thanks,

RK


  • Staff

Hi,

Please delete Combofix and all renamed ones.

Then redownload it, but follow the exact steps as described below:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    [screenshots in the original post: CF_download_FF.gif, CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

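RK's reply and the rename-during-download instructions above both point at something on the machine that blocks security tools by their file name. The thread does not say which mechanism was involved. The PowerShell below is an added example for this page, not code from the thread or from ComboFix; it lists two documented Windows settings that block execution by image name, so an operator can tell whether either is in play. It assumes an elevated Windows PowerShell 3+ prompt; the $watch list is an assumption built from the tool names mentioned in the thread.

```powershell
# Added example, not from the original thread. Lists two documented name-based
# execution blocks. Neither is stated by the thread to be the cause here; they
# are the first places to look when a renamed copy runs and the original does
# not. Run from an elevated Windows PowerShell 3+ prompt. $watch is an
# assumption: the tool names mentioned in the thread.
$watch = @('mbam.exe', 'combofix.exe', 'combo-fix.exe')

# 1. Image File Execution Options: a 'Debugger' value makes Windows start that
#    program instead of the named image. Legitimate uses exist (debuggers,
#    some vendor tools), so review the list rather than deleting blindly.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$ifeo = foreach ($root in $ifeoRoots) {
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $key.PSChildName
                Debugger = $dbg
                Watched  = ($watch -contains $key.PSChildName.ToLower())
            }
        }
    }
}
'IFEO Debugger entries:'
if ($ifeo) { $ifeo | Sort-Object -Property Watched -Descending | Format-Table -AutoSize }
else { '  none' }

# 2. Explorer 'DisallowRun' policy: a list of file names the shell refuses to
#    launch. Also purely name-based, so a renamed copy is not on the list.
$polRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
)
'DisallowRun entries:'
$any = $false
foreach ($root in $polRoots) {
    if (Test-Path -LiteralPath $root) {
        $props = Get-ItemProperty -LiteralPath $root
        foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })) {
            $any = $true
            "  {0}  (watched: {1})" -f $entry.Value, ($watch -contains $entry.Value.ToString().ToLower())
        }
    }
}
if (-not $any) { '  none' }
```

A Watched=True row under IFEO, or a watched name under DisallowRun, is enough to explain why the original file name hangs while a renamed copy runs. An empty result does not rule the symptom out: a resident process that kills or suspends tools by name leaves nothing in these keys, which is one reason the staff suggest Safe Mode as the fallback.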

Thanks. I followed your instructions and they seem to have worked. Shut down anti-virus and firewall, downloaded ComboFix, and ran it. I just did a quick scan with my AVG software and the two problems seem to have been removed.

Attached are the ComboFix and HijackThis logs as requested.

Thank you very much for your help.

RK

2009_Jun_23_ComboFix_log.txt

hijackthis_2009_Jun_23.txt


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

I still want you to perform an extra scan though, so..

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


  • Staff

This looks OK as well :D

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

