Jump to content

Recommended Posts

Malwarebytes found Trojan.banker located in c:/windows/system32/acroiehelpe.dll. I deleted it and it keeps coming back - there is also a file c:/windows/system32/acroiehelpe.txt that comes back with it. Here is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:36:48 PM, on 9/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

c:\windows\system32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\program files\synaptics\syntp\syntpenh.exe

c:\windows\stsystra.exe

c:\program files\dell\mediadirect\pcmservice.exe

c:\program files\hp\hp software update\hpwuschd2.exe

c:\windows\system32\wltray.exe

c:\program files\roxio\drag-to-disc\drgtodsc.exe

c:\program files\common files\installshield\updateservice\issch.exe

c:\windows\system32\ctfmon.exe

c:\program files\digital line detect\dlg.exe

C:\WINDOWS\System32\svchost.exe

c:\program files\microsoft office\office12\outlook.exe

c:\program files\internet explorer\iexplore.exe

c:\program files\trend micro\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {050C8642-C1A9-480b-95A1-55FECB2B8C9A} - (no file)

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: printer.bat

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{78983312-7C79-417F-A22D-D0448F12B210}: NameServer = 4.2.2.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - c:\progra~1\symantec\liveup~1\lucoms~1.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6032 bytes

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 2837

Windows 5.1.2600 Service Pack 2

9/22/2009 1:53:24 PM

mbam-log-2009-09-22 (13-53-20).txt

Scan type: Quick Scan

Objects scanned: 102117

Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\AcroIEHelpe.dll (Trojan.Banker) -> No action taken.

While this says no action taken, i have run Malwarebytes several times and deleted this file - it keeps coming back.

Thanks!

Link to post
Share on other sites

  • Replies 61
  • Created
  • Last Reply

Top Posters In This Topic

Hi and Welcome to the Malwarebytes' forum,

I can see this in your HJT log:

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

First, you need to disable Ad-Watch an keep it off until you are clean, because it can reverse changes we make to remove malicious startups. You can re-enable it once we are completely done

For Ad-Aware --- Not Ad-Aware 2007 versions:

Open Ad-Aware

Go to AdWatch User Interface

Go to Tools and Preferences

At the bottom of the screen you will see 2 options Active and Automatic:

Active: This will turn Ad-Watch On\Off without closing it

Automatic: Suspicious activity will be blocked automatically

Uncheck both options. You can enable these after resolving your problem.

For Ad-Aware 2007:

On the Real-time protection status screen --> Go to Settings --> Uncheck "Load Ad-Watch at startup"

Reboot.

---

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Normally, I would ask you to disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

However, I don't see an AV running in your log. After you follow all the directions in my reply you must install one.

Next, please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard and paste it in a reply back here
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information to troubleshoot your situation..

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as stewarteli.exe

Notes:

  • It is very important that save the newly renamed EXE file to your desktop.
  • You must rename Combofixe.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (stewarteli.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post C:\ComboFix.txt, the ARK quick scan results, and ARK.txt in your next reply.

Now, since you need an antivirus - please download, install and run this highly rated antivirus called Antivir by Avira:

http://www.free-av.com/en/trialpay_downloa..._antivirus.html

Link to post
Share on other sites

Negster22, thank you for replying. I disabled Adwatch from running at start up and then downloaded the Antiroot Program. When I attempted to run it, i got the following error message:

c:\ARK\8ruruzyw.exe is not a valid Win32 application.

Then i downloaded Combofix and when i attempted to run it got these messages:

Windows cannot find 132788R22FWJFW/iexplorer.exe'. Make sure you typed the name correctly and then try again. To search for a file, click the start button and then click search.

I got the same error messages with /hidec.exe' and n.pif' and nircmd.cfxxe

any idea what i should do next?

Link to post
Share on other sites

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate.

Please open it with notepad and post the contents here. If the log generated OK then ignore the rest of the directions.

_______________

Only if win32kdiag.exe doesn't run, then download the program to a clean PC and transfer it to removable media (USB drive, CDROM) as follows

  • I want you to rename win32kdiag.exe as you download it to suze.pif
  • Then copy it to removable media and copy that file (suze.pif) to the desktop of the infected PC.

Notes:

  • It is very important that save the newly renamed PIF file to your desktop.
  • You must rename win32kdiag.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename it as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Now launch the program suze.pif on the infected PC:

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\suze.pif" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate - be sure to let it finish.

Please open it with notepad and post the contents here.

If this is not clear tell me and I will expand upon it.

Link to post
Share on other sites

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate.

Please open it with notepad and post the contents here. If the log generated OK then ignore the rest of the directions.

_______________

Only if win32kdiag.exe doesn't run, then download the program to a clean PC and transfer it to removable media (USB drive, CDROM) as follows

  • I want you to rename win32kdiag.exe as you download it to suze.pif
  • Then copy it to removable media and copy that file (suze.pif) to the desktop of the infected PC.

Notes:

  • It is very important that save the newly renamed PIF file to your desktop.
  • You must rename win32kdiag.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename it as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Now launch the program suze.pif on the infected PC:

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\suze.pif" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate - be sure to let it finish.

Please open it with notepad and post the contents here.

If this is not clear tell me and I will expand upon it.

Link to post
Share on other sites

ok - here is the result of that:

Running from: C:\Documents and Settings\Beth Stewart\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Beth Stewart\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

thanks for responding to my post so quickly this morning

Win32kDiag.txt

Link to post
Share on other sites

ok - here is the result of that:

Running from: C:\Documents and Settings\Beth Stewart\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Beth Stewart\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

thanks for responding to my post so quickly this morning

I also ran Spybot S&D and found virtumonde.zip

23.09.2009 17:33:11 - ##### check started #####

23.09.2009 17:33:11 - ### Version: 1.5.2

23.09.2009 17:33:11 - ### Date: 9/23/2009 5:33:11 PM

23.09.2009 17:33:15 - ##### checking bots #####

23.09.2009 17:44:09 - found: Microsoft.WindowsSecurityCenter_disabled Settings

23.09.2009 17:53:25 - found: Virtumonde Library

23.09.2009 18:48:15 - ##### check finished #####

Link to post
Share on other sites

I ran a Kaspersky scan from the internet and it found no threats or infections. Malwarebytes is the only program finding this trojan.banker file and it only shows up during the heuristics and extra part of the scan at the end. But - the file acroiehelpe.dll and acroiehelpe.txt are still there, and if I delete them, they come back.

Link to post
Share on other sites

If AcroIEHelpe.dll is located in TEMP then it's a threat but yours is in system32:

http://www.threatexpert.com/files/acroiehelpe.dll.html

Make sure you can view hidden files and folders

Please upload these files to theVirus Total Scanner by browsing to each files folder location, and then click "Send":

C:\WINDOWS\system32\AcroIEHelpe.dll

C:\WINDOWS\system32\AcroIEHelpe.txt

Please post back the url's to the scan report results.

Next, open a command prompt by doing the following :

  • Click start -> run, type cmd and hit Enter
  • Copy/paste the following command in bold at the command prompt exactly as written
  • Type C:\WINDOWS\system32\AcroIEHelpe.txt > C:\results.txt && notepad C:\results.txt
  • A TXT file called results.txt will open in Notepad
  • Please copy/paste the content of that file in your next reply

Link to post
Share on other sites

If AcroIEHelpe.dll is located in TEMP then it's a threat but yours is in system32:

http://www.threatexpert.com/files/acroiehelpe.dll.html

Make sure you can view hidden files and folders

Please upload these files to theVirus Total Scanner by browsing to each files folder location, and then click "Send":

C:\WINDOWS\system32\AcroIEHelpe.dll

C:\WINDOWS\system32\AcroIEHelpe.txt

Please post back the url's to the scan report results.

Next, open a command prompt by doing the following :

  • Click start -> run, type cmd and hit Enter
  • Copy/paste the following command in bold at the command prompt exactly as written
  • Type C:\WINDOWS\system32\AcroIEHelpe.txt > C:\results.txt && notepad C:\results.txt
  • A TXT file called results.txt will open in Notepad
  • Please copy/paste the content of that file in your next reply

Hi Nester22 -

Thanks for replying -

ok - i can view hidden files and folders

I uploaded the two files to VirusTotal and here are the urls -

the url for the .txt file is: http://www.virustotal.com/reanalisis.html?...7181-1253882996

the url for the .dll file is: http://www.virustotal.com/reanalisis.html?...7181-1253883408

Below are the results from running the cmd on acroiehelpe.txt

{050C8642-C1A9-480b-95A1-55FECB2B8C9A}

dl/AcroIEHelpe16.dll

006

Thanks again for your help -

Link to post
Share on other sites

ok - let me try those urls again

http://www.virustotal.com/analisis/e2d8554...7181-1253173369

http://www.virustotal.com/analisis/1ea5766...2e90-1253884032

Hi Nester22 -

Thanks for replying -

ok - i can view hidden files and folders

I uploaded the two files to VirusTotal and here are the urls -

the url for the .txt file is: http://www.virustotal.com/reanalisis.html?...7181-1253882996

the url for the .dll file is: http://www.virustotal.com/reanalisis.html?...7181-1253883408

Below are the results from running the cmd on acroiehelpe.txt

{050C8642-C1A9-480b-95A1-55FECB2B8C9A}

dl/AcroIEHelpe16.dll

006

Thanks again for your help -

Link to post
Share on other sites

I believe this is a false positive. I'll get back to you later - I've got to go to work.

I'd love for that to be the case! is there a reasonable explanation for the acroiehelpe.dll and acroiehelpe.txt returning everytime they're deleted if it is a false positive?

Thanks for your help - hope work goes well!

Link to post
Share on other sites

Let's try this to capture and submit the file to confirm its status:

Go to the upload page here

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Click Browse to this file

C:\WINDOWS\system32\AcroIEHelpe.dll

Select the file, then click Open

Click Send File

ok - i have submitted it. yesterday i wiped the free space and when i turned on the computer this morning, malwarebytes didn't find it. i looked in c:\windows\system32 and the files were not there. then i looked again in a few minutes and they had returned - ran malwarebytes again and it found it that time.

Link to post
Share on other sites

You're welcome!

This is most definitely malware but it has very low detection rates among the antiviruses.

Something is blocking Combofix from downloading or running properly. It could be your security programs or the malware.

I need you to disable all your antimalware applications including your antivirus and firewall plus Ad-Watch.

I need you to delete your current copy of your renamed Combofix on your desktop and redownload it, renaming as you download like before. If it still doesn't work.

Then delete the renamed Combofix again and download it again as follows. Either:

1. Download it from a clean machine again by renaming it as you download and transfer it to your infected PC's desk top using removable media (CD, floppy or flash drive).

OR

2. You can try downloading it in "safe mode with networking" from the infected PC (this is not the safest configuration, however) - still renaming as you go.

To boot into Safe Mode with Networking:

1. Restart the computer

2. Watch the screen while it is black. After the BIOS memory check is done,

start tapping the F8 key. If done right, the Windows Advanced Options Menu will

appear.

3. Select Safe Mode with Networking from the menu.

Starting Windows in Safe Mode may take several minutes

Next, Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clickOK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

File::
C:\WINDOWS\system32\AcroIEHelpe.dll
C:\WINDOWS\system32\AcroIEHelpe.txt

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Explorer\Browser Helper Objects\{050C8642-C1A9-480b-95A1-55FECB2B8C9A}]

Save this to your desktop as CFScript.txt by selecting File -> Save as.

CFScriptB-4.gif

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdskor any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe

This will cause ComboFix launch and run. It normally reboots at the end of its cycle.

Please post back the log that opens when it finishes - C:\Combofix.txt.

Link to post
Share on other sites

i turned off my firewall, adwatch, spybot - then deleted combofix and downloaded it again and it still will not run. I will have access to a clean computer on Tuesday morning and will download it and try using it from a flashdrive. thanks - will get back to you tuesday am with my results.

Hi Negster -

nothing worked - not safemode, not downloading to a clean computer and using a usb drive...combofix will not run. any other ideas? Thanks!

Link to post
Share on other sites

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to delete:
C:\WINDOWS\system32\AcroIEHelpe.dll
C:\WINDOWS\system32\AcroIEHelpe.txt

Registry keys to delete::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Explorer\Browser Helper Objects\{050C8642-C1A9-480b-95A1-55FECB2B8C9A}]

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If it the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log, along with a new HijackThis log, and the ESET scan report in your next reply.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard and paste it in a reply back here
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Link to post
Share on other sites

I downloaded avenger - here is the text from the scan:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS\system32\AcroIEHelpe.dll" deleted successfully.

File "C:\WINDOWS\system32\AcroIEHelpe.txt" deleted successfully.

Error: file "Registry keys to delete::" not found!

Deletion of file "Registry keys to delete::" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Explorer\Browser Helper Objects\{050C8642-C1A9-480b-95A1-55FECB2B8C9A}]"

Deletion of file "[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Explorer\Browser Helper Objects\{050C8642-C1A9-480b-95A1-55FECB2B8C9A}]" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

Then I ran ATF cleaner, downloaded the antiroot kit and it started running, then i got an error "Ark has encountered problems and needs to close" - i tried several times and got hte same error msg.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.