
Wife installed some "free to play!" thing, now her IE is messed up. All link-clicks go to google search results, where the link targets are all either search-link-referrals or random Youtube videos. Read through some posts here, and have tried running (sorry!) RootRepeal, MBAM, HijackThis. All install (or start) fine, but when they get started actually running they shut down before finishing. Installed Avira too late, and it shows no problems on multiple scans. I even tried the Avira boot CD, which detected a few things and deleted them. Problem still persists.

Unfortunately my windows home server backups of her laptop don't work (!!!!), so I come begging for help. I can easily remove her HD (it's a laptop) and dock it to another machine for analysis.

For reference, laptop is a Sony Vaio with Vista x86 SP2 just installed.

Rootrepeal dies during a scan of C:.

MBAM installs but dies before scan starts.

HJT gets through a few items and then dies.

Thank you malwarebytes, you're my only hope!


MBAM installs but dies before scan starts.

Yay for SATA-to-USB docks! I got the disk hooked up to another system and was able to MBAM it. Here's what I turned up (and cleaned):

E:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
E:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
E:\Windows\System32\cngaudit.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

Running RootRepeal on it shows:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/28 09:13
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Hidden/Locked Files
-------------------
Path: Volume E:\
Status: MBR Rootkit Detected!

Path: Volume E:\, Sector 1
Status: Sector mismatch

Path: Volume E:\, Sector 2
Status: Sector mismatch

Path: Volume E:\, Sector 3
Status: Sector mismatch

Path: Volume E:\, Sector 4
Status: Sector mismatch

Path: Volume E:\, Sector 5
Status: Sector mismatch

Path: Volume E:\, Sector 6
Status: Sector mismatch

Path: Volume E:\, Sector 7
Status: Sector mismatch

Path: Volume E:\, Sector 8
Status: Sector mismatch

Path: Volume E:\, Sector 9
Status: Sector mismatch

Path: Volume E:\, Sector 10
Status: Sector mismatch

Path: Volume E:\, Sector 11
Status: Sector mismatch

Path: Volume E:\, Sector 12
Status: Sector mismatch

Path: Volume E:\, Sector 13
Status: Sector mismatch

Path: Volume E:\, Sector 14
Status: Sector mismatch

Path: Volume E:\, Sector 15
Status: Sector mismatch

Path: Volume E:\, Sector 16
Status: Sector mismatch

Path: Volume E:\, Sector 17
Status: Sector mismatch

Path: Volume E:\, Sector 18
Status: Sector mismatch

Path: Volume E:\, Sector 19
Status: Sector mismatch

Path: Volume E:\, Sector 20
Status: Sector mismatch

Path: Volume E:\, Sector 21
Status: Sector mismatch

Path: Volume E:\, Sector 22
Status: Sector mismatch

Path: Volume E:\, Sector 23
Status: Sector mismatch

Path: Volume E:\, Sector 24
Status: Sector mismatch

Path: Volume E:\, Sector 25
Status: Sector mismatch

Path: Volume E:\, Sector 26
Status: Sector mismatch

Path: Volume E:\, Sector 27
Status: Sector mismatch

Path: Volume E:\, Sector 28
Status: Sector mismatch

Path: Volume E:\, Sector 29
Status: Sector mismatch

Path: Volume E:\, Sector 30
Status: Sector mismatch

Path: Volume E:\, Sector 31
Status: Sector mismatch

Path: Volume E:\, Sector 32
Status: Sector mismatch

Path: Volume E:\, Sector 33
Status: Sector mismatch

Path: Volume E:\, Sector 34
Status: Sector mismatch

Path: Volume E:\, Sector 35
Status: Sector mismatch

Path: Volume E:\, Sector 36
Status: Sector mismatch

Path: Volume E:\, Sector 37
Status: Sector mismatch

Path: Volume E:\, Sector 38
Status: Sector mismatch

Path: Volume E:\, Sector 39
Status: Sector mismatch

Path: Volume E:\, Sector 40
Status: Sector mismatch

Path: Volume E:\, Sector 41
Status: Sector mismatch

Path: Volume E:\, Sector 42
Status: Sector mismatch

Path: Volume E:\, Sector 43
Status: Sector mismatch

Path: Volume E:\, Sector 44
Status: Sector mismatch

Path: Volume E:\, Sector 45
Status: Sector mismatch

Path: Volume E:\, Sector 46
Status: Sector mismatch

Path: Volume E:\, Sector 47
Status: Sector mismatch

Path: Volume E:\, Sector 48
Status: Sector mismatch

Path: Volume E:\, Sector 49
Status: Sector mismatch

Path: Volume E:\, Sector 50
Status: Sector mismatch

Path: Volume E:\, Sector 51
Status: Sector mismatch

Path: Volume E:\, Sector 52
Status: Sector mismatch

Path: Volume E:\, Sector 53
Status: Sector mismatch

Path: Volume E:\, Sector 54
Status: Sector mismatch

Path: Volume E:\, Sector 55
Status: Sector mismatch

Path: Volume E:\, Sector 56
Status: Sector mismatch

Path: Volume E:\, Sector 57
Status: Sector mismatch

Path: Volume E:\, Sector 58
Status: Sector mismatch

Path: Volume E:\, Sector 59
Status: Sector mismatch

Path: Volume E:\, Sector 60
Status: Sector mismatch

Path: Volume E:\, Sector 61
Status: Sector mismatch

Path: Volume E:\, Sector 62
Status: Sector mismatch

Path: E:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: E:\System Volume Information\{c253a981-ab41-11de-8824-001a80413d1d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

I've got a Vista boot CD (with recovery console, for 'fixmbr') sitting around. Would that be sufficient? I guess I then need to use "inherit.exe" to unlock the files? The rootrepeal log is partial - on this system, RR eventually consumes 1.5gb of RAM which causes tons of paging, effectively stopping the scan in \windows\winsxs\manifests. I let it run for an hour or two last night and it was still wedged, but there were a handful of other "locked to the API!" hits (but none in \windows\system32\drivers).

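An offline check along the lines of what the docked-disk setup above allows, added here as an example that is not from the thread and is not how RootRepeal works: read a raw image of the disk's first sectors, parse the MBR partition table, and flag any non-zero sectors in the gap before the first partition, the region the log reports as sectors 1-62. The image is constructed in code; reading a real dock-mounted disk is assumed to be done by the caller.

```python
import struct

SECTOR = 512  # classic MBR disks use 512-byte sectors
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(mbr: bytes):
    """Return (signature_ok, first LBA of each populated partition entry)."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be one full sector")
    signature_ok = mbr[510:512] == MBR_SIGNATURE
    starts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        part_type = entry[4]  # 0x00 marks an unused slot
        first_lba = struct.unpack_from("<I", entry, 8)[0]
        if part_type != 0 and first_lba != 0:
            starts.append(first_lba)
    return signature_ok, starts


def suspicious_gap_sectors(image: bytes):
    """LBAs between the MBR and the first partition that are not all zero.

    A clean install leaves this gap blank; MBR bootkits typically keep their
    loader there, which is what the 'Sector mismatch' entries for sectors
    1-62 in the RootRepeal log above point at.
    """
    signature_ok, starts = parse_mbr(image[:SECTOR])
    if not signature_ok or not starts:
        raise ValueError("no valid MBR partition table in sector 0")
    hits = []
    for lba in range(1, min(starts)):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(chunk) < SECTOR:  # image ends before the gap does
            break
        if any(chunk):
            hits.append(lba)
    return hits


def build_test_image(first_lba: int = 63, infected: bool = False) -> bytes:
    """Constructed sample: MBR, the gap, then the partition's own boot sector."""
    mbr = bytearray(SECTOR)
    # one active NTFS-type (0x07) entry; CHS bytes left zero, LBA start/size set
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, first_lba, 1_000_000)
    mbr[510:512] = MBR_SIGNATURE
    gap = bytearray(SECTOR * (first_lba - 1))
    if infected and gap:  # placeholder bytes standing in for a loader, not real code
        gap[:] = b"CONSTRUCTED-STUB".ljust(len(gap), b"\x90")
    vbr = b"\xEB\x52\x90NTFS    ".ljust(SECTOR, b"\x00")
    return bytes(mbr) + bytes(gap) + vbr
```

A hit list is only a lead: after `fixmbr`, compare the gap again, since a legitimate boot manager can also use these sectors.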

Yes, you need to Fixmbr on her laptop. Afterwards, I would like you to run this program

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall


Sorry for the delay, I must have missed your post.

Download the attached file CFScript.txt to your Desktop

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

====================================================

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    KasReport.png

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

CFScript.txt
