I'm running Windows XP Media Center (SP3) on a Dell Inspiron. I recently was infected with PC Defender and, after a long struggle, managed (with the help of Malwarebytes) to get most of it off. I now have most functionality back, but still have significant problems with the internet (I'm running Windows Internet Explorer).

Whatever remains from the infection prevents me from linking to Malwarebytes or any other, similar site. I have therefore been unable to update the mbam program. I had to use a series of back paths, through other sites, to download HijackThis, but have been unable to do the same to get the needed updates. I was finally able to run a log, which I had to download to a USB key and transfer to another computer to send to you now. The log, copied and pasted, is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:20 PM, on 2/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\IntelDH\Intel

Hi and Welcome to the Malwarebytes' forum.

You may want to download and install Firefox to see if that helps during the cleanup period.

http://www.mozilla.com/en-US/firefox/upgrade.html

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here.
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - click the Rootkit/Malware tab, and then select the Scan button.
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your Symantec antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double-click on the renamed combofix.exe (rayman.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.

Please post C:\ComboFix.txt and ARKQ.txt in your next reply.

OK. I've tried what you suggested and I still cannot access the internet unimpeded. I THINK I followed the instructions completely, but it's difficult to say for sure as I'm obliged to use the thumb drive to shuffle between an uninfected Mac laptop and the infected PC.

I've activated Firefox and that produces the same result as Internet Explorer when I try to reach Malwarebytes. By way of additional information, Internet Explorer provides me with a succinct error box when I try to 'update' Malwarebytes. It says:

An error has occurred. Please report the following error code to Malwarebytes Anti-Malware support team:

Error code: 732 (12007, 0)

Firefox just tells me that the site cannot be found and suggests that I check my spelling.

I've attached the logs that I ran using ComboFix and ARK. I think. I had to do some creative (for a techno-challenged history major) manipulating of the files to get them to where I am now, so please tell me if this is not what you're looking for.

And please accept my thanks for your time and effort on my behalf.

602

ComboFix.txt

ComboFix_logrun.doc

It's very important that I see the Antirootkit log you should have saved as ARKQ.txt. The logs you gave me are helpful but I need to see if you have any hidden infections, one of which is known to cause the browser redirection you're describing.

Your Combofix log indicates your Symantec antivirus was NOT disabled during your Combofix scan so it may have impeded Combofix from removing and detecting as much as it is capable of doing:

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

Can you see and follow these directions:

http://www.bleepingcomputer.com/virus-remo...malware-defense

Please post an updated HJT log.

ARKQ.txt

OK, I ran the scans and I'm attaching the files. I continue to have the problem though and I'm navigating between the infected PC and the uninfected Mac, so I HOPE that these are the correct files. Having run the ComboFix, I still am unable to access Malwarebytes. My next step will be to download the ATF cleaner and try that.

602

ComboFix_10.doc

ARKQ.txt

Your successive Combofix runs indicate that this infected file is being recreated, and thus the infection is not being completely removed!

c:\docume~1\Jan\LOCALS~1\Temp\IadHide4.dll

c:\documents and settings\Jan\Local Settings\temp\IadHide4.dll

In the future, please post the Combofix log as a TXT (openable with Notepad) file and not as a DOC (Word) file.

Please visit this page and perform the steps indicated to remove this infection. Your HJT log indicates you have a proxy server installed, but this can also be a symptom of infection unless you set your network connections that way. So please verify that, because removing the proxy that the infection sets is one of the steps in this semi-manual removal procedure.

http://www.bleepingcomputer.com/virus-remo...malware-defense

You'll also notice that you must download and rename the MBAM installer to explorer.exe.

You may also have to download a randomly renamed main executable if running MBAM still results in an error.

I was in the process of running the malware/rootkit scan when the computer shut down with an error message saying that it had encountered a problem and quit to protect Windows. The code given was:

Awloapob.sys 'page in non-paged area'

awloapob.sys - address A581BFA6 base at A5810000, datestamp 46274f8d

should I start over, or is there something else that I need to be aware of?

602

There is a conflict between the antirootkit (ARK) program driver and another driver loaded on your system. It may be your antimalware active protection or it may be a malicious driver.

Did you disable your antivirus guard and any other active protection you're running before launching the ARK program?

You need to do that!

Also, I do not need you to perform the longer scan that you obtain from pressing the scan button. All I need is the very short scan that happens automatically when you launch the program. That takes 30 sec or less to complete. Just save that as ARKQ.txt and post it back. If you cannot even get that, then we'll have to take another approach such as trying it in safe mode.

ARKQ.txt

I think you may be having problems because your network connections are set to use a proxy server.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

If you did NOT intentionally set them that way, then try the following:

  • Go to Control Panel > Internet options.
  • Click on the "Connections" tab, then the "LAN settings" button.
  • Uncheck "use a proxy server" and check "automatically detect settings."
  • Click Ok/Apply and exit.

See if browsing is improved now, and if Malwarebytes no longer gives you an error.
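
The R1 line above, and the Temp-resident DLL that ComboFix kept finding earlier in this thread, are the kind of HijackThis entries an analyst wants to pick out mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from Malwarebytes. It runs on the clean machine against a log carried over on the USB key and flags three things: Internet Settings entries that would actually route IE through a proxy (ProxyServer, AutoConfigURL, ProxyEnable = 1), O1 hosts-file entries, and autostarts whose binary lives under a Temp directory. One caveat it encodes: ProxyOverride on its own is only the proxy bypass list and redirects nothing unless a ProxyServer is also set, so it is rated LOW, which matches what the poster later found in the LAN settings dialog. The hosts-file check is there because the 12007 in the MBAM error is WinINet's ERROR_INTERNET_NAME_NOT_RESOLVED, i.e. a name-resolution failure rather than a proxy failure. Assumptions: the HijackThis 2.x line formats shown in the comments, the vendor-domain list, and the Temp-directory heuristic; the sample log is constructed, with only the ProxyOverride line taken from the thread.

```python
"""Analyst-side triage of a HijackThis (HJT) log carried off the infected PC.

Flags R0/R1 Internet Settings entries that route IE through a proxy,
O1 hosts-file entries (which break name resolution for that host; WinINet
error 12007, ERROR_INTERNET_NAME_NOT_RESOLVED, is the browser-side symptom),
and O2/O4/O20/O21/O23 autostarts whose binary lives under a Temp directory.
ProxyOverride alone is rated LOW: it is only the bypass list.
"""
import re
import sys
from dataclasses import dataclass
from ipaddress import ip_address

# Domains a rogue antivirus typically blocks (assumption; extend as needed).
VENDOR_HINTS = ("malwarebytes", "bleepingcomputer", "symantec", "norton", "mcafee",
                "kaspersky", "avast", "avg", "eset", "sophos", "trendmicro", "microsoft")

# Line shapes as HijackThis 2.x prints them:
#   R1 - HKCU\...\Internet Settings,ProxyOverride = localhost
#   O1 - Hosts: 127.0.0.1 www.example.com
#   O4 - HKLM\..\Run: [name] C:\path\to\binary.exe
R_LINE = re.compile(r"^(?P<sec>R[013]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
O1_LINE = re.compile(r"^O1 - Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
AUTOSTART = re.compile(r"^(?P<sec>O(?:2|4|20|21|23)) - (?P<rest>.*)$")
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)   # "\Temp\" or "\tmp\", 8.3 or long form


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    section: str    # HJT section tag, e.g. "R1", "O1", "O4"
    detail: str


def _is_loopback(ip: str) -> bool:
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def triage(log_text: str) -> list:
    """Findings in log order; the ProxyOverride verdict comes last because it
    depends on whether a ProxyServer appeared anywhere in the log."""
    findings, proxy_server, override = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m and "internet settings" in m["key"].lower():
            name, value = m["name"].strip(), m["value"].strip()
            if name == "ProxyServer" and value:
                proxy_server = value
                findings.append(Finding("HIGH", m["sec"], f"IE proxy configured: ProxyServer = {value}"))
            elif name == "AutoConfigURL" and value:
                findings.append(Finding("HIGH", m["sec"], f"proxy auto-config script: {value}"))
            elif name == "ProxyEnable" and value == "1":
                findings.append(Finding("MEDIUM", m["sec"], '"Use a proxy server" is ticked (ProxyEnable = 1)'))
            elif name == "ProxyOverride":
                override = (m["sec"], value)
            continue
        m = O1_LINE.match(line)
        if m:
            ip, host = m["ip"], m["host"]
            if host.lower() == "localhost" and _is_loopback(ip):
                continue                      # the stock hosts-file entry
            hijack = any(h in host.lower() for h in VENDOR_HINTS) or not _is_loopback(ip)
            findings.append(Finding("HIGH" if hijack else "MEDIUM", "O1", f"hosts file maps {host} -> {ip}"))
            continue
        m = AUTOSTART.match(line)
        if m and TEMP_DIR.search(m["rest"]):
            findings.append(Finding("HIGH", m["sec"], f"autostart runs from a Temp directory: {m['rest']}"))
    if override is not None:
        sec, value = override
        note = "bypass list for the proxy above" if proxy_server else "bypass list only; no ProxyServer set, nothing is redirected"
        findings.append(Finding("MEDIUM" if proxy_server else "LOW", sec, f"ProxyOverride = {value} ({note})"))
    return findings


def report(findings) -> str:
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = sorted(findings, key=lambda f: order[f.severity])
    return "\n".join(f"[{f.severity:6}] {f.section:<3} {f.detail}" for f in rows) or "no findings"


# Constructed sample: only the ProxyOverride line is from the thread; the rest
# is illustrative and NOT taken from the poster's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 203.0.113.5 www.malwarebytes.org
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\..\Run: [sample] C:\Documents and Settings\Jan\Local Settings\Temp\sample.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
""".strip()
THREAD_R1 = SAMPLE_LOG.splitlines()[0]   # the thread's R1 line on its own

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(triage(text)))
```

Run with a log path to triage a real file, or with no arguments to see the verdicts on the constructed sample: the ProxyServer, hosts-file and Temp autostart lines come out HIGH, while the thread's own ProxyOverride line drops to LOW once the ProxyServer line is absent.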

I just verified the proxy settings on the internet connections tab and that option was NOT checked. 'Automatically Detect Settings' was checked, so I again attempted to access the Malwarebytes update and got the same error message.

You had mentioned that "You'll also notice that you must download and rename the MBAM installer to explorer.exe". Is that a next step for me? I am still downloading programs to a Mac laptop, transferring them to a thumb drive, then uploading them to the infected PC. Will the MBAM installer be influenced by downloading to a Mac?

These are the bleeping computer removal instructions for PC Defender:

http://www.bleepingcomputer.com/virus-remo...essentials-2010

You had mentioned that "You'll also notice that you must download and rename the MBAM installer to explorer.exe". Is that a next step for me?

However, since you're having infection fallout problems still (unable to connect to Malwarebytes' servers among other things), I would substitute the steps in this guide regarding rkill usage and MBAM:

http://www.bleepingcomputer.com/virus-remo...essentials-2010

I am still downloading programs to a Mac laptop, transfering them to a thumb drive, then uploading them to the infected PC. Will the MBAM installer be influenced by downloading to a Mac?

Highly doubtful as this is just a file transfer to media and there is no file editing going on.

This is getting crazy. OK. I downloaded both of the .exe programs. The Malwarebytes main download went with no problem, but the second, smaller one, to replace the missing or blocked files, was difficult. Initially I got an error code - 707 (3,0) - that prevented me from renaming it or running it from the desktop. I had to go to My Computer, open the C drive, open Program Files, and drag and drop it into the Malwarebytes folder that I had just downloaded. Then when I opened the program, it went all the way through to the last (update) page, but there I again got the error code, but a different one this time - 732 (12007, 0).

I suspect this one is operator error, but what did I do wrong?

602

Apologies for the delay - I've had additional - non-computer - problems to deal with. I followed the instructions and still have the problem. Anti-virus protection and malware that I'm aware of is turned off and Malwarebytes is 'ignored.' As the problem remains, I scanned again and I'm attaching those files here. I'm about at wits' end here. Any other thoughts?

6032
