
Dear malwarebytes assistant,

I have a virus, please help, thank you! The following is a description of what I've done, and attached are the DDS, DDSATTACH, GMER (ARK) and Malwarebytes scans (3).

Yesterday, I got bombarded with pop-ups all of a sudden yelling about infection. I naturally tried to fix the problem myself. I am, however, now lost. Before wiping the hard drive clean I thought I'd try this.

Initially, I tried to get Symantec LiveUpdate to tell me what the problem was, but every time it started its scan it stopped after one second.

Then I downloaded the Malwarebytes free software while in safe mode, ran it, found viruses and deleted/quarantined them (reports attached). Upon restart the computer took me to the login screen and then started a cycle of shutting down and rebooting continuously (the first instance gave the blue screen, the rest were just black).

I started in safe mode again, downloaded AVG, ran it, nothing. Then deleted AVG.

Then I found a way to get Symantec to update using a link on their site to current definition files. I updated, ran a full scan which deleted and quarantined some trojans and a rootkit, I think. Restarted only to find the same cycle of boot-up, shutdown, restart automatically.

Finally I found this forum!!!!! :angry: Ran Malwarebytes a few times. Initially more trojans and a rootkit... running it again said clean... waiting for some time and rerunning found more trojans, which were then cleaned. I guess this is the nature of the beast from what I've read.

I followed the initial instructions in the tutorial, ran Defogger and have attached the files for DDS and GMER.

I'll wait a while before wiping the hard disk. I'm writing a PhD dissertation and can't afford to wait weeks, and I'm not sure how long this typically takes. I'll be patient, though, but am asking for any expedition possible. I know I'm no one special; however, I appreciate your kind help and give you my word that I'll buy your full version if this works quickly.

Best regards and many thanks for your help,

labuke

The DDS text is below. ALSO, the DDS, the Malwarebytes (3), DDSattach, and GMER (ark.txt) are all added as attachments.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Joe at 18:04:55.67 on Wed 05/05/2010

Internet Explorer: 8.0.6001.18904

Microsoft

mbam_log_2010_05_05__17_26_43_.txt

mbam_log_2010_05_04__23_21_59_.txt

mbam_log_2010_05_05__01_18_56_.txt

ddsAttach.txt

DDS.txt

ark.txt


  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having, as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Can you tell me if you made these folders?

C:\K

C:\J

C:\I

C:\H

C:\G

C:\F

C:\E

C:\D

C:\C

C:\B

C:\A

:run combofix:

  • Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully
Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

"information and logs"

  • In your next post I need the following
  1. Log From Combofix
  2. let me know about those folders please
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Gringo,

Thank you for the prompt response. I turned off the run-automatically option of Windows Defender and disabled Symantec. (I ran ComboFix twice; the first time I did not have the run-automatically option off and the ComboFix log contained nothing. I deleted ComboFix, re-downloaded it and ran it after disabling Symantec and unticking the auto-run box in Defender.) After running ComboFix the computer restarts and shuts down repeatedly again. The first time it does this I see a ComboFix window and a Diskeeper notice window, then the machine shuts down and restarts again and again. Each time before it shuts down a blue window with white letters shows up for a few seconds. It's gone before I can write much down... there is one thing I saw amongst all of the text on this screen: SRTSPL.SYS and an address after it that changes each time the computer shuts down.

I also noticed my desktop now has an emptied Recycle Bin and an Internet Explorer icon that was not there previously.

Below is the ComboFix log.

ComboFix 10-05-05.0D - Joe 05/06/2010 11:34:16.1.2 - x86 NETWORK

Microsoft


I ran ComboFix again. First made sure the firewalls were off, then Symantec and then Defender. Ran ComboFix by clicking the same icon on the desktop...

Some things I noticed...

In the blue ComboFix box it said

"Access denied, administrator permissions are needed to use the selected options. Use an administrator command prompt."

then

"Creating a restore point"

then the scan starts.

As it is scanning... between command stage 38 and 39, it again says "Access denied, administrator permissions are needed to use the selected options. Use an administrator command prompt."

It stops at stage 50 and says restarting,

then again

"Access denied, administrator permissions are needed to use the selected options. Use an administrator command prompt."

The computer restarts and goes through the start, close, start, close routine over and over again.

Just a reminder: I'm doing all of this from my laptop in safe mode with networking.

Upon reboot I noticed a window pop up briefly that said something about "catchme" failed to initialize. Also, a ComboFix window, and then the computer shuts down... giving the blue screen with white writing first, then restarts.

Upon starting in safe mode again I get a window that says Windows has recovered from an unexpected shutdown. I can check for a solution, cancel, or X out. I simply click X, turn on my wireless router, go to this site and report to you.

Here is the ComboFix log

ComboFix 10-05-05.0D - Joe 05/06/2010 13:38:40.1.2 - x86 NETWORK

Microsoft


Gringo,

Do you think it's a rootkit infection? If so, can you ever guarantee that it is gone? I'm considering the possibility of upgrading to Windows 7, scanning my external HD, transferring my files manually if it is indeed a rootkit that may always be in the background.

For now, though, I'll keep following your instructions.


  • Staff

Greetings

I would like you to rerun GMER, but please use these settings for it

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    [image: GMER_2.png]
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

Gringo


Here is the GMER log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-06 19:05:18

Windows 6.0.6002 Service Pack 2

Running: 57f4rqzm.exe; Driver: C:\Users\Joe\AppData\Local\Temp\kfrdypog.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- EOF - GMER 1.0.15 ----


Gringo,

I've tried to remove Symantec two ways. I'm in safe mode because that is all I can do.

First I went to Control Panel > Programs and Features > Symantec Endpoint Protection > right-click Uninstall.

I received this message after selecting yes, I am sure I want to uninstall...

"The Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Second, I went to the Start taskbar, went to All Programs, right-clicked Symantec Endpoint Protection, clicked Delete, and the file disappeared. However, the program remains in the "Programs and Features" folder of the Control Panel. When I try to uninstall it again there, it gives the same message as above.

Regards,

labuke


OK, right now I am out of safe mode but Symantec will not install. After restarting, the system started in normal mode; Windows was trying to configure Symantec, and it was having a lot of trouble. The progress bar was advancing and then moving backward over and over. A few things popped up: one window saying Windows blocked some programs from installing, and the ComboFix window popped up. I went right to Start, Control Panel and right-clicked Endpoint to uninstall. It began uninstalling, then I got a message saying preparing to remove and then... another popup:

User Account Control, telling me an unidentified program wants to access my computer.

The program is from an unidentified publisher, the details of which are "Update, 11.0.4000.2295, Symantec Corporation". Should I allow or cancel?

Also, do I need to reinstall Symantec right now if we get it uninstalled? I get the program free from my academic institution and would have to go to campus and download the program from their system. Can't I use some other antivirus for now?


  • Staff

Hello

At least we are moving forward.

OK, go here and download the removal tool for Norton. We will remove all of Norton and install another antivirus for now.

Remove Norton

Note : You should first attempt to remove your Norton product using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method. After uninstalling using Windows Add/Remove Programs, run the Norton Removal Tool to ensure successful removal of all Norton references.

  • Please go to this page and select the product you have
  1. Download the Norton Removal Tool.
     Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the Norton Removal Tool icon.
  3. Follow the on-screen instructions.
     Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.

Let me know when we are up to this point.

gringo


  • Staff

Greetings

Those look good, but I would like to make sure that ComboFix will still run. You will need to turn off Antivir before you download it and while you run it.

update combofix

I would like you to download an updated version of ComboFix.

  • Delete the version of combofix you have now on your desktop and download a new one from here
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me have this report.

gringo


Gringo,

Here is the ComboFix log. The files labeled C:\A through R are still there; can I delete them?

Should I turn Antivir back on? What's next, and how best to protect myself?

Thank you,

labuke

ComboFix 10-05-07.05 - Joe 05/07/2010 22:53:03.1.2 - x86

Microsoft


  • Staff

Greetings

Good so far. Please run this script:

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

DirLook::
C:\32788R22FWJFW

Folder::
C:\W
C:\V
C:\U
C:\T
C:\S
C:\R
C:\Q
C:\P
C:\O
C:\N
C:\M
C:\L
C:\K
C:\J
C:\I
C:\H
C:\G
C:\F
C:\E
C:\D
C:\C
C:\B
C:\A

Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt onto ComboFix.exe

[image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Let me have this report.

gringo
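The staff script above hands ComboFix the single-letter root folders (C:\A through C:\W) that the user did not create. Before a script like that is run, a responder usually wants an inventory of what those folders hold, so the log and the deletion can be judged afterwards. The following is an added example, not part of this thread and not ComboFix's own code: it enumerates single-letter directories directly under a root, records file counts, sizes, newest timestamps and any executable-type files, and then emits a CFScript block in the same shape as the staff reply. It assumes (my reading of how the thread uses them) that DirLook:: makes ComboFix list a folder's contents in its log and Folder:: makes it remove the folder; the EXEC_EXT shortlist and the constructed sample tree are also assumptions, not from the page.

```python
"""
Triage helper for the single-letter root folders (C:\\A ... C:\\W) seen in this thread.
Added example, not from the forum post or from ComboFix. It inventories those folders
before anything is deleted, then writes a CFScript block in the shape the staff reply uses
(assumed semantics: DirLook:: lists a folder in the log, Folder:: removes it).
"""
import os
import string
import tempfile
from dataclasses import dataclass, field

# Extensions worth flagging inside a dropped folder (assumption: a practical shortlist, not exhaustive)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class FolderReport:
    path: str
    file_count: int = 0
    total_bytes: int = 0
    newest_mtime: float = 0.0
    executables: list = field(default_factory=list)


def single_letter_dirs(root):
    """Directories directly under root whose name is one letter (C:\\A style), sorted A..Z."""
    found = []
    for entry in os.scandir(root):
        if (entry.is_dir(follow_symlinks=False)
                and len(entry.name) == 1
                and entry.name.upper() in string.ascii_uppercase):
            found.append(entry.path)
    return sorted(found, key=lambda p: os.path.basename(p).upper())


def inspect_folder(path):
    """Walk one folder: count files, total size, newest mtime, and any executable-type files."""
    rep = FolderReport(path=path)
    for dirpath, _dirnames, filenames in os.walk(path):
        for name in filenames:
            fp = os.path.join(dirpath, name)
            try:
                st = os.stat(fp, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished; a rootkit may hide or lock files
            rep.file_count += 1
            rep.total_bytes += st.st_size
            rep.newest_mtime = max(rep.newest_mtime, st.st_mtime)
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                rep.executables.append(fp)
    return rep


def build_cfscript(reports):
    """CFScript text: DirLook:: for non-empty folders, then Folder:: for all, listed Z..A like the staff script."""
    def name_key(p):
        return os.path.basename(p).upper()

    lines = []
    nonempty = [r.path for r in reports if r.file_count > 0]
    if nonempty:
        lines.append("DirLook::")
        lines.extend(sorted(nonempty, key=name_key, reverse=True))
        lines.append("")
    lines.append("Folder::")
    lines.extend(sorted((r.path for r in reports), key=name_key, reverse=True))
    return "\n".join(lines) + "\n"


def make_sample_tree():
    """Constructed sample: a temp 'drive root' with A, B, C (C holds one .exe) and a normal folder."""
    root = tempfile.mkdtemp(prefix="triage_")
    for name in ("A", "B", "C", "Program Files"):
        os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, "C", "x.exe"), "wb") as fh:
        fh.write(b"MZ")  # fake PE magic, enough to exercise the extension filter
    return root


if __name__ == "__main__":
    root = make_sample_tree()  # on the real machine this would be "C:\\"
    reports = [inspect_folder(d) for d in single_letter_dirs(root)]
    for r in reports:
        print(f"{r.path}: {r.file_count} files, {r.total_bytes} bytes, executables={r.executables}")
    print(build_cfscript(reports))
```

Run it from an administrator prompt against the drive root and keep its output alongside the ComboFix log. One caveat a responder should keep in mind on a machine like this one: os.scandir and os.stat are ordinary user-mode enumeration, so a kernel rootkit that hides files will hide them from this script too. An empty listing here is a first look, not evidence that the folder was empty, which is one reason the thread still has ComboFix list the folders itself.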


This topic is now closed to further replies.