Terryjann Posted June 10, 2010 ID:264889

My computer appears to be infected by Antimalware Doctor. I have run Malwarebytes Anti-Malware version 1.46 three times. It finds 17 infected files, removes them, but the virus keeps coming back. I tried to download HijackThis, but it won't let me go to the site to download. Any help would be appreciated!
Elise Posted June 10, 2010 ID:265075

Hello, my name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. If you have already posted a log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine.
Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror

- Save it to your desktop.
- Double click on the icon on your desktop.
- Click the "Scan All Users" checkbox.
- Push the button.
- Two reports will open, copy and paste them in a reply here:
  OTListIt.txt <-- Will be opened
  Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
- Main Mirror: This version will download a randomly named file (Recommended)
- Zipped Mirror: This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
- A detailed description of your problems
- A new OTL log (don't forget extra.txt)
- GMER log
Terryjann Posted June 10, 2010 Author ID:265323

Thank you for helping! I've cut and pasted the initial GMER log that came up when it opened. I've attached the GMER scan, the OTL log, and the Extras to this reply. Every time I cut and pasted, it said the reply was too large.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-10 10:54:01
Windows 5.1.2600 Service Pack 3
Running: 1doskcg1.exe; Driver: C:\DOCUME~1\TERRYJ~1\LOCALS~1\Temp\kwdoakod.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A252EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attachments: Extras.Txt, gmer.txt, OTL.Txt
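The quick-scan log above is what the helper reads to spot the rootkit. As an added example (not code from the thread or from GMER), here is a small Python parser for that log format that pulls out the two lines the helper acted on: a disk device serviced by a bare address rather than a named driver file, and a system file GMER reports as modified. The sample is abbreviated from the log posted above, and the class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Abbreviated from the log in the post above (header, then Devices, Files and EOF banners).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-10 10:54:01

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A252EC5

---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

HEADER_RE = re.compile(r"^GMER (\S+) - ")
SCAN_RE = re.compile(r"^Rootkit (?:quick )?scan (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
SECTION_RE = re.compile(r"^---- (\w+) - GMER ")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
DEVICE_RE = re.compile(r"^Device\s+(?:->\s+)?(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")
FILE_RE = re.compile(r"^File\s+(\S+)\s+(.+)$")  # assumes the path contains no spaces
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")    # bare 32-bit address, no module name

@dataclass
class DeviceEntry:
    kind: str          # "AttachedDevice" (a filter stacked on a device) or "Device"
    driver: str        # driver object, e.g. \Driver\atapi
    device: str        # device object, e.g. \Device\Harddisk0\DR0
    target: str        # module file that services it, or a bare address
    description: str = ""

@dataclass
class GmerReport:
    version: str = ""
    scan_time: str = ""
    devices: List[DeviceEntry] = field(default_factory=list)
    files: List[Tuple[str, str]] = field(default_factory=list)  # (path, verdict)
    findings: List[str] = field(default_factory=list)

def parse_gmer_log(text: str) -> GmerReport:
    """Walk the log line by line; each '---- X - GMER' banner switches section."""
    report, section = GmerReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
        elif section is None:  # header block before the first banner
            h, s = HEADER_RE.match(line), SCAN_RE.match(line)
            report.version = h.group(1) if h else report.version
            report.scan_time = s.group(1) if s else report.scan_time
        elif section == "Devices":
            a, d = ATTACHED_RE.match(line), DEVICE_RE.match(line)
            if a:
                report.devices.append(DeviceEntry("AttachedDevice", *a.groups()))
            elif d:
                drv, dev, target, desc = d.groups()
                report.devices.append(DeviceEntry("Device", drv, dev, target, desc or ""))
        elif section == "Files":
            f = FILE_RE.match(line)
            if f:
                report.files.append(f.groups())
    report.findings = triage(report)
    return report

def triage(report: GmerReport) -> List[str]:
    """Flag what the helper acted on in the thread: a device serviced by a bare
    address instead of a named driver file, and a system file marked as modified."""
    findings = []
    for e in report.devices:
        if e.kind == "Device" and ADDRESS_RE.match(e.target):
            findings.append(f"{e.driver} {e.device}: serviced by unnamed code at 0x{e.target}")
    for path, verdict in report.files:
        if "suspicious" in verdict.lower():
            findings.append(f"{path}: {verdict}")
    return findings
```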
Elise Posted June 10, 2010 ID:265330

Hello again,

The first thing we need to fix is a nasty rootkit infection. Before starting however, please continue the following.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
- How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
- When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
- Bleepingcomputer
- ForoSpyware

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
- Double click on Combofix.exe and follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Terryjann Posted June 11, 2010 Author ID:265444

Hi,

I ran ComboFix. The log is attached. When I tried to open IE, I ended up with popups again. So, I am sending you this through my other computer.

Log is attached.

Attachment: combofixlog.txt
Elise Posted June 11, 2010 ID:265569

Hello again, it's good to keep this computer disconnected for now; there are still some leftovers and keeping it connected to the internet now might cause reinfection. Please make sure there is a connection only when you run the CFScript below.

Please do not use the Quote button to reply to this topic, instead use the Add Reply button.

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=53439&view=findpost&p=265444
AtJob::
RenV::
c:\program files\McAfee\SpamKiller\MSKAGE~1 .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\McAfee.com\Agent\MCUPDA~1 .exe
c:\program files\McAfee.com\Personal Firewall\MpfTray .exe
c:\program files\McAfee.com\VSO\mcmnhdlr .exe
c:\program files\McAfee.com\VSO\mcvsshld .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\TDispVol .exe
c:\windows\system32\TPSMain .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
"gotnewupdate000 .exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skb"=-
"MChk"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15D3EF19-4C3F-4945-906D-4B5EF8BCDAD6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A49B7D-4AAD-490F-B943-CBE91F464C93}]
Collect::
c:\windows\system32\iemqd.exe
c:\windows\system32\remqd.dll
c:\windows\system32\vemqd.dll
Folder::
c:\documents and settings\Terry Jann\Application Data\A8F849579C06DCDCC96D36E5E89A820F

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
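As an added example (not the thread's own code and not part of ComboFix), here is a Python script that reads a CFScript in the layout above and lists what each block asks ComboFix to do, so the plan can be checked line by line before it is run. The sample is shortened from the script in this post; the block meanings are this example's reading of them rather than a ComboFix specification, and the function names are its own.

```python
import re
from typing import Dict, List, Tuple

# Shortened from the CFScript in the post above. A 'Name::' line opens a block
# and the lines beneath it belong to that block until the next such header.
SAMPLE_SCRIPT = r"""
http://forums.malwarebytes.org/index.php?showtopic=53439&view=findpost&p=265444
AtJob::
RenV::
c:\program files\McAfee.com\Agent\mcagent .exe
c:\windows\system32\TDispVol .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gotnewupdate000 .exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skb"=-
"MChk"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15D3EF19-4C3F-4945-906D-4B5EF8BCDAD6}]
Collect::
c:\windows\system32\iemqd.exe
c:\windows\system32\remqd.dll
Folder::
c:\documents and settings\Terry Jann\Application Data\A8F849579C06DCDCC96D36E5E89A820F
"""

BLOCK_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")   # .reg syntax: a leading '-' deletes the whole key
VALUE_RE = re.compile(r'^"(.+)"=-$')     # .reg syntax: "name"=- deletes that one value
RENV_RE = re.compile(r"^(.+) (\.\w+)$")  # the log marks renamed files with a space before the extension
MODELLED = {"RenV", "Registry", "Collect", "Folder"}

Action = Tuple[str, str, str]  # (verb, target, detail)

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group the script's lines under their 'Name::' headers, in file order."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = BLOCK_RE.match(line)
        if header:
            current = header.group(1)
            blocks.setdefault(current, [])
        elif current is not None:  # anything before the first header (the post URL) is ignored
            blocks[current].append(line)
    return blocks

def plan_actions(blocks: Dict[str, List[str]]) -> List[Action]:
    """Turn the blocks into a reviewable list of what the script asks ComboFix to do.
    The block meanings used here are this example's reading of the script, not a
    ComboFix specification; blocks it does not model are reported for manual review."""
    actions: List[Action] = []
    for path in blocks.get("RenV", []):          # restore a renamed file's real name
        m = RENV_RE.match(path)
        if m:
            actions.append(("rename", path, m.group(1) + m.group(2)))
    key = ""
    for line in blocks.get("Registry", []):
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            key = k.group(2)
            if k.group(1) == "-":
                actions.append(("delete-key", key, ""))
        elif v and key:                          # a value line applies to the last key seen
            actions.append(("delete-value", key, v.group(1)))
    for path in blocks.get("Collect", []):       # files to be captured for analysis
        actions.append(("collect", path, ""))
    for path in blocks.get("Folder", []):
        actions.append(("delete-folder", path, ""))
    for name in blocks:
        if name not in MODELLED:
            actions.append(("review", name, "block not modelled by this example"))
    return actions
```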
Terryjann Posted June 11, 2010 Author ID:265732

Hi,

Thanks for all the help. I've attached the new ComboFix log.

Attachment: combofix2.txt
Elise Posted June 11, 2010 ID:265738

Now that is looking a lot better, well done! One thing we still need to fix:

Please run the following as a CFScript (instructions same as in the last post).

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-

When done, please post me the log.

Please run MBAM, make sure it is updated and run a full scan. Post me the resulting log.

Please let me know how things are running and what problems are still left.
Terryjann Posted June 11, 2010 Author ID:265749

Here is the new log. I haven't tried to go online yet with that computer. Should I? See new attached log 3.

Attachment: ComboFix3.txt
Elise Posted June 11, 2010 ID:265753

Please run the MBAM scan first and post me the results. Based on that we'll see if it's "safe" now online.
Terryjann Posted June 11, 2010 Author ID:265755

Full scan or Quick scan?
Elise Posted June 11, 2010 ID:265757

Full scan please, let's not take any chances...
Terryjann Posted June 11, 2010 Author ID:265776

Hi,

Good idea. Here is the full scan. It found 2 EZlife adware and said it deleted them. See attached.

Attachment: mbam_log_2010_06_11__12_25_18_.txt
Elise Posted June 11, 2010 ID:265780

Okay, now let's see if things have indeed improved. Please enable the internet, make sure McAfee gets updated (if it gives you trouble, let me know) and see how everything is running.
Terryjann Posted June 11, 2010 Author ID:265788

It seems to be running fine. Thank you. I restarted the computer, and I'm getting the following message:

"Some McAfee SecurityCenter components might not be installed or launched properly. Restart your computer to fix this. If the message appears again, reinstall."

I don't have the reinstall disk. At least I have no idea where it is. Is there something better to install so I don't run into this again?

Also - given this occurred on this PC and I've used a removable drive to copy the files back and forth, should I run anything on my "work" PC to make sure nothing transferred to the "work" PC?

Again, thank you for all your help.
Elise Posted June 11, 2010 ID:265796

Good to hear things are running okay.

> Also - given this occurred on this PC and I've used a removable drive to copy the files back and forth, should I run anything on my "work" PC to make sure nothing transferred to the "work" PC?

That sure would be a good idea! I'd say to run MBAM there and see if something is found. Also, if the PC is not working all right, ask your system administrator, or if they are not available, you can seek help on the forum for that PC as well.

Best is to completely remove McAfee and then install another antivirus program.

Download and save McAfee Removal Tool to your desktop. Run it to remove McAfee. After this, please restart your computer.

Download and install an antivirus program, and make sure that you keep it updated. New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Please perform a full system scan with the antivirus program you just installed so we can catch any leftover that still might have escaped us.
Terryjann Posted June 11, 2010 Author ID:265830

I installed Microsoft Security Essentials, ran a scan and it came back clean. THANK YOU so much for the help!
Elise Posted June 11, 2010 ID:265833

Well done!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:

Delete the tools used during the disinfection:
- Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
- Delete GMER (this is a random named file) and OTL.

Please read this advice, in order to prevent reinfecting your PC:

Install and update the following programs regularly:
- An outbound firewall. A comprehensive tutorial and a list of possible firewalls can be found here.
- An AntiVirus Software. It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
- An Anti-Spyware program. Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
- Spyware Blaster. A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
- MVPs hosts file. A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

Keep Windows (and your other Microsoft software) up to date!
I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:
- Miekies' prevention suggestions
- So How did I get infected?
- Microsoft - 'Security at home'
- Calendar of Updates: See which updates have been released.
- How to backup your Data with Cobian Backup: because you never know when your harddisk might fail.
- Commonly Used Freeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
- osalt: Find (free) open source alternatives to known commercial software.

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
Terryjann Posted June 11, 2010 Author ID:265857

Got it. Thanks again for your help!
Elise Posted June 11, 2010 ID:265894

You are welcome. I will request this topic to be closed.