Hi,

As a precursor I would just like to warn you I am not very tech savvy. My laptop (posting on pc) is infected with malware, specifically malwaredoctor and antivir solution. I viewed two youtube movies (http://www.youtube.com/watch?v=Qk4jgrMYFyc and http://www.youtube.com/watch?v=CM8Oh-mcSz8) on how to remove. I followed the directions and all websites except malwarebytes.org seem to work. Is there a solution for this or will I have to find another program to use? Thank you in advance for your help I really appreciate it. :)

Hi,

Sorry for the delay here.

Hello and :D

I will be helping you on removing malware from your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 48 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

If you are using Vista/Win 7, you will need to right click and choose "Run as Administrator" to run the tools we will use.

Please do the following:

Please download DDS by sUBs from one of the following links and save it to your desktop.

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click the DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

To post in your next reply:

1. DDS logs.

2. GMER log.


Hi,

Your computer appears to have been infected by a rootkit. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to continue with the clean up, please proceed with the following:

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

--Next--

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download Combofix from either of the links below. You must rename it to Subsfix.exe before saving it.

Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1

Link 2

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

  • Right click the renamed ComboFix.exe, choose Run as Administrator & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------

To post in your next reply:

1. Gooredfix log.

2. Combofix log.


GooredFix by jpshortstuff (03.07.10.1)

Log created at 22:16 on 27/07/2010 (standrews)

Firefox version 3.6.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{70A5AD0F-402B-4280-9225-16E8FA4A2FBD} -> Success!

Deleting C:\Users\standrews\AppData\Local\{70A5AD0F-402B-4280-9225-16E8FA4A2FBD} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:52 24/06/2009]

{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [18:24 01/09/2009]

C:\Users\standrews\Application Data\Mozilla\Firefox\Profiles\rtpktg8y.default\extensions\

{20a82645-c095-46ed-80e3-08825760534b} [18:25 01/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:06 22/06/2009]

-=E.O.F=-

ComboFix 10-07-27.01 - standrews 07/27/2010 22:32:43.1.2 - x86

Microsoft


Hi,

Please do the following:

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\zrpt.xml

C:\Users\STANDR~1\AppData\Local\Temp\Ilx.exe

c:\users\standrews\AppData\Local\ucihazuyosegefim.dll

c:\users\standrews\AppData\Local\uqixozabocuka.dll

DDS::

uRun: [JDK5SWFMZY] c:\users\standr~1\appdata\local\temp\Ilx.exe

TCP: NameServer = 93.188.164.79,93.188.166.229

TCP: {A272280A-1536-427D-AD0D-5BBCBD26CAF8} = 93.188.164.79,93.188.166.229

TCP: {CEFEBBCC-9292-4C0F-A059-22C076596B8A} = 93.188.164.79,93.188.166.229

Rootkit::

c:\windows\system32\drivers\aomzga.sys

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi,

I still see that you are not disabling Windows Defender as advised earlier before running the fixes.

Do the following:

Download TFC to your desktop

  • Close any open windows.
  • Right click the TFC icon then choose "Run as Administrator" to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

--Next--

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

To post in your next reply:

1. MBAM log.

2. How is your computer?


Hi,

It is installed on your pc. It is this forum's main product and an excellent tool. :)

If you don't see it then please do the following:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Right-click mbam-setup.exe then choose "Run as Administrator" and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Hi,

This just happened after running TFC?

Try going into safe mode then run MBAM.

To do this,

  • Restart your computer.
  • Keep on tapping F8 when Windows starts to boot. Do this before you see the Windows screen.
  • When a menu appears, scroll to Safe Mode using the arrow keys then press Enter.
  • Log in with an Administrator account.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18928

7/28/2010 1:51:34 AM

mbam-log-2010-07-28 (01-51-34).txt

Scan type: Quick scan

Objects scanned: 134843

Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a272280a-1536-427d-ad0d-5bbcbd26caf8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a272280a-1536-427d-ad0d-5bbcbd26caf8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cefebbcc-9292-4c0f-a059-22c076596b8a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Windows\System32\file.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

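As an added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.x log format posted above. It pulls out each finding, keeps the section it came from, and for the Trojan.DNSChanger registry data items lists every resolver address that is not on a defender-supplied allowlist. The sample log lines are constructed to match the posted format (reusing the addresses from the thread plus one mixed entry), and TRUSTED_RESOLVERS is an assumed placeholder for whatever resolvers the network really uses. It goes slightly beyond this one log in that it handles any NameServer or DhcpNameServer value under Tcpip\Parameters, not only the two interfaces seen here.

```python
"""Parse an MBAM 1.x text log and flag DNS-changer style findings:
NameServer registry values pointing at resolvers that are not allowlisted.

Added example; the log lines and the allowlist below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the MBAM 1.46 log format seen in the thread.
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CLASSES_ROOT\\AppID\\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{a272280a-1536-427d-ad0d-5bbcbd26caf8}\\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{cefebbcc-9292-4c0f-a059-22c076596b8a}\\NameServer (Trojan.DNSChanger) -> Data: 192.168.1.1,93.188.161.211 -> Quarantined and deleted successfully.

Files Infected:
C:\\Windows\\System32\\file.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Assumption: the resolvers this machine is supposed to use (a home router here).
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Each finding line reads "<path> (<threat>) -> [Data: <values> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")


@dataclass
class Finding:
    section: str          # e.g. "Registry Data Items Infected"
    path: str             # registry path or file path
    threat: str           # MBAM detection name
    data: Optional[str]   # only registry data items carry a value
    action: str


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, remembering the current 'X Infected:' section heading."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and summary-counter lines are not findings
        rest = m.group("rest")
        d = DATA_RE.match(rest)
        data, action = (d.group("data"), d.group("action")) if d else (None, rest)
        findings.append(Finding(section, m.group("path"), m.group("threat"), data, action))
    return findings


def nameserver_findings(findings: List[Finding]) -> List[Finding]:
    """Registry data items whose value name is NameServer or DhcpNameServer."""
    return [f for f in findings
            if f.section == "Registry Data Items Infected" and f.data
            and f.path.rsplit("\\", 1)[-1] in ("NameServer", "DhcpNameServer")]


def untrusted_resolvers(findings: List[Finding], trusted=TRUSTED_RESOLVERS) -> Dict[str, List[str]]:
    """Map each DNS registry path to the resolver entries not on the allowlist."""
    result: Dict[str, List[str]] = {}
    for f in nameserver_findings(findings):
        bad: List[str] = []
        for token in f.data.split(","):
            token = token.strip()
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                bad.append(token)  # not an IP address at all: also worth a look
                continue
            if ip not in trusted:
                bad.append(str(ip))
        if bad:
            result[f.path] = bad
    return result


if __name__ == "__main__":
    fs = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(fs)} findings, {len(nameserver_findings(fs))} touch DNS settings")
    for path, ips in untrusted_resolvers(fs).items():
        print(f"{path}\n    untrusted resolvers: {', '.join(ips)}")
```

Two points from the thread that this check makes easy to spot: the DDS lines the helper scripted into ComboFix carried 93.188.164.79,93.188.166.229, while the later MBAM scan found 93.188.162.121,93.188.161.211 in the same values, so the settings were being rewritten between steps and are worth re-reading after every cleanup pass. The ipconfig /flushdns step at the end of the thread clears cached answers from the resolver cache; it does not change these registry values, which is why the log check and the flush are complementary.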

Hi,

You can go into normal mode without any problems but when you try to run Malwarebytes' Anti Malware it crashes?

Are there any error messages when it does? If so please post it here. Thanks.

Also, try running Windows Defender and see if there are any problems with it.


I can do all things in normal mode with no problems. I enabled Windows Defender and AVG 8.5 and now the program just won't open.

There may be an error message but the screen is only visible for half a second before it shuts down.


Hi,

AVG 8.5 won't open?

Please do the following:

  • Open Control Panel and select All Control Panel Items.
  • Scroll down and select System / Advanced System Settings.
  • In the Startup and Recovery section, select the Settings Button.
  • In the System Failure section, remove the check mark from the Automatically Restart option. Click Apply/OK.

Try running Malwarebytes' Anti Malware again.

The next time you receive a Blue Screen error, it will stay visible until you manually restart the computer.

And please provide the details that are described here (3 red boxes): http://i196.photobucket.com/albums/aa86/rvmv/BSODDetails.jpg

Resource Link: http://social.technet.microsoft.com/Forums...b6-223547b202f5


Yea, so my computer is not crashing anymore now that I turned on avg and windows defender but the malware program doesn't open. I cannot get the computer to crash either anymore.

I am not sure if this is important/relevant but I saved the malwarebytes setup to a usb and used it to download the program since I can't access malwarebytes.org on the laptop.


Hi,

The laptop is the one we are working on, correct?

Please do the following:

  1. Click the Microsoft Start logo in the bottom left corner of the screen
  2. Click All Programs
  3. Click Accessories
  4. RIGHT-click on Command Prompt
  5. Select Run As Administrator
  6. In the command window type the following and then hit Enter:

     ipconfig /flushdns

  7. You will see the following confirmation:

     Windows IP Configuration

     Successfully flushed the DNS Resolver Cache.

--Next--

Try accessing this thread with the laptop.
