
windows defence problems



Hello

I have just tried running everything in the I'm Infected topic, but to no avail. Malwarebytes will run, but not update, and finds nothing. The defogger will download, but when opened will close again before anything comes up in its window. DDS will download and when opened will come up with a screen saying "this link needs to be opened with an application. Send to file (or) choose an application", both of which fail to do anything. GMER rootkit scanner will download, but when opened closes automatically within 1 second or so. I'm stuck, can anybody please help?

Thanks


Hi bennybanana,

:welcome:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    CF_download_FF.gif
    CF_download_rename.gif
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**


Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic


Download and Run GooredFix

  • Please download GooredFix and save it to your Desktop.
    Alternative Download Mirror #2
  • Ensure all Firefox windows are closed before continuing.
  • Double-click Goored.exe to run it. If you are using Vista, please right-click and select Run as administrator.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.
  • Please post the contents of that log in your next reply. It can also be found on your desktop, entitled GooredFix.txt.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Hi,

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. If it does not, please manually reboot the machine yourself to ensure a complete clean.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


Hi,

Please print these instructions out so that you know what you are doing.

File details OTLPEStd.exe: Bytes=97,702,766; MB=93.1; MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe: Bytes=126,850,486; MB=120.9; MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

  1. Download OTLPEStd.exe to your desktop
  2. Download OTLPENet.exe to your desktop
  3. Ensure that you have a blank CD in the drive
  4. Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  5. Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  6. Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  7. As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :(
  8. Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  9. Double-click on the OTLPE icon.
  10. Select the Windows folder of the infected drive if it asks for a location
  11. When asked "Do you wish to load the remote registry", select Yes
  12. When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  13. Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  14. OTL should now start.
  15. Drag and drop this attached scan.txt into the Custom scans and fixes box
  16. Press Run Scan to start the scan.
  17. When finished, the file will be saved in drive C:\OTL.txt
  18. Copy this file to your USB drive if you do not have internet connection on this system.
  19. Right click the file and select send to : select the USB drive.
  20. Confirm that it has copied to the USB drive by selecting it
  21. You can backup any files that you wish from this OS
  22. Please post the contents of the C:\OTL.txt file in your reply.


OK, got it to reload with the boot CD, however it wouldn't accept the scan.txt (wrong file format). Everything else worked. Attached is otl.txt. I cannot run Firefox properly at all anymore; when a browser window opens nothing will come up, except for a couple of lines of what I believe is code for the page. Internet Explorer works fine. Flash was malfunctioning inside Firefox, but works fine inside Internet Explorer.

OTL.Txt


Sorry for the delay.

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found
    O4 - HKU\Administrator_ON_D..\RunOnce: [ShowDeskFix] File not found
    O4 - HKU\Guest_ON_D..\RunOnce: [ShowDeskFix] File not found
    O4 - HKU\systemprofile_ON_D..\RunOnce: [ShowDeskFix] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Administrator_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Administrator_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Guest_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Guest_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\io.WINDOZE_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\io.WINDOZE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\io.WINDOZE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\io.WINDOZE_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\LocalService.NT_AUTHORITY_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\LocalService.NT_AUTHORITY_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService.NT_AUTHORITY_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\NetworkService.NT_AUTHORITY_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\systemprofile_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\systemprofile_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
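The O6/O7 lines in the fix above are Explorer policy values that control AutoRun. The following added example (not code from the thread or from OTL) decodes such lines so a responder can see which drive types and drive letters a policy affects and which values differ from the Windows default; the sample lines are copied from the fix script, and the bit meanings of NoDriveTypeAutoRun follow Microsoft's documented drive-type mask.

```python
"""Decode the Explorer AutoRun policy values that appear in OTL O6/O7 lines.

Added example, not part of the forum thread or of the OTL tool. The sample
lines are taken from the fix script in the thread.
"""
import re

# NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type.
# Bits above 0x80 are not documented and are simply left undecoded here.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown_reserved",
}
# The Windows XP default is 0x91 (unknown + network + reserved).
DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91

# OTL writes "O6/O7 - <hive path>\policies\Explorer: <name> = <decimal value>"
_LINE = re.compile(
    r"^O[67] - (?P<hive>[^:]+)\\policies\\Explorer: (?P<name>\w+) = (?P<val>\d+)$")

def decode_drive_types(mask: int) -> set:
    """Return the drive types whose AutoRun is disabled by this mask."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}

def decode_drive_letters(mask: int) -> str:
    """NoDriveAutoRun / NoDrives use bit n for drive letter chr(ord('A') + n)."""
    return "".join(chr(ord("A") + n) for n in range(26) if mask & (1 << n))

def parse_policy_lines(lines):
    """Return (hive, name, raw value, decoded meaning, non_default) per policy line."""
    results = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        name, val = m["name"], int(m["val"])
        if name == "NoDriveTypeAutoRun":
            decoded = sorted(decode_drive_types(val))
            non_default = val != DEFAULT_NO_DRIVE_TYPE_AUTORUN
        elif name in ("NoDriveAutoRun", "NoDrives"):
            decoded = decode_drive_letters(val)   # any letter listed is affected
            non_default = val != 0
        else:
            continue
        results.append((m["hive"], name, val, decoded, non_default))
    return results

# Sample lines copied from the fix script in the thread.
SAMPLE = """
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDrives = 0
O7 - HKU\\Guest_ON_D\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDriveTypeAutoRun = 145
""".strip().splitlines()

if __name__ == "__main__":
    for hive, name, val, decoded, flag in parse_policy_lines(SAMPLE):
        print("CHECK  " if flag else "default", hive, name, val, decoded)
```

Run as a script it flags the HKLM entries (AutoRun disabled on all 26 drive letters, type mask 323 instead of 145) and reports the Guest entry as the default.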


The previous step was to remove some restrictions placed on your system by the malware.

Launch Malwarebytes' Anti-Malware

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

      You can refer to this animation by neomage if needed.

Hi bennybanana, I will be helping you; SpySentinel will be away for a while.

Can you let me know of the current issues?

Please download DDS and save it to your desktop.

  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open as well as attach.txt.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

attach.txt


You are running an illegal version of Eset; it is cracked, so please remove it.

Please do this before proceeding.

You can download another free antivirus from any of these choices.

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast

When you say firefox doesn't run correctly please elaborate on that a bit.

What does it do?

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


I wasn't aware Eset was illegal, it was on my HD when I purchased the computer. I have removed it now. When Firefox opens and goes to my homepage (Google) it appears unfinished, i.e. pictures are shown as code and not as pictures, and when I go to type in the search box, it takes around 30 seconds for the cursor to come up. When I click on a favourite it attempts to display it but freezes, generally with a blank screen, or sometimes with a few lines of text at the top (from the page).

Report.txt


You definitely have a rootkit present; strange though that TDSSKiller did not see it.

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

===============

  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a Black screen with some data on it then hit any key to continue.
  4. Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is date)
  5. Please post the contents of that log in your next reply.


Well I have used passwords on several forums, done internet banking and used eBay... I will go to my other computer and change passwords now. File is attached. I would rather not reformat, it would be a major hassle... I have had this trojan for around 2 weeks now, would it be likely that any hacked information would have been used by now?

Thank you

MBRCheck_10.16.10_23.31.07.txt


It is possible still and it may not show, but it is also possible that no data was taken.

Your mbr shows clean but I suspect it is not.

Now that the Recovery Console is installed, please reboot the system; instead of booting normally you will see 2 options, one of which is the Recovery Console.

Select it and then press enter.

Once the Recovery Console loads up, you will have to type in a number that corresponds to your Windows installation. This is normally just 1. Press Enter and then type in the Administrator password.

If there is no password, then leave it blank and hit Enter.

It should look like this recoveryconsole-thumb.png

At the next prompt type in Fixmbr and hit Enter and type Y at the next prompt then hit enter again.

Then it will say you have successfully written a new Master Boot Record.

At this point type in exit then the computer will reboot.

After reboot run the rootkit unhooker program again and post the results here.
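The MBRCheck and Fixmbr steps above work on the 512-byte Master Boot Record. The following added example (not code from the thread, from MBRCheck or from the Recovery Console) parses an MBR laid out per the standard format, hashes its bootstrap code so it can be compared against a known-good copy, and models what Fixmbr does: it rewrites bytes 0..445 but leaves the partition table and boot signature intact. The MBR image and the bootstrap bytes in it are constructed placeholders, not real boot code.

```python
"""Parse a 512-byte MBR and show what a Fixmbr-style rewrite leaves untouched.

Added example, not code from the thread, MBRCheck or the Recovery Console.
The sample MBR is constructed here with placeholder bootstrap bytes.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446      # bytes 0..445: bootstrap code (the part Fixmbr rewrites)
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Return the bootstrap-code hash, used partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        # A checker compares this against hashes of known-good Windows boot code.
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
    }

def rewrite_bootcode(mbr: bytes, new_bootcode: bytes) -> bytes:
    """Model of Fixmbr: replace bytes 0..445, keep the partition table and signature."""
    if len(new_bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too large")
    return new_bootcode.ljust(BOOTCODE_LEN, b"\x00") + mbr[PART_TABLE_OFF:]

def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code and one bootable NTFS (0x07) partition."""
    bootcode = b"\xEB\x3C\x90PLACEHOLDER-BOOTCODE".ljust(BOOTCODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    table = entry + b"\x00" * 48          # remaining three slots unused
    return bootcode + table + b"\x55\xAA"

if __name__ == "__main__":
    before = parse_mbr(build_sample_mbr())
    after = parse_mbr(rewrite_bootcode(build_sample_mbr(), b"\xEB\x3C\x90NEW"))
    print("bootcode changed:", before["bootcode_sha256"] != after["bootcode_sha256"])
    print("partition table kept:", before["partitions"] == after["partitions"])
```

The check a responder cares about is the last two lines: only the bootstrap hash changes, which is why Fixmbr removes MBR-resident boot code without touching the partition layout.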


This topic is now closed to further replies.