
I'm infected and MBAM can't detect



Hello,

I'm infected and I know this when I try to search for something in IE, I am redirected to some other unwanted websites after clicking the search links from google.

I've completely scanned my notebook using the updated version of MBAM and surprisingly all logs are clean. I also have the latest version of McAfee installed and that too is unable to detect anything.

However, when I scanned using SuperAntispyware, the logs showed the following Malware which the free version is unable to remove.

Malware.Trace>Registry Keys>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman

I have Windows Vista and the Security Center is also disabled.

Any help to get rid of this Trojan would be greatly appreciated.

~A

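The Winlogon#Taskman trace reported above is a well-known persistence location: Winlogon runs whatever Shell, Userinit and (if present) Taskman point to at logon. As an added example that is not part of this thread, the following PowerShell snippet reads those values and reports anything that differs from the stock Windows Vista/7 defaults, including a Taskman value, which a clean install does not have. It assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the thread): audit the Winlogon values that a search
# hijacker like the one in this thread can tamper with.
# Assumption: run from an elevated PowerShell prompt on Windows Vista/7.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

# Known-good values on a stock install (Userinit keeps its trailing comma).
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

$findings = @()
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    # String comparison is case-insensitive in PowerShell, so path case does not matter.
    if ($actual -ne $expected[$name]) {
        $findings += [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $expected[$name]
        }
    }
}

# Taskman is absent on a clean install; any value here deserves a look at the file it names.
$taskman = Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue
if ($null -ne $taskman) {
    $findings += [pscustomobject]@{
        Value    = 'Taskman'
        Actual   = $taskman.Taskman
        Expected = '<absent>'
    }
}

if ($findings.Count -eq 0) {
    'Winlogon values match the stock defaults.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any reported value should be checked against the file it points to (for example with a scanner such as MBAM) rather than deleted blindly, since some vendors legitimately customise Userinit.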

adityapd:

P2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at MBAM are complete.

Download Combofix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


Thanks RPMcMurphy for your advice against the use of P2P software. I will think about continuing to use this program in future. However, I know how I was infected. I downloaded an .exe file from one of the websites and tried to run it (ain't I stupid).

btw I did manage to run combofix and have enclosed the log.

Thanks again,

~A

Combofixlog.txt


adityapd:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://forums.malwarebytes.org/index.php?showtopic=69860
Collect::
c:\windows\system32\ro-ROP.dll
DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log


Hello RPMcMurphy,

Here are the latest logs

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5303

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

12/12/2010 10:56:14 PM

mbam-log-2010-12-12 (22-56-14).txt

Scan type: Quick scan

Objects scanned: 152181

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Combofixlog2.txt


adityapd:

Please visit this site

  • In the Link to topic where this file was requested: field, enter the following:
    http://forums.malwarebytes.org/index.php?showtopic=69860
  • In the Browse to the file you want to submit: field, click on browse and navigate to the following file:
    C:\Qoobox\Quarantine\[4]-Submit_,<date>_<time>.zip (the date & time will roughly be the time you last ran ComboFix)
  • In the comments field enter the following:
    Failed submission
  • Press the send file button.

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • ESET log
  • How is the computer running?


Hello RPMcMurphy,

The Malware info was submitted successfully following the steps mentioned by you below.

Here are the ESET Online Scanner logs:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

esets_scanner_update returned -1 esets_gle=53251

C:\Qoobox\Quarantine\C\Windows\System32\ro-ROP.dll.vir a variant of Win32/Kryptik.ISM trojan

C:\SWSetup\AOLIMS\setup.exe probably a variant of Win32/Agent.HZHBURL trojan

The computer is running fine now... I am no longer getting redirected to unwanted sites upon clicking google search results in IE.

Thanks

~A


adityapd:

Your logs look good (those ESET detections were a false positive and an already quarantined bad file). Now I have another update and some very important cleanup for you to take care of:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

[Screenshot: the Run box with "Combofix /Uninstall" entered]

Clear & Reset System Restore's Cache

  • Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.
  • In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  • To turn off System Protection and clear old points, clear the check box next to the disk, and then click OK.
  • Next, to turn on System Protection, select the check box next to the disk, and then click OK.

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


Glad we could help. :rolleyes:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.