Can't get malware to run or other virus software


I started with the What to do now that I am infected post.

I tried to run Malwarebytes, but it starts and then closes.

I next ran DeFogger, and it appeared to work, but it did not ask me to reboot (I've attached the log).

I then ran DDS, and the DDS text is here:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by user at 23:22:29 on 2011-07-05

.

============== Running Processes ===============

.

\\.\globalroot\Device\svchost.exe\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\dcmsvc\dcmsvc.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Documents and Settings\user\Desktop\dds.scr

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe

C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = 192.168.*.*;127.0.0.1;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {119f2450-e741-4864-bde8-5d6cc7b57c62} - c:\windows\system32\Audio3d32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110524184747.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Network Drive Mapping Utility] "c:\program files\linksys\network storage\Network Drive Mapping Utility.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Network Drive Mapping Utility] "c:\program files\linksys\network storage\Network Drive Mapping Utility.exe" Z

mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [iObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart

mRun: [cleanhtm] %APPDATA%\cleanhtm.exe

IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

Trusted Zone: intuit.com\ttlc

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235695049980

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553512000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{B2E88B60-41B1-4808-8054-2043AFD9B6C8} : DhcpNameServer = 209.18.47.61 209.18.47.62

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

AppInit_DLLs: c:\windows\system32\l2gpstore32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 67.205.118.181 www.google.com

Hosts: 67.205.118.182 search.yahoo.com

Hosts: 67.205.118.182 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\bgh3fmuk.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.steepandcheap.com/|http://www.newsnet5.com/|http://news.yahoo.com/|https://login.secureserver.net/index.php?app=wbe

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\bgh3fmuk.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwbe.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: browser.sessionstore.resume_from_crash - false

.

============= SERVICES / DRIVERS ===============

.

R? Amazon Download Agent;Amazon Download Agent

R? BTCFilterService;USB Networking Driver Filter Service

R? FileMonitor;FileMonitor

R? IMFservice;IMF Service

R? mfendisk;McAfee Core NDIS Intermediate Filter

R? mferkdet;McAfee Inc. mferkdet

R? motandroidusb;Mot ADB Interface Driver

R? motccgp;Motorola USB Composite Device Driver

R? motccgpfl;MotCcgpFlService

R? Motousbnet;Motorola USB Networking Driver Service

R? motport;Motorola USB Diagnostic Port

R? motusbdevice;Motorola USB Dev Driver

R? osppsvc;Office Software Protection Platform

R? PTHSBUS;PANTECH Handset USB Composite Device Driver (UDP)

R? PTHSMDM;PANTECH Handset Drivers (UDP)

R? PTHSVSP;PANTECH Handset Diagnostic Serial Port (UDP)

R? RegFilter;RegFilter

R? SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver

R? UrlFilter;UrlFilter

S? cfwids;McAfee Inc. cfwids

S? LBeepKE;LBeepKE

S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service

S? McMPFSvc;McAfee Personal Firewall Service

S? McNaiAnn;McAfee VirusScan Announcer

S? McProxy;McAfee Proxy Service

S? McShield;McAfee McShield

S? mfeavfk;McAfee Inc. mfeavfk

S? mfebopk;McAfee Inc. mfebopk

S? mfefire;McAfee Firewall Core Service

S? mfefirek;McAfee Inc. mfefirek

S? mfehidk;McAfee Inc. mfehidk

S? mfendiskmp;mfendiskmp

S? mfetdi2k;McAfee Inc. mfetdi2k

S? mfevtp;McAfee Validation Trust Protection Service

S? MOBKbackup;McAfee Online Backup

S? MOBKFilter;MOBKFilter

S? MotoHelper;MotoHelper Service

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

.

=============== Created Last 30 ================

.

2011-07-06 03:08:31 -------- d-----w- C:\TDSSKiller_Quarantine

2011-07-06 03:07:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 03:07:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 03:07:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 02:50:29 -------- d-----w- C:\remove

2011-07-02 20:30:25 94 ----a-w- c:\windows\system32\swork.bat

2011-07-02 20:30:25 348160 ----a-w- c:\windows\system32\lwxw.exe

2011-07-02 19:39:57 562176 ----a-w- c:\windows\system32\ksuser32.exe

2011-07-02 16:08:12 25984 ----a-w- c:\windows\system32\drivers\1227187334.sys

2011-07-02 15:36:48 0 ---ha-w- c:\documents and settings\user\axduezwxzu.tmp

2011-06-27 21:05:51 172032 --sha-w- c:\windows\system32\l2gpstore32.dll

2011-06-27 21:05:35 562176 ----a-w- c:\windows\system32\Audio3d32.exe

2011-06-27 21:05:33 557568 ----a-w- c:\windows\system32\mcdsrv3232.exe

2011-06-27 21:05:32 359424 ----a-w- c:\windows\system32\Audio3d32.dll

2011-06-25 12:09:05 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-25 12:09:04 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-06-24 19:46:27 -------- d-----w- c:\documents and settings\user\application data\IObit

2011-06-24 19:46:24 -------- d-----w- c:\program files\IObit

2011-06-23 16:39:48 -------- d-----w- c:\documents and settings\user\application data\SUPERAntiSpyware.com

2011-06-23 16:39:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-06-23 16:39:31 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-23 11:23:31 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes

2011-06-23 11:23:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-23 10:54:26 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys

2011-06-23 10:54:26 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2011-06-23 10:49:25 86656 ----a-w- C:\atapi.sys

.

==================== Find3M ====================

.

2011-07-06 03:10:17 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys

2011-07-06 02:58:16 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-20 13:10:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-22 18:13:00 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-22 18:13:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

============= FINISH: 23:29:57.67 ===============

I then ran GMER; it started, but when I pushed Scan, after unchecking the three items, it just closed and would not let me run it again.

I did also run rkill, then tried my McAfee and Malwarebytes again. McAfee found a number of processes and terminated them, but could not remove them, and Malwarebytes simply starts to run and then terminates.

I'm attaching the other two logs to this post and waiting for suggestions.

attach.zip

defogger_disable.zip

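A triage script for the DDS log posted above, added here as an example; it is not from the thread, from DDS, or from any other tool named in it. The check names, the thresholds and the sample excerpt (verbatim lines from the report above plus one constructed 127.0.0.1 hosts entry) are assumptions of this example. It flags the patterns the helper later targets in the CFScript: search engines redirected via the hosts file, a populated AppInit_DLLs value, a BHO registered without a name, a Run key launching from %APPDATA%, and recently created files carrying hidden/system attributes.

```python
"""Triage helper for the DDS log posted above: flags the hijack and persistence
patterns visible in its "Pseudo HJT Report" and "Created Last 30" sections.
Hypothetical code written for this page, not part of DDS, ComboFix or any
other tool named in the thread."""
import re

# Hosts-file names that should never resolve to a third-party address.
WELL_KNOWN_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
# Targets that are harmless in a hosts file (ad blocking / sinkholing).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
# Locations a legitimate Run-key entry rarely launches from.
SUSPICIOUS_DIRS = ("%appdata%", "\\application data\\", "\\temp\\")

LINE_RE = re.compile(r"^(Hosts|AppInit_DLLs|BHO|TB|uRun|mRun):\s*(.*)$")
# "<date> <time> <size or --------> <8 attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+([\w-]{8})\s+(.*)$")

def parse_line(line):
    """Return (kind, body) for a Pseudo HJT report line, None otherwise."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def check_hosts(body):
    """A search engine pointed at a non-local address is a hosts-file hijack."""
    ip, _, host = body.partition(" ")
    host = host.strip().lower()
    if host in WELL_KNOWN_HOSTS and ip not in LOCAL_SINKS:
        return f"{host} redirected to {ip}"
    return None

def check_appinit(body):
    """AppInit_DLLs is normally empty; any value is injected into every GUI process."""
    return f"AppInit_DLLs loads {body.strip()}" if body.strip() else None

def check_browser_object(body):
    """Legitimate BHO/TB entries read 'Name: {CLSID} - path'; an entry that
    starts with the CLSID has no registered name. Orphans ('No File') are skipped."""
    if body.startswith("{") and not body.endswith("No File"):
        return f"unnamed browser object: {body}"
    return None

def check_run(body):
    """Body is '[ValueName] command'; flag commands in user-writable folders."""
    m = re.match(r"^\[(.*?)\]\s*(.*)$", body)
    if m and any(d in m.group(2).lower() for d in SUSPICIOUS_DIRS):
        return f"autorun '{m.group(1)}' launches {m.group(2)}"
    return None

def check_created(line):
    """Flag newly created files carrying the hidden (h) or system (s) attribute."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    when, attrs, path = m.groups()
    if not attrs.startswith("d") and ("h" in attrs or "s" in attrs):
        return f"hidden/system file {path} created {when} (attrs {attrs})"
    return None

CHECKS = {"Hosts": check_hosts, "AppInit_DLLs": check_appinit,
          "BHO": check_browser_object, "TB": check_browser_object,
          "uRun": check_run, "mRun": check_run}

def triage(report):
    """Run every check over the report text; findings come back in file order."""
    findings = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            kind, detail = parsed[0], CHECKS[parsed[0]](parsed[1])
        else:
            kind, detail = "Created", check_created(line)
        if detail:
            findings.append({"kind": kind, "detail": detail})
    return findings

# Excerpt of the log posted above, plus one constructed 127.0.0.1 entry to show
# that a loopback hosts entry is not flagged.
SAMPLE_REPORT = r"""
uSearch Page = hxxp://www.google.com
BHO: {119f2450-e741-4864-bde8-5d6cc7b57c62} - c:\windows\system32\Audio3d32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [cleanhtm] %APPDATA%\cleanhtm.exe
AppInit_DLLs: c:\windows\system32\l2gpstore32.dll
Hosts: 67.205.118.181 www.google.com
Hosts: 67.205.118.182 search.yahoo.com
Hosts: 67.205.118.182 www.bing.com
Hosts: 127.0.0.1 www.bing.com
2011-07-02 15:36:48 0 ---ha-w- c:\documents and settings\user\axduezwxzu.tmp
2011-06-27 21:05:51 172032 --sha-w- c:\windows\system32\l2gpstore32.dll
2011-06-27 21:05:32 359424 ----a-w- c:\windows\system32\Audio3d32.dll
"""
```

Running `triage(SAMPLE_REPORT)` yields eight findings; every file it names also appears in the helper's later CFScript, while the ordinary McAfee and Adobe entries pass.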

Hello jyoder and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.

McAfee needs to remain uninstalled until I tell you its safest to reinstall it.

-------------

I see you have IObit installed on your computer.

IObit Security 360 is a rogue security program known to cause system problems, and one that has stolen material from other computer security companies to use in its own program.

IOBit Steals Malwarebytes’ Intellectual Property

IOBit’s Denial of Theft Unconvincing

The program has also been seen to cause numerous system problems that tend to go away after uninstalling their software.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs:

IObit Security 360

Advanced SystemCare

(or any program from IObit)

T-Tools has created a free program designed specifically to remove every last trace of the entries IObit programs leave behind if and when you decide to uninstall one or more of them. Please download BitRemover from here:

http://www.t-tools.nl/bitremoveren.php

Save the program to your Desktop and double-click on the program to run it.

-------------

Please download maxhandle.exe by noahdfear to your desktop

  • Double click and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals (every time it is run).
  • Log is saved to c:\maxhandle.txt
  • If Max++ is not found Nothing found! is echoed to the screen - no log is produced.

Please post the results for my review

-------------

XP

You must first verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

Now, go back to Normal Mode.

Next, please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

(image: lookXP.gif)

You will see 1 file copied many times then return to the x:\windows> prompt.

Type Exit to restart your computer then logon in normal mode.

Please run maxlook.exe again now. Note - you must run it only once!

It will produce looklog.txt on the desktop and open it.

Please post the results here.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue tdsskiller2.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue tdsskiller3.png
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

In your next reply, please include:

  • Maxhandle log (if one is created)
  • Maxlook looklog.txt
  • TDSSKiller log
  • C:\ComboFix.txt

How is your computer running now?


OK, here is the summary:

Tried to uninstall McAfee via the Windows Control Panel; that did not work, so I downloaded and ran MCPR, which appeared to work OK.

Downloaded and ran BitRemover, but it launched and then gave me a "problem encountered" error and quit.

Ran maxhandle; no log produced.

Ran maxlook, then restarted in console mode and ran batch look.bat, which copied many files.

Restarted and ran maxlook again, and it produced this log file:

Run from C:\Documents and Settings\user\Desktop\maxlook.exe on Sun 07/10/2011 at 21:03:43.71

No infected file found

Rogue configuration file = C:\WINDOWS\system32\config\qayvndzo

Downloaded and ran TDSSKiller; no infected files found.

Log is here:

2011/07/10 21:08:30.0046 0948 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21

2011/07/10 21:08:30.0531 0948 ================================================================================

2011/07/10 21:08:30.0531 0948 SystemInfo:

2011/07/10 21:08:30.0531 0948

2011/07/10 21:08:30.0531 0948 OS Version: 5.1.2600 ServicePack: 3.0

2011/07/10 21:08:30.0531 0948 Product type: Workstation

2011/07/10 21:08:30.0531 0948 ComputerName: USER-67AE9613E6

2011/07/10 21:08:30.0531 0948 UserName: user

2011/07/10 21:08:30.0531 0948 Windows directory: C:\WINDOWS

2011/07/10 21:08:30.0531 0948 System windows directory: C:\WINDOWS

2011/07/10 21:08:30.0531 0948 Processor architecture: Intel x86

2011/07/10 21:08:30.0531 0948 Number of processors: 2

2011/07/10 21:08:30.0531 0948 Page size: 0x1000

2011/07/10 21:08:30.0531 0948 Boot type: Normal boot

2011/07/10 21:08:30.0531 0948 ================================================================================

2011/07/10 21:08:32.0062 0948 Initialize success

2011/07/10 21:08:41.0718 2508 ================================================================================

2011/07/10 21:08:41.0718 2508 Scan started

2011/07/10 21:08:41.0718 2508 Mode: Manual;

2011/07/10 21:08:41.0718 2508 ================================================================================

2011/07/10 21:08:44.0625 2508 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS

2011/07/10 21:08:45.0281 2508 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/07/10 21:08:45.0406 2508 Boot (0x1200) (73b0d4775ff201fb5828f14a663542c4) \Device\Harddisk0\DR0\Partition0

2011/07/10 21:08:45.0406 2508 ================================================================================

2011/07/10 21:08:45.0406 2508 Scan finished

2011/07/10 21:08:45.0406 2508 ================================================================================

2011/07/10 21:08:45.0421 2480 Detected object count: 0

2011/07/10 21:08:45.0421 2480 Actual detected object count: 0

Should I continue with your original instructions and download ComboFix, or stop here?


We have some more cleanup to do ;)

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

1227187334

File::

C:\windows\system32\drivers\1227187334.sys

c:\windows\system32\Audio3d32.exe

c:\windows\system32\l2gpstore32.dll

c:\documents and settings\user\axduezwxzu.tmp

c:\windows\system32\ksuser32.exe

c:\windows\system32\lwxw.exe

c:\windows\system32\swork.bat

Reglock::

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Regnull::

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\*PNPd25c\0000]

Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)


A few more to take care of:

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

77059461

File::

C:\WINDOWS\system32\config\qayvndzo

Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

---------

Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


Glad to hear the system is better! :)

Can I re-enable McAfee?

Can I run DeFogger again?

Not yet, we still have some more work to do ;)

Before we move on, let's run some scans to see if there's any traces left:

Please do the following:

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.

    There shouldn't be any scheduled antivirus scans running while the scan is being performed.

    Do not use your computer for anything else during the scan.

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

-------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

-------

Please use the Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.

-------

Please include the DDS, ESET and BitDefender reports in your next reply ;).


Looking good ;)

Let's see what programs you have that need updating:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Before we move on, please take the time to install the following update, as using outdated applications leaves you vulnerable to getting infected again:

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search the list for all previously installed versions of Java (J2SE Runtime Environment).

They will have this icon next to them: (image: javaicon.gif)

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

--------

Please let me know how the updates go, as failed updates may indicate additional malware ;).


Glad to hear the updates went well! :)

Unless there are any further issues, I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

**You may now reinstall McAfee AntiVirus if you haven't already.

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available.

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here.

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


One thing comes to mind:

Can you run another Malwarebytes scan and post the log? The slowness might possibly be caused by traces of the infection still on your computer. I'd like to get one last MBAM logfile just to be sure it's eradicated ;)


Interestingly enough, the last run I did found a couple of issues, as you can see below.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7070

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/12/2011 5:12:28 AM

mbam-log-2011-07-12 (05-12-28).txt

Scan type: Quick scan

Objects scanned: 186464

Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I ran another, and it is now clean.

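The log above shows the two Security Center values the infection had flipped to 1, which silences the "antivirus/firewall is off" alerts so the victim never notices protection is gone. As an added example (not code from the thread, the poster, or Malwarebytes), here is a small Python parser for MBAM 1.x logs of this shape: it pulls the summary counts and each detection line into records, cross-checks the counts against the items actually listed, and reports which Security Center notifications the PUM.Disabled.SecurityCenter entries had suppressed. The sample log is constructed from the lines quoted in the post; the third value name, UpdatesDisableNotify, is the Security Center's Automatic Updates counterpart and is not on this page.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) log and summarize what it found."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the scan quoted in the post above, with a few header
# lines dropped. Blank lines between entries (as on the forum page) are fine.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 7070
Windows 5.1.2600 Service Pack 3
7/12/2011 5:12:28 AM
mbam-log-2011-07-12 (05-12-28).txt

Scan type: Quick scan
Objects scanned: 186464
Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


@dataclass
class Detection:
    category: str        # section header, e.g. "Registry Data Items Infected"
    item: str            # registry path, file path or folder
    name: str            # MBAM detection name, e.g. PUM.Disabled.SecurityCenter
    bad: Optional[str]   # value found (registry data items only)
    good: Optional[str]  # expected clean value (registry data items only)
    action: str          # what MBAM did with it


# "<item> (<name>) [-> Bad: (x) Good: (y)] -> <action>."  The Bad/Good part
# appears only for registry data items; file, folder, key and value entries omit it.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")

# XP Security Center values that, when set to 1, hide the corresponding
# "protection is off" balloon. Malware sets them to keep the user unaware.
SECURITY_CENTER_NOTIFY_VALUES = {
    "AntiVirusDisableNotify": "antivirus status alerts",
    "FirewallDisableNotify": "firewall status alerts",
    "UpdatesDisableNotify": "Automatic Updates status alerts",  # not in the post; known XP value
}


def parse_mbam_log(text: str) -> dict:
    """Return {'summary': {category: count}, 'detections': [Detection, ...]}."""
    summary = {}
    detections = []
    current = None  # section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):
            current = line[:-1]
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(current, m.group("item"), m.group("name"),
                                        m.group("bad"), m.group("good"), m.group("action")))
    return {"summary": summary, "detections": detections}


def check_counts(parsed: dict) -> dict:
    """Categories whose header count disagrees with the items listed: {cat: (claimed, listed)}."""
    listed = {}
    for d in parsed["detections"]:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {cat: (n, listed.get(cat, 0))
            for cat, n in parsed["summary"].items() if listed.get(cat, 0) != n}


def suppressed_notifications(parsed: dict) -> dict:
    """Security Center *DisableNotify values found set to 1, mapped to the alert they silence."""
    out = {}
    for d in parsed["detections"]:
        if "\\Security Center\\" in d.item and d.bad == "1":
            value_name = d.item.rsplit("\\", 1)[-1]
            out[value_name] = SECURITY_CENTER_NOTIFY_VALUES.get(value_name, "other Security Center alert")
    return out


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(result) or "none")
    print("silenced alerts:", suppressed_notifications(result))
```

The "Good: (0)" in each entry is the clean setting; after a cleanup like this one it is worth confirming the values really are 0 again (and that the Security Center tray icon reports the antivirus and firewall as on), since a remaining component could simply reset them.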
