
Malwarebytes

professional help would be appreciated


29 replies to this topic

#1
hardwork

    New Member

  • Members
  • 16 posts
I am still experiencing problems after running malwarebytes and following procedures so I have started a new post and hope that I have attached the right files.
I downloaded and ran DDS and attached those documents (DDs.txt and I attached the attach.txt though they appear to be the same document) ...
I have also attached the hijackthis.log.
I don't really like computers but I need them to perform my job so of course any professional help would be great
Thanks very much for your consideration. This seems like a great forum




#2
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,181 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello hardwork and welcome to MalwareBytes forums.

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
To show all files:
  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.
Step 3
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Download aswMBR.exe ( 511KB ) to your desktop.
On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.
On Windows XP, double click the exe to start.

Change the a-v scan to None.
Uncheck "Trace disk IO calls".
Click the "Scan" button to start the scan.
On completion of the scan, click Save log, save it to your desktop and copy/paste it into a reply. (Note whether the Fix button is enabled (not the FixMBR button) and tell me.)

Step 4
Please read carefully and follow these steps.
  • Delete the prior copies of TDSSKILLER.zip & TDSSKILLER.exe that you may have.
  • Download TDSSKiller and save it to your Desktop.
  • If on Windows 7 or Vista, RIGHT-Click on TDSSKiller.exe and select Run As Administrator to run the application.
    If on Windows XP, double-click to start.
  • Click on "Change parameters" and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Then press Start Scan
When the scan is done, it will display a summary screen.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Step 5
  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into a reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
Step 6

RE-Enable your antivirus program.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSITx64.exe to run RSITx64.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.

I will need the following logs:
  • the contents of aswMBR report;
  • the contents of TDSSKILLER log;
  • the contents of RKreport.txt log;
  • the contents of Log.txt;
  • the contents of Info.txt ; and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar

I close my threads if there are 5 days without a response.

#3
hardwork

Hello Maurice,
I am following the steps you provided and I am up to Step 3.
I was able to download aswMBR.exe
but it will not run or open at all.
Any idea why that may be?
I click yes when windows prompts me if I would like aswMBR to make changes on my computer
but nothing happens after that.
thanks

#4
Maurice Naggar

Turn OFF your antivirus and then try one more time.

When everything is all done, then turn antivirus back on.
~Maurice Naggar


#5
hardwork

I disabled the anti-virus but it still does not work.
What do you advise?
thanks

#6
Maurice Naggar

Let's have you do this:
Please follow my guidance. Ask if you have questions.

I am going to ask you to read very carefully. I am asking you to download to a unique folder!

Step 1. Close and save any open documents, and exit programs that you started.

Step 2. Download aswMBR.exe and SAVE it to a special folder
aswMBR.exe
and be sure to SAVE it in this folder --> C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon

Step 3. Download TDSSKiller.exe and SAVE it to a special folder
http://support.kaspe.../tdsskiller.exe
and be sure to SAVE it in this folder --> C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon


Step 4. Install the Chameleon driver by doing the following:
Press the Windows key + R and, in the Run box, copy and paste the following command, then press Enter. Copy all of the line from beginning to end, from the opening double-quote all the way to the last "o".

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Step 5 - Running aswMBR
Please read carefully and follow these steps.
  • Double-Click on aswMBR.exe in the Chameleon folder to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start aswMBR.
    Change the a-v scan to None.
    Uncheck "Trace disk IO calls".
    Click the "Scan" button to start the scan.
    On completion of the scan, click Save log, save it to your desktop and post it in your next reply. Exit aswMBR.
    Please Copy & Paste that log in your reply.

    NEXT:
    Navigate again to the Chameleon folder: C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~Maurice Naggar


#7
hardwork

Wow Maurice, I printed out your instructions and did everything you said but when I went back in the Chameleon folder to run aswMBR.exe it did not run.
Again, I click yes when windows prompts me if I would like aswMBR to make changes on my computer
but nothing happens after that.
I also tried to run TDSSKiller.exe but that wouldn't run either.
I had both sophos and defender off and was showing all files.
Thanks for helping and of course, I am hoping you might have further advice for me.
I will check back in looking for that wisdom.

#8
Maurice Naggar

Hello hardwork,

Using these next customized instructions, for your case & situation, I'd like to have you do the following, and then reply back with a new diagnostic report.
You must first close and save any open work documents !
This will involve booting up into a Command-prompt environment.

If something is not clear, stop and ask.
  • Download Farbar Recovery Scan Tool x64 and save it to a USB-flash-thumb drive. Plug the flashdrive into the "problem" PC.

    Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please Attach it to your reply.

~Maurice Naggar


#9
hardwork

Hey Maurice,
I plugged in the flashdrive with the .exe file ready and then started the computer and tapped F8.
I got to the boot options page and selected repair your computer.
However, nothing happened. I got a blank screen and waited for 45mins and nothing ever loaded.
So I restarted windows normally and then restarted again pressing F8 and tried again with the repair your computer option.
But the same thing happened again, which was nada.
What do you think I should try next? I was going to try safe mode with command prompt but I decided not to make a move until you advise properly.
thanks

#10
Maurice Naggar

Hello hardwork,

Sorry but I had a typo in my earlier instructions when it came to the E drive. Please use the following. There is only 1 forward-slash before FRST64

Using these next customized instructions, for your case & situation, I'd like to have you do the following, and then reply back with a new diagnostic report.
You must first close and save any open work documents !
This will involve booting up into a Command-prompt environment.

If something is not clear, stop and ask.
  • Download Farbar Recovery Scan Tool x64 and save it to a USB-flash-thumb drive. Plug the flashdrive into the "problem" PC.

    Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please Attach it to your reply.

~Maurice Naggar


#11
hardwork

Hey Maurice,
Thanks for the correction but I did not even get to the point of running the .exe file because I was unable to get to the "repair your computer" page after selecting it from the advanced boot options page.
I just got a blank screen.
Sorry if that was not clear from the above post.
Anyway, what do you suggest? Is there another way to enter "system recovery options"?
thanks

#12
Maurice Naggar

Hello hardwork,

Yes, if you have your Windows DVD (see below). If you do not have the Windows DVD, stop and let me know. Also advise me if MBAM was installed previously on this PC.
  • For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive. For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive. Plug the flashdrive into the infected PC. Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

~Maurice Naggar


#13
hardwork

Yes I have MBAM on the PC.
I will check to see if I have the Windows DVD

#14
hardwork

Hey Maurice,
No I don't have the Windows DVD.
So to summarize, I was unable to get to the "repair your computer" page after selecting it from the advanced boot options page.
I just got a blank screen.
And now I don't have the Windows DVD.
What do you suggest?
Thanks

#15
Maurice Naggar

Hardwork,

Let's pause and regroup. Describe to me the issues you have that led you to create this help-topic, and tell me in detail what malware you suspect.

If need be, later, we can re-address the Windows 7 disc.

  • Close any/all open internet browsers. Save any open documents you have open & close programs you started.

  • Click on START>All Programs>Malwarebytes' Anti-Malware>Tools>Malwarebytes Anti-Malware Chameleon

    On Windows 7, press Windows-key, then start typing in text box
    Malwarebytes
    then select/click Malwarebytes Anti-Malware Chameleon

  • Once the Help file opens, click on a Chameleon button (starting with #1)
  • If running on Vista, Windows 7, press the Yes button when prompted at the UAC prompt to allow to run.


  • You should see a black Command-prompt-window that remains open and says MBAM-chameleon ver. 1.62 at the top
  • Press any key to continue as it says in the window {space-bar will do}

  • If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all).

  • Have infinite patience during this process

  • Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible
  • Once the update completes and it says your database is updated, click on the OK button so that the process can continue

  • Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.

  • After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan

  • A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.

  • Once the scan is complete, click on Show Results and remove any threats that are found by clicking Remove Selected
  • If prompted to restart your computer to complete the removal process, click Yes

  • If no threats are found, press OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt-window.

  • After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats
Copy and Paste the MBAM scan logs for review.
~Maurice Naggar


#16
hardwork

Hi there,
The reason I created this help topic is that I have ads opening up when the browser is closed (or open) and the internet is moving at a very slow rate.
Thanks for helping and I'll try your suggestion running MBAM.

#17
hardwork

Maurice,
I was able to run Chameleon and here below are the MBAM logs. As I ran Chameleon, Sophos quarantined 3 virus/spyware files. Are there any further steps to take now?
thanks


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.26.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
DeNunzio :: DENUNZIO-HP [administrator]

Protection: Disabled

7/25/2012 9:16:51 PM
mbam-log-2012-07-25 (21-16-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198736
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

---------------------------------------

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.26.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
DeNunzio :: DENUNZIO-HP [administrator]

Protection: Disabled

7/25/2012 9:43:37 PM
mbam-log-2012-07-25 (21-43-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198634
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

------------------------------
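A parser for the MBAM 1.x log layout hardwork pasted above, added here as an example (not the thread's own or Malwarebytes' code). The sample logs are constructed to match that layout, the path and threat name in the second one are placeholders, and the header/body check flags a log whose "Detected: N" line disagrees with the lines beneath it.

```python
import re

# Constructed sample in the layout of the logs posted above: two logs separated
# by a dashed line; the second carries one placeholder detection (not from the thread).
SAMPLE_LOGS = """\
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
Database version: v2012.07.26.03
Protection: Disabled
7/25/2012 9:16:51 PM
Scan type: Quick scan
Objects scanned: 198736
Time elapsed: 3 minute(s), 41 second(s)

Files Detected: 0
(No malicious items detected)

---------------------------------------

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
Database version: v2012.07.26.03
Protection: Disabled
Scan type: Quick scan
Objects scanned: 198634
Time elapsed: 1 hour(s), 7 minute(s), 2 second(s)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\\EXAMPLE\\dropper.exe (Trojan.Placeholder) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)\s*$")
DURATION_RE = re.compile(r"(\d+) (hour|minute|second)\(s\)")
UNIT_SECONDS = {"hour": 3600, "minute": 60, "second": 1}
FIELDS = {"Database version": "database", "Protection": "protection",
          "Scan type": "scan_type", "Objects scanned": "objects_scanned"}

def split_logs(text: str) -> list:
    """Several logs pasted into one reply are separated by dashed lines."""
    parts = re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE)
    return [p.strip() for p in parts if p.strip()]

def parse_mbam_log(text: str) -> dict:
    """Extract scan metadata, per-category counts and the detection lines."""
    log = {"version": None, "database": None, "protection": None, "scan_type": None,
           "objects_scanned": None, "elapsed_seconds": None, "counts": {}, "detections": {}, "warnings": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = COUNT_RE.match(line)
        if m:
            category, count, items = m.group(1), int(m.group(2)), []
            i += 1
            # Detection lines follow the "... Detected: N" header up to the next blank line.
            while i < len(lines) and lines[i].strip():
                item = lines[i].strip()
                if not item.startswith("(No malicious"):
                    items.append(item)
                i += 1
            log["counts"][category] = count
            log["detections"][category] = items
            if count != len(items):  # header and body disagree: flag it, don't guess
                log["warnings"].append(f"{category}: header says {count}, found {len(items)} lines")
        elif line.startswith("Malwarebytes Anti-Malware"):
            log["version"] = line.rsplit(" ", 1)[-1]
        elif line.startswith("Time elapsed:"):
            log["elapsed_seconds"] = sum(int(n) * UNIT_SECONDS[u] for n, u in DURATION_RE.findall(line))
        elif ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key in FIELDS:
                log[FIELDS[key]] = int(value) if key == "Objects scanned" else value
        i += 1
    return log

def is_clean(log: dict) -> bool:
    """True when every category reports zero and no detection lines were seen."""
    return all(c == 0 for c in log["counts"].values()) and not any(log["detections"].values())
```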

#18
Maurice Naggar


Quote: "Sophos quarantined 3 virus/spyware files."
Do some research in Sophos a-v and look up what & where (names & folders) for the 3 items.

My guess, at this time, is that Sophos may have been the cause (earlier) of your not being able to tie in TDSSKILLER/aswMBR with Chameleon.
These last runs of MBAM are a hopeful sign.

I must know if the rogue-ads are now gone?

Also, start your Sophos, do an Update run, then do a scan of the system, and post the results/log.
And tell me, overall, how is the system now?
~Maurice Naggar


#19
hardwork

Here are the names/locations of the items:

W32/HostInf-A K:\autorun.inf
Troj/Dloader-DPJ C temporary internet files \Content.IE5\P24XEM5X\FPIUTK{1}.htm
Troj/Dloader-DPJ C temporary internet files \Content.IE5\96QZ8N0V\FPIUTK{1}.htm

The results of the Sophos drive were clean. The quarantined files above are still in quarantine; should I leave them there or clean up/delete?

Overall the system seems fine now, no more rogue ads thus far and internet speed is back to normal.

#20
Maurice Naggar

Use Sophos and have the items in quarantine permanently Deleted.

Next, Download TFC by OldTimer and SAVE it to your desktop
  • Double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

~Maurice Naggar





