Update and run a Full Scan with Malwarebytes, post the log... Let's see what it finds, MrC
#61
Posted 01 July 2012 - 10:29 AM
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#62
Posted 01 July 2012 - 06:42 PM
Here is the log, 8 infections:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.01.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark :: MYPC [administrator]
7/1/2012 9:15:18 AM
mbam-log-2012-07-01 (16-40-33).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 583066
Time elapsed: 3 hour(s), 6 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 8
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\l0gdw4nUSn3xA4.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Isar\pudy.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\ummcbzl.exe.vir (Trojan.LameShield) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040807.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040808.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040809.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040811.exe (Trojan.LameShield) -> No action taken.
(end)
#63
Posted 01 July 2012 - 06:43 PM
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.01.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark :: MYPC [administrator]
7/1/2012 9:15:18 AM
mbam-log-2012-07-01 (09-15-18).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 583066
Time elapsed: 3 hour(s), 6 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 8
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\l0gdw4nUSn3xA4.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Isar\pudy.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\ummcbzl.exe.vir (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040807.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040808.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040809.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040811.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
(end)
#64
Posted 02 July 2012 - 05:54 AM
Looks OK, those were just in Quarantine already or in system restore which we'll clear out when we're done.
MrC
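The point MrC makes in #64 (none of the eight hits is a running infection, because every path is either ComboFix's quarantine folder or a System Restore point) can be checked mechanically. The following is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses the "Files Detected" lines of an MBAM 1.x log, labels each by location, and reports whether anything live remains. The location markers, the "live" label and the one extra constructed line showing what an active hit would look like are assumptions of the example; the eight log lines are copied from the post above.

```python
"""Classify Malwarebytes (MBAM 1.x) detections by where the file was found.

Added example for this thread (not Malwarebytes or ComboFix code).
A hit under C:\Qoobox\Quarantine (the .vir copies ComboFix keeps there) or
under System Volume Information\_restore{...} (a System Restore point) is
an inert copy, not an active infection.
"""
import re

# The eight detection lines from the log posted in #62 (copied verbatim).
LOG_FROM_THREAD = r"""
Files Detected: 8
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\l0gdw4nUSn3xA4.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\Isar\pudy.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\ummcbzl.exe.vir (Trojan.LameShield) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040807.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040808.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040809.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP179\A0040811.exe (Trojan.LameShield) -> No action taken.
(end)
"""

# Constructed line (hypothetical, NOT from the thread): the same dropper still
# sitting in the user's profile, which is what a live detection looks like.
CONSTRUCTED_LIVE_LINE = r"C:\Documents and Settings\Mark\Application Data\Gomodu\ywnui.exe (Trojan.Agent) -> Quarantined and deleted successfully."

# "<path> (<threat name>) -> <action>." as MBAM 1.x writes it.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$"
)
COUNT_RE = re.compile(r"^Files Detected: (?P<n>\d+)$")

# Path fragments (lower-cased) that mark an inert location; assumption of this example.
INERT_MARKERS = (
    ("combofix-quarantine", "\\qoobox\\quarantine\\"),
    ("system-restore", "\\system volume information\\_restore{"),
)


def classify(path: str) -> str:
    """Return 'combofix-quarantine', 'system-restore' or 'live' for a detected path."""
    lowered = path.lower()
    for label, marker in INERT_MARKERS:
        if marker in lowered:
            return label
    return "live"


def parse_mbam_log(text: str) -> list:
    """Extract detection records; cross-check against the 'Files Detected: N' header if present."""
    detections = []
    declared = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group("n"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            record = m.groupdict()
            record["location"] = classify(record["path"])
            detections.append(record)
    if declared is not None and declared != len(detections):
        raise ValueError(f"log declares {declared} files but {len(detections)} lines parsed")
    return detections


def summarize(detections: list) -> dict:
    """Count detections per location, always including every label."""
    counts = {label: 0 for label, _ in INERT_MARKERS}
    counts["live"] = 0
    for d in detections:
        counts[d["location"]] += 1
    return counts


def live_detections(detections: list) -> list:
    return [d for d in detections if d["location"] == "live"]


def mbam_verdict(detections: list) -> str:
    live = live_detections(detections)
    if not live:
        return "no active infection: all hits are quarantine or restore-point copies"
    return f"{len(live)} live detection(s) need action"


if __name__ == "__main__":
    found = parse_mbam_log(LOG_FROM_THREAD)
    for d in found:
        print(f"{d['location']:20} {d['threat']:20} {d['path']}")
    print(summarize(found))
    print(mbam_verdict(found))
    print(mbam_verdict(parse_mbam_log(CONSTRUCTED_LIVE_LINE)))
```

The header cross-check matters when a log has been pasted twice or truncated, as happened in this thread: a mismatch between "Files Detected: N" and the number of lines parsed is a sign the paste, not the machine, is the problem.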
#65
Posted 02 July 2012 - 09:58 AM
Sounds good.
#66
Posted 02 July 2012 - 10:06 AM
OK, that should be it.
A little clean up to do....
Please Uninstall ComboFix:
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point
---------------------------------
Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
Save it to your desktop.
Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)
Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....
-------------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
#67
Posted 02 July 2012 - 11:58 AM
MrC,
How confident are you that we have removed all infections? I'm a little concerned that combofix still detects ZA and GMER is unable to run successfully.
#68
Posted 02 July 2012 - 01:39 PM
I don't know why ComboFix detects it.
Try GMER in safe mode, MrC
#69
Posted 02 July 2012 - 04:02 PM
Unfortunately, GMER doesn't allow you to run it in safe mode even as admin.
#70
Posted 02 July 2012 - 05:54 PM
It's supposed to be able to run in safe mode, what message does it give you?
MrC
#71
Posted 02 July 2012 - 06:47 PM
Windows dialogue box pops up, "This service cannot be started in Safe Mode".
#72
Posted 02 July 2012 - 07:19 PM
I guess it just doesn't like your system.
Please do this:
Download and run catchme.exe from the link below (just click scan)
http://www2.gmer.net/catchme.exe
When it's done see if it found anything, MrC
#73
Posted 02 July 2012 - 07:54 PM
Here's the log:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-02 17:24:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830]
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
#74
Posted 02 July 2012 - 07:59 PM
That's clean, MrC
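The catchme log in #73 ends with three zero counters, but it also shows "IPC error: 2" during the "scanning hidden processes" phase and lists two registry keys during the services phase that were not counted as hidden. The following is an added example, not code from the thread or from GMER: it parses the log, ties each summary counter back to the phase that produced it, and marks a zero as inconclusive when that phase logged an error, so a "clean" result can be distinguished from a "nothing found because the check failed" result. The phase-to-counter mapping and the verdict strings are assumptions of the example; the log text is copied from the post above.

```python
"""Parse a GMER catchme log and decide whether a 'clean' result is conclusive.

Added example for this thread (not GMER code). It reads the summary
counters, keeps any registry keys the scanner listed for manual review,
and downgrades a zero counter to 'inconclusive' when the log shows an
error during the phase that produced it.
"""
import re

# Log as posted in #73 (copied verbatim).
CATCHME_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-02 17:24:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830]
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
"""

PHASE_RE = re.compile(r"^scanning (?P<phase>.+?) \.\.\.$")
COUNT_RE = re.compile(r"^hidden (?P<kind>processes|services|files): (?P<n>\d+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ERROR_RE = re.compile(r"\berror\b", re.IGNORECASE)

# Which scan phase feeds each summary counter (assumption of this example,
# taken from the order the phases appear in the log).
PHASE_FOR_KIND = {
    "processes": "hidden processes",
    "services": "hidden services & system hive",
    "files": "hidden files",
}


def parse_catchme(text: str) -> dict:
    """Return completion flag, counters, per-phase error lines and per-phase listed keys."""
    phase = None
    errors, keys, counts = {}, {}, {}
    completed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = m.group("phase")
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("kind")] = int(m.group("n"))
            continue
        m = KEY_RE.match(line)
        if m:
            # Listed but not counted as hidden by the scanner; keep for manual review.
            keys.setdefault(phase, []).append(m.group("key"))
            continue
        if line == "scan completed successfully":
            completed = True
            continue
        if phase is not None and ERROR_RE.search(line):
            errors.setdefault(phase, []).append(line)
    return {"completed": completed, "counts": counts, "errors": errors, "keys": keys}


def assess(parsed: dict) -> dict:
    """Per counter: 'clean', 'hits', 'inconclusive' (zero but the phase errored) or 'missing'."""
    result = {}
    for kind, phase in PHASE_FOR_KIND.items():
        n = parsed["counts"].get(kind)
        if n is None:
            result[kind] = "missing"
        elif n > 0:
            result[kind] = "hits"
        elif parsed["errors"].get(phase):
            result[kind] = "inconclusive"
        else:
            result[kind] = "clean"
    return result


def catchme_verdict(parsed: dict) -> str:
    if not parsed["completed"]:
        return "scan did not complete"
    status = assess(parsed)
    if "hits" in status.values():
        return "hidden objects found"
    weak = [k for k, v in status.items() if v in ("inconclusive", "missing")]
    if weak:
        return "no hidden objects reported, but " + ", ".join(weak) + " phase hit an error; re-run before trusting"
    return "clean"


if __name__ == "__main__":
    parsed = parse_catchme(CATCHME_LOG)
    print(assess(parsed))
    print(parsed["keys"])
    print(catchme_verdict(parsed))
```

On the posted log this reports services and files as clean, processes as inconclusive, and returns the two BTHPORT keys for a human to look at; that is the structured form of the caveat behind "That's clean" when one phase of the scanner has thrown an error.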
#75
Posted 02 July 2012 - 08:07 PM
Excellent. Just wish we had an explanation for the ZA detection with ComboFix and GMER not being able to complete.
#76
Posted 02 July 2012 - 08:12 PM
GMER sometimes just won't run on a system and I've seen CF repeatedly report ZA and nothing is found.
That's the best I can do for you. MrC
#77
Posted 02 July 2012 - 08:54 PM
MrC,
Truly appreciate your help on this. I have uninstalled ComboFix and ran OTL cleanup. Also, left you some well deserved feedback. You're a malware cleanup rockstar!
#78
Posted 03 July 2012 - 07:21 AM
Glad we could help. 
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!