Malwarebytes

MBAM does not remove on reboot


11 replies to this topic

#1
imnogeek

    New Member

  • Members
  • 8 posts
Hi, sorry to jump in on this thread, but I have been having EXACTLY the same problem with the same registry entries, therefore I am hoping you would carry on from this stage.

I have followed the advice given to marcintis and have also run scans with Panda antivirus and AVG Free and tried to delete these entries manually. I now realize from the information in this thread that there is a file that is re-creating these entries rather than Malwarebytes not removing them.

The only difference with this one is that the file "c:\windows\system32\drivers\omkdsmci.sys" is not present on this system, therefore I presume another file is infected.

I am attaching an autoruns.txt file in the hope you can help. I have run an MBAM scan this evening with database version 1841.

Thank you in anticipation of your help.

Attached Files



#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender: Male
  • Location: US
Rarely are these infections exactly the same, thus different solutions are often required per user.

Please run the following.


STEP 01
Update and Scan with Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new HijackThis log.


STEP 02
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

  • Disable any script blocker if your Anti-Virus/Anti-Malware has it.
  • Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
  • Then double click dds.scr to run the tool.
  • When done, the DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt



STEP 03
Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

If you're already running inside Windows you can enable it the following way.

  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All, then Edit, COPY, and post that back in your next reply.
  • Note: Vista users can type MSCONFIG in the Search box and it will show on the menu; then right-click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log


STEP 04
RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log, select all and copy/paste it back in your next reply please.
  • Quit the RootRepeal program.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
imnogeek

    New Member

  • Members
  • 8 posts
Thank you for your response, and I understand your scepticism about it being exactly the same. I do believe it is, after much research yesterday and following the other thread through, but with a different file infected.
Anyway, I will follow your instructions and post as requested.
I enclose the MBAM log. I ran Malwarebytes twice, seeing as a new update had come out overnight, to confirm the registry entries were not being deleted, and they are not.

Attached Files



#4
imnogeek

    New Member

  • Members
  • 8 posts
Here are dds.txt and attach.txt.

Attached Files



#5
imnogeek

    New Member

  • Members
  • 8 posts
ntbtlog attached.
I am afraid RootRepeal errors on start-up:

Quote

could not find kernel file on disk c:\windows\system32\ntoskrnl.exe)!
When a scan is attempted it creates a crash report.

Awaiting your advice.

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender: Male
  • Location: US
Please try this one then.


Please download the following scanning tool: GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

#7
imnogeek

    New Member

  • Members
  • 8 posts
OK then, 2.5 hours later the scan has completed; the log is attached.

Attached Files



#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender: Male
  • Location: US
Where is the ntbtlog.txt file from STEP 3?



Did you disable System Restore or did an infection do this?


Adobe Acrobat 5.0 - This program is very old and may have exploit code; check with Adobe and at minimum set it to NOT open documents from the Web automatically.
Adobe Flash Player 9 ActiveX - old and exploited, remove and update.
Adobe Reader 7.0.5 Language Support - old and exploited, remove and update.
Adobe Reader 7.0.8 - old and exploited, remove and update.
QuickTime - make sure it is up to date as well; older versions had exploitable code too.
RealPlayer - Pretty much not needed these days, but please update it if you want it or get an alternate player; old versions are exploitable.
Symantec Network Driver Update - why is this on the box? I don't see any other Symantec or Norton software, so it is probably unneeded.

#9
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender: Male
  • Location: US
Well, without the BOOTLOG to confirm, you need to at least run and remove the following and then post back the log.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::


Driver::
hsfgdevn


File::
c:\windows\system32\drivers\hsfgdevn.sys
c:\windows\system32\audiode.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
(image: CFscript.txt being dropped onto the ComboFix.exe icon)
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

#10
imnogeek

    New Member

  • Members
  • 8 posts

Quote

Where is the ntbtlog.txt file from STEP 3 ?
Sorry, forgot to attach.

Quote

Did you disable System Restore or did an infection do this?
I did, and deleted all temp files.

Attached Files



#11
imnogeek

    New Member

  • Members
  • 8 posts
I had already manually removed Audiode.dll; the autoruns.txt above reports:

Quote

+ {30D30121-0D28-4BD4-9464-C9B315D535F2} File not found: C:\WINDOWS\system32\audiode.dll

Attached is the ComboFix log.

Attached Files

  • Attached File: log.txt (11.77K, 16 downloads)
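The autoruns.txt line quoted in this post, a CLSID entry whose target DLL no longer exists, is the kind of orphaned autostart that is worth spotting mechanically, alongside the unattributed kernel driver the ComboFix script above targets. The following Python is an added example, not code from the thread or from the Autoruns tool: it parses constructed Autoruns-style text lines in the shape the post quotes and separates "File not found" entries from drivers under system32\drivers with no publisher recorded. The tab-separated column layout and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not a log from the thread) in the shape the thread quotes:
# "+ <entry>\t<description>\t<publisher>\t<image path>", or "File not found: <path>"
# when Autoruns could not locate the target. Tab-separated columns are assumed.
SAMPLE_AUTORUNS = (
    "+ {30D30121-0D28-4BD4-9464-C9B315D535F2}\tFile not found: C:\\WINDOWS\\system32\\audiode.dll\n"
    "+ hsfgdevn\t\t\tc:\\windows\\system32\\drivers\\hsfgdevn.sys\n"
    "+ Mouclass\tMouse Class Driver\tMicrosoft Corporation\tc:\\windows\\system32\\drivers\\mouclass.sys\n"
    "+ {AEB6717E-7E19-11d0-97EE-00C04FD91972}\tShell extensions\tMicrosoft Corporation\tc:\\windows\\system32\\ntshrui.dll\n"
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\t\r\n]+")
NOT_FOUND_RE = re.compile(r"File not found:\s*(?P<path>[A-Za-z]:\\[^\t\r\n]+)")

@dataclass
class Entry:
    name: str
    image_path: Optional[str]  # None when the line carries no drive-letter path
    publisher: str             # "" when the publisher column is empty
    file_missing: bool         # True for "File not found" entries

def parse_autoruns(text: str) -> List[Entry]:
    """Turn Autoruns-style text lines into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.lstrip("+- ").rstrip()  # drop the compare-view "+ " marker
        if not line:
            continue
        cols = line.split("\t")
        missing = NOT_FOUND_RE.search(line)
        if missing:
            entries.append(Entry(cols[0].strip(), missing.group("path").strip(), "", True))
            continue
        paths = PATH_RE.findall(line)
        publisher = cols[2].strip() if len(cols) > 2 else ""
        entries.append(Entry(cols[0].strip(), paths[-1].strip() if paths else None, publisher, False))
    return entries

def triage(entries: List[Entry]) -> dict:
    """Pick out the two patterns the thread turns on: autostart entries whose file
    is gone (a half-cleaned infection leaves these) and kernel drivers under
    system32\\drivers with no publisher recorded (worth checking by hash/signature)."""
    orphaned = [e.name for e in entries if e.file_missing]
    drivers = [e.image_path for e in entries
               if e.image_path and not e.file_missing and not e.publisher
               and e.image_path.lower().endswith(".sys")
               and "\\drivers\\" in e.image_path.lower()]
    return {"orphaned": orphaned, "unattributed_drivers": drivers}
```

Orphaned entries are safe to clean once the file that re-created them is gone; an unattributed driver is what the ntbtlog step was meant to confirm before removal.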


#12
imnogeek

    New Member

  • Members
  • 8 posts
Malwarebytes scan reports no infections with new database 1848.
Thank you
