10 replies to this topic

[chief18]

Malwarebytes Anti-Malware runs for 2 or 3 seconds and then disappears. Likewise, HijackThis starts up but disappears. Problems started with "AntiSpy Protector 2009" showed up. Thanks for any help.

[SpySentinel]

Hi chief18, Welcome to Malwarebytes


Step #1

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  
  • Zip Mirrors (Recommended)
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
    
    
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
• Extract RootRepeal.exe from the archive.
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step #2

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:



Step #3

Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[screen317]

chief18,

SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.

-screen317

[chief18]

screen317, on Aug 20 2009, 06:46 PM, said:

chief18,

SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.

-screen317

Thanks for your help.....

Step 1
I ran RootRepeal. After running for some time I got the error message "RootRepeal Error","Could not read our index block!". I pressed the Details button and got "Attempt to read from address 0x00000114".

Step 2
Win32kDiag.txt attached

Step 3
ComboFix.txt attached

Thanks,
Jeffrey

Attached Files

•  Win32kDiag.txt   1.79K   22 downloads
•  ComboFix.txt   28.46K   30 downloads

[chief18]

chief18, on Aug 20 2009, 10:08 PM, said:

Thanks for your help.....

Step 1
I ran RootRepeal. After running for some time I got the error message "RootRepeal Error","Could not read our index block!". I pressed the Details button and got "Attempt to read from address 0x00000114".

Step 2
Win32kDiag.txt attached

Step 3
ComboFix.txt attached

Thanks,
Jeffrey

I've since run Malwarebytes Anti-Malware (which wasn't able to run previously) three times. The first two times it found problems and fixed them. The third time (full scan) it didn't find any problems.

Thanks,
Jeffrey

[screen317]

Hi Jeffrey,

Please don't attach logs. Post them here instead.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

After that, please go to VirusTotal, and upload the following file for analysis:
c:\windows\System32\IcnOvrly.dll


Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

[chief18]

screen317, on Aug 21 2009, 04:38 PM, said:

Hi Jeffrey,

Please don't attach logs. Post them here instead.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

After that, please go to VirusTotal, and upload the following file for analysis:
c:\windows\System32\IcnOvrly.dll


Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Thanks for your help....

This is Win32kDiag.txt...


Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Cannot access: C:\Windows\bthservsdp.dat

Attempting to restore permissions of : C:\Windows\bthservsdp.dat

[1] 2009-08-21 08:03:03 1660 C:\Windows\bthservsdp.dat ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-08-21 08:04:10 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-08-21 08:03:56 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-08-21 08:03:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-08-21 08:03:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-08-21 08:05:04 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Cannot access: C:\Windows\System32\mrt.exe

Attempting to restore permissions of : C:\Windows\System32\mrt.exe

[1] 2009-07-29 20:49:14 24281536 C:\Windows\System32\mrt.exe (Microsoft Corporation)

[1] 2008-01-20 22:24:53 52696 C:\Windows\winsxs\x86_microsoft-windows-malwareremovaltool_31bf3856ad364e35_6.0.6001.18000_none_d3909ca1dd6bb475\mrt.exe (Microsoft Corporation)





Finished!



These are the Results from VirusTotal...


Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File has already been analysed:
MD5: dcdec498688092defd9f1729f23e472a
First received: 2009.04.09 15:53:27 UTC
Date: 2009.08.20 18:07:49 UTC [+1D]
Results: 0/41
Permalink: analisis/87482be07bf850e91b3bd7e084413250be99b200bbb2c335ee749ca929bd6fdc-1250791669


VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy


F-Secure Online Scanner....

Scanning Report
Friday, August 21, 2009 21:34:53 - 22:49:11
Computer name: JEFFERSON-PC
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

20 malware found
TrackingCookie.Questionmarket (spyware)
System (Disinfected)
TrackingCookie.Adinterax (spyware)
System (Disinfected)
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Adtech (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Specificclick (spyware)
System (Disinfected)
TrackingCookie.Zanox (spyware)
System (Disinfected)
TrackingCookie.Adrevolver (spyware)
System (Disinfected)
TrackingCookie.Adbrite (spyware)
System (Disinfected)
TrackingCookie.Webtrends (spyware)
System (Disinfected)
TrackingCookie.Mediaplex (spyware)
System (Disinfected)
TrackingCookie.Tradedoubler (spyware)
System (Disinfected)
Trojan.Generic.IS (spyware)
System (Disinfected)
TrackingCookie.Statcounter (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
Trojan.Generic.IS.537743 (virus)
C:\PROGRAM FILES\ELECTRONIC ARTS\NEED FOR SPEED - PORSCHE UNLEASHED\PORSCHE.EXE (Not cleaned)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 79677
System: 4993
Not scanned: 27
Actions:
Disinfected: 19
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\JEFFREY\DOCUMENTS\JOM ON JEFFERSON\MALWAREBYTES' ANTI-MALWARE\WINLOGON.EXE
C:\USERS\JEFFREY\DOCUMENTS\JOM\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0158233FE1978641EB4461EA0DD5D49A_3C45C5A8-650E-47F7-870B-0D5EF9056FA4
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FC1E3851F429EA606D6FF1E01A5229F1_3C45C5A8-650E-47F7-870B-0D5EF9056FA4
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
C:\SYSTEM VOLUME INFORMATION\{4D84CD02-8DF8-11DE-B976-000C78334530}{3808876B-C176-4E48-B7AE-04046E6CC752}
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0158233FE1978641EB4461EA0DD5D49A_3C45C5A8-650E-47F7-870B-0D5EF9056FA4
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FC1E3851F429EA606D6FF1E01A5229F1_3C45C5A8-650E-47F7-870B-0D5EF9056FA4
C:\USERS\JEFFERSON\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\JRWRKL4U\1[1].HTM
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\BOOT\BCD

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2009 Product support | Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.




This is checkup.txt...

Results of screen317's Security Check version 0.98.9
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Antivirus
AVG Free 8.5
Avira AntiVir Personal - Free Antivirus
Trend Micro Internet Security
Trend Micro Internet Security


Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 14
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashDisp.exe

Windows Defender MSASCui.exe
system32 fsonlinescanner.exe -?-

``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````


Thanks,
Jeffrey

[screen317]

Hi Jeffrey18,

The infection seems to have been neutralized. Let's see if we can get your security programs to run now.


Navigate to this file:

C:\program files\malwarebytes' anti-malware\mbam.exe

• Right-click it, and click Properties.
  
• Click the Security tab.
  
• Click Edit...
  
• Accept the prompt that pops up.
  
• Click System then click Full Control under Allow.
  
• Click Administrators then click Full Control under Allow.
  
• Click Users then only click on Read & Execute and Read under Allow.
  
• Click OK on both windows.
  
• Restart your computer and see if MBAM will run now.

-screen317

[chief18]

screen317, on Aug 22 2009, 06:50 PM, said:

Hi Jeffrey18,

The infection seems to have been neutralized. Let's see if we can get your security programs to run now.


Navigate to this file:

C:\program files\malwarebytes' anti-malware\mbam.exe

• Right-click it, and click Properties.
  
• Click the Security tab.
  
• Click Edit...
  
• Accept the prompt that pops up.
  
• Click System then click Full Control under Allow.
  
• Click Administrators then click Full Control under Allow.
  
• Click Users then only click on Read & Execute and Read under Allow.
  
• Click OK on both windows.
  
• Restart your computer and see if MBAM will run now.

-screen317

Thanks for your help....

Malwarebytes Anti-Malware ran and found no problems.

This is the log.

Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 6.0.6001 Service Pack 1

8/23/2009 10:15:42 PM
mbam-log-2009-08-23 (22-15-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 409672
Time elapsed: 2 hour(s), 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks,
Jeffrey

[screen317]

Hi Jeffrey,

Repeat the permissions reset for any program that you cannot open.


I notice that you are using more than one antivirus program (avast!, AVG , AntiVir, Trend Micro Internet Security ). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Also delete Win32kDiag and SecurityCheck.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.


After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):


Java™ 6 Update 14
Java™ 6 Update 7

Restart your computer.

Get the latest version of Java.


Restart your computer.


Let me know what issues remain.

-screen317

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!