Malwarebytes

Mbam.exe scans for a second then quits.

18 replies to this topic

#1
alee33
New Member, 10 posts

My laptop is infected with various types of malware such as Windows Police Pro, Windows Security, and numerous others, I suppose. I have battled it back from not being able to access my registry or anything, for that matter. I have renamed my mbam.exe file and I am now able to open it; however, just as the program begins to scan it quits. Please help, I have come so far from being completely locked up.

#2
sUBs
Forum Deity, Moderators, 6,031 posts

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs
Research Engineer
Follow us: Twitter, Become a fan: Facebook

#3
alee33

sUBs, on Oct 14 2009, 06:22 PM, said:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

The following running rootkits are stopping the scan every time:

c:\windows\system32\drivers\uacodarusdwye.sys
c:\windows\system32\uacjkjkmxmaqe.dll
c:\windows\system32\uacnrmspvqueu.dll
c:\windows\system32\uaccwswmxyblri.dat
c:\windows\system32\uacaqtnqxdhla.dll
c:\windows\system32\uactpwggodorg.dll

Where to go from here?

#4
sUBs
Tell me how they are stopping.

#5
alee33

sUBs, on Oct 15 2009, 03:34 PM, said:

Tell me how they are stopping.

combofix.exe begins to run the scan for infected files; however, before completing stage 1 a message pops up that says "ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it later", then the list I posted is shown. I have clicked OK to reboot in safe and normal modes, but I get the same message from ComboFix once it begins the scan again.

#6
sUBs
Is this a fresh download of ComboFix? I hope you're not using an older copy.

#7
alee33

sUBs, on Oct 15 2009, 04:32 PM, said:

Is this a fresh download of ComboFix? I hope you're not using an older copy.

Yes, I downloaded it today from the link you gave me.

#8
sUBs
combofix.exe begins to run the scan for infected files; however, before completing stage 1 a message pops up that says "ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it later", then the list I posted is shown. I have clicked OK to reboot in safe and normal modes, but I get the same message from ComboFix once it begins the scan again.

Tell me if this is correct.

1. Click OK to the "Rootkit" message and ComboFix reboots the machine.
2. On rebooting and logging on, ComboFix starts on its own and a blue DOS window appears.
3. It then tells you it found a rootkit again.
4. On no occasion did you click to close the blue DOS window.

#9
alee33
Correct. ComboFix is sending me in a loop.

#10
Can mbam run now?

#11
alee33
I don't know, I am still stuck in this paradox of ComboFix. Do I just close the DOS window to get back to Windows?

#12
sUBs
Yes, please close it. Is this the first run? Or have other runs been in that sort of loop?

#13
alee33
OK, I closed it, but I did run it several times. I re-installed mbam and was able to update via install/finish; it is working now, currently doing a full scan. Thank you! What steps do I take from here to prevent the virus from spontaneously re-appearing? Do I need to delete restore points? Again, thank you.

#14
sUBs
Please perform a 'Quick Scan' with mbam. Then show me the log which it produces. ComboFix, despite getting caught in a loop, should have done enough for mbam to run unhindered.

#15
alee33
Quick scan yielded this log:

Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 5.1.2600 Service Pack 2

10/15/2009 8:46:46 PM
mbam-log-2009-10-15 (20-46-46).txt

Scan type: Quick Scan
Objects scanned: 112284
Time elapsed: 14 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oicxgnbqpxdmdeob (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\antipol (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antipol (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antipol (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dbsinit.exe (Rogue.DB) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\plugie.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\221bc242.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\oicxgnbqpxdmdeob.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac9c3c.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac53eb.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac5bea.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac5fa3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac897c.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac912c.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac92d6.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac941a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac9900.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uaca005.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACltmoeoqghyclrrqkh.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr4 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr5 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr6 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr7 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr8 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\tmpwr9 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wf3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wf4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pump.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Think\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
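An added example, not from this thread or from Malwarebytes: a small Python audit of the log format posted above. It checks the summary counts against the listed entries (a quick way to spot a truncated paste), lists removals still pending a reboot, and flags the kind of ImagePath hijack shown in the log, where a typo'd `%fystemRoot%` that Windows cannot expand silently breaks the BITS and Windows Update services. The log excerpt is constructed from entries in the posted log, and `EXPECTED_VARS` is a hypothetical allowlist.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in the Malwarebytes 1.41 log layout seen in this thread
# (entries copied from the posted log, trimmed so the summary counts match).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oicxgnbqpxdmdeob (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\221bc242.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\oicxgnbqpxdmdeob.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")        # "Files Infected: 38"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")               # "Files Infected:"
DETAIL_RE = re.compile(r"^(.+?) \(([A-Za-z0-9.\-]+)\) -> (.+)$")  # item (Family) -> action
BAD_RE = re.compile(r"Bad: \(([^)]*)\) Good: \(([^)]*)\)")        # Hijack.* entries
ENV_RE = re.compile(r"%([^%]+)%")
EXPECTED_VARS = {"systemroot", "windir", "systemdrive"}  # assumption: legitimate ImagePath variables

def parse_mbam_log(text):
    """Return ({section: summary count}, {section: [(item, family, action), ...]})."""
    summary, sections, current = {}, defaultdict(list), None
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            current = m[1]
        elif current and (m := DETAIL_RE.match(line)):
            sections[current].append(m.groups())
    return summary, sections

def audit(text):
    """Flag count mismatches, reboot-pending removals and unexpandable ImagePath variables."""
    summary, sections = parse_mbam_log(text)
    out = {"count_mismatch": [], "reboot_pending": [], "bogus_env_var": [], "families": Counter()}
    out["count_mismatch"] = [s for s, n in summary.items() if n != len(sections.get(s, []))]
    for item, family, action in (d for items in sections.values() for d in items):
        out["families"][family] += 1
        if "Delete on reboot" in action:  # confirm the file is really gone after the restart
            out["reboot_pending"].append(item)
        if m := BAD_RE.search(action):
            unknown = [v for v in ENV_RE.findall(m[1]) if v.lower() not in EXPECTED_VARS]
            out["bogus_env_var"] += [(item, v) for v in unknown]
    return out
```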

#16
alee33
I imagine I could run ComboFix now since it has removed the rogue rootkits. Would you like that log also?

#17
sUBs
That would be good. Yes, please run it.

#18
alee33
OK, so every time I restart my computer the DOS prompt pops up for ComboFix. Now when the program begins to scan it flashes a red box too quickly for me to read, then restarts my computer. Should I re-install ComboFix? If yes, how? Just go about it as if I never installed it in the first place?

#19
sUBs
Delete the folder C:\ComboFix. That shall stop it from running with each boot.