Malwarebytes

mbam won't run


40 replies to this topic

#1
Trav 1

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
Hello,
I run XP on a Dell Inspiron 5150 and I have recently been infected with Antivirus Pro 2010 and Advanced Virus Removal. These are the ones I know of for sure. I cannot access the web from the infected PC. I downloaded and installed MBAM from USB. I cannot run it in normal mode, but I ran it in safe mode and found... are you ready for this... 535 infections. After the safe mode scan and removal I tried to open it in normal mode and the desktop almost completely locks up. My System Restore, registry editor and Task Manager have been disabled. Any thoughts or suggestions? Thanks for your time.

#2
Trav 1
I have just read about renaming mbam.exe during the save process. Going to download it again and attempt to open it in normal mode.

#3
Blade81

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 1,227 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

If you still need help with this, do the following:

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the Download EXE button and saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Do not check the Show All box while the scan is in progress!
  • When the scan is finished, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

#4
Trav 1
Finally got MBAM to run in normal mode and it finds more infections, but it freezes in the "extra and heuristics scan". Can't access IE for updates. I will do the things you suggested and let you know. Thanks.

#5
Trav 1
Hello again! Here are the logs you requested. The GMER program is not exactly... quick, is it... lol. I hope this helps. If you need anything else just let me know.

Attached Files



#6
Blade81
Thanks for the logs.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.


  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

#7
Trav 1
Hello,
Here are the new logs you requested. I want to thank you for your help and patience. I'm sure you are very busy and I appreciate all that you're doing to help me.

Attached Files



#8
Blade81
Hi,

Looks like ComboFix (and DDS) was run from external drive. Please copy the file to your desktop and run it there. Let ComboFix install recovery console too. Post a fresh report when ready.

#9
Trav 1
I'm unable to download ComboFix from the link above. McAfee finds two "Artemis" trojans in the file. Any suggestions?

#10
Blade81
Hi,

Keep your protection software disabled while you download and run ComboFix.

#11
Trav 1
OK, I got CF to download to my flash drive and installed it on my infected desktop. I manually created Console Restore after I ran CF. These are the new logs, run from the desktop.

Attached Files



#12
Blade81
Hi again,

Uninstall Ask Toolbar if not installed on purpose.



Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ropu.com
c:\documents and settings\Toshua Gent\Application Data\kexutubej.pif
c:\windows\system32\usacibeto.dat
c:\program files\Common Files\xazal._sy
c:\program files\Common Files\yhywe.dat
c:\program files\Common Files\ruko._dl
c:\documents and settings\All Users\Application Data\ceryky.scr
c:\documents and settings\Toshua Gent\Application Data\ugume.exe
c:\windows\zoqexi.com
c:\windows\system32\temp32.bat
c:\program files\Common Files\ovuvy.dat
c:\documents and settings\Toshua Gent\Application Data\ysegynydew.dat
c:\documents and settings\All Users\Application Data\qete.exe
c:\program files\Common Files\mamydeku._sy
c:\program files\Common Files\seqogot.dll
c:\windows\siqo.pif
c:\windows\yhupyqe.pif
c:\documents and settings\Travis Harrell\Local Settings\Application Data\upidozihe.bin
c:\documents and settings\Travis Harrell\Application Data\vexez.bin
c:\windows\system32\eryba.dat
c:\program files\Common Files\qatuxyqor.bin
c:\windows\upova.pif
c:\windows\ymyda.pif
c:\documents and settings\Travis Harrell\Local Settings\Application Data\irujyqal.com
c:\documents and settings\All Users\Application Data\ohyzipa.dat
c:\program files\Common Files\cojuras.pif
c:\program files\Common Files\vixaqar.scr
c:\windows\imubot.dat
c:\windows\system32\ilyvaxixum.dat
c:\windows\system32\ranubydeq.bin
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ywybir.dll
c:\windows\ykekyxepy.com
c:\documents and settings\All Users\Application Data\idiruleneh.dat
c:\documents and settings\Toshua Gent\Application Data\kodecex.sys
c:\windows\system32\ucyf.sys
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ykurisape.com
c:\windows\ucanelefu.bin
c:\program files\Common Files\mopi.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: dragging CFScript onto ComboFix.exe]

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here if you actually need it. I see that Foxit Reader is also installed, so you may not require Adobe Reader.

Uninstall Shockwave and get the fresh one here if needed.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click jre-6u17-windows-i586-p.exe to install the newest version. Uncheck the Carbonite online backup trial if it is offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Also, start MBAM, update its definitions on update tab and run a quick scan. Post back the results.
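The CFScript in the post above is a plain-text format: a section name followed by "::", then one entry per line, with the Registry:: section written in .reg syntax. As an added example (not part of this thread, and not a ComboFix feature), the Python below parses such a script and gives a dry-run summary of what it will delete and write, so it can be reviewed before being dragged onto ComboFix.exe. The embedded SAMPLE is an excerpt of the posted script with two legitimate Windows paths (explorer.exe, kernel32.dll) added for contrast; the looks_generated() name check is a triage heuristic assumed here, not anything the thread describes.

```python
"""Dry-run summary of a ComboFix CFScript (File:: and Registry:: sections).

Added example, not from the original thread and not a ComboFix feature.
SAMPLE is an excerpt of the script posted above; its last two File:: lines
(explorer.exe, kernel32.dll) are legitimate Windows files added for contrast.
looks_generated() is a triage heuristic written for this example.
"""
import ntpath
import re
from collections import Counter

SAMPLE = r"""File::
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ropu.com
c:\documents and settings\Toshua Gent\Application Data\kexutubej.pif
c:\windows\system32\usacibeto.dat
c:\program files\Common Files\xazal._sy
c:\windows\zoqexi.com
c:\windows\system32\temp32.bat
c:\program files\Common Files\seqogot.dll
c:\windows\explorer.exe
c:\windows\system32\kernel32.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
VOWELS = set("aeiouy")


def parse_cfscript(text):
    """Split into {section: [lines]}; a header is a word followed by '::'."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            current.append(line)
    return sections


def parse_registry(lines):
    """.reg syntax -> {key: {name: value}}; dword -> int, '-' -> None (delete)."""
    result, key = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = result.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparsed registry line: {line!r}")
        name, raw = m.groups()
        if raw.startswith("dword:"):
            key[name] = int(raw[6:], 16)
        elif raw == "-":
            key[name] = None
        else:
            key[name] = raw.strip('"')
    return result


def looks_generated(stem):
    """Heuristic: letters only, 4+ chars, strictly alternating vowel/consonant
    (y counted as a vowel). Every stem in the posted list matches, but so do
    some real names ('notepad'), so treat it as a hint, not a verdict."""
    s = stem.lower()
    if len(s) < 4 or not s.isalpha():
        return False
    is_vowel = [c in VOWELS for c in s]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def summarise(text):
    """What the script deletes (File::) and writes (Registry::)."""
    sections = parse_cfscript(text)
    files = sections.get("File", [])
    parts = [ntpath.splitext(ntpath.basename(f)) for f in files]
    return {
        "file_count": len(files),
        "extensions": Counter(ext.lower() for _, ext in parts),
        "suspicious": [f for f, (stem, _) in zip(files, parts) if looks_generated(stem)],
        "disguised_ext": [f for f, (_, ext) in zip(files, parts) if ext.startswith("._")],
        "registry": parse_registry(sections.get("Registry", [])),
    }


def monitoring_reenabled(registry):
    """True when every DisableMonitoring value the script writes is 0."""
    vals = [v for values in registry.values()
            for name, v in values.items() if name == "DisableMonitoring"]
    return bool(vals) and all(v == 0 for v in vals)


if __name__ == "__main__":
    report = summarise(SAMPLE)
    print(report["file_count"], "files;", dict(report["extensions"]))
    print("generated-looking:", *report["suspicious"], sep="\n  ")
    print("Security Center monitoring re-enabled:", monitoring_reenabled(report["registry"]))
```

The Registry:: block in the posted script sets DisableMonitoring back to 0 for Security Center and the two McAfee entries, which is what monitoring_reenabled() confirms; a value of 1 there is how malware keeps Security Center from warning that protection is off. The name heuristic is only a reading aid: it flags every stem in the posted list and not explorer or kernel32, but it also flags notepad, so a real triage still combines it with location and a known-good inventory.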

#13
Trav 1
I am unable to access internet from infected computer. Will the above listed programs work off flash drive?

#14
Trav 1
New logs. Installed CFScript and ATF. MBAM failed to update, error code 732 (0,0). I'm guessing it's because I can't access the internet. ATF did well, cleaned something like 5,000,000. If I could get online I could update MBAM. Ran a quick scan without updates, found no infections. The quick scan is a lot faster now. It used to run for about 14 minutes; this last time it only took about 6 minutes.

Attached Files



#15
Trav 1
I forgot to mention I was unable to run Kaspersky scanner due to internet being down.

#16
Blade81
Hi,

When did this connection problem begin to occur? How do you normally connect to internet (wired or wireless solution)?

#17
Trav 1
The connection has been down for a month or two. It started after I failed to remove the two malware programs, Advanced Virus Remover and Anti Virus Pro 2010. I use both connections, wired and wireless. The taskbar shows I'm connected but no pages will open. Then it began to crash as soon as the desktop opened, but after I ran the programs you suggested it doesn't crash, though it still can't open any pages. It says "page could not be displayed" or something like that. Thanks and have a good day.

#18
Blade81
Have you given browser(s) proper permissions in your firewall?

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:

@echo off
rem Write the adapter configuration, a DNS lookup, a two-packet ping and the routing table into one file
>Log1.txt (
ipconfig /all
nslookup google.com
ping -n 2 google.com
route print
)
rem Open the result in Notepad, then delete this batch file
start Log1.txt
del %0

  • Go to the File menu at the top of Notepad and select Save as.
  • Select save in: Desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click Save.
  • Close Notepad.
  • Locate and double-click test.bat on the desktop.
  • A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

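The batch file above collects four outputs, and the diagnosis is a matter of reading them bottom-up: no address, no route, no name resolution, no echo reply, or all of those fine and the fault above the socket layer. As an added example (not part of this thread), the Python below reads a Log1.txt of that shape and names the lowest layer that fails. The two embedded logs are constructed to resemble Windows XP output, one healthy and one with a failed lookup; they are not the poster's actual logs, and the addresses in them are made up.

```python
"""Triage the Log1.txt written by the batch file above (ipconfig /all,
nslookup, ping -n 2, route print) and name the lowest broken layer.

Added example, not from the original thread. HEALTHY_LOG and DNS_FAIL_LOG are
constructed to mimic Windows XP output; they are not the poster's logs and
the addresses in them are made up.
"""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

HEALTHY_LOG = """Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.67.100, 74.125.67.101

Pinging google.com [74.125.67.100] with 32 bytes of data:
Reply from 74.125.67.100: bytes=32 time=44ms TTL=51
Reply from 74.125.67.100: bytes=32 time=43ms TTL=51
Ping statistics for 74.125.67.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       20
Default Gateway:       192.168.1.1
"""

# Same adapter and routes, but the resolver returns nothing and ping cannot find the host.
DNS_FAIL_LOG = HEALTHY_LOG.split("Server:")[0] + """Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find google.com: Server failed
Ping request could not find host google.com. Please check the name and try again.
""" + HEALTHY_LOG[HEALTHY_LOG.index("====="):]

ADVICE = {
    "ip-config": "No usable IPv4 address or gateway: check link/wireless association, DHCP, adapter driver.",
    "routing": "Address present but no default route: check the gateway setting and route table.",
    "dns": "Names do not resolve: check the DNS server setting, the hosts file, and that the resolver is one you recognise.",
    "connectivity": "Names resolve but no echo reply: upstream link, or a firewall dropping ICMP.",
    "browser": "IP, DNS, routing and ICMP all work: check the browser's firewall permission, "
               "proxy settings in Internet Options, the hosts file and Winsock LSP entries.",
}


def parse_log1(text, host="google.com"):
    """Pull the facts the diagnosis needs out of the combined command output."""
    resolved = re.search(r"Name:\s+" + re.escape(host) + r"\s*\n\s*Address(?:es)?:\s+(" + IPV4 + ")", text)
    route = re.search(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(" + IPV4 + ")", text, re.M)
    return {
        "ip": re.findall(r"IP Address[ .]*:\s*(" + IPV4 + ")", text),
        "gateway": re.findall(r"Default Gateway[ .]*:\s*(" + IPV4 + ")", text),
        "dns_servers": re.findall(r"DNS Servers[ .]*:\s*(" + IPV4 + ")", text),
        "resolved_to": resolved.group(1) if resolved else None,
        "ping_replies": re.findall(r"Reply from (" + IPV4 + r"): bytes=", text),
        "default_route_via": route.group(1) if route else None,
    }


def diagnose(text, host="google.com"):
    """Walk up the stack and stop at the first layer that fails."""
    f = parse_log1(text, host)
    apipa = any(a.startswith("169.254.") for a in f["ip"])  # autoconfiguration address: no DHCP
    if not f["ip"] or apipa or not f["gateway"]:
        layer = "ip-config"
    elif not f["default_route_via"]:
        layer = "routing"
    elif not f["dns_servers"] or not f["resolved_to"]:
        layer = "dns"
    elif not f["ping_replies"]:
        layer = "connectivity"
    else:
        layer = "browser"
    return {"layer": layer, "facts": f, "advice": ADVICE[layer]}


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("dns failure", DNS_FAIL_LOG)):
        result = diagnose(log)
        print(f"{name}: {result['layer']} -> {result['advice']}")
```

The healthy log is the situation in this thread: the machine has an address, a default route, a resolver that answers and a host that echoes back, so the verdict is "browser", and the next questions are the ones the reply above asks about firewall permissions, plus the proxy, hosts-file and LSP checks that rogue security software commonly tampers with.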

#19
Trav 1
Hi again,

Here is the new log you requested. Hope it helps.

Attached Files



#20
Blade81
Hi,

Connection seems to work correctly. Did you check your firewall settings and make sure web browser is allowed there? Have you tried to turn Windows firewall on and the 3rd party one off?