#41
Posted 18 June 2010 - 04:36 PM
#42
Posted 18 June 2010 - 05:09 PM
Maniac, on Jun 18 2010, 02:36 PM, said:
I was able to figure out how to boot up in safe mode but now I can't find your comments previous to this one - I think it was a link to download something in safe mode - sorry - I'm having a LOT of bringing up your latest replies to my questions! Also have a lot of difficulty logging out of the forum - what next?
#43
Posted 19 June 2010 - 03:48 PM
cgrammie2, on Jun 18 2010, 03:09 PM, said:
I was able to figure out how to boot up in safe mode but now I can't find your comments previous to this one - I think it was a link to download something in safe mode - sorry - I'm having a LOT of bringing up your latest replies to my questions! Also have a lot of difficulty logging out of the forum - what next?
Hello!
Have completed the Dr Web scan - looks like the log downloaded into an MS-Excel file instead of notepad - copied it below and also attached file to this reply - there's something called setup_XP - Notepad file which I have also copied below. I also ran mbam scan very early this morning and have copied the log below as well.
-----------------------------------------------------------------------------------------
DrWeb.csv log (file also attached) - scan run 6/19/10
7da515163ba3b90.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da515163ba3b90.bup;Win32.HLLC.Asdas.7;;
7da515163ba3b90.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5156b76d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5156b76d0.bup;Win32.HLLC.Asdas.7;;
7da5156b76d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da516132a3a5d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da516132a3a5d0.bup;Trojan.Fakealert.15575;;
7da516132a3a5d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5e1082800.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e1082800.bup;Trojan.DownLoad1.58684;;
7da5e1082800.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5e1082c2ce0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e1082c2ce0.bup;Trojan.DownLoad1.58684;;
7da5e1082c2ce0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5e14272c2e60.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e14272c2e60.bup;Trojan.DownLoad1.58684;;
7da5e14272c2e60.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5e152922980.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e152922980.bup;Trojan.DownLoad1.58684;;
7da5e152922980.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
7da5e6162f1190.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e6162f1190.bup;Trojan.DownLoad1.58684;;
7da5e6162f1190.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0297549.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2024;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0298101.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2030;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0298294.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2030;Trojan.StartPage.1505;Deleted.;
---------------------------------------------------------------------------------------------------------
[Windows]
FilesTypes = EXE,COM,DLL,SYS,VXD,OV?,BAT,BIN,DRV,PRG,BOO,SCR,CMD,386,FON,DO?
FilesTypes = XL?,WIZ,RTF,CL*,HT*,VB*,JS*,INF,PP?,OBJ,LIB,PIF,HLP,MD?,INI,MBR
FilesTypes = IMG,CSC,CPL,MBP,SH,SHB,SHS,SHT*,CHM,REG,XML,PRC,ASP,LSP,MSO,OBD
FilesTypes = THE*,NWS,SWF,MPP,OCX,VS*,DVB,CPY,BMP,RPM,ISO,DEB,AR?,ZIP,R??,GZ
FilesTypes = Z,TGZ,TAR,TAZ,CAB,LHA,LZH,BZ2,MSG,EML,7Z,CPIO,TBB
UserMasks = "*.EXE","*.COM","*.DLL","*.SYS","*.VXD","*.OV?","*.BAT","*.BIN"
UserMasks = "*.DRV","*.PRG","*.BOO","*.SCR","*.CMD","*.386","*.FON","*.DO?"
UserMasks = "*.XL?","*.WIZ","*.RTF","*.CL*","*.HT*","*.VB*","*.JS*","*.INF"
UserMasks = "*.PP?","*.OBJ","*.LIB","*.PIF","*.HLP","*.MD?","*.INI","*.MBR"
UserMasks = "*.IMG","*.CSC","*.CPL","*.MBP","*.SH","*.SHB","*.SHS","*.SHT*"
UserMasks = "*.CHM","*.REG","*.XML","*.PRC","*.ASP","*.LSP","*.MSO","*.OBD"
UserMasks = "*.THE*","*.NWS","*.SWF","*.MPP","*.OCX","*.VS*","*.DVB","*.CPY"
UserMasks = "*.BMP","*.RPM","*.ISO","*.DEB","*.AR?","*.ZIP","*.R??","*.GZ"
UserMasks = "*.Z","*.TGZ","*.TAR","*.TAZ","*.CAB","*.LHA","*.LZH","*.BZ2"
UserMasks = "*.MSG","*.EML","*.7Z","*.CPIO","*.TBB"
ScanFiles = All
HeuristicAnalysis = Yes
CheckArchives = Yes
CheckEMailFiles = No
InfectedFiles = Cure
SuspiciousFiles = Report
IncurableFiles = Move
ActionAdware = Report
ActionDialers = Report
ActionJokes = Report
ActionRiskware = Report
ActionHacktools = Report
ActionInfectedArchive = Move
ActionInfectedMail = Report
ActionInfectedContainer = Move
RebootMode = Prompt
CheckHOSTSFile = Yes
RenameFilesTo = #??
MoveFilesTo = "%USERPROFILE%\DoctorWeb\Quarantine\"
ExcludePaths = "%USERPROFILE%\DoctorWeb\Quarantine"
ExcludeFiles = "*.7z","*.ar?","*.bz2","*.cab","*.img","*.iso","*.jar","*.lzh"
ExcludeFiles = "*.mdf","*.nrg","*.rar","*.tar","*.tgz","*.vmdk","*.zip"
VirusBase = "*."
LogToFile = Yes
OverwriteLog = No
LogScanned = No
LogPacked = Yes
LogArchived = No
LogFileName = "%USERPROFILE%\DoctorWeb\CureIt.log"
LogFormat = ANSI
LngFileName = ""
ShowProgressBar = Yes
ScanPriority = 50
EnginePath = "setup.dll"
TestMemory = Yes
TestStartup = Yes
AutoSaveSettings = Yes
ScanSubDirectories = Yes
PromptOnAction = Yes
PlaySounds = No
UseDiskForSwap = Yes
AlertWav = "alert.wav"
CuredWav = "cured.wav"
DeletedWav = "deleted.wav"
RenamedWav = "renamed.wav"
MovedWav = "moved.wav"
FinishWav = "finish.wav"
ErrorWav = "error.wav"
UpdateAllFiles = No
UpdateVirusBasesOnly = No
OnUpdateRun = ""
UpdateRebootMode = prompt
ScanFDD = No
ScanHDD = Yes
ScanCD = No
ScanNet = No
LimitLog = Yes
MaxLogSize = 2048
RestoreAccessDate = No
WaitAfterScan = Yes
LogStatistics = Yes
EnableDeleteArchiveAction = No
DisableHotReconfigure = No
-----------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4214
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/19/2010 5:53:07 AM
mbam-log-2010-06-19 (05-53-07).txt
Scan type: Full scan (C:\|)
Objects scanned: 220301
Time elapsed: 1 hour(s), 36 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\76414411.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.
#44
Posted 19 June 2010 - 05:12 PM
#45
Posted 19 June 2010 - 09:53 PM
Maniac, on Jun 19 2010, 03:12 PM, said:
That's good! 
How are things after... all?
Hi Borislav -
Things appear to be good so far but I'm still getting internet redirects when I do google searches. Why? This has been a nightmare - any more suggestions?
I really appreciate the help you've given during this time! Thank you!!!
#46
Posted 20 June 2010 - 02:56 AM
ESET Online Scanner
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.
- Please go here then click on:

- Select the option YES, I accept the Terms of Use then click on:

- When prompted allow the Add-On/Active X to install.
- Now click on Advanced Settings and select the following:
  - Remove found threats
  - Scan archives
  - Scan for potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- Now click on:

- The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
- Now click on:

- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
#47
Posted 20 June 2010 - 11:44 AM
Maniac, on Jun 20 2010, 12:56 AM, said:
ESET Online Scanner
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.
- Please go here then click on:

- Select the option YES, I accept the Terms of Use then click on:

- When prompted allow the Add-On/Active X to install.
- Now click on Advanced Settings and select the following:
  - Remove found threats
  - Scan archives
  - Scan for potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- Now click on:

- The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
- Now click on:

- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Here is the ESET scan log - Could this be a false positive? I uninstalled Spybot days ago.
Thanks for your help!
----------------------------------------------------------------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=80d996b05ef17b4aa891bb4f11c48b12
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-20 04:30:53
# local_time=2010-06-20 09:30:53 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776613 100 96 3273987 29878357 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83035
# found=1
# cleaned=1
# scan_time=6227
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudDataProtection18.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
#48
Posted 20 June 2010 - 12:26 PM
Download RootRepeal Beta on your desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
  - Drivers
  - Files
  - Processes
  - SSDT
  - Stealth Objects
  - Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
  Note: The scan can take some time. DO NOT run any other programs while the scan is running
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
#49
Posted 20 June 2010 - 01:11 PM
Maniac, on Jun 20 2010, 10:26 AM, said:
Download RootRepeal Beta on your desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
  - Drivers
  - Files
  - Processes
  - SSDT
  - Stealth Objects
  - Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
  Note: The scan can take some time. DO NOT run any other programs while the scan is running
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
Tried to download rootrepeal - would not initialize - also received message that "Windows Virtual Minimum Memory Too Low" - my computer is also running a bit sluggish now as well.
#50
Posted 20 June 2010 - 01:12 PM
#51
Posted 20 June 2010 - 03:44 PM
Maniac, on Jun 20 2010, 11:12 AM, said:
Use the latest stable version:
http://sites.google....epeal_1.3.5.zip
Well still not able to download RootRepeal for the same reason above. Is there something else we can use?
#52
Posted 20 June 2010 - 03:48 PM
#53
Posted 21 June 2010 - 05:59 AM
No, it's not due to malware.
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Under the Standard Registry box change it to All.
- Check the boxes beside LOP Check and Purity Check.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
#54
Posted 21 June 2010 - 08:24 AM
Maniac, on Jun 21 2010, 03:59 AM, said:
No, it's not due to malware.
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Under the Standard Registry box change it to All.
- Check the boxes beside LOP Check and Purity Check.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
Hi - I started OTL scan about an hour ago - the only sign that it's working is an hour glass on the screen - it doesn't show it scanning through the files like other scans - is it working or is it just hung up?
#55
Posted 21 June 2010 - 09:39 AM
#56
Posted 21 June 2010 - 01:49 PM
#57
Posted 21 June 2010 - 01:54 PM
Please follow these instructions:
http://www.bleepingcomputer.com/forums/ind...st&p=231230
Then post a new fresh DDS log.
#58
Posted 21 June 2010 - 02:20 PM
Maniac, on Jun 21 2010, 11:54 AM, said:
Please follow these instructions:
http://www.bleepingcomputer.com/forums/ind...st&p=231230
Then post a new fresh DDS log.
ok - Use safe mode or regular?
#59
Posted 21 June 2010 - 02:26 PM
#60
Posted 21 June 2010 - 05:00 PM
Maniac, on Jun 21 2010, 12:26 PM, said:
Regular.
Hello again -
I've read the instructions at the bleepingcomputer website but have not done the SFC.EXE scan yet - this is WAY above my comfort level. I also have an application on my computer that I've paid a license fee to use (for my job) - If I should have to do a system restore I don't know how that will affect my licensed application. I must check with them first before proceeding any further.
This topic is locked