
MalwareBytes (And Others) Won't Run


This topic is locked.
25 replies to this topic

#1 ken2010 (New Member, 15 posts)

Posted 06 April 2010 - 07:22 AM

Hi -

I am losing the battle here against the Malware on this Windows XP System. It seems like the main Malware on this system is Antivirus Pro 2010 or Advanced Virus Remover but there has got to be more based on how aggressive this is.

I am currently unable to run MalwareBytes/Spybot/Combofix/HijackThis etc. I have tried all of the tricks that I know such as renaming the .exe etc.

When I am finally able to get MalwareBytes to start running (after a reinstall), it closes within a few seconds and it seems to be deleted, as you can't run it a second time. The same behaviour exactly with Spybot, etc.

Even in Safe Mode logged in as administrator I get the same behaviour with the programs closing etc ...

Running RKILL has not helped.

Can anyone help me step through this ??

Thanks in Advance !

#2 ken2010 (New Member, 15 posts)

Posted 07 April 2010 - 08:00 AM

Can anyone help with this ?

#3 xixo_12 (Advanced Member, Trusted Advisors, 140 posts, Gender: Male, Location: Malaysia)

Posted 07 April 2010 - 08:28 AM

Hello and :)
  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes, as this will hinder the malware removal process.
  • You may wish to print them off or copy the instructions into Notepad.
  • If you have any questions, please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

First,
exeHelper by raktor
Please download from HERE and save to the desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,
Malwarebytes' Anti-Malware - Run
  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Posted Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
Checklist.
Please post.
  • Content of exehelperlog.txt
  • Content of MBAM log

Honors Graduate of Malware Removal University
Member of ASAP and UNITE

#4 ken2010 (New Member, 15 posts)

Posted 08 April 2010 - 02:46 PM


Thank You For Your Assistance -

Here are the contents of the exehelperlog.txt

exeHelper by Raktor
Build 20100329
Run at 14:45:10 on 04/08/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg
Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

We are unable to run MalwareBytes; here is what happens:

1. Program is launched and Scan selected
2. After a few Seconds program is automatically closed
3. Program will not run again unless re-installed

Additional Notes -

We have even tried renaming the .exe - This did not help
Spybot behaves the same way when attempted
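
The exeHelper log above ends with "Resetting filetype association for .exe / .com", "Resetting userinit and shell values" and "Resetting policies", which are the registry locations a rogue AV uses to run itself in front of every program launch and lock the user out of Task Manager and regedit. The script below is an added example, not exeHelper's own code and not from the original thread: it reads a .reg export of those keys, compares them with their Windows XP defaults, and writes a REGEDIT4 file that restores whatever was changed. It assumes %SystemRoot% is C:\WINDOWS (as in the thread's logs); SAMPLE_EXPORT is a constructed, hijacked export with made-up paths.

```python
"""Audit the XP execution-hijack points exeHelper resets (the .exe/.com
shell\open\command associations, Winlogon Userinit and Shell, Explorer/System
lockout policies) from a .reg export and emit a .reg that restores them.
Added example, not exeHelper's code; assumes %SystemRoot% is C:\WINDOWS."""
import re

# (key, value name) -> canonical data on Windows XP.  "@" is the default value.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        "Explorer.exe",
}
# Lockout policies a rogue sets to 1; they should be absent or 0.
LOCKOUT_POLICIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "DisallowRun"),
]

# Constructed export (paths are made up): .exe launches routed through a rogue
# binary, an extra program appended to Userinit, Task Manager disabled.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\loader.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def reg_unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)

def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg_export(text):
    """{(key, name): data} from REGEDIT4/5.00 text; strings unescaped, dwords as int."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                      # header, blank or unsupported line
        name = "@" if m.group(1) == "@" else reg_unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            values[(key, name)] = reg_unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        else:
            values[(key, name)] = data    # hex(...) blobs left raw
    return values

def audit(reg_text):
    """Return (key, name, actual, expected) for every hijacked or missing value."""
    found = {(k.lower(), n.lower()): v for (k, n), v in parse_reg_export(reg_text).items()}
    findings = []
    for (key, name), good in EXPECTED.items():
        actual = found.get((key.lower(), name.lower()))   # None = not in export
        if actual != good:
            findings.append((key, name, actual, good))
    for key, name in LOCKOUT_POLICIES:
        actual = found.get((key.lower(), name.lower()), 0)
        if actual != 0:
            findings.append((key, name, actual, 0))
    return findings

def fix_reg(findings):
    """REGEDIT4 text that restores each flagged value (import with regedit)."""
    out = ["REGEDIT4", ""]
    for key, name, _actual, good in findings:
        lhs = "@" if name == "@" else '"%s"' % reg_escape(name)
        rhs = "dword:%08x" % good if isinstance(good, int) else '"%s"' % reg_escape(good)
        out += ["[%s]" % key, "%s=%s" % (lhs, rhs), ""]
    return "\n".join(out)

if __name__ == "__main__":
    for key, name, actual, good in audit(SAMPLE_EXPORT):
        print("%s\\%s\n    is: %r\n    expected: %r" % (key, name, actual, good))
    print(fix_reg(audit(SAMPLE_EXPORT)))
```

On a live machine, export the four keys with `reg export` (or regedit) from a clean boot medium, run the audit, and import the generated file before rerunning any scanner: with the .exe association hijacked, every tool launched by double-click starts through the rogue, which is consistent with the scanners here dying a few seconds after start even when renamed.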

#5 xixo_12 (Advanced Member, Trusted Advisors, 140 posts, Gender: Male, Location: Malaysia)

Posted 08 April 2010 - 05:49 PM

Hi, :D
Ok, no worries,
Try this one.

First
ExeFix.
Please download from HERE and save to the desktop.
  • Double-click the file to run it.
  • Click No when prompted to visit the webpage.

Next,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.com << Please look at the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.com to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.com & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Posted Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Checklist.
Please post.
  • Content of ComboFix.txt


#6 ken2010 (New Member, 15 posts)

Posted 10 April 2010 - 09:51 AM


Hi -

I won't have this system available to me until Monday April 12th. I plan on running the ComboFix then. Please leave this thread open and I will work this all the way through with you next week.

Thanks,

Ken

#7 xixo_12 (Advanced Member, Trusted Advisors, 140 posts, Gender: Male, Location: Malaysia)

Posted 11 April 2010 - 07:57 PM

Ok, noted :)

#8 ken2010 (New Member, 15 posts)

Posted 12 April 2010 - 08:51 AM


Hi - Here is the latest Update

- I have run the exefix as you requested
- I have run the combofix
- I am not currently connecting the infected laptop to the network, so I was not able to install the Recovery Console. Let me know if there is an offline way to install this and I will do that.
- Right now I am downloading the fixes from a good computer to a USB Key and moving them to the infected system

Here are the Results from the ComboFix log -

ComboFix 10-04-11.01 - Angel 04/12/2010 9:21.1.1 - x86
Running from: c:\documents and settings\Angel\Desktop\Combo-Fix.com
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\afuqr.exe
C:\aIx30.tmp
C:\avjelge.exe
c:\documents and settings\All Users\Application Data\ipesovyr.reg
c:\documents and settings\All Users\Documents\lecurif._sy
c:\documents and settings\Angel\Application Data\gawezetuzu.exe
c:\documents and settings\Angel\Application Data\iniasd.txt
c:\documents and settings\Angel\Application Data\lizkavd.exe
c:\documents and settings\Angel\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Angel\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Angel\Application Data\seres.exe
c:\documents and settings\Angel\Application Data\svcst.exe
c:\documents and settings\Angel\Cookies\azysub.pif
c:\documents and settings\Angel\Cookies\ebycyqy.com
c:\documents and settings\Angel\Cookies\ebype.com
c:\documents and settings\Angel\Cookies\efopoxo._sy
c:\documents and settings\Angel\Cookies\givydora.exe
c:\documents and settings\Angel\Cookies\pawideqo.vbs
c:\documents and settings\Angel\Cookies\uzezifaz.com
c:\documents and settings\Angel\Cookies\vynekihy.inf
c:\documents and settings\Angel\Cookies\xugujumel.sys
c:\documents and settings\Angel\Cookies\yvik.com
c:\documents and settings\Angel\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Angel\Local Settings\Application Data\anulocup.bin
c:\documents and settings\Angel\Local Settings\Application Data\fifyzoqehy.reg
c:\documents and settings\Angel\Local Settings\Application Data\hufixaf.inf
c:\documents and settings\Angel\Local Settings\Application Data\kojacop.inf
c:\documents and settings\Angel\Local Settings\Temporary Internet Files\asima.dat
c:\documents and settings\Angel\Local Settings\Temporary Internet Files\syfucyku.exe
c:\documents and settings\Angel\Local Settings\Temporary Internet Files\ubavequvec.com
c:\documents and settings\Angel\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
C:\ekffax.exe
C:\hrngen.exe
c:\program files\AdvancedVirusRemover
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\tilamilivi.dll
C:\qgferewy.exe
C:\qtpjjuur.exe
C:\vklebc.exe
c:\windows\desktop
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\elificabid.scr
c:\windows\fomo.dll
c:\windows\himosuxu.reg
c:\windows\sosaw.sys
c:\windows\system32\_scui.cpl
c:\windows\system32\10672.exe
c:\windows\system32\10937.exe
c:\windows\system32\11460.exe
c:\windows\system32\1174.exe
c:\windows\system32\11765.exe
c:\windows\system32\13481.exe
c:\windows\system32\13829.exe
c:\windows\system32\14163.exe
c:\windows\system32\15173.exe
c:\windows\system32\16158.exe
c:\windows\system32\17085.exe
c:\windows\system32\17192.exe
c:\windows\system32\17367.exe
c:\windows\system32\19642.exe
c:\windows\system32\19942.exe
c:\windows\system32\21698.exe
c:\windows\system32\24590.exe
c:\windows\system32\25540.exe
c:\windows\system32\28194.exe
c:\windows\system32\28557.exe
c:\windows\system32\31960.exe
c:\windows\system32\3321.exe
c:\windows\system32\4030.exe
c:\windows\system32\4361.exe
c:\windows\system32\4396.exe
c:\windows\system32\4582.exe
c:\windows\system32\4796.exe
c:\windows\system32\5801.exe
c:\windows\system32\6022.exe
c:\windows\system32\664.exe
c:\windows\system32\6751.exe
c:\windows\system32\6991.exe
c:\windows\system32\9353.exe
c:\windows\system32\drivers\gasfkygrkltpun.sys
c:\windows\system32\ehilahit._dl
c:\windows\system32\gasfkyaxijnamt.dat
c:\windows\system32\gasfkybodsxwko.dll
c:\windows\system32\gasfkygtxhuabx.dll
c:\windows\system32\gasfkykipxudev.dat
c:\windows\system32\gasfkynembgqxt.dll
c:\windows\system32\gasfkyypjbogfi.dll
c:\windows\system32\kelarozo.dll
c:\windows\system32\raromozo.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\uwob.exe
c:\windows\ypuly._dl
c:\windows\zaribi.dl

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyltoboulq
-------\Legacy_gasfkyltoboulq
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 13:26 . 2010-04-12 13:26 -------- d-----w- c:\windows\LastGood.Tmp
2010-04-05 17:22 . 2010-04-05 17:22 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001
2010-04-05 16:36 . 2010-04-08 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 16:15 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 16:15 . 2010-04-05 16:34 -------- d-----w- c:\program files\catch
2010-04-05 16:15 . 2010-04-05 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-05 16:15 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 13:37 . 2007-04-06 19:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-12 12:04 . 2010-04-12 12:04 15614 ----a-w- c:\program files\Common Files\facymyni.db
2010-04-12 12:01 . 2009-10-01 02:00 0 ----a-r- c:\windows\win32k.sys
2010-04-05 18:21 . 2010-04-05 18:21 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Template
2010-04-05 17:45 . 2010-04-05 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 17:44 . 2010-04-05 17:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 17:33 . 2010-04-05 17:27 -------- d-----w- c:\program files\catchmal
2010-04-05 17:29 . 2010-04-05 17:29 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Malwarebytes
2009-10-01 02:04 . 2009-10-01 02:04 19642 ----a-w- c:\program files\Common Files\qopenycys.com
2009-10-01 02:04 . 2009-10-01 02:04 11972 ----a-w- c:\program files\Common Files\sylymo.lib
2007-06-21 22:45 . 2007-06-21 22:45 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-04-06 19:46 . 2007-04-06 19:46 32 --sha-w- c:\windows\{3FC0BA97-60FB-4C58-A782-154D472F8B61}.dat
2007-04-06 19:46 . 2007-04-06 19:46 32 --sha-w- c:\windows\system32\{A45C1FC4-4467-418A-8B1B-3ACA19C2EEE8}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-05-16 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 323584]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

R3 fa120;NETGEAR FA120 Adapter;c:\windows\system32\DRIVERS\fa120.sys [2002-12-23 10496]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-07 29744]

.
Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 00:31]

2009-07-10 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 20:12]

2010-04-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-04-06 13:04]

2010-04-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 09:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3016)
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2010-04-12 09:43:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 13:43

Pre-Run: 38,121,021,440 bytes free
Post-Run: 38,694,662,144 bytes free

- - End Of File - - 41C2BC49E62C693259131CEE4A976553


Thank you for your continued assistance -
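
The ComboFix log above is long, but the removed files fall into a few recognisable drop patterns: dozens of numeric-name executables in system32 (the ones exeHelper's "numerical processes" check targets), random-name executables in the drive root and the user profile, the two rogue-AV program folders, and a set of system32 files and a driver all sharing the random prefix gasfky* (flagged as Rootkit.TDSS in the MBAM log later in the thread), plus a patched eventlog.dll and the Security Center AntiVirusOverride value. The script below is an added example, not part of ComboFix and not from the original post: it parses the log's banner sections, labels each deleted path, clusters system32 files by shared prefix, and pulls out the patched system file, removed services and the Security Center override. SAMPLE_LOG is a constructed excerpt in ComboFix's layout; the class labels and the prefix-length/cluster-size thresholds are this example's choices.

```python
"""Triage of a ComboFix-style log: label the 'Other Deletions' paths by drop
pattern, cluster system32 files sharing one random prefix (the TDSS-style
gasfky* pattern), and pull the patched file, removed services and Security
Center override.  Added example, not ComboFix's tooling; SAMPLE_LOG is a
constructed excerpt in ComboFix's layout."""
import json
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
(((((((((((((((((( Other Deletions ))))))))))))))))))
.

C:\afuqr.exe
C:\aIx30.tmp
c:\documents and settings\Angel\Application Data\lizkavd.exe
c:\documents and settings\Angel\Cookies\pawideqo.vbs
c:\program files\AdvancedVirusRemover
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\windows\system32\10672.exe
c:\windows\system32\4030.exe
c:\windows\system32\664.exe
c:\windows\system32\drivers\gasfkygrkltpun.sys
c:\windows\system32\gasfkyaxijnamt.dat
c:\windows\system32\gasfkybodsxwko.dll
c:\windows\system32\gasfkygtxhuabx.dll
c:\windows\system32\kelarozo.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

(((((((((((((((((( Drivers/Services ))))))))))))))))))
.

-------\Service_gasfkyltoboulq
-------\Legacy_gasfkyltoboulq

(((((((((((((((((( Reg Loading Points ))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")        # '((( Name )))' banners
WINPATH_RE = re.compile(r"^[a-z]:\\", re.I)
NUMERIC_EXE_RE = re.compile(r"\\system32\\\d+\.exe$", re.I)
EXEC_EXT = (".exe", ".com", ".pif", ".scr", ".vbs", ".bat", ".cmd")

def split_sections(text):
    """{banner name: [non-empty lines]} for each '((( Name )))' section."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line and line != ".":
            sections[current].append(line)
    return sections

def classify(path):
    """Label one deleted path by where it sat and what it was (example's own labels)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if NUMERIC_EXE_RE.search(low):
        return "numeric-name exe in system32"
    if re.match(r"^[a-z]:\\[^\\]+$", low) and name.endswith(EXEC_EXT):
        return "executable in drive root"
    if low.startswith("c:\\program files\\"):
        return "program files entry"
    if "\\documents and settings\\" in low and name.endswith(EXEC_EXT):
        return "executable in user profile"
    if "\\drivers\\" in low and name.endswith(".sys"):
        return "kernel driver"
    return "other"

def shared_prefix_families(paths, prefix_len=6, min_members=3):
    """Cluster system32 file stems by their first prefix_len letters: TDSS-style
    rootkits drop several files under one random per-infection prefix, while
    legitimate system files rarely cluster that way.  Thresholds are assumptions."""
    buckets = defaultdict(list)
    for p in paths:
        if "\\system32\\" not in p.lower():
            continue
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(stem) > prefix_len and stem.isalpha():
            buckets[stem[:prefix_len].lower()].append(p)
    return {k: v for k, v in buckets.items() if len(v) >= min_members}

def triage(log_text):
    sections = split_sections(log_text)
    deletions = sections.get("Other Deletions", [])
    deleted = [l for l in deletions if WINPATH_RE.match(l)]
    patched = [m.group(1) for l in deletions
               for m in [re.match(r"^Infected copy of (.+?) was found", l)] if m]
    services = [l.split("\\", 1)[1] for l in sections.get("Drivers/Services", [])
                if l.startswith("-------\\")]
    av_override = any(re.match(r'"antivirusoverride"=dword:0*1$', l.lower())
                      for l in sections.get("Reg Loading Points", []))
    return {
        "deleted": len(deleted),
        "by_class": dict(Counter(classify(p) for p in deleted)),
        "prefix_families": shared_prefix_families(deleted),
        "patched_system_files": patched,
        "removed_services": services,
        "security_center_av_override": av_override,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it over the full ComboFix.txt from a machine and the prefix cluster plus a "patched system file" line is the quick tell that the rogue AV came with a kernel-mode component, which is why a scan from inside the running system (MBAM, Spybot) kept failing while an offline reset of the hijack points followed by ComboFix made progress.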

#9 xixo_12 (Advanced Member, Trusted Advisors, 140 posts, Gender: Male, Location: Malaysia)

Posted 12 April 2010 - 09:16 AM

Hi,
Let's proceed.

First,
ComboFix - Installing recovery console
Is there some reason you did not install the Recovery Console? With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Scroll down to Step 1 (where it says: Step 1: Download the Setup disk program), & select the download that's appropriate for your Operating System. Download the file & save it as it is originally named.
    Note: If you have SP3, use the SP2 package.
  • Save the file to the desktop of your computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    Posted Image
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
    Posted Image
  • At the next prompt, click No to exit

Next,
Now, please proceed to connect to the network.

Next,
ExeFix.
Run this tool again.

Please download from HERE and save to the desktop.

  • Double-click the file to run it.
  • Click No when prompt to visit webpage.


Next,
Malwarebytes' Anti-Malware
Please uninstall the previous version after you have downloaded the new version. Proceed to install it and follow the rest of the instructions.

Download Malwarebytes' Anti-Malware here and save to the desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Posted Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
Checklist.
Please post.
  • Content of MBAM log


#10 ken2010 (New Member, 15 posts)

Posted 12 April 2010 - 12:33 PM


Hi -

I am still unable to get the Recovery Console installed. I understand the procedure but it is not working. I drag and drop the package onto ComboFix and ComboFix will launch, but I get the error you will see in the doc that I uploaded about ccscript.

I understand how to get to the recovery console manually if needed by booting to an XP CD.

I ran the exefix again as you requested.


I was able to run MalwareBytes for the first time. I was not able to update it first. Do you have a link where I can download the latest mbam-rules.ref and install it manually? The database version right now is 3/29/2010. I suppose it may be the latest.


Here is the contents of the MBAM.log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/12/2010 1:06:55 PM
mbam-log-2010-04-12 (13-06-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 183724
Time elapsed: 56 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\aefxixl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\aIx30.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\afuqr.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\avjelge.exe.vir (Trojan.Harnig) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ekffax.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\hrngen.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\qgferewy.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\qtpjjuur.exe.vir (Trojan.Antavmu) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\vklebc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Angel\Application Data\lizkavd.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybodsxwko.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkygtxhuabx.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynembgqxt.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyypjbogfi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkygrkltpun.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\fasodajo.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


Thanks - I will wait for your next instructions


#11 xixo_12 (Advanced Member; Trusted Advisors; 140 posts; Gender: Male; Location: Malaysia)

Posted 12 April 2010 - 05:13 PM

Hi,

First,
Discussion.
So far, how is your system?
In the next instruction, please minimize the exposure to the website, just connect it to the network.

Next,
RSIT by random/random.
Please download from HERE and save to the desktop.
  • Double-click on RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find the logs manually at C:\rsit

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Next,
Analyze file(s).
Please visit Jotti.
Click on Browse > copy the links below (one by one) and paste into the File name box > Click Open:

c:\program files\Common Files\facymyni.db
c:\program files\Common Files\qopenycys.com
c:\program files\Common Files\sylymo.lib
c:\windows\{3FC0BA97-60FB-4C58-A782-154D472F8B61}.dat
c:\windows\system32\{A45C1FC4-4467-418A-8B1B-3ACA19C2EEE8}.dat

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address:

Next,
Checklist.
Please post.
  • Respond to our discussion
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
  • Web links (total = 5)

Honors Graduate of Malware Removal University
Member of ASAP and UNITE

#12 ken2010 (New Member; Members; 15 posts)

Posted 13 April 2010 - 08:32 PM

Hi -

The system is running better. No pop-ups, nothing running in the System Tray. It feels better but still a bit sluggish.

I was unable to run RSIT. I was getting the following error:
AutoIt Error
Line -1
Error: Varible used without being declared

Here are the contents of gmer.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 21:01:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\awtyapob.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 7612
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 7613

---- EOF - GMER 1.0.15 ----

***************************************************

I went to the Jotti site and it processed the first three files. The final two "Were Not Found". They did not find anything here:
http://virusscan.jot...dc0c898777a875f
http://virusscan.jot...420c94e5278666d
http://virusscan.jot...3ea0e5190c9213a


I will wait for your next instruction -


Thanks

#13 xixo_12 (Advanced Member; Trusted Advisors; 140 posts; Gender: Male; Location: Malaysia)

Posted 14 April 2010 - 05:59 AM

Hi,
Let's proceed.

First,
ERUNT by Lars Hederer
Download ERUNT and save to the desktop.
  • Double click on erunt-setup.exe to install the program.
  • Follow the prompts > uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • Next screen, uncheck Show documentation and check Launch ERUNT.
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process

Note:
The backups can be restored from here:
C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,
MBAM - clean
  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer <-Important.
  • Download from HERE and run the utility.
  • It will ask to restart your computer (please allow it to).

Next,
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to the desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Posted Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop.
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply

Next,
Checklist.
Please post.
  • Content of MBAM log
  • Content of tdsskiller.txt


#14 ken2010 (New Member; Members; 15 posts)

Posted 14 April 2010 - 08:48 PM

Hi - I was able to complete all of the tasks -

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3985

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/13/2010 10:35:23 PM
mbam-log-2010-04-13 (22-35-23).txt

Scan type: Full scan (C:\|)
Objects scanned: 180966
Time elapsed: 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



*******************************************

21:46:16:852 1136 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:46:16:852 1136 ================================================================================
21:46:16:852 1136 SystemInfo:

21:46:16:852 1136 OS Version: 5.1.2600 ServicePack: 2.0
21:46:16:852 1136 Product type: Workstation
21:46:16:852 1136 ComputerName: ANGEL-BD3F088EE
21:46:16:852 1136 UserName: Angel
21:46:16:852 1136 Windows directory: C:\WINDOWS
21:46:16:852 1136 Processor architecture: Intel x86
21:46:16:852 1136 Number of processors: 1
21:46:16:852 1136 Page size: 0x1000
21:46:16:852 1136 Boot type: Normal boot
21:46:16:852 1136 ================================================================================
21:46:16:862 1136 UnloadDriverW: NtUnloadDriver error 2
21:46:16:862 1136 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:46:16:912 1136 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:46:16:912 1136 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:46:16:912 1136 wfopen_ex: Trying to KLMD file open
21:46:16:912 1136 wfopen_ex: File opened ok (Flags 2)
21:46:16:912 1136 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:46:16:912 1136 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:46:16:912 1136 wfopen_ex: Trying to KLMD file open
21:46:16:912 1136 wfopen_ex: File opened ok (Flags 2)
21:46:16:912 1136 Initialize success
21:46:16:912 1136
21:46:16:912 1136 Scanning Services ...
21:46:17:623 1136 Raw services enum returned 326 services
21:46:17:643 1136
21:46:17:643 1136 Scanning Kernel memory ...
21:46:17:643 1136 Devices to scan: 2
21:46:17:643 1136
21:46:17:643 1136 Driver Name: Disk
21:46:17:643 1136 IRP_MJ_CREATE : F754DC30
21:46:17:643 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:643 1136 IRP_MJ_CLOSE : F754DC30
21:46:17:643 1136 IRP_MJ_READ : F7547D9B
21:46:17:643 1136 IRP_MJ_WRITE : F7547D9B
21:46:17:643 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_EA : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_EA : 804FB8EE
21:46:17:643 1136 IRP_MJ_FLUSH_BUFFERS : F7548366
21:46:17:643 1136 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_DEVICE_CONTROL : F754844D
21:46:17:643 1136 IRP_MJ_INTERNAL_DEVICE_CONTROL : F754BFC3
21:46:17:643 1136 IRP_MJ_SHUTDOWN : F7548366
21:46:17:643 1136 IRP_MJ_LOCK_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_CLEANUP : 804FB8EE
21:46:17:643 1136 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_SECURITY : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_SECURITY : 804FB8EE
21:46:17:643 1136 IRP_MJ_POWER : F7549EF3
21:46:17:643 1136 IRP_MJ_SYSTEM_CONTROL : F754EA24
21:46:17:643 1136 IRP_MJ_DEVICE_CHANGE : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_QUOTA : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_QUOTA : 804FB8EE
21:46:17:663 1136 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:46:17:663 1136
21:46:17:663 1136 Driver Name: atapi
21:46:17:663 1136 IRP_MJ_CREATE : F7416572
21:46:17:663 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:663 1136 IRP_MJ_CLOSE : F7416572
21:46:17:663 1136 IRP_MJ_READ : 804FB8EE
21:46:17:663 1136 IRP_MJ_WRITE : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_EA : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_EA : 804FB8EE
21:46:17:663 1136 IRP_MJ_FLUSH_BUFFERS : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_DEVICE_CONTROL : F7416592
21:46:17:663 1136 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74127B4
21:46:17:663 1136 IRP_MJ_SHUTDOWN : 804FB8EE
21:46:17:663 1136 IRP_MJ_LOCK_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_CLEANUP : 804FB8EE
21:46:17:663 1136 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_SECURITY : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_SECURITY : 804FB8EE
21:46:17:663 1136 IRP_MJ_POWER : F74165BC
21:46:17:663 1136 IRP_MJ_SYSTEM_CONTROL : F741D164
21:46:17:663 1136 IRP_MJ_DEVICE_CHANGE : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_QUOTA : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_QUOTA : 804FB8EE
21:46:17:683 1136 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
21:46:17:683 1136
21:46:17:683 1136 Completed
21:46:17:683 1136
21:46:17:683 1136 Results:
21:46:17:683 1136 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136
21:46:17:683 1136 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:46:17:683 1136 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:46:17:693 1136 KLMD(ARK) unloaded successfully
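The TDSSKiller log above records, for each driver object on the disk stack, the kernel address of every IRP major-function handler and then a verdict per driver image. A helper reading such logs by hand looks for a handler that does not belong with the rest of the table. The Python below is an added example (not TDSSKiller's code and not from the thread) that parses this layout and applies that check: the single most frequent address is treated as the shared kernel default (804FB8EE in the posted log for both disk and atapi), and any remaining handler more than 1 MiB away from the driver's own handler cluster is reported. The sample log is constructed: the atapi lines are copied from the post, while the "example" driver and its out-of-range IRP_MJ_READ address are hypothetical. The "most frequent address is the default" rule and the 1 MiB window are simplifying assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the TDSSKiller 2.2.x log layout from the thread
# ("HH:MM:SS:mmm pid message"). The atapi lines are copied from the posted log;
# the "example" driver is hypothetical, with one handler far from its siblings.
SAMPLE_LOG = r"""
21:46:17:663 1136 Driver Name: atapi
21:46:17:663 1136 IRP_MJ_CREATE : F7416572
21:46:17:663 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:663 1136 IRP_MJ_CLOSE : F7416572
21:46:17:663 1136 IRP_MJ_READ : 804FB8EE
21:46:17:663 1136 IRP_MJ_WRITE : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_DEVICE_CONTROL : F7416592
21:46:17:663 1136 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74127B4
21:46:17:663 1136 IRP_MJ_POWER : F74165BC
21:46:17:663 1136 IRP_MJ_SYSTEM_CONTROL : F741D164
21:46:17:683 1136 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
21:46:17:683 1136
21:46:17:683 1136 Driver Name: example
21:46:17:683 1136 IRP_MJ_CREATE : F7300000
21:46:17:683 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:683 1136 IRP_MJ_CLOSE : F7300000
21:46:17:683 1136 IRP_MJ_READ : 81F2A000
21:46:17:683 1136 IRP_MJ_WRITE : 804FB8EE
21:46:17:683 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:683 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:683 1136 IRP_MJ_DEVICE_CONTROL : F7300120
21:46:17:683 1136 C:\WINDOWS\system32\DRIVERS\example.sys - Verdict: 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+\.sys)\s+-\s+Verdict:\s+(\d+)$")


def parse_tdsskiller_log(text):
    """Return one record per 'Driver Name:' block: name, handler table, image path, verdict."""
    drivers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner or separator lines without the timestamp prefix
        msg = m.group(1).strip()
        if msg.startswith("Driver Name:"):
            current = {"name": msg.split(":", 1)[1].strip(),
                       "handlers": {}, "path": None, "verdict": None}
            drivers.append(current)
        elif current is not None:
            im = IRP_RE.match(msg)
            vm = VERDICT_RE.match(msg)
            if im:
                current["handlers"][im.group(1)] = int(im.group(2), 16)
            elif vm:
                current["path"], current["verdict"] = vm.group(1), int(vm.group(2))
    return drivers


def find_outlying_handlers(driver, window=0x100000):
    """Flag handlers that are neither the shared default (assumption: the single most
    frequent address in the table, which the posted log shows as 804FB8EE for every
    major function the driver does not implement itself) nor within `window` bytes
    of the driver's own handler cluster (the median of the remaining addresses).
    Both the 'most frequent == default' rule and the 1 MiB window are simplifying
    assumptions of this example, not TDSSKiller's own logic."""
    addrs = list(driver["handlers"].values())
    if len(addrs) < 3:
        return {}
    default, _ = Counter(addrs).most_common(1)[0]
    own = sorted(a for a in addrs if a != default)
    if not own:
        return {}
    anchor = own[len(own) // 2]
    return {irp: addr for irp, addr in driver["handlers"].items()
            if addr != default and abs(addr - anchor) > window}


def triage(text, window=0x100000):
    """Map each driver name to its suspicious handlers; an empty dict means nothing stood out."""
    return {d["name"]: find_outlying_handlers(d, window) for d in parse_tdsskiller_log(text)}


if __name__ == "__main__":
    for name, odd in triage(SAMPLE_LOG).items():
        status = "ok" if not odd else ", ".join(f"{k}=0x{v:08X}" for k, v in odd.items())
        print(f"{name}: {status}")
```

Run against the constructed sample, atapi comes back clean while the hypothetical driver's IRP_MJ_READ handler is reported; on a real log, a hit only means "look at this driver with a tool that can resolve the address to a module", which is exactly the follow-up the verdict line is meant to prompt.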

#15 xixo_12 (Advanced Member; Trusted Advisors; 140 posts; Gender: Male; Location: Malaysia)

Posted 14 April 2010 - 10:55 PM

Hi,
Try this.

First,
DDS by sUBs.
Please download from HERE and save to the desktop.
Note : Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr to run it and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • Follow the instructions that appear on How to post the logs
    Note : Please save the logs on your desktop.

Next,
Checklist.
Please post.
  • Content of DDS.txt and Attach.txt


#16 ken2010 (New Member; Members; 15 posts)

Posted 16 April 2010 - 01:58 PM

Hi Again -

Here are the contents of the DDS.txt. I am attaching the attach.txt via a zip file as requested.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 14:53:53.47 on Fri 04/16/2010
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NCLaunch] c:\windows\NCLAUNCH.EXe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\angel\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175878324527
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-13 22:53:59 0 d-----w- C:\GMER
2010-04-12 15:39:50 0 d-----w- c:\docume~1\angel\applic~1\Malwarebytes
2010-04-12 13:58:09 0 d-----w- c:\windows\system32\appmgmt
2010-04-12 13:11:37 98816 ----a-w- c:\windows\sed.exe
2010-04-12 13:11:37 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 13:11:37 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 13:11:37 161792 ----a-w- c:\windows\SWREG.exe
2010-04-05 17:44:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 17:44:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-05 17:27:37 0 d-----w- c:\program files\catchmal
2010-04-05 16:36:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 16:15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 16:15:49 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 16:15:49 0 d-----w- c:\program files\catch
2010-04-05 16:15:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-12 12:04:22 15614 ----a-w- c:\program files\common files\facymyni.db
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19:55 2181376 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-10-01 02:04:55 19642 ----a-w- c:\program files\common files\qopenycys.com
2009-10-01 02:04:55 11972 ----a-w- c:\program files\common files\sylymo.lib
2007-06-21 22:45:31 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 14:54:47.19 ===============

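The DDS log above is what a helper triages next: the "Pseudo HJT Report" lists browser add-ons and autoruns, and the "Created Last 30" and "Find3M" sections list recently created or modified files, which is where the odd Common Files entries the helper had already sent to Jotti in post #11 show up again. The Python below is an added example, not part of DDS or of the thread, that parses those sections, pulls out BHO/toolbar CLSIDs that resolve to "No File" (orphaned registrations left behind after removal), collects the Run entries, and cross-checks the file sections against a watchlist. The sample log is a constructed excerpt of the posted one, and the watchlist is the three paths from post #11.

```python
import re

# Constructed excerpt in the DDS (Ver_10-03-17.01) layout: a handful of lines
# copied from the log posted above, trimmed so the sample stays short.
SAMPLE_DDS = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 14:53:53.47 on Fri 04/16/2010

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

=============== Created Last 30 ================

2010-04-13 22:53:59 0 d-----w- C:\GMER
2010-04-12 13:11:37 77312 ----a-w- c:\windows\MBR.exe

==================== Find3M ====================

2010-04-12 12:04:22 15614 ----a-w- c:\program files\common files\facymyni.db
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2009-10-01 02:04:55 19642 ----a-w- c:\program files\common files\qopenycys.com

============= FINISH: 14:54:47.19 ===============
"""

# The three Common Files paths the helper submitted to Jotti in post #11,
# used here as a watchlist against the file sections of the log.
WATCHLIST = [
    r"c:\program files\Common Files\facymyni.db",
    r"c:\program files\Common Files\qopenycys.com",
    r"c:\program files\Common Files\sylymo.lib",
]

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CLSID_RE = re.compile(r"^(BHO|TB):\s*(?:(.*?):\s*)?(\{[0-9A-Fa-f-]{36}\})\s*-\s*(.*)$")
RUN_RE = re.compile(r"^([umd]Run):\s*\[([^\]]+)\]\s*(.*)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.*)$")


def parse_dds(text):
    """Walk the log section by section and return orphaned CLSIDs, autoruns and file records."""
    result = {"orphans": [], "autoruns": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1)  # e.g. "Pseudo HJT Report", "Find3M"
            continue
        if section == "Pseudo HJT Report":
            cm = CLSID_RE.match(line)
            if cm:
                kind, _name, clsid, target = cm.groups()
                if target.strip() == "No File":
                    result["orphans"].append((kind, clsid))
                continue
            rm = RUN_RE.match(line)
            if rm:
                result["autoruns"].append(rm.groups())  # (hive prefix, value name, command)
        elif section in ("Created Last 30", "Find3M"):
            fm = FILE_RE.match(line)
            if fm:
                stamp, size, attrs, path = fm.groups()
                result["files"].append({"section": section, "stamp": stamp,
                                        "size": int(size), "attrs": attrs, "path": path})
    return result


def watchlist_hits(parsed, watchlist):
    """File records whose path matches a watchlist entry (case-insensitive, like NTFS paths)."""
    wanted = {p.lower() for p in watchlist}
    return [f for f in parsed["files"] if f["path"].lower() in wanted]


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    for kind, clsid in parsed["orphans"]:
        print(f"orphaned {kind} registration: {clsid}")
    for hive, name, cmd in parsed["autoruns"]:
        print(f"{hive} [{name}] -> {cmd}")
    for hit in watchlist_hits(parsed, WATCHLIST):
        print(f"watchlist hit in {hit['section']}: {hit['path']} ({hit['size']} bytes, {hit['stamp']})")
```

The orphaned entries (here one BHO and one toolbar CLSID with "No File") are what the later OTL step on the page would be used to clean up, and the watchlist hits show that two of the three files submitted to Jotti are still present in Common Files after the MBAM and TDSSKiller runs, which is the kind of leftover a helper checks for before declaring a system clean.
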
#17 xixo_12 (Advanced Member; Trusted Advisors; 140 posts; Gender: Male; Location: Malaysia)

Posted 16 April 2010 - 07:14 PM

Hi,
Let's proceed.

First,
Uninstall Combofix
  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

Next,
ComboFix
Please have a look properly. I'm asking you to save it with the .exe extension. Previously we dealt with the .com extension. Please connect to the network, as we will be installing the Recovery Console.

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe <<Please have a look at the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
OTL by Old Timer
Please download from HERE and save to the Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Next,
Checklist.
Please post.
  • Content of ComboFix.txt
  • Content of OTListIt.txt and Extra.txt
  • Please post if you still have any visible problem

Honors Graduate of Malware Removal University
Member of ASAP and UNITE

#18 xixo_12

xixo_12

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 140 posts
  • Gender:Male
  • Location:Malaysia

Posted 18 April 2010 - 05:02 PM

Hello :),

Reminder.
It's 48 hours since my last reply.
Please let me know if you have any problems understanding my instructions or if you need extra time.
In order to maintain our policy,
you have the next 24 hours to reply to this topic, otherwise it will be closed as inactive.

Regards,
xixo_12
Honors Graduate of Malware Removal University
Member of ASAP and UNITE

#19 ken2010

ken2010

    New Member

  • Members
  • Pip
  • 15 posts

Posted 19 April 2010 - 07:01 AM

Hello :),

Reminder.
It's 48 hours since my last reply.
Please let me know if you have any problems understanding my instructions or if you need extra time.
In order to maintain our policy,
you have the next 24 hours to reply to this topic, otherwise it will be closed as inactive.

Regards,
xixo_12


Hi - I need some extra time. I will respond this evening with the results.

#20 xixo_12

xixo_12

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 140 posts
  • Gender:Male
  • Location:Malaysia

Posted 19 April 2010 - 07:03 AM

Ok noted! :)
Honors Graduate of Malware Removal University
Member of ASAP and UNITE




