Browser Redirect Malware/Virus (Rootkit?)


  • This topic is locked
69 replies to this topic

#1 Chatt

  • Members
  • 37 posts

Posted 10 August 2011 - 11:33 PM

I think I picked up a browser redirect virus or rootkit while visiting www.crossfitfootball.com. TrendMicro and the Windows Vista firewall detected it, and I tried to exit the browser (Firefox), but I kept getting a pop-up claiming that I was trying to open the task manager, which I was not doing. I couldn't escape out of it, but after selecting "cancel" enough the window went away. Now, any search engine I have tried (Google and Yahoo) on either Firefox or IE redirects me to spam sites.

I tried running a TrendMicro scan, but it locked up and never went anywhere. I tried running a MalwareBytes scan too. Although MalwareBytes came up at first, it closed out after about 10 seconds and now says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the file."

I have followed the instructions for this site in the preparation guide, and my DDS logs are posted/attached below. I could not get gmer to work with either of the links provided. It seemed to download and install just fine, but it closed itself out after 10 seconds or so (just like MalwareBytes) and now tells me I do not have permission to re-open.

I'm grateful for any help you can provide.


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Run by Owner at 22:57:42 on 2011-08-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.952 [GMT -5:00]
.
AV: Trend Micro AntiVirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\1328167361:1053218224.exe
C:\Program Files\VMware\VMware View\Client\bin\wswc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\rundll32.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://remote.balch.com/?page=launch.jsp
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080610
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Browser Address Error Redirector - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [OEM02Mon.exe] "c:\windows\OEM02Mon.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1
mRun: [SigmatelSysTrayApp] "c:\program files\sigmatel\c-major audio\wdm\sttray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NetFxUpdate_v1.1.4322] "c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\owner\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mri_di~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mri_di~1\quickset.lnk - c:\program files\dell\quickset\quickset.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://remote.balch.com/downloads/VMware-viewclient.cab
TCP: DhcpNameServer = 205.152.37.23 205.152.132.23
TCP: Interfaces\{3003A203-A403-4FC7-873F-EB6C58886834} : DhcpNameServer = 205.152.37.23 205.152.132.23
TCP: Interfaces\{47E221F9-0513-40B6-A221-5688F18ED48D} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{DDF4C051-F7E0-4CF7-9655-D37F645C5520} : DhcpNameServer = 4.2.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\h992hx05.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-10 111616]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-9 39272]
.
=============== Created Last 30 ================
.
2011-08-09 11:58:55 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f2a06d61-cccc-4961-88d7-99f654507dc6}\mpengine.dll
2011-07-27 10:34:58 -------- d-----w- c:\program files\iPod
2011-07-27 10:34:56 -------- d-----w- c:\program files\iTunes
2011-07-27 10:31:13 -------- d-----w- c:\program files\Bonjour
2011-07-14 01:21:51 -------- d-----w- c:\programdata\nH03700DgNdH03700
2011-07-12 23:31:35 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-12 23:31:29 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-12 23:31:29 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
.
==================== Find3M ====================
.
2011-06-19 20:27:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:58:51.06 ===============
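The process list above includes C:\Windows\1328167361:1053218224.exe, a path in NTFS alternate-data-stream form (a second colon after the drive letter), alongside several BHO and toolbar entries marked "No File"; both are the kind of line a responder singles out in a DDS report. The Python script below is an added example, not part of this thread or of the DDS tool: it splits a report into its sections and flags exactly those two patterns, using a constructed excerpt of the log above as input.

```python
"""Triage a DDS log for the indicators visible in this thread (added example)."""
import re
from typing import Dict, List

# A DDS section header looks like '============== Running Processes ==============='.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Drive letter and path, then a second ':' introducing an NTFS alternate data stream,
# e.g. C:\Windows\1328167361:1053218224.exe (a normal path has only the drive colon).
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:\r\n]*:[^\\:\r\n]+$")

# Constructed excerpt of the DDS log posted above (not a complete report).
SAMPLE_LOG = """\
DDS (Ver_2011-06-23.01) - NTFSx86
.
============== Running Processes ===============
.
C:\\Windows\\system32\\wininit.exe
C:\\Windows\\system32\\svchost.exe -k DcomLaunch
C:\\Windows\\1328167361:1053218224.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://remote.balch.com/?page=launch.jsp
BHO: MRI_DISABLED - No File
BHO: Browser Address Error Redirector - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
.
============= FINISH: 22:58:51.06 ===============
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each section name to the non-empty lines beneath its header.

    DDS pads sections with lone '.' lines; those are dropped. Lines before
    the first header land under the key 'preamble'.
    """
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def find_ads_processes(processes: List[str]) -> List[str]:
    """Return process paths written in alternate-data-stream form."""
    return [p for p in processes if ADS_RE.match(p)]


def find_orphaned_hjt_entries(hjt_lines: List[str]) -> List[str]:
    """Return BHO/toolbar (TB) entries whose referenced file is gone ('No File')."""
    return [
        line for line in hjt_lines
        if line.split(":", 1)[0] in ("BHO", "TB") and line.endswith("No File")
    ]


def triage(text: str) -> Dict[str, List[str]]:
    """Run both checks over a DDS report and return the hits per check."""
    sections = split_sections(text)
    return {
        "ads_processes": find_ads_processes(sections.get("Running Processes", [])),
        "orphaned_hjt": find_orphaned_hjt_entries(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Point `triage()` at the full text of a saved DDS.txt to run the same checks on a real report; an ADS hit in the process list is worth confirming with a second tool before acting on it.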



#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,700 posts

Posted 12 August 2011 - 09:25 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download aswMBR.exe (511KB) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [Donate].


#3 Chatt

  • Topic Starter

Posted 13 August 2011 - 02:24 PM

Hello and thank you for your help. I downloaded the program to my desktop and began running it. The first thing it asked was to update its definitions, which I did. It completed that update and I initiated the scan. Early on, the scan identified some form of malicious software, shown in red text in the log (I didn't catch what it was at the time), but the scan was continuing on so I let it run. I stepped away from the computer for a moment while it was scanning and, when I returned, the aswMBR window had disappeared. I tried to start it again by double-clicking on the desktop icon, but it won't work. I get a window that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This is the exact same way MalwareBytes acted when I tried to run it before I came here for help.

I tried two more times by downloading the aswMBR software anew. Each time, it let me save to the desktop and allowed me to initiate a scan. The second time, I was able to see that the item it identified in red was called "win32:sire fef-f [DRP]". I wasn't able to get the complete file path before it once again shut down. I got the same "permission" window when I tried to start the program again. The last time I tried it, I got the same thing, but it also identified one more item in red text. Didn't catch all of it, but it had "audio" somewhere in the filepath.

So, I do not have a log to attach to this message.

#4 RPMcMurphy

Posted 13 August 2011 - 03:14 PM

Chatt:

Please give this a try:

Please download Rootkit Unhooker and save it on your desktop.
  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
  • RootkitUnhooker log



#5 Chatt

  • Topic Starter

Posted 13 August 2011 - 10:12 PM

Unfortunately, I get the same result. It started scanning (took a long time) but eventually disappeared and when I try to open it again, I get a window that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

#6 RPMcMurphy

Posted 13 August 2011 - 10:30 PM

Chatt:

OK, let's do this now:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log



#7 Chatt

  • Topic Starter

Posted 14 August 2011 - 02:46 PM

I downloaded it and turned off Windows Defender, which is the only protection that seems to be working anymore. (As I mentioned above, MalwareBytes gives me the "no permission" prompt, and TrendMicro is totally non-responsive.) I also disabled my internet connection while defender was turned off.

When I ran ComboFix, it opened a small black window that said "scanning for infected files" and had a message saying it typically doesn't take more than 10 minutes, but may be slower if there is an infection. Then after about 30 seconds the screen said "access is denied" about 5 or 6 times in succession, and then it didn't do anything for about an hour. I closed the window and haven't tried it again, per your instructions. So, no ComboFix log.

I re-enabled windows defender before turning my internet connection back on. I'm awaiting your further instructions, and I thank you for your patience.

#8 RPMcMurphy

Posted 14 August 2011 - 03:14 PM

Chatt:

Run this tool, then try ComboFix again:

Please download ExeFix.scr by Farbar and save it to a flashdrive or on the root of the system drive (usually C:).
  • Important: Boot your computer into the account that has trouble running exe files.
  • Run the tool.
  • The tool notifies you within a fraction of a second to reboot the computer, please do so.
  • Please tell me if you are now able to run programs.
Note: If the tool did not run, you may change the extension to .com, .bat, .cmd or .pif.
Also note that in order for the fix to work you need to be booted into the user account that has trouble running exe files.

Please include the following in your next post:
  • ComboFix log



#9 Chatt

  • Topic Starter

Posted 14 August 2011 - 07:19 PM

Still no joy. I do not think the ExeFix could get through either. I tried both saving it to a flash drive, and saving it to the C: drive. Nothing happened at all with the .scr, .com, or .pif extensions. When I tried the .bat and .cmd extensions it appeared to briefly open a small window, but it immediately closed, within half a second or so. I couldn't see what was in the window. Just in case, I rebooted the computer, since you said it might prompt me to do that. Still nothing happened when I clicked on the ExeFix icon. To be sure, I went ahead and tried to run ComboFix (not being sure whether the ExeFix did anything). I got the same result as before ("access denied" printed 7 times on the screen and no further action).

Thank you for your patience, and please forgive the length of time for me to respond to your suggestions. Doing the best I can under the circumstances.

#10 RPMcMurphy

Posted 14 August 2011 - 08:00 PM

Chatt:

Please give this a shot:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • TDSSKiller log



#11 Chatt

  • Topic Starter

Posted 14 August 2011 - 08:46 PM

Same thing again. I extracted it to the desktop, opened TDSSKiller and it began to run. About 4 seconds into the scan, it abruptly closed. When I tried to open it again, I get that same prompt saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Am I doing something wrong here, or is this virus (or whatever it is) actually disabling all these tools?

#12 RPMcMurphy

Posted 14 August 2011 - 08:52 PM

Chatt:

It's the infection (you have a nasty rootkit). Please run this for me:

We need to scan the system with this special tool.
  • Step One
  • Please download Junction.zip and save it to your desktop.
  • Unzip it and extract junction.exe to your C:\ drive.
  • Step Two
  • Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

    @ECHO OFF
    REM Work from the root of the system drive, where junction.exe was extracted
    cd c:\
    REM List every junction (reparse point) under C:\, recursing into subdirectories (-s), into log.txt
    junction -s c:\>log.txt
    REM Open the report in the default text editor
    start log.txt
    REM Remove this batch file once it has run
    del %0
  • Save it to your desktop as File name: junc.bat
    Save as type: All Files
  • Step Three
  • Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.



#13 Chatt

  • Topic Starter

Posted 14 August 2011 - 09:09 PM

OK, I think I did everything as instructed, but when I clicked on the junc.bat file I created, I get a window titled log.txt that states "Windows cannot find 'log.txt'. Make sure you typed the name correctly, and then try again."

Was I supposed to do anything with the junction.exe file, other than save it to the c: drive?

#14 RPMcMurphy

Posted 14 August 2011 - 09:14 PM

Chatt:

Looks like you did everything right. Let's try a different approach:

First, you must verify that you can access the Vista Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Vista installation DVD and restart, then press any key when prompted to boot from the disc.
At the Install Windows screen, select Repair your computer. (image below)

[screenshot]

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.

[screenshot]

Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below


[screenshot]

At the C:\Windows> prompt type the following command then hit Enter

look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.



#15 Chatt

  • Topic Starter

Posted 14 August 2011 - 09:45 PM

OK, something worked, at least sort of...

I went through the entire drill, but the log generated at the end said:

Run from C:\Users\Owner\Desktop\maxlook.exe on Sun 08/14/2011 at 21:37:48.66

No infected file found



A couple of observations though:

(1) When I first ran maxlook, it said something to the effect that I may need to do the d: drive because that is where the recovery information is located. But, the place you said to look indicated the c: drive, so that is what I used in the command prompt.

(2) When I was restarting the computer in the recovery environment, it asked me to select a user. The only one I have ever set up is defaulted to "Owner", but it was also giving me the option to select "aspnet", which I have never seen or heard of.

No idea if either of these are helpful, but they stuck out to me...

Edited by Chatt, 14 August 2011 - 09:46 PM.