Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus2008? Already ran Combofix


  • Please log in to reply
1 reply to this topic

#1 CatalystSwitch

CatalystSwitch

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 28 December 2008 - 03:34 AM

Initially, Symantec, Malwarebyte's, and Spybot were unable to update and their respective sites were blocked. I uploaded ComboFix under safe mode and followed the instructions on the site. It skipped the 3 steps before scanning that have to do with the recovery console, then after scanning it rebooted windows. After windows restarted, I was able to update my virus definitions and go to those sites. The instructions say to post the log report still, so here it is.

EDIT:
After following some more advice on fixes that may not be malware related, I find I cannot run msconfig
Windows cannot find 'msconfig'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search.

Sorry, I really have no clue what to do.

Attached Files

  • Attached File  log.txt   18.28KB   26 downloads

Edited by CatalystSwitch, 28 December 2008 - 03:57 AM.


BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:29 AM

Posted 08 January 2009 - 01:19 AM

Hello CatalystSwitch .

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member CatalystSwitch only. If you are a lurker, do NOT try this on your system!
If you are not CatalystSwitch and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Posted Image Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=

You have to turn off Tea Timer, otherwise any changes we make while cleaning the system will have not effect.
If you do not understand Tea Timer's function, keep it off permanently (and definitely off while we clean).
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
=

Using Bit torrents obviously got you infected. Spywareguard (NOT the one by Javacool) malware is one of the current pests.
If you have any Bit torrent or other Peer-to-peer filesharing, de-install it now; before we get further down the road.
I do note this has Azureus and LimeWire, so please de-install those before we get started.

Downloading from unknown sources is one of the leading causes of transmission of malware.
"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live....licies.exe
  • ]
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.


Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\senekaulrmukoe.sys
    c:\windows\system32\ivfohh.dll
    c:\windows\Tasks\vknbigzs.job
    
    Drivers to delete:
    seneka
    seneka.sys
    senekaulrmukoe.sys
    senekaulrmukoe
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
    
    Folders to delete:
    C:\resycled
    D:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    h:\resycled
  • In the avenger window, click the Paste Script from Clipboard icon, Posted Image button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1629 or later.

When done, click the Scanner tab.
Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.
=
Using Internet Explorer browser only, go to ESET Online Scanner website:
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
[url="http://www.eset.com/onlinescan/cac4.php?page=faq"]http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=

Reply with copies of the C:\Avenger.txt,
the MBAM log,
and the Eset log.
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users