
Can't run antimalware (MWAW, HJT, DDS.scr, etc.)


88 replies to this topic

#1 stainlesswonder


Posted 31 August 2009 - 09:48 PM

Hi there,

I'm posting a new topic per direction from the "Am I Infected?" Forum.


Previous topic is here.



Attached is my log from Sophos. I still cannot get DDS to run properly (the output is miscellaneous symbols, etc.)


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/30/2009 at 23:35:18
User "Ted Reyes" on computer "SPEEDRACER"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Hidden: registry item \HKEY_LOCAL_MACHINE\SECURITY
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE
Hidden: registry item \HKEY_USERS\.DEFAULT
Hidden: registry item \HKEY_USERS\S-1-5-18
Hidden: registry item \HKEY_USERS\S-1-5-18_Classes
Hidden: registry item \HKEY_USERS\S-1-5-19
Hidden: registry item \HKEY_USERS\S-1-5-19_Classes
Hidden: registry item \HKEY_USERS\S-1-5-20
Hidden: registry item \HKEY_USERS\S-1-5-20_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1006
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1006_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1007
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1007_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1008
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1008_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1009
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-1009_Classes
Hidden: registry item \HKEY_USERS\s-1-5-21-851143220-957812901-1160967621-500_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-501
Hidden: registry item \HKEY_USERS\S-1-5-21-851143220-957812901-1160967621-501_Classes
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\SYSTEM32\logqpreg.dll
Hidden: file C:\WINDOWS\SYSTEM32\timevsrv.tpr
Hidden: file C:\WINDOWS\SYSTEM32\DUMPREP.EXE
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\Documents and Settings\Ted Reyes\Desktop\RSIT.exe
Hidden: file C:\Program Files\tools\Spybot - Search & Destroy\SpybotSD.exe
Hidden: file C:\WINDOWS\SYSTEM32\DRIVERS\glaide32.sys
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mb.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mb2.exe
Hidden: file C:\RECYCLER\NPROTECT\00018570.
Hidden: file C:\RECYCLER\NPROTECT\00018464.
Hidden: file C:\RECYCLER\NPROTECT\00018456.
Hidden: file C:\RECYCLER\NPROTECT\00018457.
Hidden: file C:\RECYCLER\NPROTECT\00018468.
Hidden: file C:\RECYCLER\NPROTECT\00018467.
Hidden: file C:\RECYCLER\NPROTECT\00018463.
Hidden: file C:\RECYCLER\NPROTECT\00018233.
Hidden: file C:\RECYCLER\NPROTECT\00018231.
Hidden: file C:\RECYCLER\NPROTECT\00017939.
Hidden: file C:\RECYCLER\NPROTECT\00018220.
Hidden: file C:\RECYCLER\NPROTECT\00018230.
Hidden: file C:\RECYCLER\NPROTECT\00017940.
Hidden: file C:\RECYCLER\NPROTECT\00016789.
Hidden: file C:\RECYCLER\NPROTECT\00016800.
Hidden: file C:\RECYCLER\NPROTECT\00018402.
Hidden: file C:\RECYCLER\NPROTECT\00018210.
Hidden: file C:\RECYCLER\NPROTECT\00018218.
Hidden: file C:\RECYCLER\NPROTECT\00018219.
Hidden: file C:\RECYCLER\NPROTECT\00018211.
Hidden: file C:\RECYCLER\NPROTECT\00018458.
Hidden: file C:\RECYCLER\NPROTECT\00018459.
Hidden: file C:\RECYCLER\NPROTECT\00018460.
Hidden: file C:\RECYCLER\NPROTECT\00018461.
Hidden: file C:\RECYCLER\NPROTECT\00018462.
Hidden: file C:\RECYCLER\NPROTECT\00018465.
Hidden: file C:\RECYCLER\NPROTECT\00018466.
Hidden: file C:\RECYCLER\NPROTECT\00017946.
Hidden: file C:\RECYCLER\NPROTECT\00017909.
Hidden: file C:\RECYCLER\NPROTECT\00017534.
Hidden: file C:\RECYCLER\NPROTECT\00017537.
Hidden: file C:\RECYCLER\NPROTECT\00017539.
Hidden: file C:\RECYCLER\NPROTECT\00016362.
Hidden: file C:\RECYCLER\NPROTECT\00043453.
Hidden: file C:\RECYCLER\NPROTECT\00017687.
Hidden: file C:\RECYCLER\NPROTECT\00017685.
Hidden: file C:\RECYCLER\NPROTECT\00017686.
Hidden: file C:\Program Files\Symantec AntiVirus\VPC32.exe
Hidden: file C:\Documents and Settings\Ted Reyes\Desktop\RootRepeal.exe
Hidden: file C:\RECYCLER\NPROTECT\00043470.
Hidden: file C:\RECYCLER\NPROTECT\00043471.
Hidden: file C:\RECYCLER\NPROTECT\00043472.
Hidden: file C:\RECYCLER\NPROTECT\00043473.
Hidden: file C:\RECYCLER\NPROTECT\00043474.
Hidden: file C:\RECYCLER\NPROTECT\00043477.
Hidden: file C:\RECYCLER\NPROTECT\00043478.
Hidden: file C:\RECYCLER\NPROTECT\00043484.
Hidden: file C:\RECYCLER\NPROTECT\00043428.
Hidden: file C:\RECYCLER\NPROTECT\00043308.
Hidden: file C:\RECYCLER\NPROTECT\00043131.
Hidden: file C:\RECYCLER\NPROTECT\00043132.
Hidden: file C:\RECYCLER\NPROTECT\00043133.
Hidden: file C:\RECYCLER\NPROTECT\00043134.
Hidden: file C:\RECYCLER\NPROTECT\00043135.
Hidden: file C:\RECYCLER\NPROTECT\00043136.
Hidden: file C:\RECYCLER\NPROTECT\00043137.
Hidden: file C:\RECYCLER\NPROTECT\00043139.
Hidden: file C:\RECYCLER\NPROTECT\00043138.
Hidden: file C:\RECYCLER\NPROTECT\00043063.
Hidden: file C:\RECYCLER\NPROTECT\00043095.
Hidden: file C:\RECYCLER\NPROTECT\00016745.
Hidden: file C:\RECYCLER\NPROTECT\00043045.
Hidden: file C:\RECYCLER\NPROTECT\00016388.
Hidden: file C:\RECYCLER\NPROTECT\00016376.
Hidden: file C:\RECYCLER\NPROTECT\00016597.
Hidden: file C:\RECYCLER\NPROTECT\00016608.
Hidden: file C:\RECYCLER\NPROTECT\00016598.
Hidden: file C:\RECYCLER\NPROTECT\00016615.
Hidden: file C:\RECYCLER\NPROTECT\00016616.
Hidden: file C:\RECYCLER\NPROTECT\00016626.
Hidden: file C:\RECYCLER\NPROTECT\00016667.
Hidden: file C:\RECYCLER\NPROTECT\00019296.
Hidden: file C:\RECYCLER\NPROTECT\00016659.
Hidden: file C:\RECYCLER\NPROTECT\00019297.
Hidden: file C:\RECYCLER\NPROTECT\00018571.
Hidden: file C:\RECYCLER\NPROTECT\00016629.
Hidden: file C:\RECYCLER\NPROTECT\00016643.
Hidden: file C:\RECYCLER\NPROTECT\00016634.
Hidden: file C:\RECYCLER\NPROTECT\00043293.
Hidden: file C:\WINDOWS\SYSTEM32\DRIVERS\ntfs.sys
Hidden: file C:\WINDOWS\SYSTEM32\eventlog.dll
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
Hidden: file C:\WINDOWS\SYSTEM32\DRIVERS\e24db1ad.sys
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Stopped logging on 8/31/2009 at 00:53:42


#2 stainlesswonder


Posted 04 September 2009 - 11:31 PM

Hello there. 7 days with no reply. Is this typical?

#3 Maurice Naggar

  • Malware Response Team

Posted 12 September 2009 - 12:12 PM

Hello stainlesswonder.

The forum is extremely busy. Your patience is appreciated. If you have resolved your issues, please let me know right away.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not stainlesswonder and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Next, Download and Save to the DESKTOP Win32kDiag from any of the following locations.
Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

=
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then Right-click the file within: Fix_Policies.cmd and select Run As Administrator.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=


(With much thanks to Tetonbob at TSF, whose methods & verbiage I'm using here).

Download this tool and save it directly to your desktop (not a folder on the desktop); the commands are tailored for the desktop location.

Click Start>Run and
Copy then Paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"


Repeat for these files, or simply find the files and drag/drop them onto inherit.exe. For any other files where you get an access denied message, you can do the same.

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\system32\wbem\wmiprvse.exe"

=

Give MBAM a try for a quick scan.


Run DDS.

Please reply with copy of the MBAM scan log and
copy of DDS.txt and Attach.txt

Please Copy and Paste contents of logs In-line within body of reply textbox. Do not use the file attach feature.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4 stainlesswonder


Posted 13 September 2009 - 11:04 PM

Thank you for the help. I was out this weekend and will jump on this tomorrow.

Sorry for breaking the rule on replying to my own post. I saw several newer topics get addressed before mine so I thought mine might have gotten lost in the shuffle. Of course soon afterwards I saw another 7-day-old topic just getting answered so I feel kind of silly.

Thx.

#5 Maurice Naggar

  • Malware Response Team

Posted 14 September 2009 - 03:56 PM

OK. Please do these soonest, and meantime do not use the system for anything else. Absolutely no websurfing, nothing online, other than this forum and the sites I guide you to.

FYI, sometimes others will be answered ahead of you, but that is likely because the helper(s) answer the ones they can most effectively cover. And, no, no posts are lost or forgotten. The BC forums keep track of all posts.

#6 stainlesswonder


Posted 15 September 2009 - 12:34 AM

I ran everything per your directions. I was able to open MBAM. However, after starting the quick-scan, the application closes within a few seconds.

DDS creates a gibberish file.

I tried the instructions in normal mode and in safe mode. Both with the same results.

#7 Maurice Naggar

  • Malware Response Team

Posted 17 September 2009 - 09:47 PM

My apology for having delayed in my response. Let's give this a try.

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Edited by Maurice Naggar, 17 September 2009 - 09:47 PM.


#8 stainlesswonder


Posted 20 September 2009 - 04:47 PM

I ran GMER yesterday. Here's what happened.

I ran GMER in normal mode and it did a quick scan.
It gave me a notice about possible rootkit activity and asked me to do a full scan.
I clicked on yes and the scan lasted several hours and started listing a log.
I checked back on it every once in a while for several hours to make sure it was running.
The last time I checked it, the GMER application was closed.
I tried to re-start GMER but it said I didn't have permission.
I dragged the application into "Inherit" and I was able to open GMER again.
I ran the full scan again (after it prompted me).
After a couple of hours I got a blue-screen.


I tried to run GMER in Safe-mode and the same thing happened with the application self-closing.
I shut down and restarted windows.
I dragged the application into "Inherit" and I was able to open GMER again.
I ran a full scan again after it prompted me.
This time I clicked on "Save..." and saved the log as it existed about 30 minutes into the scan.
I let the scan run for several hours and checked back often and verified no new entries were made on the log in the application.
Upon checking it again several hours later, GMER had closed itself.
Trying to restart GMER I got the permission error.
I have a log however obviously it may not be complete since the scan never completed.

Let me know if you'd like me to post it in the body of a reply or as an attachment.

Thanks for your help. This malware is in there good!

#9 Maurice Naggar

  • Malware Response Team

Posted 21 September 2009 - 08:07 PM

Yes, do post a copy of the log. Do a Copy and Paste into a reply.
If and only if you can't fit into one reply box, then split it into 2 replies.

Set Windows to show all files and all folders.
On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.


Also, try running MBAM again, do a Quick scan. If it "disappears" after a few seconds, then drag it over to Inherit.exe
I'd like to have that log as well.

Third, also copy and paste here the contents of Win32kdiag.txt

Best to have as many reports as possible.

Edited by Maurice Naggar, 21 September 2009 - 08:15 PM.


#10 stainlesswonder


Posted 21 September 2009 - 11:23 PM

MBAM wouldn't keep the scan going even after dragging it to "inherit"

I forgot to mention earlier that I could not run Fixpolicies under "Run As Administrator" option. There was no such option when right-clicking on the file. So instead I ran it by just double-clicking it.

Here are GMER and Win32kdiag.


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-19 22:29:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\TEDREY~1\LOCALS~1\Temp\pfroruow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\e24db1ad.sys ZwCreateEvent [0xB9DFEAAD]
SSDT \SystemRoot\System32\drivers\e24db1ad.sys ZwCreateKey [0xB9DFCB85]
SSDT \SystemRoot\System32\drivers\e24db1ad.sys ZwOpenKey [0xB9DFCC45]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 102 804E493C 4 Bytes JMP E638B9DF
? C:\WINDOWS\system32\drivers\glaide32.sys The system cannot find the file specified.
? C:\WINDOWS\System32\drivers\e24db1ad.sys The system cannot find the file specified.
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[800] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\services.exe[800] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\services.exe[800] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\services.exe[800] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\services.exe[800] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [42, 98, 98, 2F, 37, D6, 99, ...] {INC EDX; CWDE ; CWDE ; DAS ; AAA ; SALC ; CDQ ; STC ; LAHF ; JMP 0xffffffffed437d2c}
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [40, D6, F9, 49, F5, F3, 41, ...]
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1180] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1180] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [D6, FC, 3F, FC, F9, 49, 90, ...]
.text C:\WINDOWS\Explorer.EXE[1280] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\Explorer.EXE[1280] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\Explorer.EXE[1280] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\288462E2.x86.dll
.text C:\WINDOWS\Explorer.EXE[1280] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\Explorer.EXE[1280] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\Explorer.EXE[1280] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\Explorer.EXE[1280] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\Explorer.EXE[1280] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [F2, 42, 49, 41, 3F, 98, 92, ...]
.text C:\WINDOWS\system32\spoolsv.exe[1568] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [F8, 49, 4A, 2F, 4A, 40, 92, ...]
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1732] WS2_32.dll!send + 2 71AB428C 6 Bytes JMP 5EEF2223 C:\WINDOWS\system32\logqpreg.dll
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1732] WS2_32.dll!WSARecv + 2 71AB431A 5 Bytes JMP 5EEF21BC C:\WINDOWS\system32\logqpreg.dll
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1732] WS2_32.dll!recv + 2 71AB615C 6 Bytes JMP 5EEF19D9 C:\WINDOWS\system32\logqpreg.dll
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1732] WS2_32.dll!WSASend + 2 71AB6235 5 Bytes JMP 5EEF1CF7 C:\WINDOWS\system32\logqpreg.dll
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1732] WS2_32.dll!closesocket + 2 71AB963B 14 Bytes [F3, F3, 48, F5, 90, F9, F5, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[1180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\288462E2.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\288462E2.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\288462E2.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\288462E2.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs e24db1ad.sys

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\Tcpip \Device\Ip e24db1ad.sys
Device \Driver\Tcpip \Device\Tcp e24db1ad.sys
Device \Driver\prodrv06 \Device\ProDrv06 E1946728
Device \Driver\iaStor \Device\Ide\iaStor0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E10151C0
Device \Driver\Tcpip \Device\Udp e24db1ad.sys
Device \Driver\Tcpip \Device\RawIp e24db1ad.sys
Device \Driver\Tcpip \Device\IPMULTICAST e24db1ad.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [800] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1128] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1180] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1384] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1568] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1680] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [1732] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1772] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\288462E2.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2412] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\e24db1ad.sys (*** hidden *** ) [SYSTEM] e24db1ad <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\glaide32.sys (*** hidden *** ) [SYSTEM] glaide32 <-- ROOTKIT !!!
Service (*** hidden *** ) [SYSTEM] Null <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?(?g?*??Monitor??g??USB\Class_09&SubClass_00&Prot_00?USB\Class_09&SubClass_00?USB\Class_09??????? ???????g???????????]??????????????????????????????0????????????????`???????????????????? ????????????????????? ???????????????????? 2??g???-?????11D??Monitor\Default_Monitor?????*PNP09FF????? ???????A?????g?????O?????????????????????????e?????C?F?G?G?G?G?f?g?G?g?g?g A????????????????????????? ??????????????h?????x?????????????????????x?????????????????????????????????????????????????????????????? ???N???i?????c?b??USB??D???g???????????A???????????T???????????o???????D??USB??X??Ramp Force?f????? ???g???@?????a?A???B???j???0?????????????????????????????????007???????????????????????????g???v??s????g???????h???g???h???????????g?????s?f??{36FC9E60-C465-11CF-8056-444553540000}\0038??f??(Generic USB Hub)??????i???A???Q???f?????g???@?f?f?N?f?g?g?c?b?c?c?g????? ???????f???????????g?K??????(? ??????????????>?>???????????>??????????????? ???????f????????????? ?????????????????f??????????????????????? ??????????????????inp
Reg HKLM\SYSTEM\CurrentControlSet\Services\e24db1ad@ImagePath \SystemRoot\System32\drivers\e24db1ad.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\e24db1ad@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e24db1ad@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e24db1ad@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e24db1ad@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\null@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\null@TypesSupported 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32@ImagePath \??\C:\WINDOWS\system32\drivers\glaide32.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\glaide32\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@Group Base
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@ImagePath \SystemRoot\System32\drivers\e24db1ad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\null@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\null@TypesSupported 7
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@ImagePath \??\C:\WINDOWS\system32\drivers\glaide32.sys
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\Null@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\Null@Group Base
Reg HKLM\SYSTEM\ControlSet003\Services\Null@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\Null@Tag 1
Reg HKLM\SYSTEM\ControlSet003\Services\Null@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\Null@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionPipes@ValueType 7
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionPipes@DisplayType 4
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionPipes@DisplayName Network access: Named Pipes that can be accessed anonymously
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionShares@ValueType 7
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionShares@DisplayType 4
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LanManServer/Parameters/NullSessionShares@DisplayName Network access: Shares that can be accessed anonymously
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter@ SpNullPhoneConverter Class
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter\CLSID
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter\CLSID@ {455F24E9-7396-4A16-9715-7C0FDBE3EFE3}
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter\CurVer
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter\CurVer@ SAPI.SpNullPhoneConverter.1
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter.1@ SpNullPhoneConverter Class
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter.1\CLSID
Reg HKLM\SOFTWARE\Classes\SAPI.SpNullPhoneConverter.1\CLSID@ {455F24E9-7396-4A16-9715-7C0FDBE3EFE3}
Reg HKLM\SOFTWARE\Classes\System.ArgumentNullException@ System.ArgumentNullException
Reg HKLM\SOFTWARE\Classes\System.ArgumentNullException\CLSID
Reg HKLM\SOFTWARE\Classes\System.ArgumentNullException\CLSID@ {3BD1F243-9BC4-305D-9B1C-0D10C80329FC}
Reg HKLM\SOFTWARE\Classes\System.NullReferenceException@ System.NullReferenceException
Reg HKLM\SOFTWARE\Classes\System.NullReferenceException\CLSID
Reg HKLM\SOFTWARE\Classes\System.NullReferenceException\CLSID@ {7F71DB2D-1EA0-3CAE-8087-26095F5215E6}







Running from: C:\Documents and Settings\Ted Reyes\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Ted Reyes\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\Installer\Installer

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\DRIVERS\e24db1ad.sys

[1] 2009-09-21 20:48:56 111308 C:\WINDOWS\SYSTEM32\DRIVERS\e24db1ad.sys ()



Cannot access: C:\WINDOWS\SYSTEM32\DRIVERS\glaide32.sys

[1] 2009-09-21 20:50:14 99276 C:\WINDOWS\SYSTEM32\DRIVERS\glaide32.sys ()



Cannot access: C:\WINDOWS\SYSTEM32\DUMPREP.EXE

[1] 2004-08-04 03:00:00 10752 C:\WINDOWS\SYSTEM32\DUMPREP.EXE ()

[1] 2004-08-04 03:00:00 10752 C:\i386\DUMPREP.EXE (Microsoft Corporation)



Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:00:00 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2004-08-04 03:00:00 55808 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 03:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)





Finished!

Edited by stainlesswonder, 21 September 2009 - 11:30 PM.


#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:03:45 AM

Posted 22 September 2009 - 06:27 AM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not stainlesswonder and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

There is one Windows DLL to be restored and some rootkits to be removed.

Start NOTEPAD and then copy and paste the codebox lines below into it.
Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy C:\WINDOWS\i386\eventlog.dll c:\

Double-click on fixes.bat file to run it.

Next, Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
    
    Drivers to disable:
    e24db1ad
    glaide32
    Null
    
    Drivers to delete:
    e24db1ad
    glaide32
    Null
    
    Files to delete:
    C:\WINDOWS\system32\288462E2.x86.dll
    C:\WINDOWS\System32\drivers\e24db1ad.sys
    C:\WINDOWS\system32\drivers\glaide32.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt
and C:\Combofix.txt

Following that, Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Now, reply with copy of the MBAM scan log.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
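The GMER "Reg" lines earlier in this thread and the Avenger script above turn on the same observation: the service keys e24db1ad, glaide32 and the legitimate Windows Null driver carry a value with an unrecognizable name, F96ZK6nPB, whose data is base64 for a domain name. As an added example for this thread (not code from GMER, The Avenger, or anyone posting here), the Python script below parses such Reg lines, groups them per service, flags any service whose value names fall outside the usual set for a service key, and decodes base64-shaped data so the stored string is visible to whoever is triaging the log. The sample log is copied from the lines posted above; the STANDARD_VALUES set and all function names are my own assumptions, not anything the tools define.

```python
"""Triage helper for GMER-style registry lines of the form
'Reg HKLM\\SYSTEM\\...\\Services\\<service>@<value name> <data>'.

Added example, not part of this thread and not code from GMER or The Avenger.
"""
import base64
import re
from collections import defaultdict

# Value names normally found directly under a service key (assumed list, not
# exhaustive); a name outside this set is worth a second look.
STANDARD_VALUES = {
    "Type", "Start", "ErrorControl", "ImagePath", "DisplayName", "Description",
    "Group", "Tag", "DependOnService", "DependOnGroup", "ObjectName", "Security",
}

# Only direct Services\<name>@<value> lines match; subkeys such as
# Services\glaide32\Security or Services\Eventlog\System\null are skipped on purpose.
SERVICE_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\"
    r"(?P<svc>[^\\@]+)@(?P<name>\S*)(?:\s+(?P<data>.*))?$"
)

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

# Constructed sample: copied from the GMER output posted earlier in this thread.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Null@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@ImagePath \SystemRoot\System32\drivers\e24db1ad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\e24db1ad@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\null@TypesSupported 7
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32@ImagePath \??\C:\WINDOWS\system32\drivers\glaide32.sys
Reg HKLM\SYSTEM\ControlSet003\Services\glaide32\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\Null@Group Base
Reg HKLM\SYSTEM\ControlSet003\Services\Null@F96ZK6nPB YmluZGVyeXNlcnZpY2UubW9iaQ==
"""


def try_base64(data):
    """Return the decoded text if data is well-formed base64 for printable ASCII, else None.

    Short ordinary words such as 'Base' pass the shape test but decode to
    non-printable bytes, so the printable check rejects them.
    """
    if data is None or not B64_SHAPE.match(data) or len(data) % 4:
        return None
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def parse_services(log_text):
    """Group Reg lines by service name; entries from different ControlSets merge."""
    services = defaultdict(lambda: {"values": {}, "odd_values": {}})
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        svc, name, data = m.group("svc"), m.group("name"), m.group("data")
        entry = services[svc]
        entry["values"][name] = data
        if name not in STANDARD_VALUES:
            # Keep the decoded form (or None) next to the odd value name.
            entry["odd_values"][name] = try_base64(data)
    return dict(services)


def flag_suspicious(services):
    """Services carrying non-standard values, the pattern seen in this thread's log.

    A legitimate driver name (Null) with a foreign value is flagged just like
    an unknown driver (e24db1ad), which is exactly what the thread needed to catch.
    """
    return sorted(svc for svc, e in services.items() if e["odd_values"])


def report(services):
    """Human-readable summary of the flagged services and their decoded values."""
    lines = []
    for svc in flag_suspicious(services):
        e = services[svc]
        lines.append(f"{svc}: ImagePath={e['values'].get('ImagePath', '<none>')}")
        for name, decoded in e["odd_values"].items():
            raw = e["values"][name]
            shown = f"{raw!r} -> {decoded!r}" if decoded else repr(raw)
            lines.append(f"    non-standard value {name} = {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_services(SAMPLE_LOG)))
```

Running it on the sample flags Null and e24db1ad (both carry F96ZK6nPB) and shows the decoded domain strings, while glaide32 is listed only by its standard values; a flag on the Null driver means the key was modified, not that the driver itself is foreign, so the decision of what to disable or delete still belongs to the person reading the whole log.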

#12 stainlesswonder

stainlesswonder
  • Topic Starter

  • Members
  • 61 posts
  • Local time:12:45 AM

Posted 22 September 2009 - 10:02 PM

I ran everything all the way up to Combo Fix.

When running Combo Fix I acknowledged the software window and clicked on the "yes" button.

It did not ask to install Microsoft Windows Recovery Console so I assume it's already installed.

I then got a window that said (paraphrasing) "Rootkit! Combofix needs to reboot the computer. Click on OK to continue."

I clicked on OK and the computer rebooted. I went into my account.

The hard drive turned off after several minutes but no log was generated.

I looked in the C: drive but did not find combofix.txt

Looking more closely at the c: drive, there is what appears to be a "computer" icon named "Combo-Fix".

If you open this icon, it shows a replica of what's listed below "My Computer".

This continues to nest indefinitely.

See attached jpeg.

I did not re-run Combo-Fix per the instructions above.

Edited by Maurice Naggar, 26 September 2009 - 05:34 AM.


#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:03:45 AM

Posted 22 September 2009 - 10:14 PM

Leave the computer as is. Do not do anything. Don't shut it off. Don't start anything.
Let me do some research. I'll get back to you, though it may be a good while. Please have patience.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 stainlesswonder

stainlesswonder
  • Topic Starter

  • Members
  • 61 posts
  • Local time:12:45 AM

Posted 22 September 2009 - 11:12 PM

No problem. Will keep it running. Thanks for the quick reply.

#15 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:03:45 AM

Posted 23 September 2009 - 01:58 AM

Close the view in Explorer that you opened, if still in open window. Please don't repeat the action that you'd taken. We have an incomplete run of Combofix.
Now, making sure you have no open windows from programs you started, and with your antivirus program off, double click the Combofix icon to start it once more.
Answer the initial prompts, and then let it run.
When done, reply with copy of C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



