

Infected with trojan tdss


This topic is locked
32 replies to this topic

#1 leonjack


Posted 09 September 2009 - 04:19 PM

Hi,

I have unsuccessfully tried to get rid of this tdss trojan. I've tried MBAM and I get "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmlkyrnvoa (Rootkit.TDSS) -> Quarantined and deleted successfully." But it returns after I reboot the computer. Also, I am unable to use my Norton 360. It will pop up occasionally that there are items to be fixed but once I click on it, it never responds. I don't get any redirections on web sites but then again I stopped using this computer except when trying to fix it. My computer isn't any slower and it starts up without any problems. I just can't get rid of the above TDSS nor can I use Norton 360. Any help would be greatly appreciated. I think I've attached everything I'm supposed to.



DDS (Ver_09-07-30.01) - NTFSx86
Run by jamie mckay at 16:33:02.90 on Wed 09/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.525 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\jamie mckay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.igoogle.com
uSearch Page = hxxp://www.igoogle.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
mSearch Page = hxxp://www.igoogle.com
mStart Page = hxxp://www.igoogle.com
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - Verizon Broadband Toolbar
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} -
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\jamiem~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamiem~1\applic~1\mozilla\firefox\profiles\gexz0qaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com/
FF - component: c:\documents and settings\jamie mckay\application data\mozilla\firefox\profiles\gexz0qaj.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\jamie mckay\application data\mozilla\firefox\profiles\gexz0qaj.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-16 101936]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-12-20 1245064]
S0 IFP300;iriver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090830.005\NAVENG.SYS [2009-8-30 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090830.005\NAVEX15.SYS [2009-8-30 1323568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-09-09 13:17 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-09 13:14 <DIR> --d----- c:\windows\ERUNT
2009-09-09 13:10 <DIR> --d----- C:\SDFix
2009-08-31 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-31 14:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-31 14:59 <DIR> --d----- c:\docume~1\jamiem~1\applic~1\SUPERAntiSpyware.com
2009-08-31 14:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-31 00:37 <DIR> --d----- C:\NSS
2009-08-16 09:13 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-16 03:10 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-16 03:07 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-16 03:07 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-16 03:07 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-16 03:07 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-16 03:07 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-16 03:07 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-16 03:07 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-16 03:07 <DIR> --d----- C:\282c7bdca03f236ae8
2009-08-16 03:06 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-13 20:59 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 20:58 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2008-12-12 10:56 726,008 a------- c:\documents and settings\jamie mckay\gotomypc_437.exe
2007-03-05 15:46 630,784 a------- c:\documents and settings\jamie mckay\GoToAssist_chat2way__317_en.exe
2009-01-01 14:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010120090102\index.dat
2007-05-23 08:17 17,398,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-05-23 08:17 614,944 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 16:34:19.75 ===============
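The MBAM hit quoted at the top of the post names a service key that the DDS log never lists, which is the cross-view symptom of a kernel rootkit hiding its own service. The following parser is an added example (not DDS's code, nor anything run in this thread): it reads the SERVICES / DRIVERS section in DDS's line format, flags drivers whose image file DDS could not find, and reports service names seen by another scanner that are absent from DDS's listing. The R/S and start-type conventions, the `parse_services`/`triage` names and the sample lines are assumptions constructed from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in DDS's line format: four entries copied from the log above,
# bracketed by the section markers DDS prints.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================
"""

# One entry: "<R|S><start> name;display;path[ --> resolved] [date size | ?]".
# R/S = running/stopped and digit = start type (0 boot .. 4 disabled) are assumed
# DDS conventions; "[?]" means DDS could not stat the image file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)


@dataclass
class DriverEntry:
    name: str
    start: int
    path: str
    file_found: bool
    size: Optional[int]


def parse_services(text: str) -> List[DriverEntry]:
    """Parse only the SERVICES / DRIVERS section of a DDS log."""
    entries: List[DriverEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====="):
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed line; a real tool would report it
        meta = m.group("meta")
        found = meta != "?"
        entries.append(DriverEntry(m.group("name"), int(m.group("start")), m.group("path"),
                                   found, int(meta.split()[-1]) if found else None))
    return entries


def triage(entries: List[DriverEntry], registry_hits: List[str]) -> Dict[str, List[str]]:
    """Leads for review, keyed by service name. A missing image is often just an
    uninstalled product's leftover (kl1 above), so these are not verdicts."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if not e.file_found:
            why = "driver image not found on disk"
            findings[e.name] = [why + " (boot-start)" if e.start == 0 else why]
    # Cross-view check: a service another scanner found in the registry that is
    # absent from DDS's enumeration is the hiding behaviour this thread is about.
    listed = {e.name.lower() for e in entries}
    for hit in registry_hits:
        if hit.lower() not in listed:
            findings[hit] = ["reported by another scanner but absent from DDS listing"]
    return findings
```

Calling `triage(parse_services(SAMPLE_DDS), ["kbiwkmlkyrnvoa"])` with the service name from the MBAM detection returns a lead for it alongside the stale kl1 entry.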



#2 fenzodahl512


Posted 10 September 2009 - 12:47 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[Two screenshots illustrating the rename step were posted here.]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 leonjack


Posted 10 September 2009 - 02:01 PM

Thanks for replying so quickly. Since I don't want to screw anything else up, I wanted to point out that I cannot access Norton 360 at all so I don't know if it is even on. It does pop up now and then but I can't do anything with it. I don't want to assume it is off and cause further problems and waste your time. Any advice? Thanks.

#4 fenzodahl512


Posted 10 September 2009 - 02:24 PM

Just run ComboFix then.. :(



#5 leonjack


Posted 10 September 2009 - 03:27 PM

Do not know if it's supposed to run this way but it has been stuck on the following for over 30 minutes:
Please wait.
ComboFix is preparing to run.

System file is infected !! Attempting to restore
"C:\WINDOWS\system32\sfcfiles.dll"


This is all in a blue box with a blinking cursor beneath the last line.

#6 fenzodahl512


Posted 10 September 2009 - 03:39 PM

Exit and run ComboFix again..



#7 leonjack


Posted 10 September 2009 - 04:15 PM

I tried again and it still got stuck at the same point. I exited and tried to uninstall Norton 360, but it says "not responding" when I attempt it. I tried a third time to run ComboFix and it got stuck at the same point.

#8 fenzodahl512


Posted 10 September 2009 - 11:31 PM

Please download avz4.zip and unzip it to your Desktop
  • Start AVZ.

  • Choose from the menu "AVZGuard" => "Enable AVZGuard".

  • Choose from the menu "AVZGuard" => "Run application as trusted".

  • The Run a trusted process window will appear (the original post includes screenshots of these steps).

  • For Application:, use the browse icon shown in the screenshot and select ComboFix.

  • Click the button shown in the screenshot.

  • Once complete, choose from the menu "AVZGuard" => "Disable AVZGuard".

  • Reboot your computer..

  • Post back the log from the trusted process run.

Edited by fenzodahl512, 10 September 2009 - 11:32 PM.



#9 leonjack


Posted 11 September 2009 - 08:05 PM

Thanks for getting back to me. Just got home. I did what you told me to do but the same thing happened just as when I tried to run ComboFix on its own. It just stops after those four lines and doesn't do anything else.

#10 fenzodahl512


Posted 11 September 2009 - 10:06 PM

Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



#11 leonjack


Posted 12 September 2009 - 07:36 PM

Hi,
Here's what happened when I ran Win32kDiag:

Running from: C:\Documents and Settings\jamie mckay\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\jamie mckay\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

It only took a few seconds.

#12 fenzodahl512


Posted 13 September 2009 - 12:55 AM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes in the "Write to log" section (Do NOT tick the "Hidden Objects Only" option)
  • Hit the Create Log button
  • When it asks for a scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and attach the log here.


NEXT


Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)



#13 leonjack


Posted 13 September 2009 - 07:48 AM

Thanks for getting back to me. I am attaching the SysProt AntiRootkit log like you asked. And below is the mbr.log. Thanks.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
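The detector's last three lines report sector 0 read through two different paths and then compared, so a rootkit that filters one path but not the other shows up as a mismatch. As an added illustration of that cross-view idea (not Gmer's code, and working on two constructed 512-byte images rather than a live disk), the following checks the 0x55AA signature, decodes the partition table, and, when the two copies differ, says whether the boot code, the partition table or the signature was touched. The function and constant names are assumptions.

```python
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # x86 boot code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIG_OFF = 510            # 0x55 0xAA boot signature in the last two bytes
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed MBR: filler boot code, one active NTFS-type partition, valid signature."""
    boot = bytes([boot_fill]) * BOOT_CODE_LEN
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return boot + entry + bytes(PART_ENTRY_LEN * 3) + b"\x55\xaa"


def has_valid_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the non-empty partition table entries."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def region_of(offset: int) -> str:
    if offset < BOOT_CODE_LEN:
        return "boot code"
    return "partition table" if offset < SIG_OFF else "signature"


def cross_view_check(user_mbr: bytes, kernel_mbr: bytes) -> Dict[str, object]:
    """Compare the sector as seen by the two read paths. Identical copies give the
    'user & kernel MBR OK' verdict the detector prints; otherwise report where they
    differ, which tells the analyst whether boot code or partition layout was touched."""
    result: Dict[str, object] = {
        "user_sig_ok": has_valid_signature(user_mbr),
        "kernel_sig_ok": has_valid_signature(kernel_mbr),
    }
    if len(user_mbr) != len(kernel_mbr):
        result["verdict"] = "MISMATCH: length differs"
        return result
    diff = [i for i in range(len(user_mbr)) if user_mbr[i] != kernel_mbr[i]]
    if not diff:
        result["verdict"] = "user & kernel MBR OK"
    else:
        result["verdict"] = "MISMATCH"
        result["first_diff"] = diff[0]
        result["diff_bytes"] = len(diff)
        result["regions"] = sorted({region_of(i) for i in diff})
    return result
```

On a real system the two inputs would come from reading sector 0 through the normal disk device and through a lower-level path; a clean comparison only means the two views agree, not that the boot code itself is benign.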

#14 fenzodahl512


Posted 13 September 2009 - 08:42 AM

Please download avz4.zip and unzip it to your Desktop

AVZ FIX :

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before this fix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

  • Close all windows then double click on AVZ.exe
  • Click File >> Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program

    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    SetServiceStart('kbiwkmlkyrnvoa', 4);
    StopService('kbiwkmlkyrnvoa');
    DeleteService('kbiwkmlkyrnvoa');
    DeleteFile('C:\WINDOWS\system32\drivers\kbiwkmoyltoirr.sys');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_DisableSvc('kbiwkmlkyrnvoa');
    BC_DeleteSvc('kbiwkmlkyrnvoa');
    BC_DeleteSvcReg('kbiwkmlkyrnvoa');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\kbiwkmoyltoirr.sys');
    BC_Activate;
    RebootWindows(true);
    end.

  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

Then reboot your computer and try to run ComboFix again.. Tell me how it goes and post the log here if any..



#15 leonjack


Posted 13 September 2009 - 08:53 AM

Is it OK to run this even though I have no access to or control over Norton 360? I can't turn it off.



