
need help removing a root kit


This topic is locked. 23 replies to this topic.

#1 Jay_jay_01

Posted 25 October 2009 - 02:52 PM

First of all, I've tried the DDS / HJT log preparation guide and could not get DDS to work: it runs but gets stuck at 30%, and the RootRepeal log doesn't work either. I have already created a thread in the "Am I infected" section, so I'll just copy and paste the information I posted there so everything makes sense:

Hi

Just want to start off by saying I don't know if this is malware, spyware, a virus etc., but I need help. I read on this website about a virus just like mine, which I can't find now, but it said to post for help. I have some virus which I think is new because it's very clever: basically it prevents all antivirus and antispyware programs from running, and when I click on the programs it says "you do not have permission" etc., and those that do open close halfway through scanning. I've tried safe mode, in which it still blocks all antiviruses, and it tried to install something else called "soft cop", which obviously I wasn't trying to install. Anyway, I need help. The page I saw before on this website (which I can't find now) said basically it replaces the main Windows files with the virus version, which I believe is why it still works in safe mode. It is really annoying and I don't want to reboot my computer just because of this virus, so could someone help. Also, I don't know if this will help, but yesterday I got really angry as I can't remove it, so I thought I would try removing it manually without any antivirus. So I went to regedit and looked at all the files (I ain't a computer expert, just a law student with loads of time), and I found a list of all the antivirus and antispyware programs on my computer in a folder called "disallowed", so I deleted it, restarted my computer, and it was still there. So I went to My Computer > C:\Windows\system32 and there are all these weird files called things like v5rus, spam, w5orm etc. Could someone help me? If you need any info just ask; I think I've given enough info anyway, but could someone please help me!


P.S. Please forgive the punctuation, spelling etc.; I've got a lecture now and have to go, so I rushed it.


I was then told to try this:


Welcome to BC

Step 1

We need to check for rootkits with RootRepeal

1. Download RootRepeal from the following location and save it to your desktop.
* Direct Download (Recommended)
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
o Secondary Mirror
* Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
o Secondary Mirror
* Rar Mirrors - Only if you know what a RAR is and can extract it.
o Primary Mirror
o Secondary Mirror
o Secondary Mirror
2. Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
3. Open RootRepeal.exe on your desktop.
4. Click the [image] tab.
5. Click the [image] button.
6. Check all seven boxes.
7. Push Ok.
8. Check the box for your main system drive (usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

=============================

Step 2

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

* This tool will create a diagnostic report.
* Double-click on Win32kDiag.exe to run and let it finish.
* When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
* A file called Win32kDiag.txt should be created on your Desktop.
* Open that file in Notepad and copy/paste the entire contents (from "Starting up..." to "Finished! Press any key to exit...") in your next reply.

--------------------------------------


Step 3

Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called Log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.


--------------------
Mark

And this was my reply:


Hi

For RootRepeal, the first time round I did as you said and while scanning it closed by itself; now when I try to open it, it says:
[screenshot]


Then I tried to save it as tatertot.scr, and even as tatertot, when you click "save as" from the download link, and still it won't open. The file icon is not a magnifying glass [screenshot]; it now looks like this: [screenshot]
That is how all my links to the antivirus and antispyware programs look.

And when I right-click and rename, I get this on all my antivirus and antispyware programs: [screenshot]

And the program Win32kDiag.exe closed halfway through as well, so when I type in

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt


no Log.txt appears on my desktop, but before entering this command a Notepad copy of Win32kDiag is on my desktop, which I believe is still incomplete. It is as follows:


Running from: C:\Documents and Settings\k\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\k\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point       : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$hf_mig$\KB953838-IE7\KB953838-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$hf_mig$\KB956390-IE7\KB956390-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$hf_mig$\KB958215-IE7\KB958215-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$hf_mig$\KB960714-IE7\KB960714-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$hf_mig$\KB961260-IE7\KB961260-IE7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\$regcmp$\$regcmp$
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D.tmp\ZAP23D.tmp
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Help\tours\mmtour\mmtour
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Logs\Logs
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Offline Web Pages\Offline Web Pages
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>^

Found mount point       : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-03-21 08:35:58 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-03-21 08:35:58 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)


Also, as I mentioned before, there were some weird files in my C:\WINDOWS\system32, so I took a screenshot and they're below:
[screenshot]

[screenshot]


That's everything I can think of. DDS and RootRepeal don't work, so that's the only log I can make, so could someone please help me; it would be much appreciated.
If you need any info, just ask.

Thank you

PS: in case the other thread is required, the link is

http://www.bleepingcomputer.com/forums/ind...p;#entry1468241

in case anyone wants to check it out.

Merged posts. ~ OB

Edited by Orange Blossom, 25 October 2009 - 03:04 PM.
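The Win32kDiag output in the post above shows what the helper was screening for: reparse points ("mount points") planted under C:\WINDOWS whose destination is a named device object rather than a volume, and an eventlog.dll that the tool cannot read and that carries no publisher string next to a Microsoft-signed neighbour. Folders hidden behind such a reparse point are unreadable to scanners, which is one reason the user's antivirus tools fail. As an added example (not part of this thread, and not Win32kDiag's own code), here is a small Python parser that reads a log in that format and flags those two indicator classes. The sample log is constructed to match the posted layout, and the list of "legitimate" destination prefixes is an assumption: a real volume mount point resolves to a \??\Volume{GUID}\ path.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same layout as the Win32kDiag.txt excerpt posted
# above (not the poster's real log): two reparse points resolving to a named
# device object, one benign volume mount point, and the eventlog.dll listing.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\k\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\k\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point      : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7
Mount point destination : \Device\__max++>^
Found mount point      : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>^
Found mount point      : C:\WINDOWS\Temp\mounted
Mount point destination : \??\Volume{1c5e0f6a-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-03-21 08:35:58 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-03-21 08:35:58 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(?P<dest>.+?)\s*$")
CANNOT_RE = re.compile(r"^Cannot access:\s*(?P<path>.+?)\s*$")
# "[n] date time size path (company)" -- company may be empty: "()"
FILE_RE = re.compile(
    r"^\[\d+\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>.*)\)\s*$"
)

# Assumption: a normal NTFS mount point resolves to a volume GUID path.
# Anything else under %windir% (here a \Device\ object) is worth a look.
LEGIT_DEST_PREFIXES = (r"\??\Volume{",)


@dataclass
class Finding:
    kind: str    # suspicious_mount_point | inaccessible_file | unsigned_system_dll
    path: str
    detail: str


def parse_findings(log_text: str) -> list[Finding]:
    """Walk the log line by line, pairing each mount point with its destination."""
    findings: list[Finding] = []
    pending_mount: str | None = None
    for line in log_text.splitlines():
        if (m := MOUNT_RE.match(line)):
            pending_mount = m["path"]
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            dest = m["dest"]
            if not dest.startswith(LEGIT_DEST_PREFIXES):
                findings.append(Finding("suspicious_mount_point", pending_mount, dest))
            pending_mount = None
        elif (m := CANNOT_RE.match(line)):
            findings.append(Finding("inaccessible_file", m["path"], "access denied"))
        elif (m := FILE_RE.match(line)):
            # A system DLL with no publisher string is the patched/replaced copy.
            if m["company"].strip() == "":
                findings.append(Finding("unsigned_system_dll", m["path"], "no publisher string"))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_LOG):
        print(f"{f.kind:24} {f.path}  ->  {f.detail}")
```

To use it on a real machine, read a saved Win32kDiag.txt into SAMPLE_LOG's place; every mount point whose destination is a \Device\ name rather than a \??\Volume{GUID}\ path is a hit, and the same logic applies to the output of `junction -s`, which lists the same reparse points with their targets.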



#2 Jay_jay_01 (Topic Starter)

Posted 31 October 2009 - 09:06 AM

HI

Could someone help me with this problem, please? I've been waiting and have heard nothing. If no one is planning on helping me, at least say so, so I can work it out for myself then.

#3 Jay_jay_01 (Topic Starter)

Posted 01 November 2009 - 01:51 PM

Hi
I believe I have a Skynet trojan which stops me from opening any antispyware/antivirus programs.
I ran Sophos Anti-Rootkit and the log is below. I just need help; I was wondering whether it will be OK to delete everything in the log with "skynet" in it, because some are in the system32 folder and I don't want to delete any system files, especially if this clever trojan has overwritten the system files with itself. Could someone please advise, as it would be very appreciated.

Thanks in advance

I couldn't get the log as a txt format, so here are screenshots, which are in the right order:



[screenshot]
[screenshot]
[screenshot]
[screenshot]

#4 myrti (Malware Study Hall Admin)

Posted 01 November 2009 - 03:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Jay_jay_01 (Topic Starter)

Posted 03 November 2009 - 08:20 AM

Thanks for the reply.

Sorry, I didn't realize you had posted a comment; I was working over the weekend and didn't have time to check. Anyway, I'm at uni at the moment, so hopefully when I get home I'll follow your instructions, as I still haven't fixed my computer yet. I thought I'd just update this post so everyone knows what's currently happening.

thanks

Edited by Jay_jay_01, 03 November 2009 - 08:24 AM.


#6 Jay_jay_01 (Topic Starter)

Posted 03 November 2009 - 03:59 PM

Hi temp,

I downloaded OTL, ran it, checked the "Scan All Users" box, and after scanning for 15 seconds it closed itself and now will not open. That's what happens to some of the antispyware software I have, and some just don't open at all; the screenshots are above in the intro paragraph of this thread. Any ideas?

I'm just tempted to delete everything with "skynet" in it. It's been like 3 weeks since I've had this and it's annoying; I'm sure you know what I mean. It's the only PC problem I am unable to fix myself.

#7 myrti (Malware Study Hall Admin)

Posted 03 November 2009 - 05:02 PM

Hi,

please try running Combofix instead then:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_



#8 Jay_jay_01 (Topic Starter)

Posted 04 November 2009 - 12:38 PM

Hi temp,

I ran it just like you said. There was one problem: before ComboFix ran, it said I had BitDefender installed and running. I've had this problem before; I don't have it installed, I did ages ago and I uninstalled it, but for some reason when I install an antivirus it claims I have BitDefender installed and that I should uninstall it because they conflict. Anyway, I got rid of it ages ago, but before I ran ComboFix it said I should close it and continue. I just continued, and well, the logs are below just as you requested:


P.S. Can I delete ComboFix now and enable my antivirus? Because from the looks of things it seems this rootkit has gone. Could you confirm it has gone and that I can delete ComboFix and enable my antivirus, which I need to install back on?


Thanks for your time and help

Kind regards

Jay_Jay_01

Attached Files



#9 myrti (Malware Study Hall Admin)

Posted 05 November 2009 - 11:22 AM

Hi,

Combofix removed a LOT of malware, but you are still pretty infected! Please don't remove Combofix until I tell you to do so. Your anti virus program only needs to be disabled when Combofix is running. If Combofix isn't running, but still installed you can reenable your anti virus program.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Afterwards please run ComboFix again:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\tatertot.sys
c:\windows\system32\drivers\tatertot.scr.sys
c:\windows\system32\ALSndMgru.exe
c:\windows\mcexdc.dll
c:\windows\winstart.bat
c:\windows\system32\026C725C11.dll
c:\windows\system.sys
c:\windows\win32k.sys
c:\windows\system32\1652459191.dat
c:\windows\system32\15z82s9yd.bin
c:\windows\system32\nethelp.exe
c:\windows\system32\drivers\60870453.sys
c:\windows\Ppisahemilek.bin
c:\windows\Nlimuzag.dat

Folder::
c:\documents and settings\All Users\Application Data\fssg

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

SecCenter::
{6C4BB89C-B0ED-4F41-A29C-4373888923BB}

Driver::
rseb
1440EB7C
76E1CE54
F7BB7802
qaoceuhi
Wmiupnphost
EverestDriver
MEMSWEEP2
tatertot.scr
tatertot
ZDPSp40

netsvc::
Qaoceuhi


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please run win32kdiag.exe again, with the following command, to fix some malware-related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, copy-paste the following command into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens and starts to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please post back the logs from GooredFix, ComboFix, Win32kDiag and Junction in your next reply. Are you still using the firewall from BitDefender? It is listed as your firewall right now.

regards _temp_

Edited by _temp_, 05 November 2009 - 01:23 PM.


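The Registry:: section of the CFScript above resets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\"Notification Packages" to hex(7):73,63,65,63,6c,69,00,00. That value is a REG_MULTI_SZ: every name in it is a DLL that LSA loads into lsass.exe and calls with the plaintext password on every password change, so an extra entry is both a boot-time persistence hook and a credential tap, which is why helpers reset it to the single stock package. As an added example (not part of this thread, and not ComboFix's code), here is a small Python audit that decodes the hex(7) form, flags any package outside an assumed known-good set, and emits a corrected value in the same encoding. Note that ComboFix's form here is one byte per character; a regedit .reg export of the same value would be hex(7) over UTF-16LE bytes (73,00,63,00,...), which this decoder is not written for. The KNOWN_GOOD set and the sample values are assumptions.

```python
# Audit the LSA "Notification Packages" REG_MULTI_SZ value in the one-byte-per-
# character hex(7) form used by the CFScript above. Added example; the
# KNOWN_GOOD set is an assumption for an XP/2003-era host.

KNOWN_GOOD = {"scecli", "rassfm"}  # assumption: stock packages on XP/2003
STOCK_VALUE = "hex(7):73,63,65,63,6c,69,00,00"  # "scecli" + NUL + NUL, as in the thread


def decode_hex7(value: str) -> list[str]:
    """'hex(7):73,63,65,63,6c,69,00,00' -> ['scecli'].

    MULTI_SZ semantics: strings are NUL-terminated and the list ends at the
    first empty string (a double NUL); anything after that is ignored, as
    Windows itself ignores it.
    """
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError("not a hex(7) / REG_MULTI_SZ value")
    # .reg files wrap long values with a trailing backslash and a newline.
    body = value[len(prefix):].replace("\\", "").replace("\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    names: list[str] = []
    for part in raw.split(b"\x00"):
        if part == b"":
            break
        names.append(part.decode("latin-1"))
    return names


def encode_hex7(packages: list[str]) -> str:
    """Inverse of decode_hex7: NUL after each string, then a terminating NUL."""
    if not packages:
        raw = b"\x00\x00"  # an empty MULTI_SZ is written as two NULs
    else:
        raw = b"".join(p.encode("latin-1") + b"\x00" for p in packages) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_packages(value: str) -> dict:
    """Return the decoded list, the entries not in KNOWN_GOOD, and a hex(7)
    replacement that keeps only known-good entries (falling back to scecli)."""
    pkgs = decode_hex7(value)
    unexpected = [p for p in pkgs if p.lower() not in KNOWN_GOOD]
    keep = [p for p in pkgs if p.lower() in KNOWN_GOOD] or ["scecli"]
    return {"packages": pkgs, "unexpected": unexpected, "fix": encode_hex7(keep)}


if __name__ == "__main__":
    # Constructed sample: the stock package plus a hypothetical rogue entry.
    sample = encode_hex7(["scecli", "rogue"])
    print(audit_packages(sample))
```

On a live system the same check can be done by reading the value with reg.exe or PowerShell and comparing each name against the DLLs actually present in system32; any package name that is not scecli (or rassfm on a host that legitimately uses it) deserves a look before the value is reset.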

#10 Jay_jay_01 (Topic Starter)

Posted 12 November 2009 - 05:05 PM

Sorry for not replying back; I had to go away for a few days.
Anyway, I am not using BitDefender at all, not even the firewall; it doesn't even show in Add/Remove Programs. There is nothing with the word BitDefender in the programs list, that's what's weird. Anyway, a few problems occurred. First I ran GooredFix; that went well and I've got the log below. ComboFix went well as well, apart from it telling me that BitDefender is running and that if I continued it was at my own risk; again, the log for that is below. But for Win32kDiag this happened:
[screenshot]

and it said "press any button to exit". Clearly it has not run properly. And for the program Junction, when I go to Run and type this: cmd /c junction -s c:\ >log.txt&log.txt& del log.txt, a black window opens and it just said junction is not recognised as an internal or external command, and an empty log opens with nothing inside it.

Please could you help.
Thanks


PS: on an unrelated topic, since I ran these programs (ComboFix, Win32kDiag etc.) I get these when I boot up my PC. You can't see the top display box but it's exactly like the bottom one, and they're both DLL-related problems. As you can see, the first I believe is related to the malware that was removed; the second I don't know about. Do you know how I can get rid of them? They look like this:
[screenshot]
They came up when ComboFix restarted the computer by itself when I ran it like you said this time round, when it produced the log attached.

Thanks

Attached Files



#11 myrti (Malware Study Hall Admin)

Posted 12 November 2009 - 06:06 PM

Hi,

There are still a lot of malware entries left, which may be causing these error messages. I will ask you to run the following script; please let me know whether this removed the error messages or not.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\tatertot.sys
c:\windows\system32\drivers\tatertot.scr.sys
c:\windows\system32\15z82s9yd.bin
c:\windows\system32\drivers\60870453.sys
c:\windows\Ppisahemilek.bin
c:\windows\Nlimuzag.dat
c:\windows\system.sys
c:\windows\win32k.sys
c:\windows\mcexdc.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti



#12 Jay_jay_01 (Topic Starter)

Posted 18 November 2009 - 02:44 PM

Hi mate, again I apologize for not getting around to posting this sooner, but here it is as requested.

Attached Files

  • Attached File  log.txt   60.65KB   9 downloads


#13 myrti (Malware Study Hall Admin)

Posted 18 November 2009 - 04:44 PM

Hi,

that log doesn't look half bad. :( How is your PC doing, are you still getting the error messages?

regards myrti



#14 Jay_jay_01 (Topic Starter)

Posted 19 November 2009 - 08:59 AM

There are no error messages now; my computer seems fine. It keeps freezing for about 2 seconds every once in a while, probably just processing a large file; that's probably not related in any way. Anyway, from the looks of the log, can you tell me whether my computer is fully clean now or whether there are still some left? And could you recommend any good firewalls and antiviruses, free ones if you could, please.

Again, thanks for your time.

#15 myrti (Malware Study Hall Admin)

Posted 19 November 2009 - 06:29 PM

Hi,

in order to check for any remaining malware I would like you to run the following ARK scan:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    [image]
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

I'd also like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

In regards to anti virus programs, I personally know of Avira, Avast and AVG who are offering free anti virus solutions:
  • www.free-av.com (avira)
  • www.avast.com/eng/download-avast-home.html (avast)
  • free.avg.com/ (avg)
All three are good anti virus programs, I personally like Avira best though.

For free firewalls, please have a look at our Firewall tutorial: Link You will find a list of free and non-free firewalls at the bottom.

regards myrti
