Does this look like there is a rootkit variant?


9 replies to this topic

#1 Profesionalac


Posted 09 November 2009 - 11:23 AM

During the download my browser is blocked. In Internet Explorer, after the address loads, a white page appears and the lower left corner reads Done. Same with Mozilla Firefox. Opera gives me the following message:

Error!
Connection closed by remote server

You tried to access the address hxxp://www.google.com/search?hl=sr&source=hp&q=zov+oglasi&btnG=Google+%D0%BF%D1%80%D0%B5%D1%82%D1%80%D0%B0%D0%B3%D0%B0&lr=&aq=f&oq= which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.
Make sure your Internet connection is active and check whether other applications that rely on the same connection are working.


After that I reboot my computer and everything works perfectly, but when I run the download again the problem is there. I did a few steps on your recommendations (combofix, dds, rootrepeal). Please tell me which log files I should send you so you can tell me whether I solved the problem or it is still there.

Referred from: http://www.bleepingcomputer.com/forums/t/270071/unknown-problem/ ~ OB

I just finished all the processes from boopme's recommendation and here are my logs.

Sorry, I'm not sure whether I should send the zip files or not,
so I zipped them and attached them again.
I am interested whether my computer is infected or not.
Thank you very much.
P.S. This forum is the best I have ever seen!

Attached Files


Edited by Orange Blossom, 09 November 2009 - 10:18 PM.
Deactivate link, remove unnecessary quote. ~ OB



#2 etavares

Malware Response Team

Posted 15 November 2009 - 06:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 Profesionalac

Topic Starter

Posted 15 November 2009 - 02:36 PM

Hello,
Since last post I have installed Skype, NetWorx and my old HP printer.
I haven't had problems using the computer. Anyway, I am sending new log files for you to review, evaluate and judge.
Thanks a lot
Kind regards


DDS (Ver_09-10-26.01) - NTFSx86
Run by Markoni at 20:20:37,17 on ned 15.11.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1562 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Markoni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: &NetWorx Desk Band: {feea54b4-d80f-41c7-87b9-dc08e6d3255f} - c:\progra~1\networx\deskband.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRunOnce: [SWUPath] c:\program files\hewlett-packard\hp software update\shellExWin.exe -m
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markoni\applic~1\mozilla\firefox\profiles\1d50ss0b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/intl/sr/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 150568]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-11-15 38976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]

=============== Created Last 30 ================

2009-11-15 17:35:59 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2009-11-15 17:33:58 306688 ----a-w- c:\windows\IsUninst.exe
2009-11-15 17:33:28 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-15 17:33:28 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-15 17:31:48 179151 ----a-w- c:\windows\hpdj5100.his
2009-11-15 17:31:48 11169 ----a-w- c:\windows\hpdj5100.ini
2009-11-15 11:05:39 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2009-11-15 11:05:29 0 d-----w- c:\program files\NetWorx
2009-11-15 11:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SoftPerfect
2009-11-14 08:17:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-14 08:13:44 0 d-----r- c:\program files\Skype
2009-11-08 22:43:13 376 ----a-w- c:\windows\ODBC.INI
2009-11-08 22:43:06 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-11-08 22:41:53 0 d-----w- c:\program files\common files\L&H
2009-11-08 22:41:43 0 d-----w- c:\program files\Microsoft ActiveSync
2009-11-08 22:41:06 0 d-----w- c:\windows\SHELLNEW
2009-11-08 15:41:32 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-08 15:41:32 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-08 15:40:52 0 d-----w- c:\program files\Kaspersky Lab
2009-11-08 15:40:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-08 15:39:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-08 15:38:06 0 d-----w- c:\docume~1\markoni\applic~1\BitDefender
2009-11-08 15:38:05 0 d-----w- c:\windows\system32\appmgmt
2009-11-08 15:38:00 0 d-----w- c:\windows\SxsCaPendDel
2009-11-08 13:33:13 0 d-----w- c:\documents and settings\markoni\.imindmap
2009-11-08 11:18:28 0 d-sha-r- C:\cmdcons
2009-11-08 11:15:27 98816 ----a-w- c:\windows\sed.exe
2009-11-08 11:15:27 77312 ----a-w- c:\windows\MBR.exe
2009-11-08 11:15:27 267264 ----a-w- c:\windows\PEV.exe
2009-11-08 11:15:27 161792 ----a-w- c:\windows\SWREG.exe
2009-11-08 09:49:57 121 ----a-w- c:\windows\bdagent.INI
2009-11-07 21:29:55 376 ----a-w- c:\documents and settings\markoni\Application Dataprivacy.xml
2009-11-07 16:28:49 69 ----a-w- c:\windows\NeroDigital.ini
2009-11-07 16:21:18 0 d-----w- c:\program files\FontFrenzy
2009-11-07 16:20:41 0 d-----w- c:\program files\URUSoft
2009-11-07 16:19:31 0 d-----w- c:\program files\Vector Magic
2009-11-07 16:14:00 0 d-----w- c:\program files\YouTube Downloader
2009-11-07 15:42:49 39 ----a-w- c:\windows\KeplerAstrology.INI
2009-11-07 15:41:56 0 d-----w- C:\KEPLER70
2009-11-07 15:26:20 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2009-11-07 13:07:05 0 d-----w- c:\program files\Buzan Online
2009-11-07 13:04:01 0 d--h--w- c:\windows\PIF
2009-11-07 01:18:26 0 d-----w- c:\docume~1\markoni\applic~1\ACD Systems
2009-11-07 01:17:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ACD Systems
2009-11-07 01:17:38 0 d-----w- c:\program files\common files\ACD Systems
2009-11-07 01:17:38 0 d-----w- c:\program files\ACD Systems
2009-11-07 01:08:55 0 d-----w- c:\docume~1\markoni\applic~1\Malwarebytes
2009-11-07 01:08:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 01:08:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 01:08:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 01:08:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-07 01:00:43 0 d-----w- c:\docume~1\markoni\applic~1\Windows Search
2009-11-07 01:00:07 0 d-----w- c:\program files\K-Lite Codec Pack
2009-11-07 00:59:07 0 d-----w- c:\docume~1\markoni\applic~1\Windows Desktop Search
2009-11-07 00:58:30 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-07 00:58:30 0 d-----w- c:\program files\Windows Desktop Search
2009-11-07 00:57:52 0 d--h--w- c:\windows\$hf_mig$
2009-11-07 00:46:45 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-11-07 00:46:45 16 ----a-w- c:\windows\system32\asdict.dat
2009-11-07 00:39:41 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-07 00:30:01 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-11-07 00:30:01 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-11-07 00:29:51 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-11-07 00:29:51 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-11-07 00:29:51 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-11-07 00:29:51 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-11-07 00:29:51 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-11-07 00:29:51 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-11-07 00:16:18 0 d-----w- c:\program files\MV2Player
2009-11-07 00:14:41 24064 ------w- c:\windows\system32\msxml3a.dll
2009-11-07 00:05:45 385 ----a-w- c:\windows\system32\user_gensett.xml
2009-11-07 00:03:31 0 d-----w- c:\program files\BitDefender
2009-11-07 00:03:31 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2009-11-07 00:02:39 0 d-----w- c:\windows\system32\URTTemp
2009-11-07 00:02:27 0 d-----w- c:\program files\common files\BitDefender
2009-11-06 23:56:45 8 --sh--r- c:\docume~1\alluse~1\applic~1\E969878206.sys
2009-11-06 23:56:45 3140 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-11-06 23:56:08 0 d-----w- c:\program files\common files\Protexis
2009-11-06 23:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
2009-11-06 23:55:15 0 d-----w- c:\program files\common files\Corel
2009-11-06 23:46:10 0 d-----w- c:\program files\Corel
2009-11-06 23:21:39 0 d-----w- c:\program files\common files\ODBC
2009-11-06 23:21:37 0 d-----w- c:\program files\common files\SpeechEngines
2009-11-06 23:21:19 0 d-----r- c:\documents and settings\all users\Documents
2009-11-06 23:09:48 0 d-----w- c:\program files\common files\Macrovision Shared
2009-11-06 23:09:43 0 d-----w- c:\program files\Rosetta Stone
2009-11-06 23:09:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-11-06 23:05:38 0 d-----w- c:\program files\DAEMON Tools Toolbar
2009-11-06 23:05:33 0 d-----w- c:\program files\DAEMON Tools Lite
2009-11-06 23:05:25 0 d-----w- c:\docume~1\markoni\applic~1\DAEMON Tools Lite
2009-11-06 23:05:22 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-11-06 23:02:12 0 d-----w- c:\program files\My Company Name
2009-11-06 22:56:33 0 d-----w- c:\program files\ASUS
2009-11-06 22:51:14 0 d-----w- c:\program files\Marvell
2009-11-06 22:51:14 0 d-----w- c:\docume~1\markoni\applic~1\TMP
2009-11-06 22:48:40 0 d-----w- c:\program files\Analog Devices
2009-11-06 22:31:55 0 d-sh--w- c:\documents and settings\all users\DRM
2009-11-06 22:31:44 0 d--h--w- c:\program files\WindowsUpdate
2009-11-06 22:31:04 0 d-----w- c:\program files\common files\MSSoap
2009-11-06 22:29:56 0 d-----w- c:\program files\Online Services
2009-11-06 22:29:51 0 d-----w- c:\program files\Messenger
2009-11-06 22:29:49 0 d-----w- c:\program files\MSN Gaming Zone
2009-11-06 22:29:21 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2009-11-06 23:05:37 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-06 22:30:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-04 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 19:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-14 20:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-02 18:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 20:20:51,26 ===============

Attached Files



#4 sundavis

Malware Response Team

Posted 19 November 2009 - 02:35 AM

Hi Profesionalac,



Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Step2

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


[screenshot]


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:


[screenshot]

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.




In your next reply, please post back:


1. GMER log
2. ComboFix log

Thanks

#5 Profesionalac

Topic Starter

Posted 21 November 2009 - 03:13 PM

I have followed the instructions.
Here is log
Kind regards

Attached Files



#6 sundavis

Malware Response Team

Posted 21 November 2009 - 06:28 PM

Hi Profesionalac,



Looks good. I need to see what happened in the previous runs. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply. After that, please do the following:


Step1

I notice you have MBAM installed on your system; please rerun it as instructed below. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step2

Please run the ESET Online Scanner
Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Step3
  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:

    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5


  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Copy and paste both logs back here in your next reply.
Please post back the logs in your next reply.


1. MBAM log
2. ESET Online Scan log
3. OTListIt.txt and Extra.txt

Tell me the remaining issues you are still experiencing now.

Edited by sundavis, 22 November 2009 - 12:47 AM.
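The OTL custom scan in Step3 above hashes every copy of iaStor.sys, nvstor.sys and atapi.sys found under the system drive (/s walks subfolders, /md5 prints each file's hash) so that a copy in system32\drivers that no longer matches the backups Windows keeps in dllcache or ServicePackFiles stands out. The same consistency check, written here as an added example in Python (not code from the thread or from OTL), run over a constructed stand-in for %SYSTEMDRIVE%; function names and the sample tree are this example's own assumptions.

```python
"""
Driver-copy consistency check: hash every copy of a named driver found
under a root and report the names whose copies do not all share one MD5.
Assumed: ROOT is a live system drive or a mounted offline image. The sample
tree built below is constructed for the demo and is not a real install.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# The three storage drivers the OTL custom scan in the thread asks about.
WATCHED = ("iastor.sys", "nvstor.sys", "atapi.sys")


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_driver_copies(root, names=WATCHED):
    """Walk root recursively (the /s switch) and return
    {basename: {md5: [paths, ...]}} for every file whose basename is in names."""
    wanted = {n.lower() for n in names}
    report = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                report[fn.lower()][md5_of(full)].append(full)
    return {name: dict(by_hash) for name, by_hash in report.items()}


def inconsistent_drivers(report):
    """Driver names whose copies disagree on MD5. A copy in system32\\drivers
    that differs from the dllcache / ServicePackFiles copies is exactly the
    mismatch the hash listing is meant to surface; a single hash across all
    copies is the clean case."""
    return sorted(name for name, by_hash in report.items() if len(by_hash) > 1)


def build_sample_tree():
    """Constructed sample: three copies of atapi.sys, one altered by two bytes,
    plus one clean nvstor.sys. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="drv_")
    original = b"MZ" + b"\x00" * 62 + b"original atapi driver body" * 40
    patched = original[:100] + b"XX" + original[102:]  # two bytes differ
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): patched,
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): original,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): original,
        os.path.join("WINDOWS", "system32", "drivers", "nvstor.sys"): b"MZ" + b"nv" * 200,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo():
    """Run the check over the constructed tree; returns (report, flagged)."""
    root = build_sample_tree()
    report = hash_driver_copies(root)
    flagged = inconsistent_drivers(report)
    for name in sorted(report):
        for digest, paths in report[name].items():
            print(f"{name}  {digest}  x{len(paths)}")
    return report, flagged


if __name__ == "__main__":
    _, flagged = demo()
    print("copies disagree:", flagged or "none")
```

On a real drive a mismatch is a lead, not a verdict: a legitimately updated driver in system32\drivers can also differ from an older ServicePackFiles copy, so the flagged file's version and signature still need to be checked.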


#7 Profesionalac

Topic Starter

Posted 22 November 2009 - 03:14 PM

I have done everything you recommended.
Thanks a lot
Kind regards

Combofix:

2009-11-08 11:22:25 . 2009-11-21 19:47:11 6,898 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-08 11:15:24 . 2009-11-21 19:41:00 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-11-07 21:42:21 . 2009-11-07 21:42:25 1,181 ----a-w- C:\Qoobox\Quarantine\C\test.txt.vir
2009-06-03 13:08:28 . 2009-06-03 13:08:28 34,304 ----a-w- C:\Qoobox\Quarantine\C\Program Files\BitDefender\BitDefender Online Backup\ntsvc.ocx.vir

Attached Files


Edited by Profesionalac, 22 November 2009 - 03:24 PM.


#8 sundavis

Malware Response Team

Posted 22 November 2009 - 05:00 PM

Hi Profesionalac,



The logs look good to me. Your system appears to be clean now. If you have no remaining concerns on your pc, let's do some tidy up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste Combofix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall; it needs to be there.

[screenshot]

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Step2

Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#9 Profesionalac

Topic Starter

Posted 22 November 2009 - 06:17 PM

Thank you very much.
I'll do tomorrow all steps that you recommend me.
Best regards

#10 sundavis

Malware Response Team

Posted 03 December 2009 - 11:53 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.



