
Infected With Something bad


  • This topic is locked
38 replies to this topic

#1 ianjamo

  • Members
  • 23 posts

Posted 13 May 2010 - 09:59 PM

I have been redirected to this part of the forum from here http://www.bleepingcomputer.com/forums/t/316477/please-help/

I've followed the steps outlined in the preparation guide, when I run the DDS script it starts but then stops within a couple of seconds and doesn't create any log files!! I have attached my gmer log.

My laptop seems to be getting worse; it is now only stable in safe mode.

Attached Files

  • ark.txt (7.22KB)



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 May 2010 - 06:32 PM

Hello.

My name is Extremeboy, and I will help you out here. That's not a good sign at all; if you need to, feel free to perform the steps below in Safe Mode as needed.

I would like you to run this scan; if it doesn't work, let me know. You seem to be infected with one of the newer TDL3 rootkits, which we will try to deal with in our next step once I see the logs from the scan below...

Download and run OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
  4. Push the button.
  5. It will now begin to scan, please be patient while it scans.
  6. Two reports will open once it's done.
  7. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 14 May 2010 - 06:54 PM

Scan completed and attached!



#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 May 2010 - 07:23 PM

Hi again.

Thanks for those logs.

The main infection is that TDL3 rootkit, which I want to deal with first. Let's run ComboFix and see if it can remove and disinfect it; if not, we'll try something else in the next post.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


#5 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 14 May 2010 - 08:27 PM

ComboFix has run, log file attached.



#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 May 2010 - 09:14 PM

Is that the Complete Combofix log?

Go to your C:\ drive and look for the Combofix.txt log file again and see if that's the complete log. If it is, please run Combofix once more and post the log. If that is not the complete log, post the complete log for me to review.

#7 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 14 May 2010 - 09:54 PM

Rerun and the correct log attached



#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 15 May 2010 - 01:03 PM

Thanks for that log file. Could you do the following:

Press the "Windows Key" and the R button on your keyboard. This will bring up the Run... command.

Copy/paste the following single-line command into the Run box and click OK:

cmd /c "mbr -t" >Log.txt&Log.txt&del Log.txt

A log will appear once done. Post that log in your next reply.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#9 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 15 May 2010 - 04:45 PM

Thanks for all that, logs attached as per request.


Edited by ianjamo, 15 May 2010 - 10:13 PM.


#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 15 May 2010 - 09:35 PM

Thanks for those log files.

I need to see the OTL.txt log as well. You posted the Extras.txt log twice.

Thanks.

The infection is still active, and once I see the OTL.txt we can find a suitable replacement copy.

#11 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 15 May 2010 - 10:03 PM

Sorry 'bout that, bit of a goose!

OTL logfile created on: 16/05/2010 7:27:22 AM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Ian Jamieson\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.39 Gb Total Space | 68.43 Gb Free Space | 49.44% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 74.17 Gb Free Space | 66.35% Space Free | Partition Type: NTFS
Drive E: | 10.66 Gb Total Space | 2.38 Gb Free Space | 22.37% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IANJAMIESON-PC
Current User Name: Ian Jamieson
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard


#12 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 15 May 2010 - 10:08 PM

You didn't post the complete OTL.txt log. ;)

Getting late here, I'll review the logs tomorrow.

Thanks.

#13 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 15 May 2010 - 10:11 PM

Like I said - goose!!

Attached Files

  • OTL.Txt (141.79KB)

Edited by ianjamo, 15 May 2010 - 10:15 PM.


#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 16 May 2010 - 10:52 AM

No worries.

A few questions before we continue.

1) Do you still have your Windows Vista disk available?
2) Do you have some spare, unused CDs/DVDs?

Let me know, and please do the following as well.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    partmgr.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


#15 ianjamo

  • Topic Starter
  • Members
  • 23 posts

Posted 16 May 2010 - 04:31 PM

Extremeboy, I don't believe that I was ever given any Vista disks when I bought the laptop; however, it does have a partitioned-off drive for recovery?

Yes, I do have some CDs, or will get some more DVDs as required.

Log posted below:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:25 on 17/05/2010 by Ian Jamieson (Administrator - Elevation successful)

========== filefind ==========

Searching for "partmgr.sys"
C:\Qoobox\32788R22FWJFW\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] (Unable to calculate MD5)
C:\Windows\System32\drivers\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] 57389FA59A36D96B3EB09D0CB91E9CDC
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6000.16386_none_df65518fbd847fbf\partmgr.sys --a--- 49256 bytes [08:51 02/11/2006] [09:50 02/11/2006] 555A5B2C8022983BC7467BC925B222EE
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6001.18000_none_e19c138bba6f9093\partmgr.sys --a--- 56376 bytes [08:18 20/03/2008] [07:42 19/01/2008] 3B38467E7C3DAED009DFE359E17F139F
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6002.18005_none_e3878c97b7915bdf\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] (Unable to calculate MD5)

-=End Of File=-
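The SystemLook output above is the kind of evidence the helper reads by eye: the live copy of partmgr.sys in System32\drivers, the ComboFix backup in C:\Qoobox, and three WinSxS copies, two of which the tool could not hash at all. As an added example (not code from this thread, from SystemLook's author, or from any of the tools named here), the Python below parses that :filefind log, cross-checks the live driver's MD5 against the WinSxS copy of the same build, and flags files whose MD5 could not be read. Two things are my own assumptions, not anything the thread states: that copies of the same build share the same byte size (used to pick the reference copy), and that "Unable to calculate MD5" on a file the tool can otherwise see is worth flagging for a reader to investigate. The sample log is embedded from post #15 so the script runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the filefind section as SystemLook printed it in post #15
# of this thread (paths, sizes and hashes copied from the page, not invented).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:25 on 17/05/2010 by Ian Jamieson (Administrator - Elevation successful)

========== filefind ==========

Searching for "partmgr.sys"
C:\Qoobox\32788R22FWJFW\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] (Unable to calculate MD5)
C:\Windows\System32\drivers\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] 57389FA59A36D96B3EB09D0CB91E9CDC
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6000.16386_none_df65518fbd847fbf\partmgr.sys --a--- 49256 bytes [08:51 02/11/2006] [09:50 02/11/2006] 555A5B2C8022983BC7467BC925B222EE
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6001.18000_none_e19c138bba6f9093\partmgr.sys --a--- 56376 bytes [08:18 20/03/2008] [07:42 19/01/2008] 3B38467E7C3DAED009DFE359E17F139F
C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6002.18005_none_e3878c97b7915bdf\partmgr.sys --a--- 54248 bytes [07:17 27/05/2009] [06:32 11/04/2009] (Unable to calculate MD5)

-=End Of File=-
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5 or failure marker.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-\w]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)


@dataclass
class FileEntry:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook reported it could not hash the file
    attrs: str = ""
    modified: str = ""
    created: str = ""

    @property
    def is_live_driver(self) -> bool:
        return "\\system32\\drivers\\" in self.path.lower()

    @property
    def is_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(text: str) -> list[FileEntry]:
    """Return one FileEntry per result line of a SystemLook :filefind log."""
    entries: list[FileEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Searching for", blank and footer lines
        md5 = m.group("md5")
        entries.append(FileEntry(
            path=m.group("path"),
            size=int(m.group("size")),
            md5=None if md5.startswith("(") else md5.upper(),
            attrs=m.group("attrs"),
            modified=m.group("modified"),
            created=m.group("created"),
        ))
    return entries


def assess(entries: list[FileEntry]) -> dict:
    """Cross-check the live driver against WinSxS copies of the same build.

    Assumption (mine, not the thread's): copies of the same build have the same
    byte size, so a same-size WinSxS copy with a readable MD5 is the reference
    for the live file and the natural replacement candidate.
    """
    live = next((e for e in entries if e.is_live_driver), None)
    unreadable = [e for e in entries if e.md5 is None]
    if live is None:
        return {"verdict": "no_live_copy", "live": None,
                "unreadable": unreadable, "candidates": []}
    candidates = [e for e in entries
                  if e.is_winsxs and e.md5 is not None and e.size == live.size]
    if live.md5 is None or not candidates:
        verdict = "unverifiable"
    elif all(c.md5 == live.md5 for c in candidates):
        verdict = "verified_clean"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "live": live,
            "unreadable": unreadable, "candidates": candidates}


def report(result: dict) -> str:
    """Render the assessment as the short summary a helper would paste back."""
    lines = [f"verdict: {result['verdict']}"]
    if result["live"]:
        live = result["live"]
        lines.append(f"live driver: {live.path} size={live.size} md5={live.md5}")
    for e in result["unreadable"]:
        lines.append(f"MD5 unreadable (investigate read interference): {e.path}")
    for c in result["candidates"]:
        lines.append(f"same-size WinSxS copy: {c.path} md5={c.md5}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(parse_filefind(SAMPLE_LOG))))
```

Run against the log from post #15 the verdict is "unverifiable": the only WinSxS copy of the same size (build 6.0.6002.18005) is one of the two files SystemLook could not hash, so the live driver's MD5 has nothing to be compared with. That is exactly the situation the helper is working through in this thread, and the script makes the gap explicit instead of leaving it to a reader scanning five long lines.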



