
breaking all the rules


  • This topic is locked
16 replies to this topic

#1 zzajlatem

zzajlatem

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:03:54 PM

Posted 17 October 2010 - 12:09 AM

Hello,
I just got my membership, so I will be following instructions from here on out, BUT... I read the things not to do and I've done ALL of them.
I used combofix, have cd emulation and am posting without the correct logs.
ANYWAY...
My computer was working fine. A little download here, a little porno there, I had webroot, malwarebytes, spybot s&d, combofix, everything was cool. I shut my computer down and was away from home for a few days. When I came back, the first thing that happened when I turned it on was "windows security essentials" had a security alert for me and I don't even have that program on my machine! I began running scans like a good boy (webroot, malwarebytes, spybot) and got rid of the fake security program. What it left on my computer is this: My sound switched from USB device to laptop speakers, when I click google links it sends me WEIRD places and I can't get combofix to run. AEI.EXE starts when I run combofix and takes up 100% CPU. Then SSU.EXE and CSRSS.EXE come in and battle for control. I've deleted ssu and csrss, but they just come back. I've contacted webroot, but they send me instructions that I've already followed.
What I am attaching is my combofix log (yeah, I got it to run once). I will find out what programs I need to post logs that you can use and do that.

DDS said it would take 3 minutes and it took at least an hour. gmer went fine.
I've done as I was instructed to do and even turned off my virtual cd drive with defogger.
The files are attached and I await a reply with some type of help...
please.

EDIT: Posts merged ~BP



Edited by Budapest, 17 October 2010 - 04:26 PM.



 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:54 PM

Posted 27 October 2010 - 02:21 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 zzajlatem


Posted 28 October 2010 - 10:44 PM

Thank you for responding. I think that I may have fixed the problem, as my computer is working much more normally now. I used Dr. Web and Super Anti-Spyware along with my regular programs (webroot with spysweeper, malwarebytes' anti-malware, combofix and spybot s&d). I hope that this does not prevent you from trying to help me with my possible infection.
I will run the programs that you have told me as well as the other diagnostic tools and upload the logs from all of them. It would be nice to find out for sure if my computer is really and truly free of problems.

#4 Elise


Posted 29 October 2010 - 08:08 AM

Thank you for letting me know. Could you please also post the combofix log (it can be found at c:\log.txt).

regards, Elise


#5 zzajlatem


Posted 29 October 2010 - 09:43 PM

I tried to run combofix to get the log that you wanted, but it said "OS incompatible", then it updated and restarted and didn't end up running.
I'm attaching all of the other reports that I did gather.
The sound on my machine is working correctly and firefox is also functioning. I will be running the following programs since combofix not working seems to be a bad omen.
webroot with spysweeper
spybot s&d
malwarebytes' anti-malware
super anti-spyware free edition
Here are the placeholder tags for my logs that I just ran.
Attached File  DDS.txt   14.33KB   0 downloads
Attached File  Extras.Txt   33.76KB   1 downloads
Attached File  gmer 10 29 10.log   17.36KB   1 downloads
Attached File  OTL.Txt   78.92KB   0 downloads
Attached File  Attach.zip   3.29KB   0 downloads
Thank you for being more helpful than the computer protection company that I have to pay for.

#6 Elise


Posted 30 October 2010 - 04:57 AM

Hi, please also run rootkit unhooker and post me the log.

regards, Elise


#7 zzajlatem


Posted 30 October 2010 - 01:04 PM

I ran rootkit unhooker without reading the instructions and it generated this report
Attached File  Report.txt   62.32KB   1 downloads
I ran it as the directions instructed and got a file that this forum won't let me post. It says that the file type is not allowed.
I ran the programs that I mentioned and nothing came up with any results.
My internet connection is the only thing that draws my attention now. It is normally very good and pages load very quickly, but recently, I've gotten page load errors when loading basic websites like blogger and such.

Edited by zzajlatem, 30 October 2010 - 01:07 PM.


#8 Elise


Posted 30 October 2010 - 01:19 PM

Combofix not working is not necessarily a bad omen, sometimes it just happens. :) Please try it as instructed below from within safe mode with networking.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#9 Elise


Posted 06 November 2010 - 06:00 AM

Hi, are you still there?

regards, Elise


#10 zzajlatem


Posted 07 November 2010 - 01:24 AM

Yes, I'm still here. I'll follow your combofix instructions and post the log for you.

#11 Elise


Posted 07 November 2010 - 04:27 AM

Okay, I'll wait for your log.

regards, Elise


#12 zzajlatem


Posted 07 November 2010 - 05:37 PM

I turned off all of the virus scanners and protection, then ran combofix. Here is the log.
Attached File  ComboFix.txt   14.41KB   1 downloads

#13 Elise


Posted 08 November 2010 - 02:59 AM

That looks okay. What problems do you still have at this point?

regards, Elise


#14 zzajlatem


Posted 08 November 2010 - 06:10 PM

Thanks for responding.
Like I said before, I just wanted to make sure that the computer is clean. Thank you for your time and for being human.

#15 Elise


Posted 09 November 2010 - 03:10 AM

Hi, some last steps to ensure you stay clean. :)

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise