Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win Disk Trojan


  • This topic is locked This topic is locked
42 replies to this topic

#1 DarkChocolate9

DarkChocolate9

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 04 February 2011 - 07:19 PM

I have tried rkill and then used Malware bytes as suggested but to no avail. The virus comes back next time I boot computer. I tried resetting my computer to a week before again to no avail. I have also tried to get gmer.zip file opened and scanned. I was only able to use gmer after rkill so I could stop the bug from interfering with my use of the computer. To be safe I will post this topic and then run the gmer scan (which failed last
time as the computer shut down). After the scan is done I will post the results. I dont want to loose this stuff due to the computer shutting down again during scan. Cheers Henry

DDS (Ver_10-12-12.02) - NTFSx86
Run by Jan-Maree at 9:04:18.29 on Sat 05/02/2011
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2039.641 [GMT 11:00]

AV: CA Anti-Virus Plus *Enabled/Outdated* {3EED0195-0A4B-4EF3-CC4F-4F401BDC245F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Disabled/Updated* {F008AB3A-52B9-2B13-3681-4ED4FDA86549}
SP: CA Anti-Virus Plus *Enabled/Outdated* {858CE071-2C71-417D-F6FF-7432605B6EE2}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\DataMate Online Backup Manager\aua\bin\AuaObm.exe
C:\Program Files\DataMate Online Backup Manager\bin\Scheduler.exe
C:\Program Files\DataMate Online Backup Manager\aua\jvm\bin\AuaObmJW.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DataMate Online Backup Manager\jvm\bin\SchedulerOBM.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\SMINST\scheduler.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\DataMate Online Backup Manager\bin\SystemTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\QbyEjDmJqwk.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\WFTPairing.exe
C:\ProgramData\ME63AhuOgBAvvB.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\EOSUPNPSV.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Users\Jan-Maree\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theage.com.au/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=none&bd=smb&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=none&bd=smb&pf=laptop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [QbyEjDmJqwk.exe] c:\programdata\QbyEjDmJqwk.exe
uRun: [ME63AhuOgBAvvB] c:\programdata\ME63AhuOgBAvvB.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [VetStart] "c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe" -r
mRun: [OBSystemTray] "c:\program files\datamate online backup manager\bin\SystemTray.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\jan-ma~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\wftpai~1.lnk - c:\program files\canon\eos utility\wftpairing\WFTPairing.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\jan-ma~1\appdata\roaming\mozilla\firefox\profiles\m3ltaz89.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theage.com.au/
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-18 40840]
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-10 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-30 13696]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-18 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-18 81288]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-4-23 5808]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-4-19 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-4-19 21504]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-1-31 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-8-6 206160]
R2 OBAutoUpdate;AutoUpdateAgent (DataMate Online Backup Manager);c:\program files\datamate online backup manager\aua\bin\AuaObm.exe [2009-9-15 61440]
R2 OBScheduler;Online Backup Scheduler (DataMate Online Backup Manager);c:\program files\datamate online backup manager\bin\Scheduler.exe [2009-9-15 49152]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-25 179712]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-5-12 29472]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-19 21504]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-4-23 221184]
S4 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2007-1-5 18944]
S4 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-11-25 540448]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-6-18 356920]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-6-18 1079176]

=============== Created Last 30 ================

2011-02-02 10:26:27 377344 ----a-w- c:\progra~2\ME63AhuOgBAvvB.exe
2011-02-02 10:26:19 421888 ----a-w- c:\progra~2\bqFGxVGikap.dll
2011-02-02 10:26:18 456704 ----a-w- c:\progra~2\QbyEjDmJqwk.exe
2011-01-17 03:02:57 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-17 03:02:57 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-17 03:02:57 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-17 03:02:57 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-17 03:02:57 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-17 03:02:57 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-17 03:02:53 1169408 ----a-w- c:\windows\system32\sdclt.exe

==================== Find3M ====================

2010-11-08 21:29:01 95568 ----a-w- c:\windows\system32\vetredir.8
2010-11-08 21:29:01 128336 ----a-w- c:\windows\system32\isafeif.8

============= FINISH: 9:11:55.82 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 04 February 2011 - 08:09 PM

Hi there Attached is the gmer log. Please note this log was taken after turning on the computer and then running rkill to free the computer enought from the windisk trojan to allow for running the log without the computuer crashing mid stream. I think that about all I can provide at the moment and look forward to some suggestions to kill this trojan. Cheers Henry

Attached Files



#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 05 February 2011 - 01:21 AM

Hello
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • If your still needing assistance with your Malware problem let me know. If you no longer require assistance also please let me know
  • I will be analyzing your log. I will get back to you with instructions.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 05 February 2011 - 08:07 PM

Hi Fireman

Yes I still need help with this Malware. Its still well and truly in action. Look forward to hearing from you.

#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 06 February 2011 - 03:22 PM

Hello,


Please proceed with these steps in order given.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
TDSSkiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 06 February 2011 - 03:44 PM

Hi Fireman I have used rkill on the computer to make it usable at this time. If I shut down the computer and restart then the malware returns. Do I need to do this before I start to execute step one or can I execute step one having already used rkill?

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 07 February 2011 - 12:16 AM

Hello,

Run Rkill Before TDSSkiller then again before Combofix.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 07 February 2011 - 02:23 AM

I did not get far. I tried your instructions below....Loaded .exe file to desktop then double clicked to run. It asked for admin permissions so I said continue but then it did not do anything. So I tried the run as administrator option (as its a Vista Machine). This did not help. I then tried renaming it and this did not help. So I am stuck. Your advice please. Thanks Henry



  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com).

Edited by DarkChocolate9, 07 February 2011 - 02:24 AM.


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 10 February 2011 - 05:04 PM

Hello,

Please skip the TDSSKIller and proceed to Combofix.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 12 February 2011 - 05:41 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 12 February 2011 - 06:33 PM

Hi I am struggling big time. I proceeded to install combofix and thought I had disabled anti virus (CA). During the running of Combo it asked me to uninstall the anti virus. I did this and then ran Combo. It froze. I tried to run it again (twice) and the first time it froze and the second time it froze and produced a "blue screen of death"!!!! Ahhhh!!! So I went back to square one and restored my computer to yesterday (before installing Combo and deleting CA anti virus). Went through again deleting anti virus and installing combo fix. When I ran combo fix it started and then I got the blue screen of death again. So now don't know what to do?? Please give me your suggestion. Cheers Henry

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 12 February 2011 - 09:54 PM

Hello,

Lets run COmbofix in Safemode. Delete any copy of Combofix you have from your desktop. Make sure Ca antivirus is uninstalled not just deleted.

Now download a new copy of Combofix to your desktop. Don't run it yet. Now boot into Safemode and run it.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 13 February 2011 - 02:35 AM

Hi Followed your instructions and when I ran Combofix in safe mode the same issue. Its froze while running. No blue screen this time just froze. Any other approach?

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:08 PM

Posted 13 February 2011 - 12:29 PM

Hello,

We will Use another tool. Please run these tools in normal mode if you can.

1.
  • 1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the Posted Image icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized



2.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose [/b]Select All[/b].
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.


3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

4.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


Things to include in your next reply::
OTL.txt
Attach.txt
Bootkit Remover log
MBRCheck log
RkuUnhooker log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#15 DarkChocolate9

DarkChocolate9
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:10:08 AM

Posted 13 February 2011 - 06:55 PM

Hi Fireman You will see the docs that you requested attached. You will also see them all except rkuunhooker. When i tried to run this one (after leaving the two boxes checked that you required) I got a blue screen of death (see attached for details). I will try the unhooker again with one of the other links and see what happens and then give you another update. Cheers

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users