Trojan:Win32/Sirefef...


  • This topic is locked
8 replies to this topic

#1 stindi
Posted 24 April 2012 - 05:51 PM

I received this computer infected and have since found the browser (IE) unresponsive to certain websites like Yahoo Mail. However, Google and GMail work just fine.
Websearch was also the home page, which I have changed.
I've done full scans with both Microsoft Security Essentials and Malwarebytes. The Trojan was said to have been removed, only to reappear fairly quickly.
We'll take whatever we find one step at a time. The Trojan seems to be the most intrusive at this point.
The instructions asked for the DDS log, the Attach doc and the GMER log for 32 bit systems. I have attached the last 2.
OP is Vista.
Thanks in advance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 18:32:18 on 2012-04-23
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3062.1433 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.google.com/
uSearch Bar =
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mSearchAssistant =
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: ALOT Appbar Helper: {85f5cf95-ec8f-49fc-bb3f-38c79455cba2} - c:\program files\alotappbar\bin\bho\ALOTHelperBHO.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: ALOT Appbar: {a531d99c-5a22-449b-83da-872725c6d0ed} - c:\program files\alotappbar\bin\ALOTHelper.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [hpqSRMon]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{08A5B188-0DC9-4390-8F90-55A7288AEF89} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{38DDC70D-26C2-40A0-8077-F1C3114E537D} : DhcpNameServer = 93.188.166.105 1.2.3.4
TCP: Interfaces\{7C465835-7E6E-4708-8BCB-F6886FB7071D} : DhcpNameServer = 192.168.0.10 192.168.0.11
TCP: Interfaces\{9362D75E-5917-4887-B580-3CF0BA2C60FC} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-2 21504]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 avgfwsrv;LPDSVC;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CTMFLT;Nmraapache;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mcafeeantispyware;Outpostfirewall;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mcproxy;Pptchpad;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mcredirector;Nvstor64;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mctaskmanager;Cpucoolserver;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mfebopk;Tsmservice;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mirrorv3;Tosporte;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mksupdateint;Marvinbus;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 mksvirmonsvc;Ss_mdfl;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 naiavfilter1;PDExchange;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 ofcservice;SE27obex;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 RalinkRegistryWriter;Awservice;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 starwindservice;Scdemu;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 vetmonnt;L8042Kbd;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 webrootadminconsole;EPOWER;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 webrootenterpriseclientservice;Ssm_bus;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S2 xfilt;ROB_V;c:\windows\system32\svchost.exe -k netsvcs [2009-2-2 21504]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-7 253088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-1 30192]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-8-15 552448]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-23 21:18:05 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d2a9cda3-18f3-4926-ba28-8c895e75b70e}\offreg.dll
2012-04-23 18:48:45 -------- d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2012-04-23 18:48:32 -------- d-----w- c:\programdata\Malwarebytes
2012-04-23 18:48:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-23 18:48:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-23 15:00:11 6734704 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d2a9cda3-18f3-4926-ba28-8c895e75b70e}\mpengine.dll
2012-04-12 07:10:45 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:10:45 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 05:11:15 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-08 11:32:35 -------- d-----w- c:\users\owner\appdata\roaming\SpeedMaxPc
2012-04-08 11:32:35 -------- d-----w- c:\users\owner\appdata\roaming\DriverCure
2012-04-08 11:32:23 -------- d-----w- c:\program files\common files\SpeedMaxPc
2012-04-08 11:32:19 -------- d-----w- c:\programdata\SpeedMaxPc
2012-04-08 11:32:19 -------- d-----w- c:\program files\SpeedMaxPc
2012-04-07 21:21:00 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-07 14:46:50 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-26 15:41:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-14 11:35:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-07 15:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 18:33:00.81 ===============

#2 SweetTech
Posted 25 April 2012 - 01:03 AM

Hi stindi

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue.
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    tdx.sys
    afd.sys
    netbt.sys
    ping.exe
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 stindi
Posted 25 April 2012 - 05:33 AM

First off, let me say thank you ST. I appreciate your help. This is something I do for friends when they have problems. I too have a regular job that only allows me small amounts of time to work on PC's, but I will be as fast as I can.
With that said, let me ask. Would saving the things, documents and pictures, and reformatting this machine to its original state be easier? I realize all the documents and so on could be infected as well, but the guy that owns this PC uses it pretty much for emails, some browsing and so on. Pulling his pics and documents would be a breeze and save us both time.
And if you have a moment, how does something like this get past Microsoft Security Essentials? I'm sure it's something he allowed, but shouldn't the security program stop it?
It probably asked him... LOL
Anyway, thanks again for your time. I'll be starting on this today until I hear from you otherwise that reformatting would work.
And stindi or Steve works just fine. :)

#4 stindi
Posted 25 April 2012 - 06:04 AM

ST,
I see after reading the articles posted, a reformat and re-install might be the best way to go. Although, I do love tinkering... I'll ask my friend what he wants and get back to you.

#5 SweetTech
Posted 25 April 2012 - 08:19 AM

Hi Steve!

Would saving the things, documents and pictures, and reformatting this machine to its original state be easier? I realize all the documents and so on could be infected as well, but the guy that owns this PC uses it pretty much for emails, some browsing and so on. Pulling his pics and documents would be a breeze and save us both time.

A reformat and re-install is always going to be the easiest thing to do.

how does something like this get past Microsoft Security Essentials? I'm sure it's something he allowed, but shouldn't the security program stop it?
It probably asked him... LOL

In all honesty, it can originate from something like a pop-up window, so there is a possibility that it originated from someone clicking something and it brought the malicious infection on board. It also doesn't help that your friend's router appears to have been hijacked.

Among the many things going on with this computer, it also appears that your friend's router is infected. Assuming you don't live in the Ukraine, that is.

This entry here shows me this:

TCP: Interfaces\{38DDC70D-26C2-40A0-8077-F1C3114E537D} : DhcpNameServer = 93.188.166.105 1.2.3.4

The IP address points to the Ukraine.

Link: http://whois.domaintools.com/93.188.166.105

Your friend's router is going to need to be reset, and if you're connecting the computer using your router, you may want to reset your router as well just to be on the safe side.

These are the instructions for resetting the router:

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area connection and select Properties .
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it: Make sure of the following settings:
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
  • Click OK twice.
  • If you should change any setting reboot the computer.

Regardless of what your friend and you decide you want to do, your friend's router is going to need to be reset.

Let me know how you want to proceed.

~ST.

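The router-hijack check ST made by eye on the DhcpNameServer lines, as an added example that is not part of the thread: it parses the "TCP:" entries of a DDS log and flags any resolver that is neither a LAN address nor an explicitly trusted public one. The sample lines are constructed from the log posted above; the function names are my own.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the "TCP: ... DhcpNameServer" lines of the
# DDS "Pseudo HJT Report" posted in this thread (one unrelated line included).
SAMPLE_DDS_LINES = """\
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\\{08A5B188-0DC9-4390-8F90-55A7288AEF89} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\\{38DDC70D-26C2-40A0-8077-F1C3114E537D} : DhcpNameServer = 93.188.166.105 1.2.3.4
TCP: Interfaces\\{7C465835-7E6E-4708-8BCB-F6886FB7071D} : DhcpNameServer = 192.168.0.10 192.168.0.11
TCP: Interfaces\\{9362D75E-5917-4887-B580-3CF0BA2C60FC} : DhcpNameServer = 192.168.1.254
"""

# Matches the global default line (no interface) and per-interface lines
# keyed by the adapter GUID. DDS separates several servers with spaces.
_DNS_LINE = re.compile(
    r"^TCP:\s*(?:Interfaces\\(\{[0-9A-Fa-f-]+\})\s*:\s*)?DhcpNameServer\s*=\s*(.*?)\s*$"
)


def parse_dhcp_nameservers(dds_text: str) -> List[Tuple[Optional[str], List[str]]]:
    """Return (interface GUID or None, [server tokens]) for every DhcpNameServer line."""
    entries = []
    for line in dds_text.splitlines():
        m = _DNS_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).split()))
    return entries


def classify_resolver(token: str, trusted_public: Set[str]) -> Optional[str]:
    """Return a reason string if the resolver looks wrong for a home LAN, else None."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "not a valid IP address"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return None  # the router or another LAN host: the normal case for DHCP-assigned DNS
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "unroutable address"
    if str(ip) in trusted_public:
        return None  # a public resolver the administrator deliberately configured
    return "public resolver not in the trusted list"


def flag_rogue_dns(dds_text: str, trusted_public=frozenset()) -> List[Tuple[Optional[str], str, str]]:
    """List (interface, server, reason) for every DNS server that warrants a closer look.

    A home router handing out a foreign public resolver, as in the posted log,
    is the classic sign that the router's DNS settings have been altered.
    """
    findings = []
    trusted = set(trusted_public)
    for iface, servers in parse_dhcp_nameservers(dds_text):
        for token in servers:
            reason = classify_resolver(token, trusted)
            if reason:
                findings.append((iface, token, reason))
    return findings


if __name__ == "__main__":
    for iface, server, reason in flag_rogue_dns(SAMPLE_DDS_LINES):
        print(f"{iface or 'default'}: {server} -> {reason}")
```

Run against the sample, only the interface with 93.188.166.105 and 1.2.3.4 is reported; the 192.168.x.x entries are the expected LAN gateways.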


#6 stindi
Posted 25 April 2012 - 09:26 AM

After reading your post, I ran the DDS on my computer. I show no problem with my router; the only connection is my home address. I'm hoping to avoid resetting it if possible.
As for his computer, I don't know if he has a rescue disk, the original OS disk or anything else. This PC does not have a section of the hard drive dedicated to restoring it. If he has none of the things we need to restore and re-install, he's on his own. I may attempt to clean it but he'll probably buy a new PC.
OK, what kind of chocolate chip cookies do you want? LOL
I'll be in touch when he's back in town.
Thanks. :)

Edited by stindi, 25 April 2012 - 09:27 AM.


#7 SweetTech
Posted 26 April 2012 - 02:31 AM

Hi!

After reading your post, I ran the DDS on my computer. I show no problem with my router; the only connection is my home address. I'm hoping to avoid resetting it if possible.
As for his computer, I don't know if he has a rescue disk, the original OS disk or anything else. This PC does not have a section of the hard drive dedicated to restoring it. If he has none of the things we need to restore and re-install, he's on his own. I may attempt to clean it but he'll probably buy a new PC.

Okay. That's not a problem. I have no problem either way, just let me know what you guys decide. :)


OK, what kind of chocolate chip cookies do you want? LOL

haha! You're one of a handful of people who have noticed that tidbit in my Intro Speech. I added it in there to see how many people were paying attention.

I'll be in touch when he's back in town.

Okay.

I look forward to your reply then.

Warmest Regards,
ST.



#8 stindi
Posted 27 April 2012 - 03:25 AM

ST,
Since he has the restoration disk, reformatting and re-installing is probably the best and easiest way to go. Had he not had this disk, as most don't, I would have tried to remove this.
Thank you very much for your help and time. I always enjoy what I can learn doing these things, as well as helping keep my computers clean.
Hope your next topic is an easy one. :)
Sincerely,
Steve

#9 SweetTech
Posted 28 April 2012 - 07:12 AM

Hi Steve,

A reformat and re-install is the best thing one can do with this infection.

Please take care!

Kindest Regards,
SweetTech.

____________________________________________________

Since it appears that the issues you were experiencing with your computer have been resolved by reformatting and re-installing, I am going to close this thread. If you should need the thread re-opened please send me a Private Message (PM) with a request to re-open the thread, as well as the link to the thread in question, and I'd be happy to re-open the thread.






