
Please check for MBR Infection


  • This topic is locked
37 replies to this topic

#1 MML121212

MML121212

  • Members
  • 26 posts

Posted 05 January 2013 - 12:23 PM

I have five computers running in the house on the same network. I have come to learn that most of them have been running with Administrative Shares Enabled, which I think was a bad idea.... As part of this clean up, I would appreciate being told if I should turn off file sharing, and how to do it. (I would like to share printers, but I really do not need to share files, and I am sick of these problems.)

THE PROBLEM:
Computer #1 caught a nasty Department of Justice Hostage virus, which has been removed. I am now working with someone to finish cleaning up Computer #1, which shows evidence of other infections.

I am now asking for your help with Computer #2, which has turned up warnings. I am willing to restore this computer from the recovery partition and start fresh, but I need to know that the MBR is not infected, so as not to perpetuate any problems. I am also open to any suggestion that you have, such as, "Don't bother, you have a simple infection. Just do this."

NOTE: While running DDS, my AVG Resident Shield detected:
Trojan horse Generic30.BNKA
in c:\ProgramData\Microsoft\Windows\DRM\ncrypt.dll

I told AVG to move it to the vault, and it reported that it has been removed successfully.

Thank you very, very much!
MML

==================================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2
Run by Mike at 11:50:42 on 2013-01-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.993 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080819
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{C427074D-A2B3-4A66-A230-41DB5EAB908D} : DHCPNameServer = 208.59.247.45 208.59.247.46
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
IFEO: AcroRd32.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\l5oycuao.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\ptc\np6_pvapplite9.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-7-26 237408]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-8-24 301920]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2012-5-29 1528672]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\FA31xND5.SYS [2001-4-17 16025]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2012-5-8 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
.
=============== Created Last 30 ================
.
2013-01-04 02:31:09 -------- d-----w- c:\users\mike\.m2
2013-01-04 02:30:12 -------- d-----w- c:\users\mike\appdata\roaming\NetBeans
2013-01-04 02:30:12 -------- d-----w- c:\users\mike\appdata\local\NetBeans
2013-01-04 01:58:22 -------- d-----w- c:\program files\ESET
2013-01-04 01:54:03 -------- d-----w- c:\users\mike\appdata\local\Macromedia
2012-12-30 19:47:52 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-12-22 08:00:31 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-22 08:00:31 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 08:02:17 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-12-12 08:02:08 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-12-12 08:02:08 16896 ----a-w- c:\windows\system32\winusb.dll
2012-12-12 08:02:08 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-12-12 08:02:07 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-12-12 08:02:07 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-12-12 08:02:06 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-12-12 08:02:06 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-12-12 08:02:05 613888 ----a-w- c:\windows\system32\WUDFx.dll
2012-12-12 08:02:05 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-12-12 08:02:05 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2012-12-12 06:38:55 2048000 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 06:38:52 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-12 06:38:50 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 06:38:50 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-12 06:38:46 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-09 03:40:21 998128 ----a-w- c:\programdata\microsoft\windows\drm\install_flashplayer.exe
.
==================== Find3M ====================
.
2012-12-11 21:08:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 21:08:30 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-25 08:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 08:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 11:51:14.86 ===============
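The "Created Last 30" section of the DDS log above is where a helper looks for recently dropped executables, and the AVG detection in c:\ProgramData\Microsoft\Windows\DRM is exactly that kind of entry. As an added example, not part of this thread or of the DDS tool, the following Python parses that section and flags executables created under user-writable directories (c:\programdata, c:\users) or carrying the name of a genuine Windows DLL outside c:\windows; the log excerpt is constructed in the DDS layout, with three lines copied from the post and the ncrypt.dll line standing in for the file AVG had already removed.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the DDS "Created Last 30" section from the
# first post. The .m2, win32k.sys and install_flashplayer.exe lines are copied from
# that log; the ncrypt.dll line is constructed to stand in for the file AVG removed.
SAMPLE_DDS = """\
=============== Created Last 30 ================
.
2013-01-04 02:31:09 -------- d-----w- c:\\users\\mike\\.m2
2012-12-12 06:38:55 2048000 ----a-w- c:\\windows\\system32\\win32k.sys
2012-12-09 03:40:21 998128 ----a-w- c:\\programdata\\microsoft\\windows\\drm\\install_flashplayer.exe
2012-12-09 03:40:21 53248 ----a-w- c:\\programdata\\microsoft\\windows\\drm\\ncrypt.dll
.
==================== Find3M ====================
.
2012-12-11 21:08:30 73656 ----a-w- c:\\windows\\system32\\FlashPlayerCPLApp.cpl
"""

# One DDS file entry: "<date> <time> <size or dashes> <attrs> <path>".
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)
# DDS section headers look like "=============== Created Last 30 ================".
HEADER_RE = re.compile(r"^=+ (?P<name>.+?) =+$")

EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Directories any local user can write to; code dropped here did not come from Windows Update.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
# Short constructed list of genuine Windows DLL names; a copy outside c:\windows\ is suspicious.
SYSTEM_DLL_NAMES = {"ncrypt.dll", "crypt32.dll", "wininet.dll", "kernel32.dll"}


@dataclass
class Finding:
    path: str
    created: str
    reasons: tuple


def section_lines(log_text, section_name):
    """Return the entry lines of one DDS section (between its header and the next one)."""
    lines, inside = [], False
    for line in log_text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            inside = header.group("name").strip() == section_name
            continue
        if inside and line.strip() and line.strip() != ".":
            lines.append(line.rstrip())
    return lines


def triage_created(log_text):
    """Flag executables created in user-writable locations or named like system DLLs."""
    findings = []
    for line in section_lines(log_text, "Created Last 30"):
        m = ENTRY_RE.match(line)
        if not m or m.group("attrs").startswith("d"):
            continue  # unparsable line, or a directory entry
        path = m.group("path").lower()
        name = path.rsplit("\\", 1)[-1]
        if not name.endswith(EXEC_EXTENSIONS):
            continue
        reasons = []
        if path.startswith(USER_WRITABLE_ROOTS):
            reasons.append("executable created under a user-writable directory")
        if name in SYSTEM_DLL_NAMES and not path.startswith("c:\\windows\\"):
            reasons.append("system DLL name outside c:\\windows")
        if reasons:
            created = f"{m.group('date')} {m.group('time')}"
            findings.append(Finding(path, created, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_created(SAMPLE_DDS):
        print(f.created, f.path, "->", "; ".join(f.reasons))
```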


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 January 2013 - 03:15 PM

Hello MML121212,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.


1.
You need to take all the computers off the network for now. Once this has been done you need to Reset your router.
How to Reset your router.

2.
We need to check each computer and make sure it is clean before putting it back on the network. Not doing so could just lead to reinfecting the network and all the computers again. This works much like a real virus like the flu.

3.
We will start with this particular machine for which you have posted the logs. Get it clean then proceed to the next. The only time we want the machine we are working on connected to the net is when downloading tools and checking to see if it's still having issues.

4.
Do you have a USB Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 07 January 2013 - 07:39 PM

Thanks Fireman4it!

I have an update... I think that I may have jumped the gun regarding the network computers all being infected. I had someone lead me through a thorough cleaning of the main computer, and they tell me that they have no reason to believe the network was compromised. Also, before receiving your reply I had run AVG on this machine and the scans are coming back totally clean. Please let me know, and thank you!

Is it possible that we could start by first taking a good look at this machine and seeing if it even has an active infection to worry about?

Regards,
MML

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 January 2013 - 09:44 PM

I had someone lead me through a thorough cleaning of the main computer, and they tell me that they have no reason to believe the network was compromised

Maybe this person should lead you through cleaning of this machine also. I'm not going to work in conjunction with someone else; it's a waste of my time and theirs. You had or still have a Backdoor Trojan that operates over a Network and could possibly infect anyone and everyone you have contact with. This steals critical information. Please pay particular attention to the second paragraph. I don't tell people to disconnect everything and check everything for no reason. I mean how much time will it take to scan each one after we have this one fixed vs what can happen if they all are infected or just one of them and they just keep spreading back and forth.

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.



You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



Because your computer was compromised please read:

Let me know how you want to proceed.

Edited by fireman4it, 07 January 2013 - 09:49 PM.


#5 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 07 January 2013 - 09:59 PM

OK, all set. The network has been unplugged.

MML

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 January 2013 - 10:04 PM

Let's run a couple of tools and see what they find.

1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
Once you have these go ahead and reboot and see if AVG picks anything up. Don't put it back online just yet.


#7 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 07 January 2013 - 11:26 PM

I ran tdsskiller. I got confused after the first scan because I was expecting it to say that it found or did not find malicious stuff, and when it said neither I figured that might be part two of the scan, so I pressed 'scan' again. Both times it found a medium risk concern. It created two logs, which I attached.

I ran ComboFix, but because I downloaded it from another computer that had already downloaded it, it renamed the file ComboFix(1). I didn't pay much attention to this. I started the program and it seemed OK for a bit, then disappeared. I left it be and several minutes later it came back and said that I cannot use ComboFix(1) as the file name and to try something else. It seemed to have renamed it ComboFix on its own, and I just reran that and it went fine. I was surprised that it did not make me install a recovery option, but I guess that that machine already has one.

Looking forward to some favorable news.

My post was too long, so I zipped and attached the files. The tdsskiller file is 686K on the disk, but it is not really a lot of text. Weird.

Regards,
MML

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 January 2013 - 01:51 PM

Go ahead and put this one back on the network and see how it runs. Also run a full scan with AVG and see if it finds anything.


#9 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 08 January 2013 - 03:49 PM

Thanks! May I run the same process and post the results here for the other computer I took offline?

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 January 2013 - 03:58 PM

Have you put the first one back online and run a full scan with AVG?


Thanks! May I run the same process and post the results here for the other computer I took offline?

What operating system is this computer? XP, Vista, Win7? Is it 32-bit or 64-bit?

Edited by fireman4it, 08 January 2013 - 03:59 PM.


#11 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 08 January 2013 - 05:46 PM

No, not yet back online nor scanned. I will do that when I get home and report in before proceeding with next machine.

These two machines are Vista 32. The primary computer (fixed by someone else) is XP 32.

Thanks again!!!

#12 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 08 January 2013 - 09:09 PM

Online, updated AVG, ran complete scan. Perfect - No threats found.

MML

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 09 January 2013 - 01:37 PM

Online, updated AVG, ran complete scan. Perfect - No threats found.

Glad to hear it. Once we get done with all of them I will give you instructions for cleaning up our tools and resetting your restore points. Go ahead with the next two machines; they will be machine1 and machine2. This way we can check them both at the same time to try and speed this process up.


#14 MML121212

MML121212
  • Topic Starter

  • Members
  • 26 posts

Posted 09 January 2013 - 09:06 PM

Machine0 (Dining Room) = Waiting for instructions for cleaning up

Machine1 (Family Room) = The logs are attached, and AVG results were completely clean.

Machine2 (Main):

Ran tdsskiller - Found 10 medium risk things, none critical.

Ran ComboFix - But, just like when I ran it when I initially cleaned this machine with the other guy, ComboScan got ready to scan but then RMBR.3XE crashes. The computer sits there doing nothing until I select "Don't send to Microsoft", and then the ComboScan kicks back in.

Logs attached. BUT, this is the machine that started it all and that was cleaned with the help of someone else and reported as in good health. BUT, with all the stuff you wrote above, I am wondering if I have any choice to do anything but a clean install of the OS. I don't WANT to do a clean install, but do I have a sensible alternative? Every little thing freaks me out now. A YouTube video crashed on me after the computer was cleaned and running for a couple of days. It got into an audio stut-t-t-t-t-t-t-t-ter loop, and I had to power down to clear it. All I could think was, "Oh crap, the viri are gittin' all into me!"


Thanks again!!!
MML

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 09 January 2013 - 09:18 PM

20:32:29.0562 0872 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
20:32:29.0562 0872 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Please rerun TdssKiller on Machine2 (MAIN) and select delete for the above only. As you can see it is still infected.


Please also run the following on Machine2 and post me the log

  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Once that is done make sure to run a complete scan on this machine with its AV. Don't put this one back on the network yet until you report back to me and I give you the OK. Machine 1 is OK to put back on the network.

Edited by fireman4it, 09 January 2013 - 09:18 PM.
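The helper's call in post #15 rests on two TDSSKiller log lines: the \Device\Harddisk0\DR0 object got a verdict but the user's action on it was Skip, so the machine is still infected. As an added example, not from this thread or from Kaspersky's tool, the following Python collects every object TDSSKiller gave a verdict and reports which ones were skipped or never acted on, so a log can be triaged before a machine goes back on the network; the log is constructed in the tool's line layout, with only the two DR0 lines taken from the post, and the helper.sys/example.sys paths and the "Example.Rootkit.Verdict" name are placeholders.

```python
import re
from collections import OrderedDict

# Constructed TDSSKiller log excerpt in the "<time> <pid> <object> ( <verdict> ) - <outcome>"
# layout. The two \Device\Harddisk0\DR0 lines are the ones quoted in post #15; the other
# objects and the "Example.Rootkit.Verdict" name are placeholders.
SAMPLE_TDSSKILLER_LOG = """\
20:32:10.0101 0872 C:\\Windows\\system32\\drivers\\acpi.sys - ok
20:32:11.0202 0872 C:\\Program Files\\Example\\helper.sys ( UnsignedFile.Multi.Generic ) - warning
20:32:12.0303 0872 C:\\Windows\\system32\\drivers\\example.sys ( Example.Rootkit.Verdict ) - warning
20:32:29.0562 0872 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
20:32:29.0562 0872 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
20:32:30.0001 0872 C:\\Program Files\\Example\\helper.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:32:30.0002 0872 C:\\Windows\\system32\\drivers\\example.sys ( Example.Rootkit.Verdict ) - User select action: Cure
"""

# One log line: time, pid, object, optional "( verdict )", then " - outcome".
ENTRY_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<obj>.+?)"
    r"(?: \( (?P<verdict>[^)]+) \))? - (?P<outcome>.+)$"
)


def parse_detections(log_text):
    """Map each object that received a verdict to its verdict, first sighting and final user action."""
    detections = OrderedDict()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or not m.group("verdict"):
            continue  # unparsable line, or an object TDSSKiller reported as ok
        entry = detections.setdefault(
            m.group("obj"),
            {"verdict": m.group("verdict").strip(), "first_seen": m.group("time"), "action": None},
        )
        outcome = m.group("outcome").strip()
        if outcome.startswith("User select action:"):
            entry["action"] = outcome.split(":", 1)[1].strip()
        elif outcome == "skipped by user" and entry["action"] is None:
            entry["action"] = "Skip"
    return detections


def unresolved_objects(detections):
    """Objects with a verdict that were skipped or never acted on; these still need attention."""
    return [obj for obj, e in detections.items() if e["action"] in (None, "Skip")]


if __name__ == "__main__":
    found = parse_detections(SAMPLE_TDSSKILLER_LOG)
    for obj in unresolved_objects(found):
        e = found[obj]
        print(f"{e['first_seen']} {obj} ({e['verdict']}) -> action: {e['action']}")
```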




