Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SSDT hook + rootkit(s?)


  • This topic is locked This topic is locked
46 replies to this topic

#1 geordiecs

geordiecs

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 19 March 2015 - 02:34 PM

One of my machines at work is apparently infected :unsure:

 

FRST.txt

 

Spoiler

 

Addition.txt

 

Spoiler



BC AdBot (Login to Remove)

 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 19 March 2015 - 05:49 PM

Hello geordiecs and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If  you haven't answered within 5 days, I am assuming that you don't need  help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
  • Please reply to this thread. Do not start a new topic
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open as administrator  the computer. How is open as administrator  the computer?
  • Disable your AntiVirus and AntiSpyware applications, as they will  interfere with our tools and the removal. If you are unsure how to do  this, please refer to get help here

Thanks
---------------------------------------------------------------------------------------------------------
 
I am currently reviewing your log.I will be back with a fix for your problem as soon as possible.Please be patient with me during this time.
 
:hello:
 
Sincerely


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 19 March 2015 - 06:45 PM

Hi geordiecs,
 
Programs uninstall:

  • Click on the Windows Start Menu button and then click on the Control Panel.
  • Please double-click the Uninstall a program icon
  • A list of programs installed will be populated this may take a bit of time.
  • Please uninstall the following softwares and applications, if they are present :

TuneUp Utilities
Ask Toolbar
Ask Toolbar Updater
AVG Security Toolbar
C:\Program Files\Ask.com
C:\Program Files\AVG Secure Search
C:\Program Files\AVG Security Toolbar

-------------------------------------------------------
 
 Ensure your external and/or USB drives are inserted during the scan
 
Step 1:
FRST Script:
Please download this attached txt.gif  fixlist.txt   9.7KB   0 downloads and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOT : It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
and fixlist.txt are in the same location or the fix will not work.
 
Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:
Scan with Malwarebytes Antimalware:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 5:
ComboFix run:
Please be sure to run our tools with administrator rights.
* IMPORTAN: 1   Place ComboFix.exe on your Desktop
* IMPORTAN: 2   Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.
 
Have a nice day.

Attached Files


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#4 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 19 March 2015 - 08:29 PM

I am unable to uninstall the AVG Security Toolbar. No uninstaller appears when I select Uninstall, and when I run the Uninstall application in the Program Files folder for AVG Security Toolbar, nothing happens.

 

Should I continue to the next step anyway?



#5 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 20 March 2015 - 11:38 AM

I am unable to uninstall the AVG Security Toolbar. No uninstaller appears when I select Uninstall, and when I run the Uninstall application in the Program Files folder for AVG Security Toolbar, nothing happens.

 

Should I continue to the next step anyway?

Okay. Yes please.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#6 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 12:51 PM

FRST's Fixlog.txt

Spoiler


#7 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 01:00 PM

AdwCleaner's AdwCleaner[S0]

 

Spoiler



#8 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 01:08 PM

JRT's JRT.txt

Spoiler



#9 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 01:42 PM

MBAM Log

Spoiler


#10 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 02:17 PM

When I ran combofix, it ran its course until it displayed "System file is corrupt, attempting to repair..." etc.

 

I can't remember the specific file that it was attempting to repair.

 

It hung there for maybe 25 minutes, and then rebooted the computer.

 

When I select a user to log in, I am presented with a RunDLL dialogue that says

 

"There was a problem starting iernonce.dll

iernonce.dll is not a valid Win32 application."

 

When I click OK on that dialog, the desktop loads normally, but there is a repeatedly cascading series of opening and closing combofix windows at a very rapid rate.



#11 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 02:20 PM

Also, no combofix log was created.



#12 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 20 March 2015 - 05:03 PM

See here.
C: \ Combofix.txt

ComboFix during operation ,did you  make intervention?


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#13 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 05:09 PM

No, I was adamant about not touching anything, not even a movement of the mouse.

 

I was able to navigate to c: but there is no combofix log. the window is still repeatedly tiling/cascading/opening and closing very fast.



#14 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 05:16 PM

I restarted the computer with advanced boot and safe mode to retrieve combofix.txt, which had in fact been created; i didn't see it because my vision and ability to click is greatly reduced by the continuously opening and closing combofix windows.

 

The iernonce.dll error still appears.

 

c:\combofix\combofix.txt

Spoiler


Edited by geordiecs, 20 March 2015 - 05:16 PM.


#15 geordiecs

geordiecs
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 20 March 2015 - 05:19 PM

To be clear, there is no c:\combofix.txt






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users