shawnh Posted March 7, 2010

Hi all,

I got a rather persistent little trojan on my hands. I've run Malwarebytes several times and it says it will remove it on reboot, but when I do and run Malwarebytes again, it's still there (see attached screenshot). I've noticed that possibly because of this virus, I can't do any google search on "malware" or such... my browser just won't go anywhere. And when I try to run TrendMicro Housecall, it'll crash it. Weird eh?

Thanks to anyone who can help!

Cheers
Shawn
ExTS Admin Starbuck Posted March 8, 2010

Hi shawnh

2 things for you:

Step 1

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear.
- Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 2

Download OTL to your desktop. If you have problems, try this download link: OTL

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
  http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
- Now copy the lines in the codebox below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

- Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
- Click the Run Scan button.
  http://img.photobucket.com/albums/v708/starbuck50/runscan.png
- Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
- GooredFix.txt
- both reports from OTL

Thanks.

Member of: UNITE
shawnh Posted March 9, 2010 (Author)

Thanks very much Starbuck, I did all the runs you suggested, but there was too much text to paste into this reply window, hence I've attached the result files instead.

Thanks!
Shawn

Attachments: GooredFix.txt, Extras.Txt, OTL.Txt
ExTS Admin Starbuck Posted March 9, 2010

Hi shawnh

> there was too much text to paste into this reply window, hence I've attached the result files instead.

That's fine, no problem.

GooredFix took care of one bad extension, let's clean up a bit more then we'll get another scan done:

Step 1

- Double click on OTL.exe to run it.
- Copy the lines in the codebox below. (Make sure that :OTL is on the first line.)

    :OTL
    PRC - C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
    O4 - HKCU..\Run: [TOY5KNQ8OC] C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
    [2010/03/07 09:51:07 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    [2010/03/08 17:39:48 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Kathy\Application Data\SystemProc
    [2010/03/09 01:44:12 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    :commands
    [emptytemp]
    [purity]
    [EMPTYFLASH]

- Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
- Click the red Run Fix button.
  http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
- OTL will reboot your system once the fix has completed.
- After the reboot, you may need to double click OTL to launch the program and retrieve the log.
- Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

Step 2

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
- Then: Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- If running Vista, you may not see this screen.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please submit:
- OTL report that comes up after the fix
- Combofix.txt

Thanks.

Member of: UNITE
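An added example, not part of this thread and not OTL's own code: a small Python triage of OTL-style lines like the ones in the fix script above, flagging the traits that fix targets (a binary in a Temp directory with an empty publisher field, an auto-start Run key pointing at it, hidden entries under Windows\Tasks). The regexes are my approximation of OTL's line format, an empty "()" is assumed to mean no publisher was recorded, and the HKLM line is a constructed benign control.

```python
import re

# Regexes approximating the three OTL line shapes seen in the fix script above.
RE_PRC = re.compile(r"^PRC - (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
RE_FILE = re.compile(r"^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]+) \| [CM]\] "
                     r"(?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$")

# Constructed sample: the first four lines are copied from the thread's fix, the last is a benign control.
SAMPLE_LINES = r"""
PRC - C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
O4 - HKCU..\Run: [TOY5KNQ8OC] C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
[2010/03/07 09:51:07 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/08 17:39:48 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Kathy\Application Data\SystemProc
O4 - HKLM..\Run: [Example] C:\Program Files\Example\example.exe (Example Corp)
""".strip().splitlines()


def parse_line(line):
    """Return (kind, fields) for a recognised OTL line, or None for anything else."""
    for kind, rx in (("process", RE_PRC), ("run_key", RE_O4), ("file", RE_FILE)):
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None


def reasons_for(kind, f):
    """Heuristics mirroring what the fix above removed; returns a list of human-readable reasons."""
    path = f["path"].lower()
    reasons = []
    if "\\temp\\" in path:
        reasons.append("located in a Temp directory")
    if kind in ("process", "run_key") and f["vendor"] == "":
        reasons.append("no publisher recorded")  # assumption: empty () means OTL found no company name
    if kind == "run_key" and reasons:
        reasons.append(f"auto-starts via {f['hive']} Run key [{f['name']}]")
    if kind == "file":
        if "H" in f["attrs"]:
            reasons.append("hidden attribute set")
        if "\\tasks\\" in path and path.endswith(".job"):
            reasons.append("scheduled-task job file")
    return reasons


def triage(lines):
    """Parse OTL lines and return only the entries that trip at least one heuristic."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fields = parsed
        reasons = reasons_for(kind, fields)
        if reasons:
            findings.append({"kind": kind, "path": fields["path"], "reasons": reasons})
    return findings
```

Running `triage(SAMPLE_LINES)` flags the four entries from the fix and leaves the signed Program Files control untouched.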
shawnh Posted March 9, 2010 (Author)

All done Starbuck... I've attached the files.

Thanks man!
Shawn

Attachments: 03092010_172121.txt, ComboFix.txt
ExTS Admin Starbuck Posted March 9, 2010

Hi shawnh

How's the system running now?

Member of: UNITE
shawnh Posted March 11, 2010 (Author)

Seems to be great now Starbuck, thanks very much! I didn't think we were done - I thought there was still something left for you to do with the last files I sent you!

Cheers
Shawn
ExTS Admin Starbuck Posted March 11, 2010

> I didn't think we were done

We're not quite finished yet :D

> I thought there was still something left for you to do with the last files I sent you!

The OTL report just confirms that the fix ran successfully.
Combofix took care of a couple of problems and didn't leave anything for us to clean up.

Let's get an online scan done now and double check everything.

I'd like you to do an ESET OnlineScan

- Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  - Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  - Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
- Accept any security warnings from your browser.
- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
- Click the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Thanks

Member of: UNITE
shawnh Posted March 22, 2010 (Author)

Hi Starbuck, sorry for the long delay in getting back to you - I've had a million things on the go here. Anyhoo, the ESET scan came out clean! Didn't find any malware at all! Below is a copy of the log file:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=cf2a1ed6ac5cd5468ebbd0c2b12631e4
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-03-22 05:36:16
    # local_time=2010-03-22 02:36:16 (-0400, Atlantic Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 2955781 9400243 0 0
    # scanned=57356
    # found=0
    # cleaned=0
    # scan_time=3709

... so I guess we're all done with this computer then? Thanks SO much man!

But I'm not done bugging you however ;-) It appears one other of my computers is affected with something. When I go to run MalwareBytes on it, it shuts the program down automatically. Would you mind helping me again for this one?

Thank You!
Shawn
ExTS Admin Starbuck Posted March 22, 2010

Hi shawnh

> sorry for the long delay in getting back to you - I've had a million things on the go here.

It's no problem at all.

> But I'm not done bugging you however ;-) It appears one other of my computers is affected with something.

We'll finish off this system, then we can draw a line under it.
Each system will have to be looked at separately.
We don't have a problem with looking at any other system you have.... just start a new thread and either myself or one of the team will take a look for you.

Step 1

Please double-click OTL.exe to run it.
You should see a CleanUp! button, press that button.
http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
This will remove any programs we have asked you to download along with their associated folders.. plus itself.
Note: MBAM will not be removed

Step 2

Now you should Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then go to Start > Run and type: Cleanmgr
- Click "OK".
- Select the drive for cleaning then click OK (usually 'C' drive)
- Click the "More Options" Tab.
- Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

To find out how you may have been infected....read this topic: So how did i get infected?
Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

- Use an AntiVirus Software
  Avira AntiVir
  Avast free
  AVG Free
  Bitdefender Free
  MS Security Essentials ... see note*
  Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.
  Only install one AntiVirus program

- Update your AntiVirus Software regularly

- Use a 3rd party Firewall
  Online Armor Free
  ZoneAlarm ...Important note below
  Outpost Firewall Free
  Sunbelt Personal Firewall
  NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.
  Only install one software Firewall
  Some 3rd party Firewalls will turn off the windows firewall when they are installed. It's always best to check that the Windows Firewall is turned off:
  How to turn off Windows Firewall: Start ... Control Panel ...click on 'Classic View'. Now select Windows Firewall. When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok

- Scan regularly with a 'Stand Alone' Anti-Malware scanner:
  Installing another scanner that you can run once or twice a week is always beneficial. Something like:
  Malwarebytes Anti-Malware
  SUPERAntiSpyware
  Remember to update these programs each time before running.
  You can install more than one of these if you only run them as stand alone programs.

- Use an alternative browser:
  Some excellent alternatives to MS Internet Explorer are:
  Firefox
  For added security, add the NoScript extension to this browser: Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
  Also consider adding: WOT - Safe Browsing Tool
  Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
  Btw: you don't have to make a contribution.
  Opera
  They offer better security, more stability, and better speed.

- Keep a backup of your registry
  Keeping a regular backup of your registry will help when something goes wrong. Use a program like:
  Erunt
  A full tutorial on how to set up and use Erunt can be found here: Erunt tutorial

- Keep your system clean of temp files etc, using a 'Cleaner':
  Cleaners are programs that will help to clean out your:
  Windows temp files
  Current user temp files
  Cookies
  Temporary Internet files
  Browser history
  Recycle bin
  Etc.......
  In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
  Programs like:
  CCleaner
  TFC by OldTimer
  ATF Cleaner

- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster

- Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.

Member of: UNITE
shawnh Posted April 18, 2010 (Author)

Sorry for the long delay in replying Starbuck... I did your last recommended steps, so I guess we are all done with this machine! Thanks SO much!!!

Anyhoo, like I had mentioned before, I have another machine with problems. OK if I open up a new thread regarding it, as you suggested?

Thanks!
Shawn