trojan.fakealert, trojan.tdss, rootkit.agent, and many more!


#1 jessy108 (New Member, 5 posts)
Hello,
I have a bit of a problem and I was hoping that you could help. For days now, my computer has been infected with trojans, malware and rootkits. I have tried everything from your guide and my antivirus program just popped up and said it found 50 infected files. I just needed some help to make sure I got it all. My computer was freezing after 10 minutes of being on it and it wouldn't let me open any security programs because it had them blocked. That has been fixed but I still kept finding malware and rootkits with different programs. Please help me to make sure I get them all!!! Thank you so much!

-----------------------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/14/2009 3:09:40 PM
mbam-log-2009-08-14 (15-09-40).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Objects scanned: 156383
Time elapsed: 1 hour(s), 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This was my last malware scan a minute ago but like I said, my virus program keeps popping up and telling me I have viruses in my C and H drives. I just downloaded avast antivirus and I'm not sure how to post their findings.


-----------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 02:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\A0048043.dll
Status: Locked to the Windows API!

Path: c:\windows\system32\wmp.dll
Status: Allocation size mismatch (API: 10842112, Raw: 10838016)

Path: c:\windows\system32\wmpdxm.dll
Status: Allocation size mismatch (API: 286720, Raw: 315392)

Path: C:\WINDOWS\inf\HFX37.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\oem34.inf
Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\oem34.PNF
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.cat
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.manifest
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\assembly\GAC_MSIL\ASPNET_REGIIS.EXE-0240A7FC.pf
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess
Status: Invisible to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\default\local settings\temp\dd_net_framework20_setup3b15.txt
Status: Size mismatch (API: 12098436, Raw: 9156570)

Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB954550-v5.cat
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\msxpsdrv.CAT
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\spool\prtprocs\x64
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngenrootstorelock.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.WinFX.targets
Status: Visible to the Windows API, but not on disk.


I also ran RootRepeal and have since emptied my temp folder.

--------------------------------------------------------------------

This was my malware scan from yesterday.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/14/2009 12:32:25 AM
mbam-log-2009-08-14 (00-32-22).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 161136
Time elapsed: 41 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClqcrpxrxyo.dll.vir (Rogue.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnkriskrsap.dll.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{D200B31F-A553-465E-A0C7-36D6696F575D}\RP700\A0047756.dll (Rogue.Agent) -> No action taken.
C:\System Volume Information\_restore{D200B31F-A553-465E-A0C7-36D6696F575D}\RP700\A0047758.dll (Trojan.TDSS) -> No action taken.
H:\i386\Apps\App13493\add-gateway.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> No action taken.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSkkao.log (Trojan.TDSS) -> No action taken.

This was my malware scan from yesterday. Please help me to make sure that I got everything!


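A parser for the Malwarebytes log format shown in the post above, added here as an example (it is not code from the thread or from Malwarebytes): it reads the summary counters and the per-section hits, checks that the counters agree with the items actually listed (a truncated paste shows up there), and separates hits that are still live from ones already sitting in ComboFix's quarantine or in an old System Restore point. SAMPLE_LOG is a constructed excerpt in that layout.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage the hits.

Added example: not from the thread and not Malwarebytes' own code. The layout
(summary counters, section headers, '<target> (<Family>) -> <action>.' item
lines, 'Bad: (1) Good: (0)' registry-data lines) follows the logs posted in
the thread; SAMPLE_LOG is a constructed excerpt in that layout.
"""
import re
from dataclasses import dataclass

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<action>.+?)\.?$"
)

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2551

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnkriskrsap.dll.vir (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> No action taken.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkao.log (Trojan.TDSS) -> No action taken.
"""


@dataclass
class Detection:
    section: str
    target: str
    family: str
    action: str

    def is_live(self):
        # "No action taken" means the user only scanned. Hits under ComboFix's
        # quarantine (C:\Qoobox) or inside old System Restore points are not
        # live code either; flushing old restore points removes the latter.
        t = self.target.upper()
        return (self.action == "No action taken"
                and not t.startswith("C:\\QOOBOX\\")
                and "\\SYSTEM VOLUME INFORMATION\\" not in t)


def parse_mbam_log(text):
    """Return (summary counters by section, list of Detection) for one log."""
    summary, items, section = {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = SUMMARY_RE.match(line)
        if m and m["section"] in SECTIONS:
            summary[m["section"]] = int(m["count"])
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]           # a per-section item list starts here
        elif section and (m := ITEM_RE.match(line)):
            items.append(Detection(section, m["target"], m["family"], m["action"]))
    return summary, items


def count_mismatches(summary, items):
    """Sections whose counter disagrees with the items listed (e.g. a truncated paste)."""
    listed = {s: sum(d.section == s for d in items) for s in summary}
    return {s: (n, listed[s]) for s, n in summary.items() if listed[s] != n}


def triage(items):
    """Group detections the way a helper reading the log would."""
    live = [d for d in items if d.is_live()]
    return {
        # *DisableNotify flipped to 1: Security Center's AV/firewall/update warnings silenced.
        "security_center_tampered": [d for d in items if d.family == "Disabled.SecurityCenter"],
        # Autostart entries under ...\CurrentVersion\Run that are still in place.
        "autostart": [d for d in live if "\\CURRENTVERSION\\RUN\\" in d.target.upper()],
        # Rootkit.* and *TDSS* families: the TDSS rootkit the thread is about.
        "rootkit_related": [d for d in items if d.family.startswith("Rootkit.") or "TDSS" in d.family],
        "live_unresolved": live,
    }
```

Run `triage(*parse_mbam_log(open("mbam-log.txt").read())[1:])` on a real log to get the same grouping; `count_mismatches` is the first thing to check when a pasted log looks shorter than its counters say.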
#2 SpySentinel (Retired Staff, 5,152 posts)
Hi Jessy,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.

If for any reason you do not understand any of the instructions, or are just unsure then please post back with your question, and we will go through it together :)



You have a nasty rootkit called TDSS. I see you have ComboFix installed already; please delete it then:


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3 jessy108 (Topic Starter, 5 posts)
I just ran combofix and I attached a copy of my log.


#4 SpySentinel (Retired Staff, 5,152 posts)
Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.

#5 jessy108 (Topic Starter, 5 posts)
OK, I ran both programs and they both came up clear. The ESET scan came up with zero threats and it did not produce a log. I also attached my malwarebytes log here.

Edited by jessy108, 14 August 2009 - 06:51 PM.


#6 SpySentinel (Retired Staff, 5,152 posts)
Things are looking up. I would like to take a deeper look to make sure nothing is hiding.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#7 jessy108 (Topic Starter, 5 posts)
OK, finally got back to the computer and ran that scan for files and folders within the last 3 months. I attached the logs. Thanks so much for continuing to help me! :)

Attached Files
  • info.txt (19.93KB, 194 downloads)
  • log.txt (28.88KB, 172 downloads)

#8 SpySentinel (Retired Staff, 5,152 posts)
You're welcome.

How is your computer running?

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Adobe Reader 6.0.1
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 3
Java™ 6 Update 7

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Be aware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.3 - Hosts File Manager
  • Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


#9 jessy108 (Topic Starter, 5 posts)
My computer is running better than before I got the rootkit. Thank you so much for helping me in making sure that my computer was clean now.

I did run Combofix before you told me to, but I think that's how I got rid of most of the bad files. I followed a problem on this website that was very close to mine and downloaded Combofix and renamed it so the rootkit would let me run it. That seemed to clean most of it up; it just needed a few more tweaks apparently.

Before that, someone told me that because I could not get my security programs up and running I was going to have to format my entire computer! :) I found your website and fixed the problem! :)

Again, thanks so much for taking the time to assist me!!! :)


Jessy
:) Big Geekstogo fan now!!

Edited by jessy108, 16 August 2009 - 09:55 PM.


#10 SpySentinel (Retired Staff, 5,152 posts)
You're welcome, glad I could help!

Your log looks clean, Great Job :)

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now for some cleanup.
Please download OTC and save it to Desktop.
  • Please make sure you are connecting to the Internet
  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    No Firewall Onboard

    You don't seem to have a firewall program installed. Using a firewall will allow you to allow/deny access for applications that want to go online. Select one of these, or another of your choice:

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

  • Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Here are some additional utilities that will enhance your safety:

  • McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • 0
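The HOSTS-file recommendation above works by making the system resolver answer with a sinkhole address (127.0.0.1, or 0.0.0.0 in newer lists) before any DNS query is made. The following is an added example, not code from this thread or from the MVPS project: it parses hosts-file syntax the way the resolver reads it (comments, several names per line, first entry wins, case-insensitive exact match) and shows the one gap practitioners trip over, namely that a hosts file has no wildcards, so a sinkholed `ads.example.net` does nothing for `cdn.ads.example.net`. The host names in the sample are constructed placeholders, not entries from any real blocklist.

```python
"""Added example: how a HOSTS-file blocklist (such as the MVPS list) blocks a site,
and what it cannot block. Not part of the original forum post."""

# Constructed sample in hosts-file syntax. Names are illustrative placeholders.
SAMPLE_HOSTS = """\
# constructed hosts file for illustration
127.0.0.1       localhost
127.0.0.1       ads.example.net                 # blocked ad server
127.0.0.1       tracker.example.org banner.example.org
0.0.0.0         malware-download.example        # 0.0.0.0 also sinkholes
# 127.0.0.1     commented-out.example           # disabled entry, must not block
::1             localhost
"""

# Addresses that mean "go nowhere" when they appear in a blocklist entry.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately point at loopback and are not blocklist entries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def default_hosts_path(platform):
    """Location of the live hosts file for the given sys.platform string."""
    if platform.startswith("win"):
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text):
    """Return {lowercased hostname: address}, mirroring resolver behaviour:
    '#' starts a comment, whitespace separates fields, one address may be
    followed by several names, and the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), address)
    return table


def lookup(table, hostname):
    """Exact, case-insensitive match only; there is no wildcard or suffix logic."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the hosts file sends this exact name to a sinkhole address."""
    name = hostname.lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return lookup(table, name) in SINKHOLES


def slips_past(table, hostname):
    """If `hostname` is not blocked but one of its parent domains is, return that
    parent. This is the coverage gap: a hosts file blocks 'ads.example.net' yet
    'cdn.ads.example.net' still resolves normally through DNS."""
    if is_blocked(table, hostname):
        return None
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if is_blocked(table, parent):
            return parent
    return None


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "cdn.ads.example.net", "localhost"):
        print(host, "blocked" if is_blocked(table, host) else "not blocked",
              "(parent blocked: %s)" % slips_past(table, host))
```

Two caveats follow from the code. First, because matching is exact, a list must enumerate every hostname an ad network uses; `slips_past` is a quick way to spot names that a blocked parent does not cover. Second, pointing entries at 127.0.0.1 (as the 2009-era MVPS file did) means each blocked request is actually attempted against your own machine; if anything local listens on port 80 the browser will talk to it, whereas 0.0.0.0 makes the connection fail immediately, which is why later lists switched to it.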