
TFC (Temp File Cleaner) & Trojan-BNK.Win32.Keylogger.gen [Closed]



#16
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
A couple to remove first:

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    c:\users\michaelene\documents\azureus downloads\super collapse 3(cracked)
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Then:



Hey there, mrjhov79 !

OK! Well done, your log is clean again! :)

Time for some housekeeping.

Step 1.
Clean up:

What we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.

Second:

Double-click OTL.exe to run it.
Click the CleanUp button
Click Yes to the reboot.

Now delete any tools/logs that are left over after you ran OTL CleanUp.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com.../readstep2.html

Remove the older versions and install the latest.


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fifth:
On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!
  • 0



#17
mrjhov79

mrjhov79

    Member

  • Topic Starter
  • Member
  • 11 posts
Question????
I'm doing the cleanup per your instructions and right before I downloaded new spyware tools my computer acted as if it was hijacked again. No prompt popped up asking to buy the "2010 Antivirus" programs, but it did attempt to close the browser I was using; it was unsuccessful because I had more than one browser open and it had to ask if it was okay to close more than one browser at one time.

Does this mean my computer is still infected? Would it make more sense to just clear and reformat?
  • 0

#18
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Does this mean my computer is still infected?

That's hard to say with that vague description. Can you please elaborate?

Would it make more sense to just clear and reformat?

That's up to you actually. You should backup important data.

If you decide not to reformat run this tool.

Download OTS to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
  • Open the OTS folder and double-click on OTS.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
  • Under Additional Scans check the boxes beside

    Reg - ActiveX StubPath
    Reg - App Paths
    Reg - Approved Shell Extensions
    Reg - Desktop Components
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - Ext
    Reg - File Associations
    Reg - IE Explorer Bars
    Reg - NetSvcs
    Reg - Protocol Filters
    Reg - Protocol Handlers
    Reg - SafeBoot Minimal
    Reg - SafeBoot Network
    Reg - Security Center Settings
    Reg - Session Manager Settings
    Reg - Shell spawning
    Reg - Winsock2 Catalogs
    Reg - Uninstall List
    Evnt - EventViewer Logs ( Last 10 Errors)
    File - Lop Check
    File - Purity Scan

  • Under the Custom Scan box paste this in


    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

Edited by heir, 30 March 2010 - 06:23 AM.
formatting error

  • 0

#19
mrjhov79

mrjhov79

    Member

  • Topic Starter
  • Member
  • 11 posts
I have attached the OTS log to this reply. Also, the infection is certainly still affecting the computer: on two separate occasions it attempted to close all browsers and began opening the Taskbar and Start Menu properties. It even moved my Start button from the bottom left of the screen to the upper left.

Attached Files

  • Attached File  OTS.Txt   335.15KB   129 downloads

  • 0

#20
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Download the GMER Rootkit Scanner. Unzip it to your Desktop.


Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
  • 0

#21
mrjhov79

mrjhov79

    Member

  • Topic Starter
  • Member
  • 11 posts
I attempted to run this twice; the first time it began to run but eventually locked up the computer. I shut down and re-ran it, and here is the log it produced at completion. I tried to upload it but it continued to tell me I could not upload this type of file.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-31 22:06:21
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\MICHAE~1\AppData\Local\Temp\aglcipog.sys


---- System - GMER 1.0.15 ----

SSDT 859C38B0 ZwAlertResumeThread
SSDT 859C3990 ZwAlertThread
SSDT 8C89C9F8 ZwAllocateVirtualMemory
SSDT 8C00C5F0 ZwAlpcConnectPort
SSDT 8C8A4008 ZwAssignProcessToJobObject
SSDT 859C3600 ZwCreateMutant
SSDT 8C8A4D28 ZwCreateSymbolicLinkObject
SSDT 8C1190C8 ZwCreateThread
SSDT 859C3138 ZwDebugActiveProcess
SSDT 8C89CBC8 ZwDuplicateObject
SSDT 859C3FC0 ZwFreeVirtualMemory
SSDT 859C36F0 ZwImpersonateAnonymousToken
SSDT 859C37D0 ZwImpersonateThread
SSDT 8D1FDC88 ZwLoadDriver
SSDT 859C3EE0 ZwMapViewOfSection
SSDT 859C3520 ZwOpenEvent
SSDT 8C89C3E0 ZwOpenProcess
SSDT 8C89CAE8 ZwOpenProcessToken
SSDT 859C3360 ZwOpenSection
SSDT 8C89CC98 ZwOpenThread
SSDT 8C8A4F18 ZwProtectVirtualMemory
SSDT 8CFFB4E0 ZwResumeThread
SSDT 859C3C30 ZwSetContextThread
SSDT 859C3D10 ZwSetInformationProcess
SSDT 859C3218 ZwSetSystemInformation
SSDT 859C3440 ZwSuspendProcess
SSDT 859C3A70 ZwSuspendThread
SSDT 8E15A590 ZwTerminateProcess
SSDT 859C3B50 ZwTerminateThread
SSDT 859C3E00 ZwUnmapViewOfSection
SSDT 8C89C908 ZwWriteVirtualMemory
SSDT 8C8A4E18 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822ED880 8 Bytes [B0, 38, 9C, 85, 90, 39, 9C, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822ED894 4 Bytes [F8, C9, 89, 8C]
.text ntkrnlpa.exe!KeSetEvent + 13D 822ED8A0 4 Bytes [F0, C5, 00, 8C]
.text ntkrnlpa.exe!KeSetEvent + 191 822ED8F4 4 Bytes [08, 40, 8A, 8C]
.text ntkrnlpa.exe!KeSetEvent + 1F5 822ED958 4 Bytes [00, 36, 9C, 85]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760d13a9
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760d13a9@001cef1a0bda 0x89 0xDC 0x3D 0xEB ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002760d13a9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002760d13a9@001cef1a0bda 0x89 0xDC 0x3D 0xEB ...

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\SystemRestore\FRStaging\Users\Michaelene\Documents\Azureus Downloads\Norton Internet Security 2008 v15.5.0.23 Final [EDGE]-[RH]\NIS08_v15.5.0.23_Final\Norton Internet Security 2008 v15.5.0.23\More Activation + Fixing Errors Options\NIS08- Patch_v1 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Users\Michaelene\Documents\Azureus Downloads\Norton Internet Security 2008 v15.5.0.23 Final [EDGE]-[RH]\NIS08_v15.5.0.23_Final\Norton Internet Security 2008 v15.5.0.23\More Activation + Fixing Errors Options\NIS08- Patch_v1\NIS08- Patch_v1.exe 702284 bytes

---- EOF - GMER 1.0.15 ----

Edited by mrjhov79, 31 March 2010 - 10:26 PM.

  • 0
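The GMER report above can be cross-checked mechanically. As an added example that is not part of this thread (helper names are my own; the log excerpt is a constructed cut-down of the one posted), the Python below parses the SSDT and kernel code section lines, clusters hook targets by address region, and decodes the bytes reported at KeSetEvent as little-endian pointers: in the posted log [B0, 38, 9C, 85] is 0x859C38B0, the ZwAlertResumeThread SSDT target, so those .text lines describe the same hooks listed under System rather than independent code patches.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the GMER report posted above (not the full log).
SAMPLE_GMER_LOG = """---- System - GMER 1.0.15 ----
SSDT 859C38B0 ZwAlertResumeThread
SSDT 8C89C9F8 ZwAllocateVirtualMemory
SSDT 8C1190C8 ZwCreateThread
SSDT 8E15A590 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822ED880 8 Bytes [B0, 38, 9C, 85, 90, 39, 9C, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822ED894 4 Bytes [F8, C9, 89, 8C]

---- EOF - GMER 1.0.15 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)$")
TEXT_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s+[0-9A-F]+\s+([0-9A-F]{8})\s+\d+ Bytes \[(.*)\]$")

def parse_gmer(text):
    """Return SSDT hooks [(name, target)] and .text patches [(symbol, address, bytes)]."""
    hooks, patches = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append((m.group(2), int(m.group(1), 16)))
            continue
        m = TEXT_RE.match(line)
        if m:
            # GMER truncates long byte lists with "..."; drop that marker.
            raw = [b for b in m.group(3).replace(" ", "").split(",") if b != "..."]
            patches.append((m.group(1), int(m.group(2), 16), bytes(int(b, 16) for b in raw)))
    return hooks, patches

def hooks_by_region(hooks, shift=16):
    """Cluster hook targets by 64 KiB region; one region usually means one driver."""
    regions = defaultdict(list)
    for name, addr in hooks:
        regions[addr >> shift].append(name)
    return {f"{r << shift:08X}": sorted(n) for r, n in regions.items()}

def patches_pointing_at_hooks(text):
    """Decode patched bytes as little-endian pointers and match them to SSDT targets."""
    hooks, patches = parse_gmer(text)
    by_addr = {addr: name for name, addr in hooks}
    found = {}
    for _sym, _addr, data in patches:
        for i in range(0, len(data) - 3, 4):
            ptr = int.from_bytes(data[i:i + 4], "little")
            if ptr in by_addr:
                found[f"{ptr:08X}"] = by_addr[ptr]
    return found
```

Running `patches_pointing_at_hooks` over the full posted log matches every KeSetEvent byte run to an SSDT entry, which is why the two sections should be read together before treating either as a separate finding.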

#22
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Hmm... this is strange.


Step 1.
MBAM:


  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 2.
OTL-scan:


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath the option Extra Registry change it to Use SafeList.
  • Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles /all
    %systemroot%\System32\config\*.sav

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Step 3.
RootRepeal:

Download RootRepeal from one of the following locations and save it to your desktop: Link 1, Link 2, Link 3
  • Double click Posted Image to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Posted Image button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Posted Image button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Step 4.
Things I would like to see in your reply:

  • The content of the log from MBAM in step 1.
  • The content of OTL.txt and Extras.txt from step 2.
  • The content of Rootrepeal.txt from step 3.
  • Information on how your computer is running now. (What are the symptoms?)

  • 0

#23
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





