
Can you tell me how the log says no rootkits found? I just ran a scan with MBA-M and as usual it said I had worms, trojans and Rootkit.TDSS on there. Why couldn't Avenger detect those? And worse than that, when I select remove threats MBA-M says the threats have been deleted, but when I run a scan the Rootkit.TDSS is right back there. What's going on?


OK, I did what you said and my computer still freezes when I connect to the internet, and I still can't run ComboFix. Here's the Avenger log.

Did you reboot and try combofix?



If that doesn't work, let's try another powerful tool:

Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- AVP Tool will open.
-- Click the Manual Cure Tab
-- Click the Gathering system information Button and let it run
-- When it finishes, click the link “Open folder” to access the folder where the report is saved.

Please save the log and post it for me.


THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily.

Please post that for me.

Also, let me know if you ran into any problems with these steps.
Note: AVP Tool should "self-uninstall" or prompt you to remove it upon exit, so be sure to save the log before closing the program.

PP:)


OK, I got the log, but before I get to that I've got a few questions. I've been looking around the net and a few people with problems similar to mine have been told to disable System Restore because it could save infected files. And also I noticed more than a few files camp out in my Temporary Internet Files folder; couldn't I just delete everything in the folder to make sure everything is gone myself? And I've spotted some suspicious stuff in the root of my C:\ drive, like a folder called qoobox, another one called pkbtemp with a 16 MB text file called syskeys, a file named w2ksect.bin and a hidden file named iph.ph. Now to the log; this was before I removed the infections.

Malwarebytes' Anti-Malware 1.41
Database version: 3234
Windows 5.1.2600 Service Pack 2

12/1/2009 3:02:24 PM
mbam-log-2009-12-01 (15-02-20).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 194562
Time elapsed: 1 hour(s), 13 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Net_Login (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NET_LOGIN (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\netlogin (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\netlogin (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WLIZGP6B\ssv[1].txt (Worm.PALEVO) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP48\A0031896.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP50\A0031962.exe (Trojan.Banker) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP50\A0031976.exe (Virus.Parite) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP50\A0031977.exe (Trojan.Banker) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP50\A0031986.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\isvchost.exe (Virus.Parite) -> No action taken.
C:\WINDOWS\system32\B.tmp (Worm.PALEVO) -> No action taken.
C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\ntuser.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\kyf21.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\Temp\laf1C.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\Temp\oma1.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\Temp\ruf22.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\Temp\rundll32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\bka1.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\Temp\fla1.tmp (Worm.Parite) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
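As an added illustration for this thread (not MBAM's code and not anything posted by the participants), the script below parses the MBAM log layout shown above and sorts each detection by where it lives. The split matters for the question that opened the thread: files and registry entries that are live on the system are the persistence, and if a scan still lists them after "remove threats" the infection is not gone, while copies inside System Volume Information are restore-point snapshots that are inert until System Restore is used and are normally flushed once the machine is clean. The embedded SAMPLE_LOG is a constructed fragment in the same format; the restore-point GUID is a placeholder.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM) log by threat family and by
where each detection lives.

Added example for this thread; it is not MBAM's code or anything posted by
the participants. SAMPLE_LOG below is a constructed fragment in the same
layout as the log posted above; the restore-point GUID is a placeholder.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3234

Memory Processes Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP48\A0031896.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\Temp\kyf21.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
"""

# One detection line: "<path> (<Threat.Family>) -> <action taken>."
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Files Infected:" (the count lines end with a number, not a colon)
SECTION = re.compile(r"^(?P<section>.+ Infected):$")


def classify_location(path):
    """Bucket a detection by where it sits, because that decides what it means.

    Live files and registry entries are the persistence mechanism: if a scan
    still lists them after a 'remove', the infection is not gone. Restore-point
    copies are inert until System Restore is used and are normally flushed
    after the cleanup is finished; temp/cache copies are droppings."""
    lowered = path.lower()
    if lowered.startswith("hkey_"):
        return "registry"
    if "\\system volume information\\_restore" in lowered:
        return "restore point copy"
    if "\\temp\\" in lowered or "temporary internet files" in lowered:
        return "temp/cache"
    return "live file"


def parse_mbam_log(text):
    """Return a list of dicts (section, path, threat, action, location)."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION.match(line)
        if m and section:
            records.append({
                "section": section,
                "path": m.group("path"),
                "threat": m.group("threat"),
                "action": m.group("action"),
                "location": classify_location(m.group("path")),
            })
    return records


def summarize(records):
    """Count detections per threat family, broken down by location bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["threat"]][r["location"]] += 1
    return {threat: dict(buckets) for threat, buckets in counts.items()}


def active_components(records):
    """Paths that are live on the system, deduplicated: MBAM reports a running
    file under both 'Memory Processes Infected' and 'Files Infected'."""
    return sorted({r["path"] for r in records
                   if r["location"] in ("live file", "registry")})


def restore_point_copies(records):
    """Snapshot copies under System Volume Information."""
    return sorted(r["path"] for r in records if r["location"] == "restore point copy")


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for threat, buckets in sorted(summarize(recs).items()):
        print(f"{threat}: {buckets}")
    print("\nMust be gone after cleanup (live components):")
    for p in active_components(recs):
        print("  ", p)
    print("\nRestore-point copies (flush System Restore once the machine is clean):")
    for p in restore_point_copies(recs):
        print("  ", p)
```

Run it against a saved mbam-log-*.txt by reading the file into parse_mbam_log instead of SAMPLE_LOG. On the log above, the live components are the Windows\svchost.exe and system32 entries plus the Run value and the Net_Login/netlogin services; those are what a follow-up scan should no longer list.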


OK, I got the log, but before I get to that I've got a few questions. I've been looking around the net and a few people with problems similar to mine have been told to disable System Restore because it could save infected files,

That is not the proper procedure. We like to operate under the assumption that "an infected restore point is better than none at all" in the event that the repair process goes awry and we need to take a step back.
We flush System Restore AFTER the repair process is complete.
-- Also, many of the cleaning tools we use will set restore points before they run for this very reason.

and also I noticed more than a few files camp out in my Temporary Internet Files folder; couldn't I just delete everything in the folder to make sure everything is gone?

Sure - or use a tool such as CCleaner or ATF-Cleaner....

I've spotted some suspicious stuff in the root of my C:\ drive, like a folder called qoobox, another one called pkbtemp with a 16 MB text file called syskeys, a file named w2ksect.bin and a hidden file named iph.ph. Now to the log; this was before I removed the infections.

Qoobox is a component of Combofix.
PKBTemp and Syskeys are components of FindWPP - they should have been deleted when you closed the logfile. You can safely delete those now.
w2ksect.bin is probably a component of your burning ROM.


--- Ideally, we'd like to get combofix to run. If it cannot be run successfully, I'd like to use AVP Tool as in my last post.

--- You forgot to post the MBAM log after fixing the baddies. Did you reboot after running MBAM?

PP:)



OK, I did the gathering information thing but I can't get the log; when I click on open folder there's no log, just a zip file. Then I did the autoscan, but when it completed I noticed a lot of stuff was left untreated and was postponed, odd. But right now I'm in the process of disinfection; actually I've been in the process since last night. It keeps saying it's going to take longer and longer to finish; like last night it went from 1 hour to 3 hours, then I went to sleep thinking it was going to finish overnight, but when I got up to check if it was done IT WAS AT 17 HOURS. Is this normal?


IT WAS AT 17 HOURS. Is this normal?

Yes - That is normal. No worries. Just let it run and delete the baddies it is unable to neutralize.

-- Can you attach that Zip from AVPTool for me, please?

Since combofix can't run and MBAM can't remove the baddies, I thought AVPTool would be the next best option.
If it doesn't get them, we'll have to manually remove them with an ARK tool.

-- When Judy had you run combofix the first time, did you install the recovery console?
-- Did you look in the Qoobox folder for combofix.txt?

PP:)


The scan is almost done. And about ComboFix, I did not get far enough to install anything; every time I tried to run the program it would say the contents might be compromised. And as for the zip, it can't be opened; are you sure you want it?


The scan completed and restarted my PC, at least it tried to; now my computer just keeps rebooting itself right before it gets to the welcome screen. I can't access my desktop now, and the closest thing I have to an XP disk is a disk I made from my i386 folder; it boots up and looks legit. Is there a way I can repair Windows with it? And I don't know if you know this already, but I can't use system recovery, and when I did have the option I got the blue screen; I don't have the option now, and just recently I lost the ability to go into safe mode. I'm in big trouble here. I don't want to, but I'm slowly coming around to the idea of formatting my drive. Oh boy! The things I could do with all that hard drive space. That, and I just want to end this and get back on Xbox Live and play with my buddies, ya know what I mean?


just recently I lost the ability to go into safe mode

-- What do you mean by that - what happens when you try?
(tap F8 on restart)

-- Don't panic just yet :)
While a reformat is generally best in these cases, I suspect you may run into problems without the proper Windows CD.

-- Are you able to burn an ISO for a bootable CD?

PP


Yeah, the CD I have boots up and loads files and displays the blue Welcome to Windows XP startup screen. I made it a month or so ago when I realized I might have a monster of a problem on my hands. But, to answer your question, yeah I can burn ISOs on this computer, of course not the ill one. And as for safe mode, last week or a little later I tried to go into safe mode and my computer restarted itself; I tried a few more times and same result, so that's a no go. When all this started I figured I might have to reformat my drive and I saved some stuff: movies, MP3s, a bunch of pictures, some packed in RAR and CBR format, and some programs. Can viruses, malware, whatever hide in those files? I already know they can hide in the programs; I'm not going to use any of those, but what about the other stuff?


I would also like to know if a virus can survive a reformatting of the hard drive. And in addition to CDs and DVDs I also used a couple of flash drives (actually they were MP3 players, but they double) to store data. What I want to know is, can viruses get onto the flash drives and infect other computers or reinfect the ill one? If I do format, which I kinda want to do today just to end this ugly business, but I want your input before anything goes down. Oh, and is it possible for a virus to destroy a PC?


About a month or so ago I accidentally installed a second copy of Windows XP; can a format get rid of this?


Hang on for a bit and let me go over the thread and try to answer those questions :)

Will post them shortly.


to answer your question, yeah I can burn ISOs on this computer, of course not the ill one.

I'd rather try a bootable recovery console, than the homemade XP CD, to be honest. Very leery of that.
With the recovery console, we could repair MBR and Boot.ini.
Unfortunately, my time is very limited these days.

Still, a reformat is the right way to go here, but, without a true Windows CD, the potential for error(s) is great.

-- Do you have a copy of your Windows Product Key? You'll need that.

and as for safe mode, last week or a little later I tried to go into safe mode and my computer restarted itself; I tried a few more times and same result, so that's a no go.

I would've liked to know that a few days ago ;)
If combofix had run successfully, it'd have told us if the safeboot key was borked....

when all this started I figured I might have to reformat my drive and I saved some stuff: movies, MP3s, a bunch of pictures, some packed in RAR and CBR format, and some programs. Can viruses, malware, whatever hide in those files? I already know they can hide in the programs; I'm not going to use any of those, but what about the other stuff?

Your movies / mp3s / pictures are probably OK. You have to be careful copying executables and such.

Given that you copied i386 to make your XP disk + the modified files on your machine, I would be very worried that you are just going to reinstall some malware!
Better to buy an XP CD or talk to Microsoft to try for a cheap replacement, if you have your product key....

About a month or so ago I accidentally installed a second copy of Windows XP; can a format get rid of this?

Oh, yeah - Just use a tool such as Darik's Boot And Nuke - http://www.dban.org/ - to wipe the hard drive beforehand....

I would also like to know if a virus can survive a reformatting of the hard drive. And in addition to CDs and DVDs I also used a couple of flash drives (actually they were MP3 players, but they double) to store data. What I want to know is, can viruses get onto the flash drives and infect other computers or reinfect the ill one? If I do format, which I kinda want to do today just to end this ugly business, but I want your input before anything goes down. Oh, and is it possible for a virus to destroy a PC?

Yes on all accounts except the reformat. Malware cannot survive a format unless you reinstall the malware....

You are dealing with trojans and worms, not viruses. But, yes, they can bring a system to its knees. Especially with all the rootkits these

I would say that there is a very good chance your flash drives are infected. If you have been using them with other computers, those compy's may well be infected also. You should scan the compys and the flash drives.

If you could tell me if these instructions are accurate it would be a big help; I've never done anything like this before. http://www.ehow.com/how_6026_format-hard-drive.html, scroll down to the Windows XP part. Thanks man.

I would definitely recommend trying a legitimate Windows CD.
'Course, you could try this first and see how it goes.
You should also have AV / Firewall / Anti-spyware tools burned to cd and ready to install first thing before connecting to internet....

PP:)


Yeah, I have my product key, and let's say I try my disk and something goes wrong; could I still buy a CD, or could the damage be so bad that my PC is ruined for good? Man, I hope not. And could you recommend a good free antivirus program? Also I noticed the site had nothing to say about my D drive; couldn't malware hide in there? What am I supposed to do about that?


The Boot and Nuke site said I should use Eraser for Windows; is this necessary to remove the second copy of Windows?


Yeah, I have my product key, and let's say I try my disk and something goes wrong; could I still buy a CD, or could the damage be so bad that my PC is ruined for good?

You're not going to ruin anything. Worse comes to worse, you can buy a legit OS CD and use that.
All you are doing is wiping the hard drive - no worries. If you run into problems with your current CD, wipe the HD again and use the new Windows CD.

Could you recommend a good free antivirus program? Also I noticed the site had nothing to say about my D drive; couldn't malware hide in there? What am I supposed to do about that?

Try Comodo AV + Firewall

Is D:\ a separate drive or a partition? If a partition, wipe it. If a separate drive, scan it to be sure it's not infected.

The Boot and Nuke site said I should use Eraser for Windows; is this necessary to remove the second copy of Windows?

Where does it say that?
If you run DBAN, it will wipe the drive and everything on it - doesn't matter how many copies of Windows are on it......

PP:)


D is a partition. Do I set it up the same as the C partition? I just need to know this last thing, then it's go time.


D is a partition. Do I set it up the same as the C partition? I just need to know this last thing, then it's go time.

Do you need a second partition?

Is d:\ your original recovery partition?


Yes, it is.

Do you have a utility on the compy to burn recovery media from this partition? It would probably be START > All Programs > Tools or Accessories, if not obvious....

That would be best, if you are unable to do a system recovery from that partition.


No, remember I can't get to my desktop because of the restart loop I'm stuck in. Can't Windows make a new recovery partition, or is there a way I can do it manually?


You know, I was thinking: when I tried to poke around my D:\ drive it wouldn't let me; I just got a white screen with a warning saying the PC version of "move along sir, nothing to see here". I couldn't get to any files; maybe the malware couldn't either. Maybe it was something else that stopped me from using the recovery, something other than malware; if so, maybe when I reinstall Windows I could repair it somehow. That's possible, right? Or is it just wishful thinking, because making a new recovery partition sounds very hard and I don't wanna go down that road anytime soon.


I forgot to say, when my desktop first got hijacked (I got it back eventually) I'd never dealt with anything like it before; I freaked out and did recovery about three times, and then when I tried the big flush I finally got the blue screen. So maybe I fried something, and if so, do you think I could repair it with a download?


OK, I went ahead with my disk and so far so good. SUPERAntiSpyware and MBA-M updated just fine; the only issue is Comodo won't, I keep getting stuck at 30%. I would uninstall, but I really like the firewall. What I'm thinking about doing is uninstall, then reinstall just the firewall and use AVG antivirus. I heard AVG is the best free AV; what do you think?
