PhilliePhan 171 Central Scrutinizer Team Colleague

Kaspersky found a few files I cannot get rid of...including one rootkit

This one obviously is Avast quarantine - renamed with that .vir extension. You ought to be able to empty the quarantine /delete it with no problem.
C:\Program Files\Alwil Software\Avast4\DATA\moved\iaStor.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

The others don't bother me - HP bundles that Weatherbug and it's merely mild adware.

Your MBR looks OK - I'm not seeing anything in the logs. 'Course, I might be missing something or this particular malware family has evolved yet again.


-- If you are still having issues, perhaps you could try a fresh run of Combofix. If you do that, delete your old copy and download a fresh one to the Desktop and run it from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

for atapi.sys: (it's reporting atapi512.sys but it downloaded atapi.sys)
Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

Those all look good.
Though, previous scan results for atapi.sys are useless since it is normally a legit file and modifications are case by case. Make sure you scan your copy and get those results - though sometimes even this yields no flags on an infected file....

-- Did you run GMER and TDSSKiller again? Clean? Judging from what you posted, I would imagine that they would be.

Still being redirected? Maybe we can try flushing DNS....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any further suggestions on diagnostics would be welcome...and thanks again for your patience so far.

Well . . . we may need to backtrack a bit - I wonder if there are more infected files.

Let's cover a bunch of bases at once and see what shakes out:

1) Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.


2) Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the C:\Logit.txt


3) Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left …

PhilliePhan 171 Central Scrutinizer Team Colleague


I honestly have no idea about computers so anything is helpful. I'm on a different computer at the moment, turned my laptop off. Afraid to turn it on again until something can actually be done about it.

Sounds like quite a mess!

-- Do you have a flash drive?
-- Are you able to run the MBA-M step in the linky below? What about DDS and posting that scanlog?

-- Do you have your Windows Vista disk?

http://www.daniweb.com/forums/thread134865.html

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

what would happen if I just tried to delete that file and copy the new copy over?

Access would likely be denied - you'd need to try a more circuitous route:
-- Rename the existing iaStor.sys to iaStor.sys.OLD
if it will allow you to rename it....
-- Then, copy the clean version into the folder.
-- Reboot
-- Now, you ought to be able to delete iaStor.sys.OLD

You could give that a go.

-- Can you burn an ISO? If the above doesn't work, maybe we can bypass Windows altogether and operate via boot CD?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I finally got to it, sorry! something went wrong...it's asking for a disk?
WINDOWS - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6b7c 75b6bf7c

That is odd - haven't seen that one before. Could it be referencing the HD because of the infected iaStor.sys? I wonder . . . . .

Try rebooting and then trying the Avenger step again. If that fails, we can try another avenue....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll be ecstatic if we're this close - this machine would be HARD to duplicate.
But I admit I'm intrigued on how you're going to replace a .sys file.

Hopefully this is the only infected file - when dealing with rootkits, it's tough to smoke them all out.....

Swandog46's Avenger is good for replacing these drivers. Let's give it a go and see how it shakes out:

-- Place iaStor.sys on the C:\ Drive

-- Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

Will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll look for the file on another computer

Good luck - I'd attach it for you, but I don't have it on my machines.
Neither does Judy.
Plus, I am not sure about the legality of us distributing it......

I think you can download IATA96ENU.exe from here and then extract iaStor.sys from the installation package. It says IATA88ENU.exe, but it has been updated......

Download IATA96ENU.exe to the C:\ Drive. Then, to extract the files to a folder (c:\Files), the command line would be something like this:
c:\iata96enu.exe -a -a -p c:\files

Look in C:\files\drivers\x32 for iaStor.sys

If you are able to do that, let me know and we'll have a go at replacing this - that will be a bit more complex than you might think....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

the first time I ran GMER it hung up. I rebooted and ran it again and these are those logs..........

No worries on any of that - we just need to get ahold of a clean copy of iastor.sys and replace the infected one.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey meksikatsi,

Can you open a command prompt and type or copy&paste

dir /a /s iastor.sys > C:\loggit.txt ENTER

And post me the Loggit.txt please.


As you can see from the previous logs, iaStor.sys is infected. But TDSSKiller could not disinfect it and it could not find a clean copy to replace it.
If we can't find a clean copy on your compy, you'll need to come up with one - either from Windows disk or DL or from another compy.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Find the worm in the registry does work but that also seems like a lost cause.

Not in this case - here we are looking at infected system files. Most likely atapi.sys and/or iastor.sys.
TDSSKiller ought to address that and disinfect them - if we're lucky...

I'll keep my fingers crossed :)

-- But, yeah - if starting from scratch is a viable option, then that is the best course of action.

PhilliePhan 171 Central Scrutinizer Team Colleague

I had to cold start the system and choose an earlier configuration to get the machine started again but it has now been stable (no avast messages) for about 12 hours so hopefully the nasty was contained in those deleted files...there were 4.

Hi meksikatsi,

Those deletions look pretty benign to me - It's the MBR rootkit that we need to be concerned with.
-- Honestly, in these cases I recommend wiping the hard drive and reinstalling Windows. It is easiest and most effective.

-- Also, Combofix should be run from the Desktop


Anyhoo, if you want to take a whack at removing this infection, let's try the following:

* Since I anticipate limited availability over the weekend, I'd like to run both of these steps at the same time.

FIRST:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php
or
http://majorgeeks.com/GMER_d5198.html --> You'll need to extract it from the ZIP if you DL from MGs.

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.

-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected …

PhilliePhan 171 Central Scrutinizer Team Colleague

PP - running MalWareBytes no....is that MBAM? Anyway, last time I ran it nothing was found...

Also, what is an ARK tool please?

Anti-Rootkit tool (GMER, for example).

At this point, I would suggest a run of Combofix, if you are able:
-- If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I'll try to check back in a timely manner - been pretty busy these days and my online time is limited.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

since that's OK at the moment, I appreciate your attention and I'll keep you posted on this thread in about 3 days...again, MANY thanks.

Happy to help!


Bear in mind that this family of malware is often rootkitted - not a good thing to leave unattended. I would definitely recommend that you run an ARK tool along with your AV and an anti-malware app such as MBAM and see what they turn up.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

any advice? thanks in advance!!

Do you have your Windows disk?

If not, are you able to burn an ISO for a bootable disk?

Let me know and we'll see what we can do.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Download the free version of Mal-ware Bytes and install and run it in safe mode till you get no more infections showing up.

Run MBAM in Normal Windows boot - if it doesn't run in normal boot, then try Safe Mode. Be sure to Reboot after running MBAM.

Ideally, I would recommend posting the logs requested in the steps linked below:

http://www.daniweb.com/forums/thread134865.html

With any luck, a volunteer will be able to advise you further.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the update, Paul - Surf safely.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Some say that Windows System Restore can resolve the problems.

That is not the best course of action in these cases.

The "solution" that you linked advises the use of MBAM - That is the best way to start to attack this malware.



@ Paul

Can you give us a status update? Post the MBAM log?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is it possible to download Malwarebytes to the flashdrive and just run it to clear this up?

Hi Paul,

That would be a good first step - Transfer MBAM from the flash drive to the ill compy and give it a go.
Have MBAM fix what it finds and then REBOOT.

Post the log and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey PP! You're right, I should have shot this past you. I guess I got too excited.

Any clue how this might have been downloaded?

You are in good hands with Judy - she is probably more up to date than I am on the latest threats.

If I am not mistaken, this is part of an older family of password logging malware. I have no idea how long it could've been on the machine.
If this compy was one that we/you dealt with during the last infection, then I imagine it would've been between now and then.

If this was part of your employee network, well. . . it could've come from anywhere.

I am starting to hit one of my "busy periods," but will be around if you and Judy need a second opinion. At this point, my only suggestion would be to run some sort of ARK tool, but I'm sure Judy has that covered.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Scott,

I didn't see you were back - should've dropped a PM on me :)

Looks like you and Judy are cruising along.

-- That baddie removed by MBAM is an older "banker" trojan designed to harvest passwords and other sensitive info. We couldn't tell you what or how much data has been compromised, but you should be aware that this was on one of your compys.....

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

:| it worked..!!! . . .
WOW.. is all i can say..
you are most definitely THE computer gOd.. *kaden bows in your presence* **giggLes**

offer you my first born perhaps..??

Happy to help :)
(I'll take the first born . . . . since you offered ;) )

Actually, I am happy I got to poke around with boot disks - It's been a while and I forgot the limitations of recovery console. It's always good to refresh one's knowledge....

Well.. i think i am most likely going to just wipe him clean.. especially if this is the best course of action.. i was going to retire old DeLL aNd get myself a better computer in March .... it was just my luck that it got corrupted before i had the chance to do that.. lol
*lesson learned*

That would be best if you are going to give the Dell away.
When you reinstall, make sure to get all the security programs (AV / Firewall etc... + All Windows Updates) installed before doing anything else.

Stay away from the P2P stuff.

Yeah - I know that prolly won't happen, but bear in mind that, with P2P, you are lowering your defenses and inviting all the bad sh!t onto your compy. You literally have no idea what is coming in and from where.
Not to mention that a poorly configured client could offer possibly unlimited access to your machine.....

Hate to …

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah - you should stay away from Limewire - as far as P2P goes it is one of the worst offenders we see....

-- That's a lot of files, but only 17GB....
I've got only 13000 files in my D&S folder.

-- Once you get the stuff you want to save on the External drive, you can scan it with your Kaspersky and see if anything turns up. So, if you're feeling lucky, you could copy other folders as well (pix & music, etc...).

Once all is transferred to your satisfaction, we can try to clean the ill computer. Or, you can just wipe the hard drive and reinstall Windows.
That would be easier and most effective, but you'd lose all your programs and data.


I have some work I need to wrap up, so I'll have to catch up with you later - probably Tuesday night (EST).

Let me know how the transfer shakes out and what you want to do with the ill compy.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

sorry i didn't see you sitting on the 4th page..!!
*smackshead*

okay i do indeed see the docu/settings folder.. but when i right click to copy it doesn't give me the option to put it anyplace.. just to copy.. where is the external hd..?? i also see a pics folder for my fodos.. but i don't see the stories anyplace.. (they were on my desktop)

OK - When you used the Places Tab and selected Computer, it showed you four Icons.

The external hard drive is this one --> 500GB Hard Disk: Expansion Drive
RightClick the folders you want to copy and choose copy and then select the External Hard Drive Icon and paste....
Or, drag and drop might work.
Been a while since I tried any of this....;)

Heck, you could even copy the entire 60GB drive, but it'd be risky if it is infected.
Best to just stick with your documents and pictures.

-- If your stories are on the Desktop, then the Desktop Folder would be in Documents and Settings

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


so is this success..??
aNd if so how now..??
what can i do to copy them (if that's what i am supposed to do)
can i open the files listed or..??

Yeah - Great!

You should be able to do this the easy way. Just navigate to the Files/Folders that you want to save and Copy&Paste them to your external drives.

-- Do you see a "Documents and Settings" Folder?
If so, just copy the whole thing to your External Hard Drive (500GB Hard Disk: Expansion Drive).

Let me know if you can do that or if you are having problems.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

should it be taking this long..??

Hard to say - depends on a number of different factors.

With any luck, it'll give you access and you can just copy and paste the stuff you want to save to the external drives.

Otherwise, it's back to command line for a bit.


Either the drive will open or you'll get the error "cannot mount volume" - if you get that error, click Details and let me know what it says.

PhilliePhan 171 Central Scrutinizer Team Colleague


1st says: 60GB Hard Disk: 56 GB Filesystem
2nd says: 500GB Hard Disk: Expansion Drive
3rd says: Gigaware: 8.0GB Filesystem
4th says Filesystem

does that sound right..?? am i in the right place..??

Yeah - that's great . . . . . And now the moment of truth. It's either going to let us do this the easy way or the hard way..........

DoubleClick on the 60GB Hard Disk and let me know what happens. Either you will get access or an error message will pop up.

Let me know.

PhilliePhan 171 Central Scrutinizer Team Colleague

:) alright..!! it says the disk was created successfully..!!! Yay..!!

just let me know what to do next..

OK - Attach the Thumb Drive and the External Hard Drive to the ill computer.

Pop in the Ubuntu Live CD and boot to it and select the option to Try Ubuntu without any change to your computer

Good so far?

Then, click the Places tab and select Computer.
It should list all of the drives connected to your compy.

Let me know what they are.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

*fingers crossed as well and much tighter than yours..!!*

LOL!

Let me know when you're good to go.

PhilliePhan 171 Central Scrutinizer Team Colleague

i have started the dl on my new viao.. but what kind of cd do i use for this burn..??

A regular CD-R or a DVD will work.
It's a large distro, but should fit on a CD.

When burning ISOs, I use ImgBurn - it's one of those "can't do without it" freewares.....

With any luck, we can boot this up and it will recognize all of your drives - that way, we can get away from command line and just "point and click."
I'll keep my fingers crossed.......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah - it can be frustrating..... No worries:)

It looks like we won't be able to accomplish what we need to do via the Recovery Console.

We need a better option. Can you burn an ISO?
If so, download Ubuntu Live CD and burn it to a CD.

Let me know if you have any trouble.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - I figured that was a bit of a long shot via recovery console.

Let's do this:

Remove the external Hard Drive.
Attach the USB thumb drive.

Boot to recovery console and at the command prompt, type the following in bold very carefully:

DIR <space> "%userprofile%\" >> E:\Peek.txt ENTER

DIR <space> "%userprofile%\Desktop" >> E:\Peek.txt ENTER

DIR <space> "%userprofile%\My Documents" >> E:\Peek.txt ENTER

Be sure to use the quotation marks - basically everything in bold needs to be typed.

Let me know if you have any error messages. If not, there will be a file called Peek.txt on the USB drive. Please post that for me.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

:?: another question.. i recently purchased a new SONY vaio with windows 7 on it.. i was reading something about an EasyTransferCable i can purchase which claims to move documents and photos and the like from your old computer transferring them onto the new one.. might this be another option..??

I am not sure that would work given the state of the ill compy.
I suppose you could try.

BTW - Do you have a USB thumb drive?



What I'd like to try is this:

Attach the external hard drive.
Attach a thumb drive, if you can.

--- Boot to Recovery Console and access the command prompt.
-- At the prompt, type:
CD <space> D:\ ENTER
CD <space> E:\ ENTER
CD <space> F:\ ENTER
CD <space> G:\ ENTER
CD <space> H:\ ENTER

Tell me the results.

Then, at the command prompt, type:
CD <space> "%userprofile%\desktop" ENTER

at the new command prompt, type: DIR ENTER
Locate the stories you want to save and let me know the names.
For example: My Story.doc

Then, at the command prompt, type:
CD <space> system~1\_resto~1 ENTER
Then, type: DIR ENTER

Let me know if there are any Restore Point Folders listed.
They will look like RP203 RP204 etc....
Basically, RP and a number.

Let me know if those exist and then exit out of Recovery Console and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

is this something which will work as well perhaps..?????

I have no idea what that is - might have helped if the poster left some sort of explanation....

well i managed to get to the recovery console.. after connecting the external hd usb,.. i tried typing in the command as you suggested only to get the following: 'the parameter is not valid try /? for help'
but when i type /? nothing happens..

There are a number of reasons for this - everything has to be done properly (+ there are spaces in the command that are hard to see) or the command will fail. The drive labels and the folder paths need to be exact.

--- Does your compy recognize the external hard drive?
--- What is its drive label? (C:\ , G:\, etc...)
--- Are you able to locate the folders with the files and pictures you want to copy? Do you know the paths for them?
Example: C:\Documents and Settings\My photos
That's just an example.
If you do not know the exact path, then we'll need to locate them.


as far as cooking with gas... is that something i can burn onto a disk and feed to the dell or..?? aNd if so which cd might i need to attempt that..

There are ISOs for Hiren's CD and others. If you are able to burn an ISO, then you can create these boot disks.
Hiren's and the …

PhilliePhan 171 Central Scrutinizer Team Colleague

how exactly do i access the area to copy my photos & such..?? Most of what i have read talks about typing "r" to start a recovery.. i am kinda lost now.. i mean after i get it up should i plug in my external hd or ???

Yeah - make sure your external hard drive is formatted properly and then connect it to the ill compy.

Once you are able to boot to recovery console, you will have access to a command prompt and basic DOS commands.

Then, say for instance the following:
External Hard Drive ----> G:\
Your photos are in a folder ---> C:\My Documents\My Photos

You then use the copy command to move them:

At the command prompt, type copy "C:\My Documents\My Photos" "G:\My Photos" ENTER

And that should do the trick.

There are other commands we can use as well to address some other issues.
Frankly, there are other bootable disks that would give us more options such as Hiren's Boot CD

If you are able to create that, then we'll be cooking with gas......

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

i have also purchased an external hard drive just in case i am able to access my photos and such.. lesson definitely learned here..!!!
I am going to print this out (the Recovery Console Instructions) and take it home to be sure i can get thru every part of it.. I will check back here afterwards and await your reply..

Great!
Once you get recovery console running, there are a number of options that will be open to you. I think the first would be to carefully copy your photos and other data to the external drive. Don't copy any programs or files you didn't create yourself for the time being - gotta be sure they are not infected.
Your photos and documents should be fine.

Then we'll poke around and see if we can get the compy up and running.

Thank You Again..

Happy to help :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

i was reading that purchasing some antivirus software may help.. I am not sure which kind to get aNd "if" it will even be of any help for my situation..

NO - that is not going to help at this point.

at this point i am looking into just taking it into GeekSquad.. as I don't know where else to turn..

That should be your last resort - I doubt they will do anything more than wipe your hard drive and reinstall Windows. You'll lose all your important data.

i am concerned with getting my files recovered mostly..
i am a photographer,.. also a writer,.. my life is locked in there,.. and unfortunately I was dumb enough to never back up anything I kept in there.. *sigh* so getting these items back is very important for me.. :(

Yup - always gotta back your stuff up! Lots of people learn the hard way - you're not the first and certainly won't be the last....

and please let me know if you have any other questions or should need any further information..

We may be able to salvage your compy if you are able to do this:

Boot to the Recovery Console from your Windows XP CD

-- Let me know if you are able to do that and we'll see what we can do.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

also i tried to re-install XP with the Dell issued purple OS disk with no response..
can you help me..?? any suggestions..??

-- Can you explain more as to what you tried to do with XP Disk?
Did the drive recognize the disk? Did you try to boot to the XP Disk itself to access the recovery console?


-- Also, what happens when you try to boot to Safe Mode?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

This would be easier if we could get a CFScript to run properly, but we can do this manually.

Anyway, ran the online scan which picked up some things but didn't fix them. Should it have?

No - It is just a good scanner. We need to remove these manually.

FIRST:
Please Download ATF-Cleaner.exe by Atribune to the Desktop.

• Click on ATF-Cleaner to run it
• Where it says Select Files To Delete, Check the Select All Option
• Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

THEN:
You'll need to manually delete these:
C:\Documents and Settings\Ronnie\Local Settings\Application Data\Microsoft\Messenger\xkx-kerryn-xsx@hotmail.co.uk\ObjectStore\CustomEmoticons\PqRNSyrnii04hiFLA2FfqIm7QemA=.dt2
C:\Documents and Settings\Ronnie\Application Data\Microsoft\MSN Messenger\4145184867\CustomEmoticons\TFR1C.dat

These two may be false positives, but probably no harm in deleting them anyway just to be certain.

F:\OSO.exe --> If this is a thumb drive, you'll need to …

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe

You should probably post a DDS log as per the "Read Me" sticky post because it looks like MBAM missed this.....

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the late reply - I have zero Forum time at the moment.

It looks as though MBAM was able to remove some of the components of the baddie:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002941.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006683.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronnie\Application Data\Macromedia\Common\850600261.dll (Hijack.Sound) -> Quarantined and deleted successfully.

With those being removed along with the items you deleted, I am not sure what remains - let's have a fresh scan with Kaspersky's online scanner. With any luck, the malware has not been able to reconstitute itself.

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
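As an added example that is not from this thread or from Malwarebytes: a small Python parser for the MBAM log format quoted above. It groups findings by section, flags anything the scanner did not actually remove, and picks out Run-key entries that are worth re-checking after the reboot. The sample log reuses the lines from the post plus one constructed "No action taken." line (the .exe path is the one named later in the thread; its threat label is made up) to show the unremediated case.

```python
import re
from collections import defaultdict

# Sample MBAM log excerpt. The first five findings are the lines quoted in the
# post; the final "No action taken." line is constructed for this example.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002941.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006683.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronnie\Application Data\Macromedia\Common\850600261.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe (Trojan.Dropper) -> No action taken.
"""

# Section headers look like "Files Infected:"; items look like
# "<path> (<threat name>) -> <action>."  Paths may themselves contain
# parentheses (e.g. "Program Files (x86)"), so the path group is non-greedy
# and the threat group forbids nested parentheses.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def classify_action(action):
    """Map MBAM's action text to a coarse status the analyst cares about."""
    if action.startswith("Quarantined and deleted"):
        return "removed"
    if action.startswith("Delete on reboot"):
        return "pending_reboot"
    return "not_fixed"


def parse_mbam_log(text):
    """Return a list of finding dicts, one per detected item, tagged with its section."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("action")
            findings.append({
                "section": section,
                "path": m.group("path"),
                "threat": m.group("threat"),
                "action": action,
                "status": classify_action(action),
            })
    return findings


def summarize(findings):
    """Count findings per section, e.g. {'Files Infected': 4, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["section"]] += 1
    return dict(counts)


def unremediated(findings):
    """Items the scanner reported but did not remove; these need manual follow-up."""
    return [f for f in findings if f["status"] != "removed"]


def autostart_entries(findings):
    """Run-key values are persistence; confirm they stay gone after the reboot."""
    return [f for f in findings if "\\CurrentVersion\\Run" in f["path"]]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("per section:", summarize(found))
    for f in unremediated(found):
        print("NOT FIXED:", f["path"], "->", f["action"])
    for f in autostart_entries(found):
        print("autostart:", f["path"], "(", f["threat"], ")")
```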

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there,
Thanks for your perseverance.
I only scanned the one file for now just to make sure the results are what you expect. I scanned .068, the results are below along with the peek.txt.
Is it ok for me to try and delete the Found files manually (I managed to delete .067 ok) and maybe try and do the same with the ones you highlighted in red?

All those in red are related baddies and need to go.

-- Try booting to Safe Mode and then open the command prompt and try all of the commands again and post the new C:\peek.txt.

I am surprised MBAM doesn't get this. You should also try updating MBAM to the latest definitions and running the Full Scan in Normal Windows boot.
Please post me that log.

Reboot after running MBAM.

This particular baddie should not be putting up such a fight....


Happy New Year :)
Pp

PhilliePhan 171 Central Scrutinizer Team Colleague

I think the following address might be wrong: del /f "C:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt
Instead of networkService it should be ronnie.
Done a search but didn't delete it before your ok.

Your logs indicated the Network Service Folder. Are you certain it is not there?
- See if C:\peek.txt was created. If so, please post that for me.

I want to look at those C:\FOUND.* items. If my memory serves correctly, they are baddies.
Please upload them for analysis here --> http://virusscan.jotti.org/

Let me know what you find.

Cheers :)
pp

PhilliePhan 171 Central Scrutinizer Team Colleague

The dos (headed c:\windows\system32\cmd.exe) is blank with the cursor flashing (if that's the correct expression).
Task manager shows it running but it's been a couple of hours with no change?

A batch file is the simplest of the simple - this one takes about 2-3 seconds to complete.

Works just fine on my XP box.

Try this - RightClick FixIt.bat and rename it FixIt.cmd and see if it will run properly.


If that fails, please try this:
Open a command prompt (START > RUN > type cmd > ENTER)
At the prompt, Copy & Paste each line in Red below one at a time and hit ENTER after each line (lines end with peek.txt).
(You could do it all at once, but I'd rather try line by line)

Please post the peek.txt and let me know if any errors occurred.

del /f "C:\FOUND.068" >>%systemdrive%\Peek.txt

del /f "C:\FOUND.067" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt

reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WAB /f >>%systemdrive%\Peek.txt

reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v WAB /f >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\Kontiki" >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\Kazaa Lite" >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\BearShare Applications" >>%systemdrive%\Peek.txt

dir /a /s "C:\program files\ewido" >>%systemdrive%\Peek.txt

notepad %systemdrive%\Peek.txt

PP:)
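A batch-file form of the same command sequence, added here as an example and not PhilliePhan's FixIt.bat: it also captures each command's error text, because `>>Peek.txt` alone only records standard output, so a `del` that fails (file not found, access denied) leaves nothing in the log, and it stamps the log so a blank file can be told apart from a script that never ran.

```batch
@echo off
rem Added example (not the original FixIt.bat): same cleanup as the lines above,
rem with error output captured and a run header written to the log.
setlocal
set "LOG=%systemdrive%\Peek.txt"

echo ==== FixIt run %date% %time% ==== >>"%LOG%"

rem Files to remove. "2>&1" sends "Could Not Find ..." and "Access is denied"
rem messages into the log instead of only to the console window.
for %%F in (
  "C:\FOUND.068"
  "C:\FOUND.067"
  "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe"
  "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll"
  "C:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe"
) do (
  if exist %%F (
    echo Deleting %%F >>"%LOG%"
    del /f %%F >>"%LOG%" 2>&1
  ) else (
    echo Not present: %%F >>"%LOG%"
  )
)

rem Run-key entries; reg delete reports success or "unable to find" itself.
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v WAB /f >>"%LOG%" 2>&1
reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run" /v WAB /f >>"%LOG%" 2>&1

rem Leftover program folders to inventory for the helper to review.
for %%D in (
  "C:\Program Files\Kontiki"
  "C:\Program Files\Kazaa Lite"
  "C:\Program Files\BearShare Applications"
  "C:\program files\ewido"
) do (
  echo ---- %%D ---- >>"%LOG%"
  dir /a /s %%D >>"%LOG%" 2>&1
)

rem Open the log in a separate window so the batch window can close normally.
start notepad "%LOG%"
endlocal
```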

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope I'm not doing something wrong.

I don't understand how you could possibly be doing anything wrong - not much to mess up :)

That is odd . . . No log pops up? Even if the batch file doesn't do anything, a log ought to pop up.

Based on the previous scanlogs, your machine is for the most part free of malware. Just a few minor cleanup items. So, I'm not sure what the problem could be in executing a simple batch file......

-- Were you able to uninstall combofix with no problems?

-- What does it say in the dos box when you run the batch file?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there,
I don't understand why it's not working.
Everything seems ok, I drag the .txt file over, the green bar shows then the program runs.

That should've worked.

No worries - let's do this:

Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


-- Then, please download the attached FixIt.zip and RightClick it and extract the FixIt.bat from the ZIP to the Desktop.
DoubleClick FixIt.bat to run it - should go really quickly.
A log will pop up upon completion - please post that for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . For some reason this isn't working.

That last one should've worked.
We'll just go ahead and remove those remaining items manually. I'll put something together to do that as soon as I get a bit of time.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, hope this worked this time.
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt.url

Nope - Same problem.

RightClick on the attachment and choose to save it to the desktop as CFScript.txt
Then, please try again.

Hang in there - we'll get it :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, here's my latest log.
Cheers.

Hi Ronnie,

That did not run properly. You must download the CFScript .txt file to the desktop. Once the actual file is on the desktop, then you drag that over the combofix icon to start combofix.

Let's try that step again. I will attach a new CFScript.

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Shall I carry on with your requests in the meantime?

Go ahead with the CFScript / Combofix step and we'll deal with the others later.

What's up on the AV front?

PP:)