PhilliePhan 171 Central Scrutinizer Team Colleague

No, I didn't touch it, it just hasn't moved. Same situation, 8 hours later.

Bloody hell.

I suppose it would be too much to ask for something to go right just once to make things easy on us...... Somebody is laughing at us.

I guess we'll have to power off and reboot. Then try the last step again complete with a fresh download of combofix.
--Rename combofix again at download as you did before to combo-fix, just to cover that base.

Let me know how that shakes out. I won't have another break for a few hours. Will check back then.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It went through all its usual motions, started the scan, then... just stopped. I've been sitting at "Complete Stage_2" for the best part of half an hour, with no sign of life from the box itself, and I'm not sure what to do.

If you didn't touch it or do anything to cause it to stall, then just let it keep running. Overnight if you have to....
If it still hasn't completed, then we'll address that. Sometimes this will happen with some tougher malware, though given the previous runs there may indeed be a stall.
Let's just be patient and see what happens.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.

OK - Let me know if you are definitely going to do that.
Otherwise there is a ton of other things we would need to do regarding your outdated Java and others, Security Programs, that error on boot (BIOS not found - probably your Promise hard drive controller) etc...

A reformat would render all that moot. Let me know & I can help you with that if you need it. Be sure you can find that Windows disk.
Also, you can use imgburn to burn an ISO of SP3 . . .. Guess you'll cross that bridge when you get to it.

OK - back to the problem at hand:

-- c:\program files\Mail.Ru -- You installed and use this? Just checking.


-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:

Great!

There is still some malware showing that we need to address - I will post something for you as soon as I can - probably won't be for a few hours as I am tied up at the moment.

A few things while I work that up:
-- Keep the ill machine offline

-- Disable SpyBotSD Tea Timer
http://russelltexas.com/malware/teatimer.htm

-- Remove ALL P2P stuff, at least until we are finished. I generally don't lecture about this - If you want more info on the ever increasing danger of P2P, I'll be happy to provide it. I will say that 90% of the machines I see infected with WPP or variant have multiple P2P apps.....
Uninstall or, at the very least, disable:

Program Files\LimeWire
Program Files\BitTorrent
Program Files\DNA
Program Files\KCeasy

I'll post the next fix as soon as I can.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You ever get that feeling like that somewhere someone is laughing at you? :/

All the time :)

Let's do this:
At the command prompt type: netsh int ip reset c:\resetlog.txt ENTER

Then type: netsh winsock reset ENTER

Then, Reboot and see if that works. If so, try combofix and recovery console again.

-- I can't remember if you said you have Windows Disk, but you can install recovery console from that, too.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.

OK - MBAM did not remove much of what was showing in last combofix log.

See if you can restore internet with the steps at bottom of the Combofix linky:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery

There is also info on manually installing recovery console - try that if still no internet.

Let me know if you run into trouble.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't download MBAM at the moment. I think their server is down :x.

Try here:
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.

That's a good idea. Do that for MBA-M and run it.
Be sure to have it remove all it finds.

Then, Reboot.

Then see if you can access internet and DL a fresh combofix on ill compy and install recovery console and run combofix.
If no joy, then we'll install recovery console manually. No worries.


How are you holding up? Not too frustrated, I hope....

I will say this - If you have your Windows disk, I would still recommend a reformat after we clean the machine and you are able to pull your important data off somewhat safely. We can probably get it back and running in pretty good shape, but infestations such as this one can leave a system a bit unstable and you can never really trust that the machine is secure.
I do enjoy the challenge posed by a particularly nasty piece of malware, but if it were my machine, that is what I'd do........


Post me that MBAM log and let me know how you fare with the rest.

I'll be home in about 4 hours to check back in.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

One ComboFix log:

:)

The machine still doesn't seem right, though :/.

That's not surprising - we are nowhere near finished.... :)

But - you are starting to make good progress!


-- Let's restart eventlog.
Command prompt: type sc config "eventlog" start= auto ENTER
Don't reboot - just leave it for now.


-- Are you able to now download programs to the ill compy?
If so, please do this:

--- Download and run MBAM as per Step #8 in the linky below:
http://www.daniweb.com/forums/thread134865.html
Make sure to remove all it finds and post me the log.

THEN:

--- DELETE your current copy of combofix.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not need to rename it this time and it should be able to install Recovery Console.

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me that log as well and we'll see where that leaves us.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!

Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.

That's the least of your worries . . LOL!

Actually, the Trinity Rescue Kit and Avira Tool operate much in the same way as the Recovery Console except TRK is Linux.

-- I realized why FindWPP didn't work properly - LOL - command.com prompt. I had a minor "brain cramp."

Let me know how combofix shakes out - keeping my fingers crossed it completes properly..... :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.

Oh yeah - very useful to learn the various commands available to you!

That said, this is odd - that log looks as though my batch only partially ran properly - odd.

At least it was able to change this:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"

Back to what it is supposed to be:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


The rest is odd...

---- Try running Win32kDiag.exe again and see if same error.
If it won't run, try combofix below.
If it does run, post me the log.

ComboFix is on my desktop, too.

See if you can Run Combofix now - let me know.
type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
You may not be able to update it - no worries.

PP :)
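The registry change in the post above is the heart of the "can't run any exe" symptom: whatever sits in the (Default) value of HKCR\exefile\shell\open\command gets launched in front of every program you double-click. The batch script below is an added example, not a script from the thread or from any of the tools it mentions. It shows the current value, prints the Windows default for comparison, and, if you say yes, puts the default back with reg.exe (which ships with Windows XP and later). Run it from an Administrator command prompt.

```batch
@echo off
setlocal
rem Added example, not a script from the thread: inspect the file association
rem that controls how .exe files are launched and restore the Windows default
rem shown in the post above. Run from an Administrator command prompt.
rem Assumption: reg.exe is available (it ships with Windows XP and later).

set "KEY=HKCR\exefile\shell\open\command"

echo Current value of %KEY%:
reg query "%KEY%" /ve
if errorlevel 1 (
    echo Could not read the key - are you running as Administrator?
    goto :end
)

echo.
echo The Windows default is:   "%%1" %%*
echo Anything else, such as a path to a program in front of "%%1", means
echo every .exe launch is being routed through that program first.
echo.

set /p ANSWER=Restore the default value now? [y/N]:
if /i not "%ANSWER%"=="y" goto :end

rem /ve targets the (Default) value; /f overwrites without prompting.
rem The backslash-escaped quotes give reg.exe the literal value  "%1" %*
reg add "%KEY%" /ve /t REG_SZ /d "\"%%1\" %%*" /f
if errorlevel 1 (
    echo reg add failed - the key may be locked or being re-written by the malware.
    goto :end
)

echo.
echo Value after the change:
reg query "%KEY%" /ve

:end
endlocal
```

If reg add succeeds but the hijacked value comes straight back after a reboot, the program named in the old value is still running or being re-launched, which is why the thread deals with the active component first and treats this key as confirmation rather than as the fix.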

PhilliePhan 171 Central Scrutinizer Team Colleague

It won't run. It doesn't give me an error message or anything, it just doesn't do anything after I double click it :/.

-- What about command prompt:
type %userprofile%\desktop\FindWPP\RunThis.bat ENTER

-- See if you are now able to copy combofix to the desktop. Do that, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yep, it let me extract FindWPP.

OK - Run RunThis.bat in the FindWPP folder and see if it runs. If the log pops up, save it to the desktop. Put it on the re-writable disc to transfer it, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

-- Can you RightClick on it and Run as Administrator?

-- Did you try command prompt?
type %userprofile%\desktop\win32kdiag.exe ENTER

-- Can you RightClick and extract the FindWPP folder from the ZIP to the desktop?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

Well . . . crap. It's not making things easy, is it?
-- You did change the source directory to the correct letter (probably D or E:\), right? (sorry - gotta check)

Try to copy them from the flash drive.

If that does not work, let's go ahead and try to run combofix from the flash drive. You'll not be able to update it, but run it anyway - If it runs, post the log.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

The third: "[SC] ChangeServiceConfig SUCCESS".

Good - that's what I thought. It can't be stopped, but it can be disabled.

At the prompt, type sc query "eventlog" and tell me what the State is.
If it is still running, we'll need to reboot and then repeat the query to make sure it is not running.
('course, I am assuming this is replaced file - usually it is, but there have been others)

Then, let's try to copy FindWPP and Win32kDiag.exe to the desktop again. If you can't copy and paste, try the copy command.

Assuming external drive is, say, G:\ the command would be:
copy G:\Win32kDiag.exe "%userprofile%\desktop"
copy G:\FindWPP.zip "%userprofile%\desktop"

Obviously, if not G:\ , you'll need to change accordingly.

Let's see how that works.

Sorry about the delay - doing 10 things at once here :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll try whatever you think will work.

We should probably try burning the tools onto a non-rewritable disk (not the ISOs, just the disk of tools). That way, we can use command line to copy them to desktop. Let me know if that is workable.

I am a little reluctant to try the flash drive just yet - I am fairly certain the malware has replaced the legit eventlog.dll and once we deal with that, we can make some headway with tools on the desktop. We just need to get them on there.


What happens when you type the following command at the prompt:

dir /s %windir%\eventlog.dll

Note it is dir <space> /s <space>%windir%\eventlog.dll

If error there, try:
sc stop "eventlog" ENTER

What happens?

If error there, try:
sc config "eventlog" start= disabled ENTER

What happens?


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

That should come in handy.

-- Do this: Open a command prompt and type exactly as I have here in red:
dir /s %windir%\eventlog.dll > "%userprofile%\desktop\logit.txt" & hit ENTER

Logit.txt will be on the desktop - I need to see that, however possible.
I just need the various paths to eventlog.dll and the exact size in bytes for each. You'll not need to copy everything.

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy and then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

But before that, give me the eventlog.dll info.

PP :)
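The two posts above ask for the same facts by hand: whether the eventlog service is still running, and every path to eventlog.dll with its exact size in bytes. The batch script below is an added example (not a script from the thread) that collects all of that into one logit.txt on the desktop. It assumes a Windows XP layout, where Windows File Protection keeps a reference copy of system DLLs in system32\dllcache; that folder is not mentioned in the thread, so the size comparison against it is an assumption of this example, and a mismatch is a lead to check, not proof of a replaced file.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not a script from the thread: gather the eventlog facts the
rem thread asks for in one log on the desktop - the service state from
rem sc query, and every eventlog.dll under %windir% with its size in bytes.
rem Assumption (not stated in the thread): on Windows XP, Windows File
rem Protection keeps a reference copy at system32\dllcache\eventlog.dll, so
rem a size that differs from it is flagged as worth a closer look.

set "LOG=%userprofile%\desktop\logit.txt"
set "REF=%windir%\system32\dllcache\eventlog.dll"

> "%LOG%" echo eventlog check on %date% %time%
>> "%LOG%" echo.
>> "%LOG%" echo [service]
rem Only the STATE line of sc query is interesting here (RUNNING / STOPPED).
sc query "eventlog" | findstr /i "STATE" >> "%LOG%"
>> "%LOG%" echo.

set "REFSIZE="
if exist "%REF%" for %%R in ("%REF%") do set "REFSIZE=%%~zR"
if defined REFSIZE (
    >> "%LOG%" echo [reference] %REF%  !REFSIZE! bytes
) else (
    >> "%LOG%" echo [reference] no dllcache copy found - sizes below are not compared
)
>> "%LOG%" echo.
>> "%LOG%" echo [copies found]

rem for /r with a plain file name visits every directory, so if exist filters
rem down to the directories that actually hold an eventlog.dll.
for /r "%windir%" %%F in (eventlog.dll) do (
    if exist "%%~fF" (
        set "NOTE="
        if defined REFSIZE if not "%%~zF"=="!REFSIZE!" set "NOTE=   <-- size differs from dllcache copy"
        >> "%LOG%" echo %%~fF  %%~zF bytes  modified %%~tF!NOTE!
    )
)

type "%LOG%"
endlocal
```

The log is written line by line with redirection so it survives even if the machine is too slow to keep a console open; it can then be moved to a clean machine on the CD or flash drive exactly as the thread does with logit.txt.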

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

Great! - Trinity offers 4 AV scanners, but only Clam is onboard. It needs to update and download and rewrite itself. This is a legit option that uses freeware as opposed to pirated software.
(I wish they would add an option for MBAM or combofix to be downloaded and run...)

I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. .....Will that be an issue?

I doubt it - that message is not referring to your "system BIOS" - probably looking for a drive controller. Not a big worry at this time.
-- With any luck your compy will detect the CD on startup and offer the option to boot from it. We'll cross that bridge when we come to it.
Those CDs are strictly a last option in the event that nothing else works - Hopefully we'll not have to use them. (they are good to have around, though - hold onto them)

Let's start with the CD with all the tools on it.
-- See if you are able to transfer FindWPP to the ill computer.
RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop. Hopefully you won't be …

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . things don't look too bad outside of all the P2P stuff. You are playing with serious fire there. A lot of forums won't help you unless those are removed.....

-- What is this folder?: C:\System32

-- Some forum volunteers would likely wipe this registry key:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

I'll leave that up to you - My feeling is that "people are going to do what they are going to do" . . .LOL.

I will say that you dodged a very big bullet - malware purveyors are really starting to take advantage of P2P stuff. I've seen a lot of borked machines.
Well. . . That's the extent of my lecture.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Have done this myself, but stress to the user NOT to reboot . . . .

Yup - but you have to stress that really hard and still people will reboot when prompted to "reboot so changes take effect" or whatever the dialog box says....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD

In re-acquainting myself with TRK, I realize that I should've added that ideally this should be on a Re-Writable CD, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Back on original computer - Windows must have redone the registry key.
I will post the log, note: I will be gone for 3+hours I have to catch the bus home, but I'll let you take a look for now.

Great - Now we are cooking with gas! Or . . . however the saying goes.

I didn't think it would be too bad given all that you did prior to combofix. Looks like it replaced the infected file - hopefully you can run programs now.

I'll have a closer look and get back to you.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Windows vista,
You think it's that bad huh?
I'm going to restart... I don't think that will make it worse. I will look for the recovery.

Tap F8 on reboot and see if Recovery Console is option. If so, choose it and let me know.
If not, do Safe Mode with Command Prompt.

Let me know.

Might not be that bad - rather err on the side of caution.

PhilliePhan 171 Central Scrutinizer Team Colleague

It really does - and yes I apparently had it previously - it didn't ask to download it. ... Do you think I should restart?

-- What OS?
-- Do you have your Windows OS disk?

-- You should know if recovery console is installed because it will give you that option on reboot. Have you seen that option?

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . That puts a wrinkle in things.

-- Did you install the recovery console?

PhilliePhan 171 Central Scrutinizer Team Colleague

Let's try this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let us know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Of course I think System Restore itself is so misunderstood anyway. So many seem to think it is the "end all and be all" of fixing, when in reality many times it does more harm than good. . . .

I don't know that it does more harm than good, but I'll agree with the misunderstood part.

I liken this argument to users who have disabled malware via msconfig.
A lot of volunteers will ask those users to remove those items and restore normal startup . . .. Why? Why do this?
Why allow malware that has previously been stopped from running to start and potentially "phone home" for reinforcements??

That, to me, is a dumb practice (and yes, I used to do that back before I really considered the consequences). I think in the past when we were all too dependent upon HJT, you needed to do this to get a good look at things.
But with DDS / RSIT et al, that is no longer necessary. We can see what has been stopped and deal accordingly.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I know there ARE forums which tell people to turn it off.....

I think those are few and far between these days.
When I was volunteering at Majorgeeks in 2004, it was policy to have users turn off System Restore before cleaning.
I was doing this at other forums as well until Blender set me straight. She was the one who first suggested (to me) that an infected point is better than none at all.
I then took that argument to chaslang at MGs and he changed the policy there.

A similar process took place in the forums regarding the whole "don't force Safe Mode" idea.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey, I'm glad you managed to sort your comp out..... After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

This baddie comes in different flavors and different degrees of difficulty. Most often, there is a rootkit component that makes removal a bear.....

What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

Great! We can try that - You'll need three CDs. I'll post the list at the bottom of this post.

I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

That's where the Flash Drive comes into play. Allows give and take from the ill machine. Plus, we can run combofix from the flash drive...

Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, …

PhilliePhan 171 Central Scrutinizer Team Colleague

When dealing with an infection System Restore should be left alone until the computer is deemed clean. THEN, and only then, you should set a new and clean restore point by turning off System Restore and turning it back on. But until the computer is clean, leave it alone.

Actually, that is not entirely true, Judy. :)

Many forums will have users set a fresh restore point directly before beginning the cleaning process - that goes along with the "infected point better than none at all" argument.... Likewise, some fix tools will also set points before their runs.
So, if a user normally operates with System Restore OFF, I would ask them to turn it on prior to cleaning.....

-- I was going to write some stickies addressing this and other practices, but currently awaiting OK from Daniweb leadership....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all.. . . .

Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?

I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.

There is a good chance that any re-writable media will get infected.
-- Are you able to burn tools onto a CD if I gave you a list of what we need?
-- Why not purchase a cheap flash drive?
-- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.

Let me know where you stand.

If you are able to download to the ill machine, please download FindWPP.zip and RightClick on …

PhilliePhan 171 Central Scrutinizer Team Colleague

Can some one please help!!

Let's have a quick look to see what we are dealing with:

Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was able to download and run Vundo, but it said it did not find anything

Well . . . That's not good.

-- Try this:
Get a command prompt (start > run > type cmd > OK)
Type or Copy&Paste ipconfig /flushdns at the prompt and hit ENTER.
See if that helps at all.


-- You will probably need to purchase a flash drive and use a friend's computer or a compy at your local library or coffeeshop to download some more comprehensive cleaning tools such as MBAM and Combofix.
That would be the easiest course of action.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you for researching that for me.
I tried to delete the file and got this error message: "Cannot delete zrqabm: access is denied"

I do not have access to a clean computer where I can download those programs unfortunately.


What about the link for VundoFix?
If you cannot get that link to work, please do this:

Download the attached VundoFix.zip and extract Vundofix.exe to your Desktop. Do not run it from the ZIP!

* Double-click VundoFix.exe to run it.
* When VundoFix opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK

*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the Vundofix log for me. ---> C:\VundoFix.txt

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the attachment you requested, and I am currently testing out Mozilla. Will let you know if it lets me access that website. Thanks!

Yep - that's a baddie.
http://virusscan.jotti.org/en/scanresult/09720eaf5c44c34795dc5068ac91f0bb70aa5e8b

Go ahead and DELETE zrqabm.dll

-- See if you are able to access and run VundoFix as per the linky below:
http://vundofix.atribune.org/

--- Do you have a flash drive you can download tools to from a clean computer? Or, perhaps burn them to CD?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So I ran HijackThis and found zrqabm.dll and fixed it.
I then ran the scan and found the file.

-- Are you able to ZIP zrqabm.dll and attach it to your next reply? Please try that for me.

-- Download and Install Firefox browser (linky below) and tell us if you have the same problems as with IE.
http://www.mozilla.com/en-US/

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried to download, but when I clicked on the link you provided, the page loaded like what it does when I try to go to AVG's website (internet explorer cannot display the page)

--- Are you able to RightClick on the DDS link I posted and select "Save As" and then save it?

--- Run a scan with HijackThis and Check the Box next to this line and then Click "Fix Checked."
O20 - AppInit_DLLs: ,avgrsstx.dll zrqabm.dll

--- Please do a search of your machine for this file: zrqabm.dll
It will likely be in the System32 Folder - Be sure to enable the viewing of hidden files.

Then, once you find the file's location see if you can do this:

Go here ---> and use the Browse Button at the top of the page to navigate to zrqabm.dll and Submit it for analysis. Let us know what you find.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Katrina,

See if you can do this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I thought the Thread title says, Infected computer Please Help....huhhh

Did you see anything in the HJT or MBAM logs that warrants running Combofix?

I once had a poster tell me that a virus had turned his cursor into a dinosaur......LOL! Can't always take things at face value :)

I think Brian is on point here.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am fairly certain at this stage that it's a F.P.

It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Once again thank you so much for your help. It is greatly appreciated

You're welcome, Monica :)

If all is working properly, please mark this one as solved.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You are welcome - Happy to help :)

Everything looks OK to me. I think you are good to go - How are things working now?

--- I am still a bit worried about those files you scanned, but if they came back clean it would be best to err on the side of caution and leave them alone.

Let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know how things are working and if Combofix was successfully removed.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Combo Fix Log

Ok - You are making good progress.

Now:
-- Download the attached file CFScript.txt to your Desktop
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

Then:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


NEXT:
Check and see if MBA-M can be updated and will run now (in Normal Windows Boot) and, if it does, do a Full Scan and have it remove what it finds and post that log too....


Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items …

PhilliePhan 171 Central Scrutinizer Team Colleague

here are the logs I was given

AllRightyThen! Let's now do this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

this is the log that popped up...

OK - Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I cannot get HijackThis to run and am stuck at this point...I need a little help!!

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Malwarebytes' Anti-Malware has successfully blocked access to malicious IP: 212.117.169.16

This belongs to a server that you are trying to contact:

inetnum: 212.117.160.0 - 212.117.175.255
netname: SERVER-LU
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PA
mnt-by: ROOT-MNT
source: RIPE # Filtered

role: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
address: Luxembourg
phone: +352 20.500
fax-no: +352 20.500.500
e-mail: info@root.lu

HERE are some of the sites they host. Torrents, warez and pron. No wonder MBA-M blocked access.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Files Infected:
C:\Program Files\Microsoft Works\cpitv11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Works\pibase11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

These look a lot like legitimate items to me. Very likely a bunch of False Positives.
You should probably hold off on any further action until Judy can have a closer look.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I wonder if SAS has those keys set for removal on reboot?

Plus, I don't see the HKCR key that it flagged on the scan....

Odd.

Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.

PP:)