Possible Failed Rootkit Removal

[Larceny82]

Oh. My. Word...I can't believe I had a brain-fart last that long. I created another Ubuntu live CD and reinstalled Ubuntu, so now I will have Internet access at will so it won't take me ages to get stuff uploaded to you. *facepalm* Anyway, here are the documents you requested from the scan over a week ago.

[thisisu]

Quick question, are you running scans with SAS or MBAM on your own?

[Larceny82]

Quote:

Originally Posted by thisisu

Quick question, are you running scans with SAS or MBAM on your own?

The only thing I've run since that was a quick test to see if combo fix would get me connected.

[thisisu]

Are you using the paid versions of SAS or MBAM?

[thisisu]

Quote:

Originally Posted by Larceny82

In the super antispyware quarantine folder are all the afd.sys and afd registry entries. Is there a way to get them out cleanly?

I may have missed this earlier but you should not be running SAS on your own unless requested to.

Quote:

C:\Users\Larceny\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 02-18-2012 - 15-21-06.log
C:\Users\Larceny\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 02-18-2012 - 16-54-35.log

This may be what keeps quarantining afd.sys and other internet related drivers.

For good measure, please uninstall SAS, MBAM, and Spybot - Search & Destroy and leave them uninstalled for the remainder of malware removal.

Reboot your PC after you have uninstalled all 3 of these.

Now download a NEW ComboFix.exe from here. Place it on your desktop.

Fixing items using ComboFix
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

KillAll::
ClearJavaCache::
Driver::
SASDIFSV
SASKUTIL
!SASCORE
File::
c:\windows\system32\dds_trash_log.cmd
Folder::
c:\program files\SUPERAntiSpyware
c:\windows\$NtUninstallKB41664$
MIA::
c:\Windows\system32\drivers\afd.sys
c:\Windows\system32\drivers\netbt.sys
c:\Windows\system32\drivers\tcpip.sys
c:\Windows\system32\drivers\tdx.sys
c:\Windows\system32\drivers\nsiproxy.sys

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

[Larceny82]

Copy that. I'm at work now, but with a working edition of Ubuntu, you'll have these shortly after I get home tonight.

[Larceny82]

Quote:

Originally Posted by thisisu

For good measure, please uninstall SAS, MBAM, and Spybot - Search & Destroy and leave them uninstalled for the remainder of malware removal.

Do you recommend using standard Control Panel Add/Remove Programs? Because I've also used Revo Uninstaller in the past...

[thisisu]

Quote:

Originally Posted by Larceny82

Do you recommend using standard Control Panel Add/Remove Programs? Because I've also used Revo Uninstaller in the past...

I typically just use the standard Control Panel for most applications. If I encounter any difficulties then I may use Revo Uninstaller.

[Larceny82]

Quote:

Originally Posted by thisisu

I typically just use the standard Control Panel for most applications. If I encounter any difficulties then I may use Revo Uninstaller.

Okay, I'll get those uninstalled and get the new logs up tonight.

[Larceny82]

Newest Logs, definitely seemed to run smoother. Internet in general seems to be running smoother too.

[thisisu]

Quote:

Originally Posted by Larceny82

Newest Logs, definitely seemed to run smoother. Internet in general seems to be running smoother too.

Latest logs are clean.
I guess it was one of those 3 security applications after all.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

[Larceny82]

Quote:

Originally Posted by thisisu

Latest logs are clean.
I guess it was one of those 3 security applications after all.

I can't thank you enough and I apologize for all the delays in the process!

Quote:

Originally Posted by thisisu

Be safe!

Yes sir!

[thisisu]

Quote:

Originally Posted by Larceny82

I can't thank you enough and I apologize for all the delays in the process!

You're welcome and no problem

[Larceny82]

Didn't think I'd be back so soon...so since my last post, I went to work, came home played Portal, slept, played Portal, went to work, booted into Ubunto to watch TV, booted into windows, downloaded and installed Microsoft Security Essentials and a .NET framework as well as Avast!, rebooted and can't log in to Windows completely. As windows loads, the entire thing freezes. Safe mode loads fine however.

[thisisu]

Hi,

It may be a problem with both MSE and Avast trying to load while in Normal Mode.

You should uninstall both for testing purposes and see if that helps.

By the way, you should only have one Antivirus installed, uninstall the rest. There are more details about why in the Read and Run Me First thread.

[Larceny82]

You were exactly correct. I loaded safe mode, uninstalled avast and the computer booted right up. Thanks again.!

[thisisu]

Quote:

Originally Posted by Larceny82

You were exactly correct. I loaded safe mode, uninstalled avast and the computer booted right up. Thanks again.!

You're welcome.