6 Hidden Objects all over again

Discussion in 'Malware Help (A Specialist Will Reply)' started by mfozaydin, Jul 12, 2012.

  1. mfozaydin

    mfozaydin Private E-2

    Major Geeks,

This is the real Deja Vu! My Avira scan gave me the same exact rootkit files that I had back in September of last year. How can it be????? It was a long process and I can't believe I had to go through this again. Please help.

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Exactly what objects are you referring to? Attach a log. Many hidden objects can be normal.



Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
    Last edited: Jul 13, 2012
  3. mfozaydin

    mfozaydin Private E-2

    Chaslang,

You can see these objects in the Avira scan results that I am attaching as well. These "6 hidden objects" are the same as 10 months ago; you can go back to my old threads with "Thisisu" and compare them. Here are all the scan results that I ran.

    Thanks.
     

    Attached Files:

  4. mfozaydin

    mfozaydin Private E-2

    Here they are.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you seem to have run the READ & RUN ME, I'll assume you forgot to attach the log from MGtools but you do have it installed.

    Shutdown ALL protection software before you run the below.

    Now download The Avenger by Swandog46, and save it to your Desktop.

    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. mfozaydin

    mfozaydin Private E-2

    Chaslang,

I ran the Avenger first, but my laptop couldn't reboot; I kept getting the BSOD, so I started to Last Good Configuration. I ran the MGTools and am attaching the log.

    Thanks.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is of no use to us until Avenger ( or any other fix ) runs properly. Let's try a different way.

    Download and save combofix.exe directly on to your Desktop. Do not run it yet. Just save it!

    Uninstall Avira and Malwarebytes and then reboot your PC.

    After reboot, let's try the below fix with ComboFix. If for any reason, ComboFix does not run in normal boot mode, try again in safe mode.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now make sure that you are in normal boot mode and also only run GetLogs.bat if ComboFix successfully ran.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  8. mfozaydin

    mfozaydin Private E-2

    Chaslang,

    I was able to reboot this time without BSOD. Here are the logs.

    Thanks.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. One more fix with ComboFix.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. mfozaydin

    mfozaydin Private E-2

    Chaslang,

    Here are the new logs.

    Thanks.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That did not work. Did you have any problems running ComboFix? Was all protection shutdown? I still see PC Tools Firewall.

    Try repeating all of last fix after booting into safe boot mode. Attach new logs.
     
  12. mfozaydin

    mfozaydin Private E-2

    Chaslang,

It is my bad actually; I may not have disabled the PC Tools Firewall Plus, so I ran them both again. Please check the new logs, and if it still did not work then I will proceed with your new instructions. Let me know.

    Thanks.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Still did not work! Something else may be hiding that is blocking the fix. However please try it again in safe boot mode and then we will see if we need to try some other method and also possibly may need to run some other scans.
     
  14. mfozaydin

    mfozaydin Private E-2

    I tried to run the Avenger in safe mode but I got the BSOD again so I rebooted to last good configuration.

    Thanks.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avenger????? Did you mean you ran the previous ComboFix procedure in safe mode?
     
  16. mfozaydin

    mfozaydin Private E-2

    Chaslang,

I first ran the Avenger in safe mode; the reason was that I thought you meant that one first :confused: Then I got the message and I ran the ComboFix (shorter quote) in safe mode and am attaching the logs.

    Thanks.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there is definitely something else hiding on your PC. The bad driver files are starting to multiply.

    Please run GMER per the below and attach the GMER log

    GMER - running with a random name


    Also run the below online scan from ESET and attach the log from ESET. Note it will likely tell you about the process.exe file in the MGtools folder. It is not a problem.

    Using ESET's Online Scanner
     
  18. mfozaydin

    mfozaydin Private E-2

    Chaslang,

    Here are the logs for GMER and ESET.

    Thanks.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall PC Tools Firewall.

Also, if you have not disabled Daemon Tools (disk emulation, per step 4 of the READ & RUN ME), please do this now.


    Now please download the current version of combofix.exe and save it directly onto your Desktop



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

Now run a new scan with GMER and save the log to attach.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • the new GMER log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. mfozaydin

    mfozaydin Private E-2

    Chaslang,

Here are all the logs. My laptop is running just fine, except that I have uninstalled the protection software, both the Avira and the PC Tools Firewall Plus, for the removal process.

    Thanks.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the registry keys we were trying to fix still did not get removed. There could be a permissions issue with the registry key. Let's try a fix to this and then see what happens.


    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.
    Once it finishes, reboot your PC.

    Now assuming the above ran properly, repeat the whole fix from message # 19 again.
     
  22. mfozaydin

    mfozaydin Private E-2

    Chaslang,

1) I am unable to download the "resetperm.cmd"; when I click on it the message below appears. It is not a downloadable link.

    2) I re-did the procedure you outlined on message #19 anyway so I am attaching the logs. Once we resolve this I will also do it again after running resetperm.cmd as you mentioned.

    rem resetperm.cmd: resets registry and file-system ACLs using SubInACL (run elevated)
    rem SubInACL.msi installs into the Resource Kit Tools folder; change into it first
    cd /d "%programfiles%\Windows Resource Kits\Tools"

    rem HKEY_LOCAL_MACHINE: Administrators and SYSTEM get full control, Users/Everyone/Restricted read only;
    rem /subkeyreg walks the subtree, /keyreg fixes the root key itself, /setowner takes ownership back
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators
    subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators

    rem HKEY_CLASSES_ROOT: same idea; the subtree pass appends its output to a log in %temp%
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators

    rem Program Files and Windows directories: Users get execute (e), admins and SYSTEM full control
    subinacl /subdirectories %programfiles%\ /grant=administrators=f /grant=system=f /grant=users=e

    subinacl /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e

    rem CurrentControlSet (where service keys live): also grant the service accounts Windows itself
    rem needs (TrustedInstaller, BFE, LOCAL/NETWORK SERVICE, DHCP), otherwise services fail to start
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\system\currentcontrolset "/grant=nt service\trustedinstaller=f" "/grant=nt service\bfe=f" "/grant=local service=f" "/grant=network service=f" "/grant=nt service\dhcp=f" /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt

    subinacl /keyreg HKEY_LOCAL_MACHINE\system\currentcontrolset "/grant=nt service\trustedinstaller=f" "/grant=nt service\bfe=f" "/grant=local service=f" "/grant=network service=f" "/grant=nt service\dhcp=f" /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I don't know what you mean. The link works just fine; I'm guessing that you are not "downloading" it but rather are trying to run it. The output you showed (and that is not a message, it is the script showing what it is running) is what is inside of the resetperm.cmd file.

You need to download it and save it to your PC as requested and try running it.

    Are you familiar with running the Registry Editor?

    Also side note, you should uninstall this >> Ask Toolbar
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost forgot. I also want you to run the below scan.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %allusersprofile%\application data\*.exe
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  25. mfozaydin

    mfozaydin Private E-2

    Chaslang,

    Here are all the logs except for "extra.txt" which wasn't created at the end of OTL scan.

    Thanks.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, now the reset of permissions appears to have worked because those items are no longer showing in GMER.

Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    DRV - File not found [Kernel | Unavailable | Unknown] -- globalroot\C:\WINDOWS\system32\drivers\41223D.sys -- (41223D)
    IE - HKU\S-1-5-21-1455177488-1803624957-2378349180-1006\..\SearchScopes\{9F0F5B57-C7AD-4E78-8279-E9EAB2BAB777}: "URL" = [URL]http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10400&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^ABY&apn_dtid=^YYYYYY^YY^US&apn_uid=c254ad52-6c57-46bf-a6c6-b889205dc600&apn_sauid=44680646-3236-4963-9F8B-6CA5280DDC0D[/URL]
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    [2012/07/26 21:15:59 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\M.Fevzi Ozaydin\Application Data\Mozilla\Firefox\Profiles\6ba90qyz.default\searchplugins\askcom.xml
    [2008/10/31 01:50:57 | 000,013,434 | ---- | C] () -- C:\Program Files\Common Files\ziry._dl
    [2008/10/30 23:33:13 | 000,014,474 | ---- | C] () -- C:\Documents and Settings\M.Fevzi Ozaydin\Application Data\sipeher.dl
    [2008/10/30 23:33:13 | 000,014,311 | ---- | C] () -- C:\Program Files\Common Files\wybyge.dat
    [2008/10/30 23:33:13 | 000,010,691 | ---- | C] () -- C:\Program Files\Common Files\uwexaw._dl
    [2008/10/30 21:24:15 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\M.Fevzi Ozaydin\Application Data\nafe.dat
    [2008/10/30 21:24:14 | 000,019,998 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\giwubisyc.pif
    [2008/10/30 21:24:14 | 000,015,128 | ---- | C] () -- C:\Program Files\Common Files\uwan._sy
    [2008/10/30 21:24:14 | 000,014,662 | ---- | C] () -- C:\Program Files\Common Files\nubyzip.lib
    [2012/07/15 11:14:06 | 000,001,150 | ---- | M] () -- C:\bmnuq.txt
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
• Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
  27. mfozaydin

    mfozaydin Private E-2

    Here they are:
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good. Let's get one more log from GMER just to make sure the below are really gone.
    Code:
    Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start                                                                1
    Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type                                                                 1
    Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath                                                            \systemroot\system32\drivers\TDSSmhct.sys
    Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group                                                                file system
     
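The four GMER lines above describe one hidden service key, TDSSserv.sys, with its start, type, imagepath and group values. Reading them by hand means knowing that start=1 is "System" and type=1 is "Kernel driver", and noticing that the key sits in ControlSet003 rather than CurrentControlSet, which matters here because booting Last Known Good Configuration switches to a different control set. The script below is an added example, not part of the post or of GMER: it parses GMER "Reg" lines into per-key dictionaries, decodes the service start and type codes, and lists the entries that are kernel or file-system drivers. The line layout and the sample lines are taken from the post; the code tables are the standard Windows service values.

```python
import re

# Constructed sample: the four GMER "Reg" lines quoted in the post above.
GMER_REG_LINES = r"""
Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start                                                                1
Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type                                                                 1
Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath                                                            \systemroot\system32\drivers\TDSSmhct.sys
Reg             HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group                                                                file system
"""

# Reg <key>@<value name> <data>; key paths contain no spaces or '@'
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)@(?P<value>\S+)\s+(?P<data>.*?)\s*$")
SERVICE_KEY = re.compile(r"\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<name>[^\\]+)$", re.I)

# Standard Windows service Start and Type values
START_LABELS = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
TYPE_LABELS = {1: "Kernel driver", 2: "File system driver", 16: "Own process", 32: "Shared process"}


def parse_gmer_reg(text):
    """Map each registry key in GMER's Reg section to {value name (lowercase): data}."""
    keys = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            continue
        keys.setdefault(m.group("key"), {})[m.group("value").lower()] = m.group("data")
    return keys


def _code(values, name):
    """Integer value or None when GMER did not report it / it is not numeric."""
    raw = values.get(name)
    return int(raw) if raw is not None and raw.isdigit() else None


def describe_service(key, values):
    """Decode a Services\\<name> key into labelled fields; None for non-service keys."""
    m = SERVICE_KEY.search(key)
    if not m:
        return None
    start, svc_type = _code(values, "start"), _code(values, "type")
    return {
        "key": key,
        "control_set": m.group("cs"),
        "name": m.group("name"),
        "start": start,
        "start_label": START_LABELS.get(start, "unknown"),
        "type": svc_type,
        "type_label": TYPE_LABELS.get(svc_type, "unknown"),
        "image_path": values.get("imagepath", ""),
        "group": values.get("group", ""),
    }


def kernel_driver_services(parsed):
    """Service keys whose Type marks them as a kernel or file-system driver."""
    found = []
    for key, values in parsed.items():
        desc = describe_service(key, values)
        if desc and desc["type"] in (1, 2):
            found.append(desc)
    return found


if __name__ == "__main__":
    for d in kernel_driver_services(parse_gmer_reg(GMER_REG_LINES)):
        print(f"{d['name']} in {d['control_set']}: {d['type_label']}, start={d['start_label']}, "
              f"image={d['image_path'] or '(none)'}, group={d['group'] or '(none)'}")
```

For the sample this prints a single line for TDSSserv.sys: a kernel driver with System start whose image is TDSSmhct.sys under system32\drivers, living in ControlSet003. A follow-up GMER log that still contains those four lines means the key survived the fix; a log without them, as chaslang is checking for here, is the confirmation wanted before the cleanup steps.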
  29. mfozaydin

    mfozaydin Private E-2

    Here it is:
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
  • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
  31. mfozaydin

    mfozaydin Private E-2

    Chaslang,

    Thanks a lot for your help on this matter. Laptop is fine and dandy but the question is now, am I a 10 type now if not how can I become one? :major

    Best regards.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

