Almost fanatically careful, but still not enough!

Discussion in 'Malware Help (A Specialist Will Reply)' started by karendanette, Aug 13, 2010.

  1. karendanette

    karendanette Private E-2

    Hi Guys,

    I've had my Toshiba Notebook since January 2009, and have taken excellent care of it. With the exception of Facebook - no games or apps - I am extremely careful. Within the last week, my computer started crashing randomly. I checked add-ons and a search for DLM Control revealed that it is a rootkit.

    A couple of months ago, Paypal advised me of attempted purchases that were caught and refunded, and more recently, I was unable to retrieve an online payment from ING Direct. I have been concerned, but am not sure how bad this could be and don't know if you can tell from the scans.

    I have completed the steps and am attaching my logs. SAS and MAB found no threats. I appreciate your help.

    Thanks,
    Karen
     


  2. karendanette

    karendanette Private E-2

    Here is the MGlogs.zip file. Again, thanks.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. What issues are you presently having?

    You should install a firewall!!
     
  4. karendanette

    karendanette Private E-2

    Hi Tim,

    Right now, everything seems okay. I notice that the rrlog.txt I attached has no views, and same for the MGlogs.zip file. The ComboFix.txt file has one view, and in it, though I don't know what most of it means, I saw one file deletion, one hidden file called catchme.dll, and locked registry keys.

    The RRlog.txt is the one that caused the most alarm. Again, I do not understand how to read the logs, and I don't know if the scans correct problems as they find them, but there were files that were invisible to the Windows API, locked to the Windows API, visible to Windows API but not on disk, and files with allocation size mismatch. As I say, I don't exactly know what those mean, but they appear to be evidence of rootkit activity.

    I would like to know if the problem is solved; if my financial information may have been compromised; if someone can tell if there was in fact a rootkit, and if so, whether or not it's still there. Thank you.
     
  5. karendanette

    karendanette Private E-2

    Regarding installing a firewall, I did turn it off for the scans yesterday, but I have relied on the one that comes with Vista. I understand there are better ones out there, but I don't have as much time now with my husband being in Afghanistan again this year, and four children at home. I have difficulty making decisions without quite a bit of research, which is time-consuming. Are external firewalls programmed to set themselves up, or do you have to program them?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your financial info is safe, but our standard advice for anyone suspecting malware is to use a different computer to change all your online passwords. I saw no rootkit activity. Most of what you need to do is to clear out your old restore points. I will give you instructions for that now. Plus, do look at the link at the end for How to Protect yourself. In that link will be some recommendations for a firewall, as Vista's firewall is only one way. I would recommend you use PCTools firewall (without ThreatFire).

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
  7. karendanette

    karendanette Private E-2

    Hi Tim,

    Thank you very much for helping me. To be clear, are you saying there never was evidence of rootkit activity, or that there may have been and it was fixed in the scans? I will re-read the "How to Protect..." post, and try the firewall you recommended. Again, I appreciate your help. Karen
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I did not see any evidence of a rootkit. And you are most welcome. Safe surfing. :)
     
  9. karendanette

    karendanette Private E-2

    Tim,

    Thank you, again, for your help. From your two responses, I understand that there never was rootkit activity, so none was repaired in the scans. I'm unsure what was causing my computer to crash, but am happy to say that it hasn't happened since I received help from this site.

    I sincerely appreciate what all of you do in helping others; it is a great service you provide. Thanks for recommending the firewall. You saved me hours of time in research. I installed it, and it was not complicated at all as I had feared it would be. I won't take up any more of your time, as I know you are busy, but thank you again!!!

    Karen
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome, Karen. I hope you stay around and avail yourself of the knowledge here in the forums. :)
     
