malware/trojan in my hardrive

Discussion in 'Malware Help (A Specialist Will Reply)' started by mgjruss, Jan 8, 2011.

  1. mgjruss

    mgjruss Private E-2

    I think I have malware on the hard drive. I followed the procedures indicated in the Malware Removal guide. Unfortunately the SUPERAntiSpyware runs halfway but stops working and does not give a log. The mb.exe starts but does not even last one minute. The ComboFix.exe does not even start. The other two logs did run and I have attached them. Can you help?
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the below instructions in the order given.



    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    a-squared Free 4.5
    Java(TM) 6 Update 20
    McAfee Security Scan Plus


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Maureen Jones.DESK4\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. mgjruss

    mgjruss Private E-2

    I have done everything up to reinstalling Sun Java Runtime Environment. I do not know how to go about deleting C:\WINDOWS\Temp. I need additional assistance. Thanks.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right click Start and select Explore. This will bring up Windows Explorer. Either navigate to the folders via Windows Explorer or just copy and paste the folder names into the Address bar and click Go. For example, copy and paste the below

    C:\Documents and Settings\Maureen Jones.DESK4\Local Settings\Temp

    After clicking Go, the above folder will show in Windows Explorer. Verify that it does. Then select files with your mouse and right click on them to select Delete.
     
  5. mgjruss

    mgjruss Private E-2

    I have completed all the steps as outlined. I still think there is something wrong with the computer. The ActiveX component cannot be created. Thanks.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there is a bad driver/service that showed in your TDSSkiller log which is part of the problem and it caused some of the items we removed to come back at reboot. Let's try this a different way.

    • Please download GMER and save it to your Desktop:
      • Unzip (extract) the gmer.exe file to your Desktop.
    • Make sure the executable file is named gmer.exe otherwise the instructions below will not work properly.
    • On your Desktop, click the Start button and select Run
    • Then in the Run box copy & paste the below exactly as written
      • "%userprofile%\desktop\gmer.exe" -protect
    • Then click OK.
    • You may have to do this more than once to get it to run properly due to the malware.
    • After you get GMER running from the above, GMER will hopefully show the rootkit. Right click on the bad service and choose Disable Service on the context menu.
    • See the picture below which is just an example of an older TDL infection. The bad service you are seeing/looking for will vary based on the infection but you may see the vbma9589.sys or vbma9589 names. If you don't see it, stop here and tell me, if you did see it and Disabled it, just continue.
    http://forums.majorgeeks.com/chaslang/images/GMER/kungs_service_Select_Disable.png
    • If this works properly GMER will disable the service ok and you will get the below prompt telling you to reboot.
    http://forums.majorgeeks.com/chaslang/images/GMER/kungs_service_disabled.png
    • Click OK to reboot.
    • After your PC reboots, run TDSSkiller again and if it detects the bad service that we are interested in, change the default action to delete at the top then click on Continue.
    • TDSSkiller may ask you to reboot the computer to complete the process. Click on Reboot Now.
    If the above is all successful, we may be able to run ComboFix now, but we will run it with the below instructions.
    • On your Desktop, click the Start button and select Run
    • Then in the run box copy & paste the below exactly as written
      • "%userprofile%\desktop\combofix.exe" /stepdel
    • Then click OK.
    • When finished, ComboFix should create a combofix.txt log for you to attach to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the new TDSSkiller log
    • C:\combofix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 11, 2011
  7. mgjruss

    mgjruss Private E-2

    I do not see the bad service vbma9589.sys or vbma9589 names.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have all the options checked as shown in the snapshot? What names did you see?

    If you rerun TDSSkiller, does it still show the same problem file as last time?
     
  9. mgjruss

    mgjruss Private E-2

    Do you have all the options checked as shown in the snapshot? Yes
    What names did you see?

    ? C:\WINDOWS\System32\Drivers\vbma9589.SYS The process cannot access the file because it is being used by another process.
    IAT.....
    Device.....
    Reg......

    There is nothing that says Service.

    If you rerun TDSSkiller, does it still show the same problem file as last time? Yes
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's the one! Are you saying that it will not let you select Disable Service? If that is the case, see if you can disable it after boot in safe mode.
     
  11. mgjruss

    mgjruss Private E-2

    Are you saying that it will not let you select Disable Service? Yes, it does not allow me to disable it.
    In boot in safe mode, it does not allow me to run the program. It says that I do not have permission to do it.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try running the "%userprofile%\desktop\gmer.exe" -protect command a few times to see if it would work? Sometimes it takes a few tries and you must run it this way. You cannot just double click on gmer.exe.

    If you still cannot run it in safe boot mode, then from safe boot mode first try running the below.

    Run C:\MGtools\FixACLS.bat by double clicking on it. Then immediately afterwards try running "%userprofile%\desktop\gmer.exe" -protect


    Also from normal boot mode, please do the below.

    Also, please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      vbma9589
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
  13. mgjruss

    mgjruss Private E-2

    Ran it in safe boot mode "%userprofile%\desktop\gmer.exe" -protect, but would not let me disable it. I did manage to run SystemLook. Attached is the file. Thanks.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it does not show up at all in SystemLook.

    Did you try running this command several times as requested? Sometimes you need to run it a few times to get it to work.


    Also let's run a slightly different fix with Avenger.

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now let's run SystemLook again but with a slight change to what we input.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      vbma*.sys
      shsvcs.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files need to be fixed, you could get only a few or many of these popups.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • the new log from SystemLook
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 13, 2011
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also after finishing my instructions in message #14, please do the below too.


    Please download Rootkit Unhooker and save it to your desktop. Click here.

    • Double click RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Ensure the following are checked (ticked):
      • Drivers
      • Stealth Code
      • Files
      • Code Hooks
    • Uncheck the rest, then click OK. An initial scan will be performed.
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
    • Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
    • Save the report somewhere you can find it. Click Close to exit.
    • Attach the report to your next reply.
    You may get a warning about parasite detection. Please click OK to continue.
    Also if you look under Device Manager in the System Devices section, do you see something like [cmz vmkd]?

    If you don't know how to bring up Device Manager, you can right click My Computer and select Properties. Then click the Hardware tab and then select Device Manager.
     
    Last edited: Jan 13, 2011
  16. mgjruss

    mgjruss Private E-2

    I was able to run the Rootkit Unhooker. Attached is the report. Also, in response to your question "If you look under Device Manager in the System Devices section, do you see something like [cmz vmkd]?" Yes, under system device [cmz vmkd] Virtual Bus. Thanks.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay please complete the instructions in message #14
     
  18. mgjruss

    mgjruss Private E-2

    I still think I have malware. Cannot access ActiveX component.
    Ran it in safe boot mode "%userprofile%\desktop\gmer.exe" -protect, but would not let me disable it. Ran all the other programs as indicated in message #14. Attached are the logs. Thanks.
     


  19. mgjruss

    mgjruss Private E-2

    I cannot upload the new MGlogs.zip program. It says "You have already attached this file in the thread: malware/trojan in my hardrive" I tried changing the file name to MGlogs3.zip and it still does not allow me to upload the file. Thanks.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to download and run the new version of MGtools.exe as requested. You are trying to upload the same old log which means you did not run the program again as requested which would have created a new log. Renaming the file will not help since the contents would still be the same.

    I need this log to continue.

    Also please rerun TDSSkiller and attach the new log.
     
  21. mgjruss

    mgjruss Private E-2

    Attached are the two files. Thanks.
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we have made some good progress.

    Now I want you to go back to Device Manager and see that [cmz vmkd] item is still showing. If it is, right click on it and select Uninstall.

    We have some other things to do now too.

    First can you tell me what the below are for?
    O23 - Service: eBLVD - ENC - C:\Program Files\eBLVD\ebhost.exe
    O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
    O3 - Toolbar: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
    O4 - HKLM\..\Run: [DataMngr] C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

    After clicking Fix, exit HJT.

    Now since you were unable to run ComboFix previously, we will use it in the below fix, but first we need to get the current version. So delete the copy of ComboFix.exe that is currently on your Desktop and download and save ( but not run yet ) this one >> combofix.exe


    Now we need to use ComboFix but we will run as indicated below.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now see if you can run scans with both SUPERAntiSpyware and Malwarebytes that you previously could not run.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • logs from SUPERAntiSpyware and Malwarebytes if they ran.
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
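
The HijackThis lines quoted in the post above follow a fixed `code - kind: name - owner or CLSID - file` layout. As an added example (not part of the thread, and not code from HijackThis or MGtools), this Python code parses the lines quoted in this thread and flags entries whose file is absent or whose service owner is unknown; the `parse_line` and `triage` helpers and the flag names are assumptions made for illustration, and a flag is a hint for a closer look rather than a verdict.

```python
import re
from dataclasses import dataclass, field

# HijackThis section codes that appear in this thread, with their usual meaning.
SECTIONS = {
    "R3": "URL search hook",
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "Autostart entry (Run key / Startup)",
    "O23": "Windows service",
}
# Markers HijackThis prints when the referenced file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)")

# Lines quoted from this thread (posts 22 and 23).
SAMPLE = r"""
O23 - Service: eBLVD - ENC - C:\Program Files\eBLVD\ebhost.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
O3 - Toolbar: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
O4 - HKLM\..\Run: [DataMngr] C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
"""


@dataclass
class Entry:
    code: str
    section: str
    kind: str
    name: str = ""
    owner: str = ""
    clsid: str = ""
    target: str = ""
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one HijackThis log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m["code"], m["rest"].strip()
    e = Entry(code=code, section=SECTIONS.get(code, "unknown section"),
              kind=m["kind"].strip())
    if code == "O4":
        # Run-key entries look like "[value name] command line".
        vm = RUN_RE.match(rest)
        e.name, e.target = (vm["name"], vm["target"]) if vm else ("", rest)
    else:
        # "name - middle - file": middle is a CLSID (R3/O2/O3) or an owner (O23).
        parts = rest.split(" - ", 2)
        e.name = parts[0]
        e.target = parts[-1] if len(parts) > 1 else ""
        if len(parts) == 3:
            if CLSID_RE.fullmatch(parts[1]):
                e.clsid = parts[1]
            else:
                e.owner = parts[1]
    if e.name == "(no name)":
        e.flags.append("unnamed")
    for marker in ORPHAN_MARKERS:
        if e.target.endswith(marker):
            # Registry entry survives but the file it points to is gone.
            e.target = e.target[: -len(marker)].strip()
            e.flags.append("orphaned")
    if e.owner == "Unknown owner":
        # The binary carries no company name in its version information.
        e.flags.append("unknown-owner")
    return e


def triage(text):
    """Return parsed entries for every recognisable line in a log excerpt."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        hint = ", ".join(entry.flags) or "-"
        print(f"{entry.code:<4}{entry.section:<38}{entry.name:<16}{hint}")
```

Entries with no flag still need a human decision: the MediaBar and DataMngr lines parse cleanly, and the helper in the thread selected them for removal anyway.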
     
  23. mgjruss

    mgjruss Private E-2

    First can you tell me what the below are for?
    O23 - Service: eBLVD - ENC - C:\Program Files\eBLVD\ebhost.exe
    O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
    I have no idea. One day the icon for eBLVD appeared on the computer & I did not do anything with it as I take some online courses.
    Good news, I managed to run all the programs. Attached are the logs. Thanks.
     


  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below is in Add/Remove Programs

    eBLVD Host Software 7.0

    Does that ring a bell? What about their website? http://www.eblvd.com/about.aspx

    This also may somehow be related to the Shield program which may be related to some kind of backup or "roll back" software like this: http://support.horizondatasys.com/ics/support/default.asp?deptID=4443


    At any rate, since we were able to run the other tools now, we have found some more to fix.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  25. mgjruss

    mgjruss Private E-2

    The eBLVD Host Software 7.0 I think is the software used by one of my programs to do my WebClass. Attached are the new logs you requested. Thanks.
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Since you did not tell me how things are working, I will assume all is good.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  27. mgjruss

    mgjruss Private E-2

    I thought everything was OK, and did the steps above except I do not see HijackThis in the add/remove programs and uninstall. I skipped that step and did everything else. The problem is when I try to do step 6) Adjust Active X security setting - when I click on Internet Options it does nothing. Also when I go to the control panel and double click on internet options, it does nothing. What is the problem?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In Internet Explorer, Tools, is Internet Options grayed out?
     
  29. mgjruss

    mgjruss Private E-2

    No, Internet Options is not grayed out.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I don't see anything in your logs that would indicate a problem with this being related to malware. Also since you say it is not grayed out and also since the Internet Options icon was not missing from Control Panel, it is not likely to be the standard issue that the Intecpl.cpl file is missing or corrupted from the C:\Windows\system32 folder. However it is still worth checking to see if this is somehow related, so check the below link

    http://support.microsoft.com/kb/216583

    If the above does not help, try the following.


    Go to this link: http://www.dougknox.com/index.html

    Click on "Windows XP Fixes" (left side of page), click on "Fix Internet Options Restriction" (left column), then download the "xp_fix_internetoptions.vbs" file and run it.
     
  31. mgjruss

    mgjruss Private E-2

    I tried the links you suggested to fix the internet explorer, but it did nothing. Thanks
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does the C:\windows\system32\Intecpl.cpl file exist? This looks like something you will need to work out in the Software Forum. It may be necessary to repair Internet Explorer. However I'm curious about something.... what happens if you completely shutdown ZoneAlarm?


    Keep the below on the back burner if it becomes necessary to reinstall Internet Explorer:

    Windows Internet Explorer 8 for Windows XP
     
  33. mgjruss

    mgjruss Private E-2

    C:\windows\system32\Intecpl.cpl file does not exist.
    Also when I double click on ZoneAlarm nothing happens.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1


    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    inetcpl.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
    The ZoneAlarm issue you will have to post in the Software Forum or you will have to reinstall it.
     
  35. mgjruss

    mgjruss Private E-2

    Attached is the SystemLook.txt file.
     


  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the inetcpl.cpl file does exist. I just had a typo in what I asked you to look for in an earlier message. I typed intecpl.cpl instead of inetcpl.cpl.

    Your problem does not appear to be due to malware. And it does not appear to be due to this file being missing either. So if you completely disabled ZoneAlarm and still had the problem, I suggest that you post in the Software Forum about this since it would then be an issue with a Windows setting somewhere.


    NOTE: The reason I'm suggesting disabling ZoneAlarm is because it sometimes can be configured incorrectly and it can block popup of other windows/forms like what happens when you click Internet Options. If you cannot get ZoneAlarm to come up so that you can configure it, you may want to just uninstall it and then reboot. You can always reinstall later and this may be required if it is broken anyway.
     
    Last edited: Jan 17, 2011
  37. mgjruss

    mgjruss Private E-2

    OK, thanks. I did manage to disable ZoneAlarm but I still could not change the setting on IE. I will post the problem in the Software Forum. Again thank you very much for your help.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. One other thing you may want to test before posting in the Software Forum is to see if behavior for Internet Options is exactly the same if you boot in safe mode and report this in the Software Forum thread you start.
     
  39. mgjruss

    mgjruss Private E-2

    I booted the computer in safe mode and neither Internet Explorer nor Mozilla can access the internet in safe mode.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but you don't need to access the internet to see if Internet Options will open when you click on it. That is all you really need to test.
     
  41. mgjruss

    mgjruss Private E-2

    I tested in safe mode and I still cannot access Internet Options.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then as suggested earlier, you will need to continue in the Software Forum as you are not having malware problems. Possibly a reinstall of IE8 may solve your problems but I'm not sure.
     
  43. mgjruss

    mgjruss Private E-2

    Thanks, I will do that. Thank you very much. I greatly appreciate all your help.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
