RogueAV, rootkit, bluescreen...

Discussion in 'Malware Help (A Specialist Will Reply)' started by duckfeet, Dec 6, 2009.

  1. duckfeet

    duckfeet Corporal

    My friend asked me to look at her computer, as it wouldn't even boot up. It would start, the desktop would come up, then all the pop-ups started, and it would kick into a bluescreen with errors... I couldn't download anything, of course, so I put the required scans on a USB flash drive; I couldn't get to msconfig. It stalled halfway through the SUPERAntiSpyware scan, back to bluescreen again... so I ran Malwarebytes and it made it through the scan, and then I ran ComboFix and it seemed OK, and by then the constant popups and rogue AV seemed gone... so at this point I could finally go to msconfig, and of course it *wasn't* in normal startup, so I put it in normal startup and continued with RootRepeal and MGtools... and since I had to run some of the stuff backwards, like CCleaner and the Java updates, I was hoping you could look at this...

    I have run ComboFix, MBAM, and SAS again in normal mode... but since I had updated them before I ran them from the USB drive, and since they found so much horrible stuff, I figured I'd better post the originals... the second scans came up clean... I'm worried about the rootkit and trojan droppers and hoped you could look at this...

    Thank you in advance; as before, you have helped me so much...
     

    Attached Files:

  2. duckfeet

    duckfeet Corporal

    And the rootrepeal log...
     

    Attached Files:

    • rr.txt (43.2 KB)
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there Duckfeet :)

    Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and the logs posted for each one.)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\System32\drivers\25cf2bb7.sys
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below file and also let me know the results:
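    A precaution worth taking at this step, added here as an example and not part of the original post or of Jotti's service: before uploading a suspicious driver, record its hashes and the basic PE header facts, because the file may be gone by the time you come back to it (later in this thread the first file could no longer be found). The script below is added example code. The driver path is the one named above; the bytes it runs on are a constructed stand-in since the real driver is not available, and the short allow-list of driver names and the random-name heuristic are assumptions for illustration.

```python
"""Fingerprint a suspicious kernel driver before it is uploaded (or disappears).

Added example; not from the thread and not a Jotti tool. It records the hashes an
upload site keys on, parses the PE header, and applies a naming heuristic. The
bytes below are a constructed stand-in because the real driver is not available.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Assumption: a tiny allow-list of names expected under system32\drivers. Real
# triage uses a much larger list or a known-good hash set.
KNOWN_DRIVER_NAMES = {"ntfs.sys", "tcpip.sys", "http.sys", "i8042prt.sys", "1394bus.sys"}


def looks_randomly_named(path: str) -> bool:
    """Heuristic: a short alphanumeric stem containing digits (25cf2bb7.sys,
    ffg0f4a.sys) that is not a known driver. Droppers generate such names;
    this is a prioritisation hint, not proof of infection."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in KNOWN_DRIVER_NAMES or not name.endswith(".sys"):
        return False
    stem = name[:-4]
    return 6 <= len(stem) <= 10 and stem.isalnum() and any(c.isdigit() for c in stem)


def pe_summary(data: bytes) -> dict:
    """Parse just enough of a PE image to report the fields a scan report shows:
    machine type, COFF timestamp and whether a certificate table (Authenticode
    signature) is present. Returns {'is_pe': False} for anything else."""
    try:
        if data[:2] != b"MZ":
            return {"is_pe": False}
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"is_pe": False}
        machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        pe32plus = magic == 0x20B
        ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
        has_cert = False
        if ndirs > 4:                            # directory 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
            dirs = opt + (112 if pe32plus else 96)
            cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
            has_cert = cert_off != 0 and cert_size != 0
    except struct.error:                         # header truncated: not a usable PE
        return {"is_pe": False}
    return {
        "is_pe": True,
        "machine": machine,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "has_certificate": has_cert,
    }


def fingerprint(path: str, data: bytes) -> dict:
    """Everything worth writing down before the file is uploaded or deleted."""
    info = {
        "path": path,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),      # older scan sites still key on MD5/SHA-1
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "random_name": looks_randomly_named(path),
    }
    info.update(pe_summary(data))
    return info


def build_sample_pe(timestamp: int, signed: bool) -> bytes:
    """Constructed stand-in: valid headers only, no code, so it cannot execute."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)  # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)  # fake security directory entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # For a real file: fingerprint(path, open(path, "rb").read())
    sample = build_sample_pe(timestamp=1259000000, signed=False)
    for key, value in fingerprint(r"c:\windows\System32\drivers\25cf2bb7.sys", sample).items():
        print(f"{key:16} {value}")
```

    The hashes are the part to keep: most multi-engine sites let you look up an existing report by hash, so a note made here still works after the file has been removed by a scanner or by the malware itself. An unsigned driver with a random-looking name is a reason to look harder, not a verdict on its own.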

     
  4. duckfeet

    duckfeet Corporal

    Hi Kestrel:

    The first one wouldn't come up, here is the second one, it came up clean...

    http://virusscan.jotti.org/en/scanresult/00e326737e79893a4d406bc267ec693a769efbfa

    I have to say that this computer has gotten progressively worse since I first posted. No more popups or rogue AV, but all kinds of other problems. I can no longer run Malwarebytes. SUPERAntiSpyware bogs down in the middle. Very, very slow booting up, several blue screens... I've tried some of the online scans; some go through, others, like Panda and Kaspersky, stop in the middle of the downloads... etc., etc. Tried to run chkdsk from the Norton disk, and it stops every time, on section 4.

    Well, just wanted you to know that it's gotten a bit grimmer. I wasn't sure if I was supposed to keep trying different scans, or what...

    Standing by here; sure appreciate your help. Y'all have bailed me out before when it seemed hopeless.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try other online scanners then, and if that doesn't work I'll have you zip it and I'll examine the file.

    1. Try any of the below online scanners for the file you couldn't scan at Jotti.


    Virus.org

    Kaspersky

    Virus Chief



    2. Avira AntiVir Personal - Free Antivirus is the antivirus that is installed and being used now, so we have some remnants of Symantec to kill off, which could be the cause of some instability. I see nothing actually installed now from Symantec, but there are items that remain from an incomplete uninstallation.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    Symantec Lic NetConnect service 
    
    File::
    c:\program files\Common Files\Symantec Shared
    c:\documents and settings\All Users\Application Data\Symantec
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)
     
  6. duckfeet

    duckfeet Corporal

    1) I think that first file has disappeared, or I caught it in one of the earlier scans that I thought wouldn't finish...in any case, I tried to find it for the online scanners, and searched for it myself, and couldn't see it.

    2) The first time I dragged CFscript.txt onto ComboFix it started and then the same blue screen came up... I started the laptop back up, and the second time I dragged CFscript.txt over it, it went all the way through; then on the reboot it started chkdsk, saying "the volume is dirty," but it finally finished, so CF did complete. I will include this.

    3) The SAS online scan started fine, and then stopped in the middle saying it had an error, the same as the SUPERAntiSpyware I had tried to run from this laptop. So that scan failed.

    4) MGlogs.zip included.

    Honestly, it still seems like something is very wrong... what with the constant blue screens, and also the stopping of programs with errors, particularly Avira, SAS, and Malwarebytes...

    Thank you again for your time and patience...
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not seeing any malware in the logs. Hmmm. Let's do this:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):be,f9,5b,dd,c5,38,b6,eb,80,91,9a,96,dd,2f,04,8d,b0,7f,a7,41,2d,
       80,8b,89,6e,5e,e5,2f,61,e8,c5,af,2b,9a,aa,56,6a,18,d5,86,00,00,00,00,00,00,\
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ac812391-b2fe-444f-b790-e803f85a3d69}]
    @Denied: (Full) (Everyone)
    "Model"=dword:000000ec
    "Therad"=dword:0000001e
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
       38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Next... (and hopefully it will allow us to)

    Scan your computer with the ESET FREE Online Virus Scan

    • Click the ESET Online Scanner button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    • Place a check mark next to YES, I accept the Terms of Use.
    • Click the Start button.
    • Accept any security warnings from your browser.
    • Leave the check mark next to Remove found threats and place a check next to Scan archives.
    • Click the Start button.
    • ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click List of found threats.
    • Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    • Click the <<Back button then click Finish.
    In your next reply please include the ESET Online Scan Log and the log from running combofix
     
  8. duckfeet

    duckfeet Corporal

    Hi Kestrel:

    Not much good news here, I'm afraid. Keeps giving me problems, ever since this thing got all the malware, just hasn't worked right.

    1) After moving CFscript onto ComboFix, it updated and began the scan; somewhere in the scan it quit and brought up a blue screen with Bad_Pool_Header. I will try again, but wanted you to know this... I looked in the "C:" drive and it does appear to have left a log, which I'll include.

    2) I went to the ESET online scan, and it tried, but at the end of getting updates it failed, and said: "Cannot get update, is proxy configured?"

    Now, when I try to boot up the Chrome browser, it also says "Enabling Proxy..." But I have no proxy set up, so I don't know what that is about.

    Also, constant errors with Avira, giving me MS messages like "AVG.nt cannot be started. Exception in module Avgnt.exe..." and various other errors and problems.

    It is very slow to boot--and I had added ram during all this, but it didn't seem to help much.

    Very slow to boot up, but it will boot, and the browsers do work... Thank you so much for your help.
     

    Attached Files:
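    The "is proxy configured?" message from ESET and Chrome's "Enabling Proxy..." both point at the same place: the per-user WinINET proxy values under the Internet Settings registry key, which Internet Explorer, Chrome and most updaters read. The script below is an added example, not from the thread; it parses a .reg export of that key and reports anything that would route HTTP through a proxy or a PAC script, so "no proxy that I know of" can be confirmed or refuted from the key itself. The .reg text embedded in it is constructed for illustration (the values are invented, not taken from this machine); to check a real system, export the key with reg.exe and read the file as UTF-16, as the comments show.

```python
r"""Report WinINET proxy settings from a .reg export of Internet Settings.

Added example (not from the thread). On Windows XP the user-level proxy consulted
by Internet Explorer, Chrome and many updaters lives under the key below. Export it with
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg
reg.exe writes the file as UTF-16, so read it with encoding="utf-16".
"""
import re

INTERNET_SETTINGS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)

# Constructed sample mimicking reg.exe output; the values are invented for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://example.invalid/proxy.pac"
"MigrateProxy"=dword:00000001
"""


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax reg.exe emits: [key] headers,
    "name"="string" and "name"=dword:hex. Other value types stay as raw text.
    Value names that themselves contain '=' are not handled."""
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")      # the first '=' ends the quoted name
            name = name.strip('"')
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                value = raw
            keys[current][name] = value
    return keys


def proxy_findings(keys: dict) -> list:
    """Findings for the user-level proxy; an empty list means no proxy is configured."""
    vals = keys.get(INTERNET_SETTINGS, {})
    findings = []
    if vals.get("ProxyEnable") == 1:
        server = str(vals.get("ProxyServer", "<unset>"))
        findings.append(f"ProxyEnable=1, ProxyServer={server}")
        if re.search(r"(127\.0\.0\.1|localhost):\d+", server):
            findings.append("proxy points at this machine: a local process sits in the HTTP path")
    if vals.get("AutoConfigURL"):
        findings.append(f"AutoConfigURL={vals['AutoConfigURL']} (a PAC script chooses the proxy per URL)")
    return findings


if __name__ == "__main__":
    # For a real export: keys = parse_reg(open("proxy.reg", encoding="utf-16").read())
    for finding in proxy_findings(parse_reg(SAMPLE_REG)) or ["no proxy configured"]:
        print(finding)
```

    Two caveats for using this on a real machine. A proxy pointing at 127.0.0.1 means some process on the box is relaying browser traffic, and that process is the next thing to identify; and these are the per-user WinINET values only, while the machine-wide WinHTTP proxy (set with proxycfg.exe on XP) is a separate setting that this script does not read.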

  9. duckfeet

    duckfeet Corporal

    I tried the CFscript thing again, and again it failed, but this time during CF update, and brought up *this* interesting error message: "the contents of the ComboFix package have been compromised...please download a fresh copy from BleepingComputer... NOTE: You may be infected with a file patching virus 'Virut.'"

    Well, I guess I'll try and download CF again and try this again... don't know if any of this helps or not... I do thank you for the help...
     
  10. duckfeet

    duckfeet Corporal

    Well, the redownload worked, but lots of error messages; little windows would pop up saying things like "application corrupt," and also the browser keeps shutting down... but ComboFix went all the way through; here is the log...
     

    Attached Files:

    • log.txt (10.2 KB)
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It does not look to us like this computer is infected with Virut. In fact I am not seeing anything much in the logs. I feel like you should uninstall Avira since you are having so many issues with it and do a clean installation of it afterwards, but let me confer with Chaslang before we do anything. Thanks for your patience. I appreciate it. :)
     
  12. duckfeet

    duckfeet Corporal

    I'd already tried that once, and it still doesn't work correctly. Very, very slow booting up; Malwarebytes won't run at all, even after a fresh download; now the same with SUPERAntiSpyware, and chkdsk won't complete either.

    I do appreciate the time and trouble you are taking with this. Seems so weird, since it all began with the malware, and there was so much malware on it, that I just sort of presumed that, like other times on other computers, it would start working better once the malware was removed.

    However it pans out, thank you for your help!
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right, I've spoken to Chaslang who has given us something to do next:

    1. Please ensure that you now download a fresh copy of combofix and make sure that it is directly on the desktop where we need it to be run from.

    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Driver::
    ffg0f4a
    25cf2bb7.sys
    
    File::
    C:\WINDOWS\system32\drivers\ffg0f4a.sys 
    C:\WINDOWS\system32\drivers\25cf2bb7.sys
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3.
    • Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following command into the Run box and hit Enter (the quotes are required).
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive called "TDSSKiller.txt" please attach this log to your next reply.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from ComboFix and the log from TDSSKiller.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
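    The CFScripts in this thread (this post and the two earlier ones) all have the same shape: a directive line ending in `::`, then one entry per line, with blank lines between blocks. Because a script is run by dragging it onto ComboFix.exe with no further confirmation, it is worth checking the file before doing so, especially after copying it from a web page, where long registry values can be cut off and whitespace can creep in. The validator below is an added example and is not part of ComboFix or of this thread; its directive set is an assumption drawn from common ComboFix usage (Folder:: and NetSvc:: in particular are not used above), and both sample scripts are constructed, one modelled on the Driver::/File:: script in this post.

```python
"""Parse and sanity-check a ComboFix CFScript before it is dragged onto ComboFix.exe.

Added example; not part of ComboFix or of the thread. The directive names are an
assumption drawn from common ComboFix usage, and the sample scripts are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KNOWN_DIRECTIVES = {"KILLALL", "Driver", "File", "Folder", "Registry", "RegLock", "NetSvc"}
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS",
         "HKLM", "HKCU", "HKCR", "HKU")
DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Script:
    sections: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def _check_entry(s: Script, n: int, directive: str, entry: str, next_line: str) -> None:
    """Per-directive checks; anything ComboFix itself would reject is an error here."""
    if directive in ("File", "Folder"):
        if not ABS_PATH.match(entry):
            s.errors.append(f"line {n}: {directive}:: entry is not an absolute drive path: {entry!r}")
        elif directive == "File" and "." not in entry.rsplit("\\", 1)[-1]:
            s.warnings.append(f"line {n}: File:: entry has no extension; for a directory use Folder::")
    elif directive in ("Registry", "RegLock"):
        if entry.startswith("["):
            key = entry.strip("[]").lstrip("-")       # [-KEY] means delete the key
            if not key.upper().startswith(HIVES):
                s.errors.append(f"line {n}: registry key does not start with a hive name: {entry!r}")
        elif entry.endswith("\\") and not next_line.strip():
            s.errors.append(f"line {n}: hex value ends with '\\' but nothing follows (truncated paste)")


def parse_cfscript(text: str) -> Script:
    s = Script()
    current = None
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        entry = line.strip()
        if not entry:
            continue
        m = DIRECTIVE.match(entry)
        if m:
            current = m.group(1)
            if current not in KNOWN_DIRECTIVES:
                s.errors.append(f"line {n}: unknown directive {current}::")
            s.sections.setdefault(current, [])
            continue
        if current is None:
            s.errors.append(f"line {n}: entry before any directive: {entry!r}")
            continue
        if current == "KILLALL":
            s.errors.append(f"line {n}: KILLALL:: takes no entries: {entry!r}")
            continue
        if line != line.rstrip():                  # almost always a paste artefact
            s.warnings.append(f"line {n}: trailing whitespace after {entry!r}")
        s.sections[current].append(entry)
        _check_entry(s, n, current, entry, lines[n] if n < len(lines) else "")
    return s


# Constructed sample modelled on the Driver::/File:: script in this thread.
SAMPLE_OK = "\n".join([
    "KILLALL::", "",
    "Driver::", "ffg0f4a", "25cf2bb7.sys", "",
    "File::",
    r"C:\WINDOWS\system32\drivers\ffg0f4a.sys",
    r"C:\WINDOWS\system32\drivers\25cf2bb7.sys", "",
    "Registry::",
    r"[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
])

# Constructed sample with the mistakes a copy-paste tends to introduce.
SAMPLE_BAD = "\n".join([
    "KILLALL::", "",
    "Drivers::", "foo", "",                                   # misspelled directive
    "File::",
    r"drivers\bad.sys",                                       # relative path
    r"c:\program files\Common Files\Symantec Shared" + " ",   # a folder, with trailing space
    "",
    "RegLock::",
    r"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]",
    "@Denied: (Full) (Everyone)",
    '"MData"=hex(0):2b,8f,78,29,\\',                          # continuation line missing
    "",
])


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        result = parse_cfscript(text)
        print(name, "sections:", sorted(result.sections))
        for msg in result.errors:
            print("  ERROR", msg)
        for msg in result.warnings:
            print("  WARN ", msg)
```

    Run it on CFscript.txt before the drag-and-drop; a script with errors should be fixed or re-pasted rather than run, since ComboFix will act on whatever it can parse and silently skip the rest.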
     
  14. duckfeet

    duckfeet Corporal

    Good morning! Went to sleep worrying about this, and woke up the same. So glad you haven't given up on me yet, as this thing seems so cursed. But anyway, I did what you suggested. Even though I had Avira turned off, it kept wanting to "interfere," but I know you wanted me to just follow instructions, so I kept at it:

    1) ComboFix: while running, the first error message, before it even began to run through, was an "application corrupt" window, which I ignored. The next error message, before rebooting (which I've seen before), was "PEV.cfxxe has encountered a problem and has to close." Finally, after rebooting, Avira kept popping back up, saying it was encountering malware... and I just kept closing the Avira windows and let CF continue. Log included.

    2) While running TDSSKiller, it came up with "Freeware implementation of Reg.exe encountered a problem and has to close." Log included.

    3) MGtools mentioned several files it couldn't access, and such, while running, but I ignored it. Log included.

    Didn't know if you wanted me to re-install Avira or not. I will upload this first, since I'm worried I might lose these logs if I start checking the computer to see if it runs better; then I'll edit the post and let you know how it's running...

    Again, I thank you and Chaslang both. Really appreciate this...
     

    Attached Files:

  15. duckfeet

    duckfeet Corporal

    (Sigh) Still the same stuff, Kestrel: tried running Malwarebytes, came up with error code 703... before that it was error code 722. Avira keeps giving *its* error message, so I uninstalled it completely, but now I have trouble downloading the new version, as it balks or goes to the same old blue screen "PFN_List_Corrupt." Also tried running the ESET online scan, as you'd suggested in an earlier post, and the same thing happens: it gets all the way to the end of the updates, then at 99% of "Downloading Virus Signature Database," it stops, saying "Cannot get update, is proxy configured?"

    No proxy that I know of. Sorry this is turning into such a pain...I am grateful you've tried so hard...let me know what else I could do, or if it's time to throw in the towel, or whatever you think. I'm willing if you are, to try whatever you think...

    I'll stand by on any more attempts to download Avira: I do have Microsoft Security Essentials set up and downloaded, and I'll run that if you think I should...

    Thank you so much...
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    One of us will get back to you ASAP but I'd rather I had Chaslang's final word on the matter, thanks for your patience duckfeet :)
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Duckfeet, we are not seeing any malware in the logs. I can only suggest that regarding the BSODs and Avira and any other issues with the machine, you post in the software forum :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. duckfeet

    duckfeet Corporal

    I'll see what my friend wants to do: probably reformat, but in any case, I do thank you for your help!
     
