Win32RootKit.TDSS removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by mmballas, Mar 19, 2009.

  1. mmballas

    mmballas Private E-2

    I am new and I am sure that it shows. My experiences with this Trojan parallel another members but I do not know how to attach my message to his. So I am posting a new thread although it does not seem that I should be. I am attaching the logs that I received from MGtools and comboFix. I hope they are helpful in some way.

    I followed the instructions that were here. They were very helpful. However, SuperAntiSpyware and Malwarebytes would not run although they seemed to install. I tried them on another computer and they ran fine, so I feel sure that the Trojan is responsible.

    I am not sure if I still have a problem and I am not sure how to figure that out. If you have any suggestions of what to do next, I would greatly appreciate it.
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP
    - RegASSASSIN

    Run RegASSASSIN

    • Click "I Agree"
    • Copy & Paste the following RegKey to be deleted:
      Code:
      HKEY_LOCAL_MACHINE\SOFTWARE\UAC
    • Close all windows and reboot your computer.
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Code:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.shopping.hp.com/webapp/shopping/generic_subcategory.do?storeName=storefronts&landing=storefronts&category=esp_notebooks&subcat1=esp_notebooks&catLevel=2
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    After clicking Fix, exit HJT.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Run MBAM

    Run SAS

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • C:\MGlogs.zip
    • MBAM
    • SAS
    Make sure you tell me how things are working now!
     
  3. mmballas

    mmballas Private E-2

    First, let me thank you for taking the time to read my logs and write the steps for the remaining work for me to do. Second, I am sorry to say that I messed up several of the steps. I am new to solving issues such as this and need to learn to READ BETTER.

    Here is what I did.
    I downloaded Pocket Killbox, ExplorerXP, and RegASSASSIN, then ran RegASSASSIN, inserting the key. The reply was that it was invalid, but it allowed me to continue which I did. I closed the windows and rebooted.
    I could not find MGTools anywhere although I had previously downloaded it. After I downloaded it (to my desktop) and executed it, I remembered that it was downloaded to my C drive. Oops! So I went to C and double-clicked on MGTools.exe and could not figure out (until much later) why analyse.exe was not displayed. Oops again! So I totally missed this whole section. I messed up a couple of more times. I finally finished the steps outlined, but since I messed so many of them up, I am not sure what my next step should be. I did not see where to use ExplorerXP. Did I miss that too?

    I am attaching my logs so that you can decipher whatever is available there.

    If you can have the patience with my mistakes, perhaps you can let me know what I should do now.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. mmballas

    mmballas Private E-2

    Here are the results of running c:/mgtools/getlogs.bat. Thanks for your patience and assistance.
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u13 available from Sun Microsystems.

    -----------------------------------------------------------

    Using Add or Remove Programs in the Control Panel, uninstall the following:
    -----------------------------------------------------------

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to ASKService ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    ASKService

    Click on the "Back" Button. Click the 'Scan' button.

    Place a checkmark in the box next to the following lines:
    Code:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.shopping.hp.com/webapp/shopping/generic_subcategory.do?storeName=storefronts&landing=storefronts&category=esp_notebooks&subcat1=esp_notebooks&catLevel=2
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    Click on the 'Fix checked' button. Wait for HijackThis to finish.

    Close HijackThis

    -----------------------------------------------------------

    1) I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation.

    2) Now we need to use ComboFix to remove a bad service.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Jim\Local Settings\Temp\UAC822c.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO10.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO3.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO41.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO5.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO6.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO7.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO8.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO9.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIOA.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIOB.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIOD.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR1.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR2.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR3.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR4.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR5.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR6.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR7.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR8.tmp
    C:\Program Files\bad.dll
    C:\Program Files\AskBarDis\bar\bin\askBar.dll
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    
    Folder::
    C:\Program Files\AskBarDis
    C:\Program Files\bad.dll
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3) FYI:

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    4) Now Run Ccleaner!

    5) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    6) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. mmballas

    mmballas Private E-2

    Thank you very much for your continued assistance and patience.

    I downloaded the Windows update to try to prevent the Conficker worm. I hope that was okay. I also downloaded and ran Microsoft Malicious Software Remover.

    I went a little slower and the instructions worked out better. Thanks for your patience with me.

    On the step for ASKService, there was no O23 listed. I proceeded with the other ones that were there.

    After clicking Fix Checked, SuperAntiSpyware popped up and notified me of a home page change to msn.com, which I denied.

    While running ComboFix, the computer rebooted and when it rebooted, I went into my user (where I have been running everything from). Skype, AVG, SAS, and a notification popped up. I closed each of them quickly. Then FastScan (Database 7307) ran. I was not sure if this is part of ComboFix or something else. I let it run.

    CCleaner found a new version which I downloaded and installed.

    I am attaching the logs you requested. Thank you again for your help and patience. I am not sure how things are running, as I just finished following these directions. I will be using the computer quite a bit more today, so I will send another reply if I have any problems. I look forward to your reply so that I can know if there are other things I need to do to continue the cleanup.

    I did have one other question. You suggested that I clean up my desktop, which I tried to do. Can you give me any guidelines for what should be allowed to stay on the desktop? Thanks again.
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download to your desktop OSAM Autorun Manager Portable from http://www2.online-solutions.ru/en/download_file.php?p=131097

    This is a RAR archive and you will need a program like 7-zip, http://downloads.sourceforge.net/sevenzip/7z464.msi to unpack the archive.

    Install 7-zip

    Right click on osam_autorun_manager_portable.rar, select "7-Zip" -> Extract to "osam_autorun_manager_portable"

    Open osam_autorun_manager_portable, double-click osam.exe.

    When OSAM begins to run, click "Next" until you get to "Close" then click on "Close"

    Press the second button in the top menu ("Save Log" button).

    The standard Windows "Save as" dialog will appear.

    You need to save a report in the .log format (not .html).

    Save the log file somewhere you can find it.

    Attach the OSAM log to your next reply.
     
  9. mmballas

    mmballas Private E-2

    That went really smoothly. Thanks for the very clear directions. I am learning to read more carefully. Thanks for the tutoring.

    The OSAM:Autorun Manager did not close after Save Log was completed. Should I exit the program?

    I am attaching the requested log file.
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    1. Start OSAM, click "Next" until you get to "Close" then click on "Close".
    2. Click on the "Settings" button in the top menu and then change the value for the "Disable objects using the driver" option to "Always".
    3. Disable the following entries by removing the checkmarks in the checkboxes:
    Code:
    [Drivers]
    -----( HKLM\SYSTEM\CurrentControlSet\Services )-----
    "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
    "Conexant Setup API" (UIUSys) - ? - C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS  (File not found)
    "MCSTRM" (MCSTRM) - ? - C:\WINDOWS\system32\drivers\MCSTRM.sys  (File not found)
    "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
    "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
    "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
    "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
    "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
    "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)
    "ayyzmwj8" (ayyzmwj8) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\ayyzmwj8.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
    "catchme" (catchme) - ? - C:\DOCUME~1\MARILY~1\LOCALS~1\Temp\catchme.sys  (File not found)
    "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
    
    [Explorer]
    -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
    {42071714-76d4-11d1-8b24-00a0c9068ff3} "Display Panning CPL Extension" - ? - deskpan.dll  (File not found)
    {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Encryption Context Menu" - ? -   (COM-object registry key not found)
    {88895560-9AA2-1069-930E-00AA0030EBC8} "HyperTerminal Icon Ext" - ? - C:\WINDOWS\system32\hticons.dll  (File not found)
    
    [Winlogon]
    -----( HKCU\Control Panel\IOProcs )-----
    "MVB" - ? - mvfs32.dll  (File not found)
    4. Once you have finished disabling the items, press the "Apply" button.
    5. Press the "Close" button.
    6. Press the "Reboot now" button.

    Once your computer has rebooted:

    1. Start the OSAM again - you will see the report about deleted entries.
    2. Press the "Settings" button to change the value for "Disable objects using the driver" option back to "For undeletable objects only".
    3. Also you can use the "Jump to file" function to delete the inactive trojan files.
    4. And then use the "Delete from storage" function to delete the disabled items.
    5. Exit OSAM

    -----------------------------------------------------------

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
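As an added example (not part of the thread, and not OSAM's or MajorGeeks' code), here is a Python triage pass over entries in the OSAM log format quoted above: it parses the [Section] and -----( location )----- headers and each entry line, then separates entries that are merely orphaned (file not found) from the hidden, randomly named driver that is the actual rootkit indicator. The sample log is constructed from a few of the lines above, and the "Sample Disk Driver" entry is a made-up benign case.

```python
r"""Triage OSAM Autorun Manager log entries of the shape quoted in this thread:
    {CLSID} "Name" (ServiceKey) - "Vendor" - C:\path\file.sys  (status text)
where the {CLSID}, (ServiceKey) and trailing (status) parts are optional.
Added example; not code from the thread, from OSAM or from MajorGeeks."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a few entries from the log above plus one benign-looking
# line ("Sample Disk Driver") so the classifier also has an OK case.
SAMPLE_OSAM_LOG = r'''
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"ayyzmwj8" (ayyzmwj8) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\ayyzmwj8.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"catchme" (catchme) - ? - C:\DOCUME~1\MARILY~1\LOCALS~1\Temp\catchme.sys  (File not found)
"Sample Disk Driver" (disk) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\disk.sys

[Explorer]
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Encryption Context Menu" - ? -   (COM-object registry key not found)
'''

SECTION_RE = re.compile(r"^\[(?P<section>[^\]]+)\]$")
LOCATION_RE = re.compile(r"^-----\(\s*(?P<location>.*?)\s*\)-----$")
ENTRY_RE = re.compile(
    r'^(?:(?P<clsid>\{[^}]+\})\s+)?"(?P<name>[^"]*)"'  # optional {CLSID}, then "Name"
    r'(?:\s+\((?P<key>[^)]*)\))?'                       # optional (ServiceKey)
    r'\s+-\s+(?P<vendor>"[^"]*"|\?)'                    # "Vendor" or ? when unknown
    r'\s+-\s+(?P<path>(?:[^\s(].*?)?)'                  # path; may be empty
    r'(?:\s+\((?P<status>[^()]*)\))?\s*$'               # optional trailing (status)
)
# Eight lowercase letters/digits including a digit: the naming style of the
# hidden driver OSAM flagged in the log above (a heuristic, not proof).
RANDOM_NAME_RE = re.compile(r"(?=.*\d)[a-z0-9]{8}")


@dataclass
class Finding:
    section: str
    location: str
    name: str
    key: str
    vendor: str
    path: str
    status: str
    verdict: str = "ok"
    reasons: list[str] = field(default_factory=list)


def classify(f: Finding) -> None:
    """Set verdict to critical, orphaned or ok and record why."""
    status = f.status.lower()
    if "rootkit" in status or "hidden registry entry" in status:
        f.reasons.append("OSAM reports a hidden registry entry / rootkit activity")
    if RANDOM_NAME_RE.fullmatch(f.key or f.name):
        claim = " claiming a Microsoft vendor" if "microsoft" in f.vendor.lower() else ""
        f.reasons.append("random eight-character service name" + claim)
    if f.reasons:
        f.verdict = "critical"          # investigate and disable first
    elif "not found" in status:
        f.verdict = "orphaned"          # dead entry: cleanup candidate, low risk
        f.reasons.append("referenced file or COM object is missing")


def parse_osam_log(text: str) -> list[Finding]:
    """Walk the log, tracking [Section] and -----( location )----- headers."""
    section = location = ""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("section")
        elif m := LOCATION_RE.match(line):
            location = m.group("location")
        elif m := ENTRY_RE.match(line):
            f = Finding(section, location, m.group("name"), m.group("key") or "",
                        m.group("vendor").strip('"'), m.group("path").strip(),
                        m.group("status") or "")
            classify(f)
            findings.append(f)
        # any other line shape is skipped rather than guessed at
    return findings


if __name__ == "__main__":
    for f in parse_osam_log(SAMPLE_OSAM_LOG):
        print(f"[{f.verdict:8}] {f.section}: {f.name} -> {f.path or '(no file)'}")
        for reason in f.reasons:
            print(f"            {reason}")
```

Entries marked orphaned are the "(File not found)" leftovers the helper also had disabled; only the critical entry matches what the thread is actually chasing.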
     
  11. mmballas

    mmballas Private E-2

    Are we getting there? Thanks again for all of your assistance. Here is what happened when I followed the directions.

    I did the disable objects step. There were 3 items that I could not find. They are under Explorer.

    I had trouble with the instructions numbers 3 and 4 after the reboot. I was not really sure what to do but I pointed at each file with a different color flag and right-clicked. Then I did Delete from Storage for each of the files that I could find. Was that what I needed to do? I was not really sure where to find Jump to file or Delete from storage, but found them by right clicking on different files.

    Attached is the MGlogs.zip. What is next?
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download RootRepeal.zip and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Attach RootRepeal.txt in your next reply.
     
  13. mmballas

    mmballas Private E-2

    I started RootRepeal on Friday evening. It is now Sunday morning and it is still running. It appears that it is re-scanning C:/Program Files/. Could I have a problem? I did not disable AVG which runs nightly or my screensaver. Do I need to stop the process and disable those before it runs? It has found at least two files that it is displaying as problems.

    Thanks again for your help.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    RootRepeal shouldn't take this long to run. Kill the process. Disable AVG and try running RootRepeal again.
     
  15. mmballas

    mmballas Private E-2

    Approximately how long should RootRepeal take to scan? I have three drives, C, D, and G (a 500G external drive). I aborted RootRepeal, disabled AVG and SAS, and started RootRepeal again last night. It has been going about 21 hours and it is still scanning C.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's not use RootRepeal, as it seems to be taking way too long to run on your system.

    Download GMER

    1. Click on the "Download Exe" button, this will generate a random name for GMER, accept the default file name and save the file to your Desktop.
    2. Double click the file you just downloaded.
    3. Click the Rootkit tab and then click the Scan button.
    4. IMPORTANT: Do NOT use the computer while the scan is in progress
    5. Do not select the "Show all" checkbox during the scan.
    6. When it finishes, click the Copy button. This will copy the results to your clipboard.
    7. Paste the clipboard into a notepad file and save it to a log (like gmer.log).

    Post the GMER log with your next reply.
     
  17. mmballas

    mmballas Private E-2

    GMER went much faster. I am attaching the results.

    Thanks again for all of your help.
     


  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now we need to use ComboFix to remove some stuff.
    • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    ae5ycy1u
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    Post the log from Combofix.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  19. mmballas

    mmballas Private E-2

    ComboFix needed updating, which I allowed to happen. When the computer rebooted, FastScan ran (I think it might be SuperAntiSpyware) and I was not sure what to do, so I allowed it. I hope that it is okay.

    I am posting this just after I completed ComboFix, so I am not sure how the computer is running. I will continue using the laptop and let you know.

    Is there anything else that I need to do to be sure this monster (the Trojan) is really dead and gone?

    Thanks for your help and training. I have learned a lot and I have maintenance to do on my desktop system as well. Where can I find the basic maintenance that should be done on any computer and how often it should be done?

    I really appreciate all of the help.
     

    Attached Files:

    • log.txt (26 KB, 3 views)
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'll address all your questions after I am fairly certain this thing is gone.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
     
  21. mmballas

    mmballas Private E-2

    That went well. I am attaching the log. Thanks again for all of your help. And Happy Easter to you.
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now we need to use ComboFix to remove some stuff.

    • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO4.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIO6.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\DIOB.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\etilqs_s9bOK6YyOVjCTWwJqfpr
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\hpodvd09.log
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\img017.bmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\img0211.bmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\img023.bmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\img024.bmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\img029.bmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\jusched.log
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\log.txt
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR2.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\MAR3.tmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\TWAIN.LOG
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\Twain001.Mtx
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\Twunk001.MTX
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\Twunk002.MTX
    
    Folder::
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (12)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (13)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (14)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (15)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (16)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (17)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (18)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (19)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (10)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (11)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (32)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (22)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (33)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (23)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (34)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (24)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (35)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (25)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (36)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (26)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (37)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (27)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (38)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (28)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (39)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (29)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (30)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (20)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (31)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (21)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (42)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (43)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (44)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (45)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (46)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (47)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (40)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (41)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (7)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (6)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (9)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (8)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (2)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (3)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (4)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\dynastg (5)
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\OIS
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\plugtmp
    C:\Documents and Settings\Marilyn Ballas\Local Settings\Temp\plugtmp-1
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • C:\combofix.txt
    Make sure you tell me how things are working now!
     
  23. mmballas

    mmballas Private E-2

    ComboFix asked to be updated, which I allowed. Then while creating a restore point, a dialogue box came up to say that pv.cfexe encountered a problem and had to be closed. I chose not to send the report to Microsoft (I think that is what I usually choose).

    ComboFix finished then I ran C:\MGtools\GetLogs.bat and the logs are attached. It all seemed to work pretty well. Since I just completed those steps I do not really know how the computer is working. So far so good.

    Thanks again for all of your help.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm still seeing some stuff in your logs that makes me think there is still some malware on your system, that we aren't seeing.

    -----------------------------------------------------------

    Download:
    - ISeeYouXP by ShadowPuterDude

    Double-click ISeeYouXP.exe. ISeeYouXP will be extracted to C:\ISeeYouXP, and a shortcut to ISeeYouXP.bat will be placed on the Desktop.

    Double-click the ISeeYouXP shortcut to run ISeeYouXP.

    Possible Error Messages

    • If your ISeeYouXP.txt log appears to be empty or semi-empty, or you get an error message similar to the below when running ISeeYouXP.bat, and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.
      To fix the above error message, choose the download below which is appropriate for your system:
      • For Windows XP Pro: download and run: XPproFix
      • For Windows XP Home: download and run: XPHomeFix
      • For Windows 2000: download and run: W2KFix

      Then run ISeeYouXP.bat again and attach the log.


    After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.

    IMPORTANT NOTE:

    Vista Users

    UAC must be turned off to run this script.

    Turning Off/On UAC in Vista
    1. Open the Control Panel.
    2. Under User Account and Family settings click on the "Add or remove user account".
    3. Click on your user account.
    4. Under the user account click on the "Go to the main User Account page" link.
    5. Under "Make changes to your user account" click on the "Change security settings" link.
    6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.
    7. You will be prompted to reboot your computer. Do so.

    In order to re-enable UAC just select the above checkbox and reboot.

    To Run ISeeYouXP right-click on the batch file and select "Run as Administrator"

    NOTE: For Win9x and WinMe users! ISeeYouXP does not support Win9x and WinMe.

    Attach the log from ISeeYouXP, it will be on your Desktop.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @Shadow_Puter_Dude,

    All of the below are infected.
    You need to overwrite them using one of the below valid files.
     
  26. mmballas

    mmballas Private E-2

    Okay. I ran ISeeYouXP and there is a log which cannot be attached. It is 650K which exceeds the 250K limit. What do you want me to do to get this file to you?

    Then I noticed the message from ChasLang and I do not understand how to do what is requested there.

    So I still have problems. What do I need to do to overwrite those files?

    Thanks again for all of your help.
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Zip the log and then attach it.

    I will give you instructions on how to replace those files after I examine the ISeeYouXP log.
     
  28. mmballas

    mmballas Private E-2

    Here is the zipped ISeeYouXP.txt.

    Let me know what to do next. Thanks again.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I had an outdated spreadsheet that was not updated with file sizes for the Feb 6, 2009 update. Your services.exe files are the correct sizes and are not infected.

    Sorry for the disruption.:-o
     
  30. mmballas

    mmballas Private E-2

    Sigh of relief! Thanks. I am glad that my files are okay.

    Is Shadow_Puter_Dude still reviewing the zip file from ISeeYouXP? Or are you taking over the case?

    This is a wonderful gift you (all of the MajorGeeks) are supplying to the world. Thanks very much for your help.
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The ISeeYouXP log shows nothing new. There were a couple of tmp files that appeared suspicious to me. After discussing them with Chaslang, we have come to the conclusion they are not malicious.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. Go to add/remove programs and uninstall HijackThis.
    12. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    13. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    14. After doing the above, you should work through the below link:
     
  32. mmballas

    mmballas Private E-2

    Okay. I cleaned up all of the logs and programs that we had used in finding the malware. I thought that I remembered something called Avenger, but I could not find it. Does it go by other names? Most of the programs did not appear in the Add/Remove Programs in Control Panel. So I just deleted them.

    I disabled system restore, rebooted and enabled system restore.

    I will start working through the Protect from Malware later today.

    I purchased and installed SuperAntiSpyware and MalwareBytes Anti-Malware programs. I set these up to run on a daily basis.

    Now I have a few more questions:
    Should I use Internet Explorer as my browser? Currently I use Firefox, as I have fewer problems with my system hanging.
    I currently use AVG as my virus remover. Is that okay?
    I also use AdAware. Is that okay?

    My system seems to be very slow on startup. Is there something I should do for that? It is noticeably slower the last 3 days.

    One last thing. Thank you so very much for your support in this trial. I do not know what I would have done if I had not found out about MajorGeeks. Thanks for the services you provide.
     
    Last edited: Apr 18, 2009
  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, if it's not there then it is not there.
    If you are happy with the browser you are using, then there is no need to change.

    AVG is fine

    AdAware is fine.
    Sometimes that happens after disinfecting a heavily infected system. After a couple of days things should return to normal.
     
  34. mmballas

    mmballas Private E-2

    Thanks again for all of your help. If I should encounter problems in the near future, should I post a new thread or continue on with this one?
     
  35. mmballas

    mmballas Private E-2

    I have some other "dumb" questions. Are SuperAntiSpyware, MalwareBytes, and AVG compatible? While working through the How to Protect against Malware, I was reading about the problems with AVG8. Since I have AVG 8.5 free edition, I wondered if I should rely on SAS and MalwareBytes.

    My computer still starts very slowly. After working through "How to Protect" should I defrag or what steps should I take to make the system start up faster?

    Thanks again for all of your help.
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    AVG 8 has had some problems and has integrated Anti-Spyware. However, it does not take the place of SAS or MBAM. In my experience MBAM plays well with other AV/AS/AM applications. I have no personal experience with SAS and its compatibility with other applications.

    You do not need both MBAM and SAS resident on the system.
     
