The first scan located mostly infection already removed by ComboFix to its Qoobox folder, and it looks like it mistook a Panda active scan file as malicious (one way to eliminate the competition). The second scan just shows infection held harmless in System Restore, which we will be clearing out shortly anyway. Looks cleaned up at this point. Before we do some last steps to finish our work, post back how things are running now please.
Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
If you are being redirected, and the desktop is locked like that, we do have some additional checking to do here. We do need a scan that shows the HijackThis and running process entries, which seem to be blocked in other results so far.
Download subinacl.msi from here to your desktop, then click the file to start the installer.
Accept any agreements, and allow it to install SubInACL.exe to its "C:\Program Files\Windows Resource Kits\Tools\" folder.
Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
cd "%programfiles%\Windows Resource Kits\Tools"
subinacl /subdirectories %SystemDrive% /grant=everyone=f
Save the file to the desktop as "permdo.bat"
Make sure to use the quotes "" in the name.
Then double-click on permdo.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.
------
Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after:
cd\
win32kdiag -r -f
Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).
--------------
See if can now run a scan using HijackThis, and post that log. If you cannot get HijackThis to run go here and download HijackThis 1.99.1. Unzip that downloaded file, then click on that copy of HijackThis.exe to open HijackThis. Run a scan using that and post the log back here please.
--------------
And run a new ComboFix scan. Post that C:\ComboFix.txt log along with the Win32kDiag.txt log and the HijackThis log please.
Logfile of HijackThis v1.99.1 Scan saved at 6:52:09 AM, on 9/10/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16876)
ComboFix 09-09-09.04 - David 09/10/2009 6:58.3.1 - NTFSx86 Running from: c:\documents and settings\David\Desktop\456out.com AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} * Created a new restore point .
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 ))))))))))))))))))))))))))))))) .
c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Good, that gives us an easier way to change unwanted proxy settings, and shows a suspect file as well.
Make a copy of the following list, then close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Return to OTM, right click in the "Paste Instructions for Items to be Moved" window and select Paste. Then click the red MoveIt! button.
A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
-----------
Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:
Remove found threats
Scan unwanted applications
Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.
If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
Post back that Eset log, the OTM log and a new RSIT log please.
User: David ->Temp folder emptied: 1571940 bytes ->Temporary Internet Files folder emptied: 40770142 bytes ->Java cache emptied: 65905 bytes
User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes
User: LocalService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 32969 bytes
User: NetworkService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 32902 bytes
Good - post the Eset scan log and the new RSIT log when ready and we'll review then.
Thanks for sticking with me I have had trouble finding time to get online in the last couple of days.
I am still unable to run RSIT
When I try to re-download I get "Cannot copy RSIT: Access is denied. Make sure that the disk is not full or write-protected and that the file is not currently in use"
When I try to run without downloading to desktop I get "AutoIt Error. Error: Variable used without being declared"
Seems like an unseen rootkit there, or a similar issue. Let's see if we can locate and disable it when it is vulnerable.
I have not used the following method recently, so my steps may not quite match what you see there.
listsvc
dir c:\windows\system32\drivers
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text (inside the Code box) into the open text box, then save this to your C:\Windows folder as "servcheck.bat"
It should then be C:\Windows\servcheck.bat (important)
-------------------
Reboot, and at the boot options screen select the following:
Microsoft Windows Recovery Console
If you are given the option, enter the number for the appropriate Windows installation (usually #1), Windows will then prompt you to enter the Administrator account password if one was created (if one was not created then just press Enter).
At the prompt type the following, pressing Enter after each:
cd C:\windows
batch servcheck.bat c:\windows\servicelook.txt
exit
When you hit Enter after typing exit your computer will reboot. Do Not press any key until the system has completely rebooted, then after the reboot be sure to remove your XP CD from the CD-ROM drive.
Then locate and post back here the contents of c:\windows\servicelook.txt please.
i am not very good with computer. computer has a redirecting virus. how do i get rid of it. remember i'm not to good on computer. could you take me step to step
Welcome to BullGuard forums mat3150. You need to wait for a response in the new thread you posted, so please no posting in other people's requests. Interrupts the flow of things. Post the log when ready grinaldo and we will review then.
I tried going through the windows recovery console but when I do that all I get is a blank screen with flashing cursor. Did a little digging and I thought I had an issue in as much as my Windows CD is SP1 and I am now on SP2? I did a little more googling and tried to follow the advice to upgrade but cannot get away from the blank screen and flashing cursor.
I do not know what is more frustrating, this darn virus or my lack of knowledge!!!
Any help you can give me is (as always) appreciated.
I sense it is an issue with either the disk, or the CD drive itself. Time to redirect our energies then. FYI - it has been my experience that, for access to the Recovery Console for just the use of the Windows commands, like we were intending, different Service Pack disks can be used.
See if you can click and get the Win32kDiag.exe to run, then follow the prompts from that and post back the Win32kDiag.txt log it creates on the desktop please.
Have the RSIT.exe file on your desktop. Click here and download Inherit.exe to your desktop. Then for now just drag RSIT.exe into the Inherit.exe file. Once it completes the permissions changes it makes, a "Finish" popup showing "OK" should appear. Just click the OK button to close that.
Then try to run the RSIT scan again please.
Forgot to answer your question. Yes, if no malware folder "junction" tricks remain, the Win32kDiag log will be very short like that.
Inherit.exe downloaded as requested and RSIT dragged. I am still unable to run RSIT though (Error message about line -1 variable used without being declared). I am able to delete the file from desktop though but when I re-save the RSIT file I receive the same error message.
I read back through some of the posts and see I really misread what you had posted - I had read that the redirects are still occurring. And so tied that with the Desktop issues there, and started seeking malware afresh. RSIT, and I think HijackThis, are compiled using AutoIt software, and it's that software's script that shows that variable error. Let's just check to make sure no access is being blocked that AutoIt or RSIT requires to run.
Download MS Sysinternal's Junction.zip from here to your desktop, then unzip that. Then in that folder locate the Junction.exe file, and place a copy of that directly on your desktop.
Go to Start - Run, and copy/paste the following command line, and then press OK:
Once that completes a log.txt will open in Notepad. Paste those contents back here please.
Junction v1.05 - Windows junction creator and reparse point viewer Copyright (C) 2000-2007 Mark Russinovich Systems Internals - http://www.sysinternals.com
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
. Failed to open \\?\c:\\Documents and Settings\David\Desktop\hijackthis\HijackThis.exe: Access is denied.
... Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.
...
... Failed to open \\?\c:\\Program Files\Trend Micro\David.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
...
. Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
..
...
.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
That shows why things weren't working right there. I can't quite tell how that log should be, with the forum hyperlinking. And no RSIT example. If one is not there place a copy of RSIT.exe on the desktop, then run that same scan step again.
Then email the log from that as an attachment to jintan AT malwarecrypt.com (replace the "AT" with @). Please place "Submitted Files - grinaldo/bg/junctions" as the email Subject.
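The Junction log above mixes three kinds of lines: "Access is denied" failures (the symptom that stops RSIT/HijackThis running), other open failures (a busy pagefile), and JUNCTION records with their Print/Substitute targets. The parser below, added here as an example and not a tool from the thread, splits a Junction v1.05 log into those groups and flags junctions that are not the normal .NET GAC-to-WinSxS pair, using a constructed sample log (paths made up, except the GAC entry copied from the post above) and an assumed watch-list of tool names.

```python
import re
# Constructed sample in the format of Sysinternals Junction v1.05 output, modelled on the
# log posted above; the leading dots and "..." mimic how the forum rendered that log.
SAMPLE_LOG = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
... Failed to open \\?\c:\\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe: Access is denied.
.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\Program Files\Trend Micro\HijackThis: JUNCTION
   Print Name     : C:\Documents and Settings\User\Local Settings\Temp\hidden
   Substitute Name: C:\Documents and Settings\User\Local Settings\Temp\hidden
"""
FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+)$")
JUNCTION_RE = re.compile(r"^(?P<path>.+?): JUNCTION$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(?P<target>.+)$")
# Assumed watch-list: cleanup tools whose "Access is denied" is the symptom seen in the thread.
TOOL_NAMES = {"hijackthis.exe", "rsit.exe", "combofix.exe", "msmpeng.exe", "win32kdiag.exe"}
# Junction/target prefix pairs that are normal on XP (.NET GAC entries link into WinSxS).
EXPECTED_JUNCTIONS = [(r"\windows\assembly\gac", r"\windows\winsxs")]

def normalize(path):
    # Junction prints \\?\c:\\dir\file; strip the prefix and the doubled backslash.
    p = path.strip()
    p = p[4:] if p.startswith("\\\\?\\") else p
    return p.replace("\\\\", "\\")

def parse_junction_log(text):
    # Returns (access-denied paths, other open failures, junction records).
    denied, failed, junctions, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip(". ")  # drop the forum's leading dots
        if m := FAILED_RE.match(line):
            (denied if "Access is denied" in m["reason"] else failed).append(normalize(m["path"]))
        elif m := JUNCTION_RE.match(line):
            current = {"path": normalize(m["path"]), "print": None, "substitute": None}
            junctions.append(current)
        elif (m := NAME_RE.match(line)) and current is not None:
            current["print" if m[1] == "Print Name" else "substitute"] = m["target"].strip()
    return denied, failed, junctions

def triage(text):
    # Flags blocked cleanup tools and junctions that are not a known-benign prefix pair.
    denied, failed, junctions = parse_junction_log(text)
    nodrive = lambda p: p.lower()[2:] if p[1:2] == ":" else p.lower()
    blocked = [p for p in denied if p.rsplit("\\", 1)[-1].lower() in TOOL_NAMES]
    suspicious = [(j["path"], j["substitute"] or j["print"]) for j in junctions
                  if not any(nodrive(j["path"]).startswith(a) and nodrive(j["substitute"] or j["print"] or "").startswith(b)
                             for a, b in EXPECTED_JUNCTIONS)]
    return {"blocked_tools": blocked, "suspicious_junctions": suspicious, "denied": len(denied), "other_failures": len(failed), "junctions": len(junctions)}
```

Run `triage(open("log.txt").read())` on a real Junction log to get the same summary; a junction on a security tool's folder pointing into a temp directory is the kind of "junction trick" the helper refers to above.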