Deltron (Posts: 851, Threads: 31, Joined: Jan 2011, Reputation: 21)
04-23-2011, 08:15 PM (This post was last modified: 04-23-2011, 08:45 PM by Deltron.)
HJT Log
DDS - DDS.txt
DDS - Attach.txt
OTM Log
OTL Log
MBR Check
Would you like me to attempt to run ComboFix again in Safe Mode?
Quintus (Posts: 528, Threads: 3, Joined: Oct 2009, Reputation: 31)
04-23-2011, 09:00 PM (This post was last modified: 04-23-2011, 10:29 PM by Quintus.)
- Step 24
Please run HijackThis as an administrator. Click Do a system scan only and place a check next to the following line(s) if present:
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Yparitefeda] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\okidulof.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iCEyocHtffAu] C:\ProgramData\iCEyocHtffAu.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'Default user')
Then, close all other open windows and click Fix Checked. You are to reboot your system afterwards.
If you are having a problem running HijackThis as an administrator (Windows Vista and Windows 7), please follow the steps below.
- On your desktop, right-click the HijackThis icon and select Properties.
- Navigate to the Compatibility tab and put a check on the Run this program as an administrator box.
- Click Apply > OK.
- HijackThis should prompt you to run it as an administrator every time you open it.
- Step 25
Run OTL.exe.
- Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.
Code:
:OTL
MOD - C:\Windows\System32\config\systemprofile\AppData\Local\okidulof.dll ()
SRV - (KMService) -- C:\Windows\System32\srvany.exe ()
DRV - (lulrds) -- C:\Windows\System32\drivers\xfmjiwda.sys File not found
DRV - (catchme) -- C:\Users\Tyler\AppData\Local\Temp\catchme.sys File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O13 - gopher Prefix: missing
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
[2011/04/23 19:18:15 | 000,565,248 | ---- | C] (WinTrust) -- C:\ProgramData\iCEyocHtffAu.exe
[2011/04/23 17:11:27 | 000,000,000 | ---D | C] -- C:\Users\Tyler\AppData\Local\{B705BA1D-EA5E-482E-84BC-F509EA157C68}
[2011/04/21 12:04:51 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/04/23 19:59:11 | 000,000,252 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/04/23 19:58:52 | 000,000,252 | -H-- | M] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
[2011/04/23 19:56:35 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/23 19:56:35 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/23 19:45:21 | 000,000,120 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Txorakezako.dat
[2011/04/23 19:34:44 | 000,000,000 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Amava.bin
[2011/04/23 19:18:15 | 000,565,248 | ---- | M] (WinTrust) -- C:\ProgramData\iCEyocHtffAu.ex
[2011/04/23 18:16:25 | 000,000,214 | ---- | M] () -- C:\Windows\System32\winset.ini
[2011/04/23 18:03:39 | 000,002,486 | -HS- | M] () -- C:\ProgramData\58bx7eu82nw807u43225osy0i56032q6uj62
[2011/04/23 18:03:19 | 000,001,316 | -HS- | M] () -- C:\ProgramData\594429988
[2011/04/23 18:03:19 | 000,001,316 | -HS- | M] () -- C:\Users\Tyler\AppData\Local\58bx7eu82nw807u43225osy0i56032q6uj62
[2011/04/23 12:53:40 | 004,327,899 | ---- | M] () -- C:\ComboFix.exe
[2011/04/21 21:51:17 | 000,011,582 | -HS- | M] () -- C:\Users\Tyler\AppData\Local\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
[2011/04/21 21:51:17 | 000,011,582 | -HS- | M] () -- C:\ProgramData\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
[2011/04/23 18:03:19 | 000,001,316 | -HS- | C] () -- C:\ProgramData\594429988
[2011/04/23 18:03:19 | 000,001,316 | -HS- | C] () -- C:\Users\Tyler\AppData\Local\58bx7eu82nw807u43225osy0i56032q6uj62
[2011/04/23 18:03:10 | 000,002,486 | -HS- | C] () -- C:\ProgramData\58bx7eu82nw807u43225osy0i56032q6uj62
[2011/04/23 13:55:21 | 000,000,252 | -H-- | C] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/04/23 13:55:19 | 000,000,252 | -H-- | C] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
[2011/04/21 19:35:51 | 000,011,582 | -HS- | C] () -- C:\Users\Tyler\AppData\Local\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
[2011/04/21 19:35:51 | 000,011,582 | -HS- | C] () -- C:\ProgramData\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
:Files
C:\32788R22FWJFW
C:\Windows\TEMP\Lbe.exe
c:\windows\system32\bi276.dll
c:\progra~2\iCEyocHtffAu.exe
:Commands
[purity]
[emptytemp]
[resethosts]
[CLEARALLRESTOREPOINTS]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
- You will need to post two logs:
- The log that you will see upon rebooting your system.
- A new OTL log (don't check the boxes beside LOP Check or Purity this time).
- Step 26
- You then need to extract the bootkit_remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use '7-Zip'.
- After extracting bootkit_remover.exe to your desktop, double-click on the executable to run the program (Windows Vista and Windows 7 users should run it as an administrator).
- A black screen will be shown with various messages.
- Right-click on the screen and click Select All.
- Press CTRL + C.
- Open Notepad and press CTRL + V.
- Post the output back here.
- Step 27
Download TDSSKiller from 'here' and save it to your desktop.
- Make sure all other windows are closed and to let it run uninterrupted.
- Run the file. Windows Vista and Windows 7 users should run it as an administrator.
- Then select Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- Once done, simply click Close.
- Click the Report button and copy and paste the contents of the log into your next reply. A log file will be created in the C:\ directory as well.
- Step 28
Please download Malwarebytes' Anti-Malware 'here'. This is a scanner which I will ask you to use.
- Double-click mbam-setup.exe to install the application.
- Make sure a check mark is placed next to Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform Full Scan, then click Scan. The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
- The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the Logs tab in the interface.
- Copy and paste the entire report in your next reply.
- In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- Bootkit Remover Log
- Doesn't Do Squat (DDS) Logs
- Malwarebytes' Anti-Malware Scan Log
- OTL Log
- TDSSKiller Log
- Format of Response
Code:
[b]Step # [/b]
[b]Problems Encountered: [/b]
[b]Step # [/b]
[b]Problems Encountered: [/b]
[b]Step # [/b]
[b]Problems Encountered: [/b]
[b]Step # [/b]
[b]Problems Encountered: [/b]
[b]Link To Requested Logs: [/b]
- Comments:
- Uninstall µTorrent and update Java.
- Do you see any log here? (C:\ComboFix)
- Give me these:
  C:\TDSSKiller.2.4.21.0_21.04.2011_00.09.41_log.txt
  C:\TDSSKiller.2.4.21.0_21.04.2011_00.10.15_log.txt
  C:\TDSSKiller.2.4.21.0_21.04.2011_00.10.49_log.txt
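Added example, not part of the thread and not code from HijackThis, OTL or any other tool named above: a small Python triage script that encodes the reasons behind the Step 24 and Step 25 selections as rules and runs them over the quoted log lines. The sample log is constructed from those lines plus the ctfmon.exe entry as a benign control; the rule names, the list of drop locations and the lockout-policy names are this example's own choices. The rules judge Run entries by launch path rather than by name, so the ctfmon.exe value under the SYSTEM hive that Quintus also checked is deliberately left to a human, while the exefile hijack (O35/O37), the lockout policies (O6/O7) and the cached AutoRun command (O33) are flagged outright.

```python
r"""Triage rules for HijackThis / OTL log lines (added example, not from the thread).

Rules, each matching one kind of persistence or lockout seen in the log above:
  * O4      Run-key entries launching from writable drop locations (%TEMP%,
            ProgramData, a profile's AppData\Local, which also covers the
            SYSTEM account's profile under system32\config\systemprofile)
  * O6/O7   policy values that lock the user out of Task Manager, regedit,
            Control Panel or the Security Center icon
  * O35/O37 exefile\shell\open\command no longer "%1" %*, i.e. every .exe
            launch is proxied through the malware (the :Reg fix restores it)
  * O33     MountPoints2 AutoRun commands cached from removable drives
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in Step 24/25, plus ctfmon.exe as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Yparitefeda] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\okidulof.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iCEyocHtffAu] C:\ProgramData\iCEyocHtffAu.exe (User 'SYSTEM')
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
"""


@dataclass
class Finding:
    section: str   # log section tag, e.g. "O4"
    reason: str
    line: str


# Writable locations that legitimate Run-key entries essentially never launch from (example's own list).
DROP_LOCATIONS = re.compile(r"\\(?:Windows\\TEMP|ProgramData|AppData\\Local)\\", re.IGNORECASE)
# Lockout policies rogue-AV families set to stop the user fighting back (example's own list).
LOCKOUT_POLICIES = re.compile(
    r"\b(DisableTaskMgr|DisableRegistryTools|NoControlPanel|HideSCAHealth)\s*=\s*1\b")
# Windows default for HKCR\exefile\shell\open\command; anything else proxies .exe launches.
EXEFILE_DEFAULT = '"%1" %*'

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")          # trailing (User 'SYSTEM')
EXEFILE_RE = re.compile(r"^O3[57] - .* -- (?P<cmd>.*?)(?: File not found)?$")
MOUNTPOINTS_RE = re.compile(r"^O33 - MountPoints2\\.*\\AutoRun\\command\b", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a rule, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if m := O4_RE.match(line):
            cmd = USER_SUFFIX_RE.sub("", m["cmd"])
            if DROP_LOCATIONS.search(cmd):
                findings.append(Finding(section, f"Run entry [{m['name']}] launches from a drop location: {cmd}", line))
        elif section in ("O6", "O7") and (m := LOCKOUT_POLICIES.search(line)):
            findings.append(Finding(section, f"lockout policy {m[1]} = 1", line))
        elif m := EXEFILE_RE.match(line):
            if m["cmd"] != EXEFILE_DEFAULT:
                findings.append(Finding(section, f"exefile open command hijacked: {m['cmd']}", line))
        elif MOUNTPOINTS_RE.match(line):
            findings.append(Finding(section, "cached removable-drive AutoRun command", line))
    return findings


def summary(findings: list[Finding]) -> list[str]:
    """Section tags of the findings, in order, for a quick glance at what fired."""
    return [f.section for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}")
```

Run it on a pasted log and every hit names the line and the rule that fired; an entry that passes the rules is not thereby clean (ctfmon.exe under S-1-5-18 is the illustration), so the script narrows the reading of a long OTL log rather than replacing it.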
Deltron (Posts: 851, Threads: 31, Joined: Jan 2011, Reputation: 21)
04-23-2011, 09:16 PM (This post was last modified: 04-23-2011, 09:37 PM by Deltron.)
When running Bootkit Remover:
ATA_PASS_THROUGH_DIRECT is not supported by your disk controller.
SCSI_PASS_THROUGH_DIRECT will be use for disk I/O
Step # 24
Problems Encountered: N/A
Step # 25
Problems Encountered: N/A
Step # 26
Problems Encountered: Error message. See post above.
Step # 27
Problems Encountered: N/A
Step # 28
Problems Encountered: N/A
Link To Requested Logs:
MBAM is currently scanning. I will post the results when finished.
Comments
Quintus (Posts: 528, Threads: 3, Joined: Oct 2009, Reputation: 31)
Did you reboot before scanning with MBAM?
Deltron (Posts: 851, Threads: 31, Joined: Jan 2011, Reputation: 21)
(04-23-2011, 09:33 PM)Quintus Wrote: Did you reboot before scanning with MBAM?
Yes.
Quintus (Posts: 528, Threads: 3, Joined: Oct 2009, Reputation: 31)
Are you disconnected from the Internet? Did Bootkit Remover produce no log? Also, do you know how to navigate through the CMD?
Deltron (Posts: 851, Threads: 31, Joined: Jan 2011, Reputation: 21)
04-23-2011, 09:43 PM (This post was last modified: 04-23-2011, 09:44 PM by Deltron.)
No, yes, sorta.
The log was gibberish.
Quintus (Posts: 528, Threads: 3, Joined: Oct 2009, Reputation: 31)
I see. We'd have to run other tools then. Have you had a recent BSOD? Any weird pop-ups?
If you know how to, check what's inside C:\ComboFix using the CMD.
Deltron (Posts: 851, Threads: 31, Joined: Jan 2011, Reputation: 21)
I get a BSOD every time I shut down, restart, etc. No weird pop-ups.
Quintus (Posts: 528, Threads: 3, Joined: Oct 2009, Reputation: 31)
And this occurred only after the infection streak?
How did it go?