Rogue Antivirus
#31
HJT Log
DDS - DDS.txt
DDS - Attach.txt
OTM Log
OTL Log
MBR Check

Would you like me to attempt to run ComboFix again in Safe Mode?
#32
  • Step 24

    Please run HijackThis as an administrator. Click Do a system scan only and place a check next to the following line(s) if present:

    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [Yparitefeda] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\okidulof.dll",Startup
    O4 - HKUS\S-1-5-18\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [iCEyocHtffAu] C:\ProgramData\iCEyocHtffAu.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'Default user')


    Then, close all other open windows and click Fix Checked. You are to reboot your system afterwards.

    If you are having a problem running HijackThis as an administrator (Windows Vista and Windows 7), please follow the steps below.
    • On your desktop, right-click the HijackThis icon and select Properties.
    • Navigate to the Compatibility tab and put a check on the Run this program as an administrator box.
    • Click Apply > OK.
    • HijackThis should prompt you to run it as an administrator every time you open it.
  • Step 25

    Run OTL.exe.
    • Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.

      Code:
      :OTL
      MOD - C:\Windows\System32\config\systemprofile\AppData\Local\okidulof.dll ()
      SRV - (KMService) -- C:\Windows\System32\srvany.exe ()
      DRV - (lulrds) -- C:\Windows\System32\drivers\xfmjiwda.sys File not found
      DRV - (catchme) -- C:\Users\Tyler\AppData\Local\Temp\catchme.sys File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
      O13 - gopher Prefix: missing
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O33 - MountPoints2\F\Shell - "" = AutoRun
      O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
      O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
      O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
      O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
      [2011/04/23 19:18:15 | 000,565,248 | ---- | C] (WinTrust) -- C:\ProgramData\iCEyocHtffAu.exe
      [2011/04/23 17:11:27 | 000,000,000 | ---D | C] -- C:\Users\Tyler\AppData\Local\{B705BA1D-EA5E-482E-84BC-F509EA157C68}
      [2011/04/21 12:04:51 | 000,000,000 | -HSD | C] -- C:\Config.Msi
      [2011/04/23 19:59:11 | 000,000,252 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
      [2011/04/23 19:58:52 | 000,000,252 | -H-- | M] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
      [2011/04/23 19:56:35 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
      [2011/04/23 19:56:35 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
      [2011/04/23 19:45:21 | 000,000,120 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Txorakezako.dat
      [2011/04/23 19:34:44 | 000,000,000 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Amava.bin
      [2011/04/23 19:18:15 | 000,565,248 | ---- | M] (WinTrust) -- C:\ProgramData\iCEyocHtffAu.ex
      [2011/04/23 18:16:25 | 000,000,214 | ---- | M] () -- C:\Windows\System32\winset.ini
      [2011/04/23 18:03:39 | 000,002,486 | -HS- | M] () -- C:\ProgramData\58bx7eu82nw807u43225osy0i56032q6uj62
      [2011/04/23 18:03:19 | 000,001,316 | -HS- | M] () -- C:\ProgramData\594429988
      [2011/04/23 18:03:19 | 000,001,316 | -HS- | M] () -- C:\Users\Tyler\AppData\Local\58bx7eu82nw807u43225osy0i56032q6uj62
      [2011/04/23 12:53:40 | 004,327,899 | ---- | M] () -- C:\ComboFix.exe
      [2011/04/21 21:51:17 | 000,011,582 | -HS- | M] () -- C:\Users\Tyler\AppData\Local\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
      [2011/04/21 21:51:17 | 000,011,582 | -HS- | M] () -- C:\ProgramData\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
      [2011/04/23 18:03:19 | 000,001,316 | -HS- | C] () -- C:\ProgramData\594429988
      [2011/04/23 18:03:19 | 000,001,316 | -HS- | C] () -- C:\Users\Tyler\AppData\Local\58bx7eu82nw807u43225osy0i56032q6uj62
      [2011/04/23 18:03:10 | 000,002,486 | -HS- | C] () -- C:\ProgramData\58bx7eu82nw807u43225osy0i56032q6uj62
      [2011/04/23 13:55:21 | 000,000,252 | -H-- | C] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
      [2011/04/23 13:55:19 | 000,000,252 | -H-- | C] () -- C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
      [2011/04/21 19:35:51 | 000,011,582 | -HS- | C] () -- C:\Users\Tyler\AppData\Local\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68
      [2011/04/21 19:35:51 | 000,011,582 | -HS- | C] () -- C:\ProgramData\qi8851w3107x74l474w68yr5a83t63620w0j8r0j68

      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
      ""=""%1" %*"

      :Files
      C:\32788R22FWJFW
      C:\Windows\TEMP\Lbe.exe
      c:\windows\system32\bi276.dll
      c:\progra~2\iCEyocHtffAu.exe

      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [CLEARALLRESTOREPOINTS]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
    • You will need to post two logs:
      • The log that you will see upon rebooting your system.
      • A new OTL log (don't check the boxes beside LOP Check or Purity this time).
  • Step 26

    • You then need to extract the bootkit_remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use '7-Zip'.
    • After extracting bootkit_remover.exe to your desktop, double-click on the executable to run the program (Windows Vista and Windows 7 users should run it as an administrator).
    • A black screen will be shown with various messages.
    • Right-click on the screen and click Select All.
    • Press CTRL + C.
    • Open Notepad and press CTRL + V.
    • Post the output back here.
  • Step 27

    Download TDSSKiller from 'here' and save it to your desktop.
    • Make sure all other windows are closed and to let it run uninterrupted.
    • Run the file. Windows Vista and Windows 7 users should run it as an administrator.
    • Then select Start Scan.
      • If an infected file is detected, the default action will be Cure, click on Continue.
      • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • Once done, simply click Close.
    • Click the Report button and copy and paste the contents of the log into your next reply. A log file will be created in the C:\ directory as well.
  • Step 28

    Please download Malwarebytes' Anti-Malware 'here'. This is a scanner which I will ask you to use.
    • Double-click mbam-setup.exe to install the application.
    • Make sure a check mark is placed next to Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Full Scan, then click Scan. The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
    • The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the Logs tab in the interface.
    • Copy and paste the entire report in your next reply.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Bootkit Remover Log
    • Doesn't Do Squat (DDS) Logs
      • DDS.txt
      • Attach.txt
    • Malwarebytes' Anti-Malware Scan Log
    • OTL Log
    • TDSSKiller Log
  • Format of Response

    Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
  • Comments:
    • Uninstall µTorrent and update Java.
    • Do you see any log here? (C:\ComboFix)
    • Give me these
      • C:\TDSSKiller.2.4.21.0_21.04.2011_00.09.41_log.txt
      • C:\TDSSKiller.2.4.21.0_21.04.2011_00.10.15_log.txt
      • C:\TDSSKiller.2.4.21.0_21.04.2011_00.10.49_log.txt
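Added example, not part of the thread or of any of the tools mentioned in it: a small Python triage script that applies the same red flags the helper used in Steps 24 and 25 (autoruns launched from Windows\TEMP, from the SYSTEM profile's AppData\Local, or from the ProgramData root, and an .exe file association that no longer runs just `"%1" %*`) to HijackThis-style log lines. The sample lines are constructed from the entries quoted above; the path heuristics are the author's assumptions, not HijackThis or OTL logic.

```python
import re

# Constructed sample HijackThis-style lines modelled on the entries above (not the thread's logs).
SAMPLE_LINES = [
    'O4 - HKLM\\..\\Run: [Yparitefeda] rundll32.exe "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\okidulof.dll",Startup',
    "O4 - HKUS\\S-1-5-18\\..\\Run: [D1T2EUR7FZ] C:\\Windows\\TEMP\\Lbe.exe (User 'SYSTEM')",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe (User 'SYSTEM')",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [iCEyocHtffAu] C:\\ProgramData\\iCEyocHtffAu.exe (User 'SYSTEM')",
    'O35 - HKLM\\..exefile [open] -- "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\xnf.exe" -a "%1" %* File not found',
]

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXEFILE_RE = re.compile(r"^O3[57] - .*?exefile.*? -- (?P<cmd>.*?)(?: File not found)?$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s,]+\.(?:exe|dll))', re.IGNORECASE)


def extract_path(cmd):
    # First absolute .exe/.dll path in an autorun command (skips bare "rundll32.exe"), or None.
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def suspicious_reason(path):
    """Location heuristics (assumed) matching where the rogue AV in this thread ran from."""
    p = path.lower()
    parent = p.rsplit("\\", 1)[0]
    if "\\windows\\temp\\" in p:
        return "autorun launches an executable from the Windows TEMP folder"
    if "\\config\\systemprofile\\appdata\\local\\" in p:
        return "payload stored under the SYSTEM account's AppData\\Local"
    if parent == "c:\\programdata":
        return "executable dropped directly into the ProgramData root"
    return None  # nothing unusual about where it runs from


def exefile_hijacked(line):
    """True when the .exe association (O35/O37) runs anything other than '"%1" %*'."""
    m = EXEFILE_RE.match(line)
    return bool(m) and m.group("cmd").strip() != '"%1" %*'


def triage(lines):
    """Return (entry name, reason) for each log line that deserves a closer look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            reason = suspicious_reason(path) if path else None
            if reason:
                findings.append((m.group("name"), reason))
        elif exefile_hijacked(line):
            findings.append(("exefile", "every .exe launch is routed through another program"))
    return findings
```

Running `triage(SAMPLE_LINES)` flags the four entries the helper asked to fix and leaves the legitimate ctfmon.exe autorun alone.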
#33
When running Bootkit Remover:

ATA_PASS_THROUGH_DIRECT is not supported by your disk controller.
SCSI_PASS_THROUGH_DIRECT will be use for disk I/O

Step # 24
Problems Encountered: N/A

Step # 25
Problems Encountered: N/A

Step # 26
Problems Encountered: Error message. See post above.

Step # 27
Problems Encountered: N/A

Step # 28
Problems Encountered: N/A

Link To Requested Logs:

MBAM is currently scanning. I will post the results when finished.

Comments
#34
Did you reboot before scanning with MBAM?
#35
(04-23-2011, 09:33 PM)Quintus Wrote: Did you reboot before scanning with MBAM?

Yes.
#36
Are you disconnected from the Internet? Did Bootkit Remover produce no log? Also, do you know how to navigate through the CMD?
#37
No, yes, sorta.

The log was gibberish.

#38
I see. We'd have to run other tools then. Have you had a recent BSOD? Any weird pop-ups?

If you know how to, check what's inside C:\ComboFix using the CMD.
#39
I get a BSOD every time I shut down, restart, etc. No weird pop-ups.
#40
And this occurred only after the infection streak?

How did it go?

