Brutal Malware - help
- Thread starter skein4
- Start date
- Status
Skein
You are doing great!
If the final runs do not get the below
Then do this in MWBAM click More Tools-Run Tool.
Then copy paste the 2 lines in the box above one at a time to the file name box click open and follow prompts to delete.
Mike
You are doing great!
If the final runs do not get the below
Code:
C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa8f6.tmp
C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa96e.tmpThen do this in MWBAM click More Tools-Run Tool.
Then copy paste the 2 lines in the box above one at a time to the file name box click open and follow prompts to delete.
Mike
Mike- those C: files you listed were not found.
Momok: I was able to download Combofix for the first time and was running it when the computer restarted. When it started up, AvirGuard caught a number or registry changes:
google.com/ie
microsoft.com/isapi/redir.dll?....a bunch more stuff
microsoft.com/wlink/?linkID=....numbers
microsoft.com/wlink/?linkID=...numbers
microsoft.com/wlink/?linkID=....numbers
ie.search.msn.com/{sub....
autorun
load
scrnsave.exe
Also, a red shield shows up in the tray and a window pops up saying "Your computer might not be safe/No Firewall turned on/Click this balloon to fix this problem" I did not click the balloon.
Then Combofix completed its scan. I ran it again, and both logs are attached. 1 is the first one, 2 is the second one.
Finally, a windows update downloaded and shows up on the restart/log off dialog box. I have been restarting without loading it. Should I load it?
Also attached are HJT, MBW, and SAS logs. It seems like something is still there. I'm going to sleep now but will check back first thing in the morning EST. Thanks,
Also, here is one more AV Scan log before I call it a night.
Momok: I was able to download Combofix for the first time and was running it when the computer restarted. When it started up, AvirGuard caught a number or registry changes:
google.com/ie
microsoft.com/isapi/redir.dll?....a bunch more stuff
microsoft.com/wlink/?linkID=....numbers
microsoft.com/wlink/?linkID=...numbers
microsoft.com/wlink/?linkID=....numbers
ie.search.msn.com/{sub....
autorun
load
scrnsave.exe
Also, a red shield shows up in the tray and a window pops up saying "Your computer might not be safe/No Firewall turned on/Click this balloon to fix this problem" I did not click the balloon.
Then Combofix completed its scan. I ran it again, and both logs are attached. 1 is the first one, 2 is the second one.
Finally, a windows update downloaded and shows up on the restart/log off dialog box. I have been restarting without loading it. Should I load it?
Also attached are HJT, MBW, and SAS logs. It seems like something is still there. I'm going to sleep now but will check back first thing in the morning EST. Thanks,
Also, here is one more AV Scan log before I call it a night.
Hi
Do this and run SAS again.
Before clicking Scan
Click the Preferences button.
Then Scanning Control.
In Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Leave the others as they are.
These are all OK allow them
Click the Red Shield and re-enable the Windows Firewall
or let me know if it will not start.
Mike
Do this and run SAS again.
Before clicking Scan
Click the Preferences button.
Then Scanning Control.
In Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Leave the others as they are.
These are all OK allow them
Code:
google.com/ie
microsoft.com/isapi/redir.dll?....a bunch more stuff
microsoft.com/wlink/?linkID=....numbers
microsoft.com/wlink/?linkID=...numbers
microsoft.com/wlink/?linkID=....numbers
ie.search.msn.com/{sub....
autorun
load
scrnsave.exeClick the Red Shield and re-enable the Windows Firewall
or let me know if it will not start.
Mike
Mike-
I turned on the firewall. Incidentally, I had those SAS instructions followed from a previous posting by you, so all the recent SAS logs I posted should have those preferences intact.
I went fully through the 8 steps and the logs are attached.
The computer keeps trying to restart. A dialog box from Windows Automatic Updates pops up saying it has downloaded updates and will restart in 5 minutes, then begins counting down.
Last- should I allow the computer to install updates on shutdown?
I'm off to work now, but will check for responses later today. Thanks,
I turned on the firewall. Incidentally, I had those SAS instructions followed from a previous posting by you, so all the recent SAS logs I posted should have those preferences intact.
I went fully through the 8 steps and the logs are attached.
The computer keeps trying to restart. A dialog box from Windows Automatic Updates pops up saying it has downloaded updates and will restart in 5 minutes, then begins counting down.
Last- should I allow the computer to install updates on shutdown?
I'm off to work now, but will check for responses later today. Thanks,
Hello Skein
Good job. I think we are almost there!
Use HJT Scan only select for removal (will this one not go I and others have recommended removal earlier?)
O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)
Yes shutdown and let it install updates.
----------------------------------------------------------------------------------------------------------------------------------
D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------------------
After the above
Run SpyBot and do the Immunize (run scan also if you want)!
then
D/L http://www.javacoolsoftware.com/spywareblaster.html
install run update enable all protections
----------------------------------------------------------------------------------------------------------------------------------
After all the above recheck with SAS to ensure those tracking cookies are gone
----------------------------------------------------------------------------------------------------------------------------------
If you still have Windows update issues let me know and we will fix that.
Mike
Good job. I think we are almost there!
Use HJT Scan only select for removal (will this one not go I and others have recommended removal earlier?)
O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)
Yes shutdown and let it install updates.
----------------------------------------------------------------------------------------------------------------------------------
D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------------------
After the above
Run SpyBot and do the Immunize (run scan also if you want)!
then
D/L http://www.javacoolsoftware.com/spywareblaster.html
install run update enable all protections
----------------------------------------------------------------------------------------------------------------------------------
After all the above recheck with SAS to ensure those tracking cookies are gone
----------------------------------------------------------------------------------------------------------------------------------
If you still have Windows update issues let me know and we will fix that.
Mike
Mike,
I think we missed something @message 56.
This appears in both Combofix logs
2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat
This one is suspicious, but I don't know. As a dllcache file, I'd add it to the deletion list.
2008-10-15 08:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
Another thing to consider is the hard reset of the rou ter. It is unknown if this exploit is being used by this infection.
Rich
I think we missed something @message 56.
This appears in both Combofix logs
2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat
This one is suspicious, but I don't know. As a dllcache file, I'd add it to the deletion list.
2008-10-15 08:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
Another thing to consider is the hard reset of the rou ter. It is unknown if this exploit is being used by this infection.
Rich
Mike
The TDSS file appears in both logs in that message. Since I do not understand all aspects of ComboFix, where do you look to see that it was cleared. Since this file appears in the file list, I do not interpret that it was marked for deletion.
Additionally, some of the history behind MBAB logs makes me pause. The major trojan gets knocked out, but trojan.fake returns, and finally the all-clear.
Another run of ComboFix perhaps?
Create comboscript file with single file: c:\windows\system32\TDSSrrvd.dat
Rich
The TDSS file appears in both logs in that message. Since I do not understand all aspects of ComboFix, where do you look to see that it was cleared. Since this file appears in the file list, I do not interpret that it was marked for deletion.
Additionally, some of the history behind MBAB logs makes me pause. The major trojan gets knocked out, but trojan.fake returns, and finally the all-clear.
Another run of ComboFix perhaps?
Create comboscript file with single file: c:\windows\system32\TDSSrrvd.dat
Rich
Hi Rich
Perhaps I am missing it but the 1st log from 11:58 has the tdss that is when it found and cleaned, the 2nd log at 12:15 has no reference to tdss as should be since it was cleaned in the first run.
The last log is what counts. But maybe I am missing something in that log can you post the item I am missing?
And it will not hurt to advise him to do download a new ComboFix and run again if you want.
Mike
Perhaps I am missing it but the 1st log from 11:58 has the tdss that is when it found and cleaned, the 2nd log at 12:15 has no reference to tdss as should be since it was cleaned in the first run.
The last log is what counts. But maybe I am missing something in that log can you post the item I am missing?
And it will not hurt to advise him to do download a new ComboFix and run again if you want.
Mike
I am speaking of Message #56
Which message # & which files are you referring to?
ComboFixLog1
ComboFix 08-11-11.01 - DELL 2008-11-12 23:58:49.1 - NTFSx86
ComboFixLog2
ComboFix 08-11-11.01 - DELL 2008-11-13 0:15:47.2 - NTFSx86
Search string = TDSSrrvd.dat
Matches occur in both files.
Landmarks in each file. Some extra spaces removed. Some [] removed.
ComboFixLog1
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13
ComboFixLog2
COLOR=RED]B]]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!/B][/COLOR
.((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13
That shows part of what was removed. But TDSSrrvd.dat survived.
2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat
Where can we establish if this is a legit file?
Which message # & which files are you referring to?
ComboFixLog1
ComboFix 08-11-11.01 - DELL 2008-11-12 23:58:49.1 - NTFSx86
ComboFixLog2
ComboFix 08-11-11.01 - DELL 2008-11-13 0:15:47.2 - NTFSx86
Search string = TDSSrrvd.dat
Matches occur in both files.
Landmarks in each file. Some extra spaces removed. Some [] removed.
ComboFixLog1
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13
ComboFixLog2
COLOR=RED]B]]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!/B][/COLOR
.((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13
That shows part of what was removed. But TDSSrrvd.dat survived.
2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat
Where can we establish if this is a legit file?
Hi Rich
You are correct I missed it
you must have good young eyes. I have old not so good eyes.
It is only the data file without the program itself it is useless!
But needs to be gone,
Skein to remove this file start MABAM don't scan click More Tools-Run Tool
Copy and paste the line in the box to "File Name" and click open.
Note: this runs another MalwareBytes stand alone program "FileAssassin" for deleting hard to delete or in use files.
Mike
You are correct I missed it
Code:
c:\windows\system32\TDSSrrvd.datyou must have good young eyes. I have old not so good eyes.
It is only the data file without the program itself it is useless!
But needs to be gone,
Skein to remove this file start MABAM don't scan click More Tools-Run Tool
Copy and paste the line in the box to "File Name" and click open.
Note: this runs another MalwareBytes stand alone program "FileAssassin" for deleting hard to delete or in use files.
Mike
OK- There were several messages before I could get back to my computer, so let me know if I missed a step.
1. Ran File Assassin on the TDSS DAt file
2. Restarted, all windows updates loaded.
3. HJT deleted the LikeVine registry. However it keeps showing up. It is a file I downloaded and know, so is it okay to keep? I deleted it per instructions, but unless there is a reason not to use it, will install it again. Thoughts?
4. Ran ATF Cleaner till clean
5. Spybot Immunize
6. Spyware Blaster
7. SAS, log attached.
8. Combofix, log attached
9. HJT, log attached.
Let me know if there is something that I missed. Thanks again. If we get to the point of clean, I will try and write a summary of steps that seemed to work, since this one seems to be making the rounds. Thanks,
1. Ran File Assassin on the TDSS DAt file
2. Restarted, all windows updates loaded.
3. HJT deleted the LikeVine registry. However it keeps showing up. It is a file I downloaded and know, so is it okay to keep? I deleted it per instructions, but unless there is a reason not to use it, will install it again. Thoughts?
4. Ran ATF Cleaner till clean
5. Spybot Immunize
6. Spyware Blaster
7. SAS, log attached.
8. Combofix, log attached
9. HJT, log attached.
Let me know if there is something that I missed. Thanks again. If we get to the point of clean, I will try and write a summary of steps that seemed to work, since this one seems to be making the rounds. Thanks,
Mike, I think you posted HJT findings for a different thread.......Rich
Skein
LikeVine may be among the good. The associated clsid also covers crap from some other vendors
The isotoolbar (vendor) was the most notorious At times it is difficult to judge how many of the vendors are really the same company.
Skein
LikeVine may be among the good. The associated clsid also covers crap from some other vendors
The isotoolbar (vendor) was the most notorious At times it is difficult to judge how many of the vendors are really the same company.
Mike-
Yeah, I think that HJT was not mine. Here is a new one after restart, just in case, and none of those issues are here. I understand, tho, since are answering dozens of these things at once! You are like those chess geniuses at the park that play 10 people at the same time...
Shall I still run SD Fix?
Yeah, I think that HJT was not mine. Here is a new one after restart, just in case, and none of those issues are here. I understand, tho, since are answering dozens of these things at once!
You are like those chess geniuses at the park that play 10 people at the same time...Shall I still run SD Fix?
Finishing up!
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
-------------------------------------------------------------------------------------------------------
D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------------------------
The issue found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then
Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------------------------
Download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.
Double-click OTCleanIt.exe-Click CleanUp
Yes to the "Begin cleanup Process?"
If prompted to Reboot click Yes.
OTScanit will delete when finished, if not delete it by yourself.
Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.
----------------------------------------------------------------------------------------------------------------------
Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.
Additionally CCleaner, run now and every 2 weeks or so as mentioned above.
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to co-exist with other Virus scanners.
Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.
http://www.threatfire.com/Download/
----------------------------------------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
Hostman http://www.abelhadigital.com/
Mike
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
-------------------------------------------------------------------------------------------------------
D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------------------------
The issue found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then
Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------------------------
Download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.
Double-click OTCleanIt.exe-Click CleanUp
Yes to the "Begin cleanup Process?"
If prompted to Reboot click Yes.
OTScanit will delete when finished, if not delete it by yourself.
Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.
----------------------------------------------------------------------------------------------------------------------
Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.
Additionally CCleaner, run now and every 2 weeks or so as mentioned above.
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to co-exist with other Virus scanners.
Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.
http://www.threatfire.com/Download/
----------------------------------------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
Hostman http://www.abelhadigital.com/
Mike
Mike-
I've run through your final instructions, and everything seems to be running peachy! Thank you, thank you, thank you. You and the folks here are doing a great service and I wish you the best. Let me know if it would be helpful to summarize the steps that worked for me...otherwise people can follow the blow-by-blow in the previous postings.
Many thanks and happy trails.
I've run through your final instructions, and everything seems to be running peachy! Thank you, thank you, thank you. You and the folks here are doing a great service and I wish you the best. Let me know if it would be helpful to summarize the steps that worked for me...otherwise people can follow the blow-by-blow in the previous postings.
Many thanks and happy trails.
- Status
Similar threads
Latest posts
-
How to play PS1 Doom on PC (and why you might want to)- amghwk replied
-
Modder builds a Nintendo Wii the size of a deck of cards- WhiteLeaff replied
-
PlayStation 5 Pro will be bigger, faster, and better using the same CPU- Squid Surprise replied
-
Apple is rolling out AirPlay support for TVs in hotel rooms
- RudyBob replied
