Hi, I have seen other post similar to the problem I am having. I use mozilla but get random ie pop ups and constant mouse clicking tones. The volume control mutes itself and I also get random advertisements playing in the background with no video. I use microsoft essentials and get multiple infection results almost everytime I run a scan. I tried restoring to an earlier date but the problem will not go away. Any help would be appreciated as this is the limits of my usual fixes. Thanks,
Solved Ie pop ups,mouse clicking,volume issue and advertisements heard
- Thread starter d7jrobin
- Start date
- Status
Broni
Posts: 56,041 +516
Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
I am trying to run DDS and the instruction box displays but nothing else seems to be happening. I have microsoft essentials turned off and my wireless disconnected. I am not sure if I have any other script protection on. I use windows xp home. Are their other scripts I need to disable. Thanks for the help,
Broni
Posts: 56,041 +516
Download Bootkit Remover to your Desktop.
- You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
- After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
- It will show a Black screen with some data on it.
- Right click on the screen and click Select All.
- Press CTRL+C
- Open a Notepad and press CTRL+V
- Post the output back here.
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
Broni
Posts: 56,041 +516
Open Notepad
Copy and paste following text into Notepad:
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.
Run fix.bat by double clicking.
You may see a black box appear; this is normal.
When done, run remover.exe again and post its output.
Restart computer and let me know, how the machine is doing.
Copy and paste following text into Notepad:
Code:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXITThen in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.
Run fix.bat by double clicking.
You may see a black box appear; this is normal.
When done, run remover.exe again and post its output.
Restart computer and let me know, how the machine is doing.
When I double click fix.bat it says windows cannot find remover.exe in dialog box. I closed it and ran remover again with same result:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
Am I doing this the right way? Thanks again
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
Am I doing this the right way? Thanks again
I downloaded remover to the desktop but got the same results. I redownloaded dds to the desktop and was able to generate logs. Here are the logs from the first steps
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-10 16:31:39
Windows 5.1.2600 Service Pack 3
Running: 4in2yrm3.exe; Driver: C:\DOCUME~1\JASON\LOCALS~1\Temp\awldypog.sys
---- Kernel code sections - GMER 1.0.15 ----
? cffukfi.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[740] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
? C:\WINDOWS\system32\svchost.exe[1892] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- EOF - GMER 1.0.15 ----
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-10 16:31:39
Windows 5.1.2600 Service Pack 3
Running: 4in2yrm3.exe; Driver: C:\DOCUME~1\JASON\LOCALS~1\Temp\awldypog.sys
---- Kernel code sections - GMER 1.0.15 ----
? cffukfi.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[740] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
? C:\WINDOWS\system32\svchost.exe[1892] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- EOF - GMER 1.0.15 ----
Broni
Posts: 56,041 +516
If you have remover.exe on your desktop, please re-do steps from my reply #6.
Don't rush anything.
Make sure, you copy/paste ALL text from my code box. Don't try to type it manually.
Let me know, what happens.
Don't try, or run anything else. At this point, removing rootkit, you're infected with is the main goal.
Don't rush anything.
Make sure, you copy/paste ALL text from my code box. Don't try to type it manually.
Let me know, what happens.
Don't try, or run anything else. At this point, removing rootkit, you're infected with is the main goal.
Sorry about that. Hopefully I got it right this time. Heres the malware again and the two files as txt. Thanks,
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4300
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
7/10/2010 4:06:18 PM
mbam-log-2010-07-10 (16-06-18).txt
Scan type: Quick scan
Objects scanned: 169740
Time elapsed: 10 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4300
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
7/10/2010 4:06:18 PM
mbam-log-2010-07-10 (16-06-18).txt
Scan type: Quick scan
Objects scanned: 169740
Time elapsed: 10 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\0TD8cUuk.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RAuywQ7a.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Here is the info from remover this time,
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Press any key to quit...
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Press any key to quit...
Broni
Posts: 56,041 +516
Good news 
More steps. We only removed the main culprit.
Now, I need:
1. Both DDS logs.
2. Update Malwarebytes, run "Quick Scan", post new log.
3. Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
More steps. We only removed the main culprit.
Now, I need:
1. Both DDS logs.
2. Update Malwarebytes, run "Quick Scan", post new log.
3. Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 2. If Combofix asks you to update the program, always do so.- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
- Status
Similar threads
