
[Solved] Yet another case of the System Check virus

Discussion in 'Virus and Malware Removal' started by talasker, Jan 18, 2012.

  1. talasker Newcomer, in training

    Same thing everyone else has. I managed to run Malwarebytes and Super AntiSpyWare a few times ... and now things are sort of, kind of working again. But Windows Task Manager says there is something called "services.exe" and a number of exe files that look suspicious to me. In addition I still don't have full functionality.

    So ... any help you could offer would be most appreciated.

    Thank you.
  2. Broni Malware Annihilator

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. talasker Newcomer, in training

    Malwarebytes log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.14.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Bob :: SUPERCOMPUTER [administrator]

    1/19/2012 8:12:33 AM
    mbam-log-2012-01-19 (08-12-33).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 196986
    Time elapsed: 5 minute(s), 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  4. talasker Newcomer, in training

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-19 08:56:16
    Windows 5.1.2600 Service Pack 3
    Running: up0qpmmk.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\awrcraog.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll

    ---- EOF - GMER 1.0.15 ----
  5. Broni Malware Annihilator

    Your MBAM version is outdated.
    Update, run another scan, post new log.

    Continue with other steps.
  6. talasker Newcomer, in training

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.20.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Bob :: SUPERCOMPUTER [administrator]

    1/20/2012 5:32:27 PM
    mbam-log-2012-01-20 (17-32-27).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 200158
    Time elapsed: 5 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Bob\Local Settings\temp\w1 (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)
  7. talasker Newcomer, in training

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-21 08:10:27
    Windows 5.1.2600 Service Pack 3
    Running: up0qpmmk.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\awrcraog.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Bob\Cookies\K4I5TVZB.txt 0 bytes

    ---- EOF - GMER 1.0.15 ----
  8. Broni Malware Annihilator

    Go on......
  9. talasker Newcomer, in training

    Every time I try and run the DDS application, it locks up the computer. It says it might take a while, but after an hour nothing happens. I've tried to run it half a dozen times, sometimes with Avast running, sometimes without ... and still no luck. Is there something I can try, or something I haven't done or should do, to make this work?
  10. Broni Malware Annihilator

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  11. talasker Newcomer, in training

    I downloaded that program, but was unable to open it. I restarted and still couldn't open it. I downloaded it again, and still nothing. I tried to change the name of the file and again, it would not open and do its thing.
  12. Broni Malware Annihilator

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  13. talasker Newcomer, in training

    I followed your directions and downloaded aswMBR to my desktop. I could not get it to open ...

    I had more luck with Bootkit Remover. Here is the log:


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

    Size Device Name MBR Status
    --------------------------------------------
    1397 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  14. Broni Malware Annihilator

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  15. talasker Newcomer, in training

    ListParts by Farbar
    Ran by Bob on 22-01-2012 at 09:43:41
    Windows XP (X86)
    Running From: C:\Documents and Settings\Bob\My Documents\Downloads
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 28%
    Total physical RAM: 3327.04 MB
    Available physical RAM: 2378.89 MB
    Total Pagefile: 5210.46 MB
    Available Pagefile: 4391.19 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2001.39 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:1397.25 GB) (Free:1055.75 GB) NTFS ==>[Drive with boot components (Windows XP)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 1397 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1397 GB 32 KB
    Partition 2 Unknown 10 MB 1397 GB

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 1397 GB Healthy Boot

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.


    ****** End Of Log ******
  16. Broni Malware Annihilator

    We have a TDL rootkit there.

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Press Tool at the top
    • Choose Open Terminal
    • Type parted /dev/sda set 1 boot on
    • Press Enter
    • Type parted /dev/sda rm 2
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
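
The ListParts output above is the classic TDL layout: the real Windows partition (type 07) is no longer marked active, and a small, hidden-type (17) partition at the very end of the disk carries the active flag, so the BIOS hands control to the rootkit's boot sector first. The two parted commands undo exactly that at the partition-table level. The following Python is an added example, not code from the thread or from any of the tools it names: it parses a 512-byte MBR, flags that layout, and applies the same two changes to an in-memory copy. The MBR bytes are constructed to mirror the ListParts report (the 0x7e00 offset from the Bootkit Remover log, a ~1397 GB NTFS entry, a 10 MB type-17 active entry after it); the sizes are approximations, not values from the poster's disk.

```python
"""
Detect and repair a TDL-style MBR partition table: a small hidden-type
partition marked active while the Windows partition is not.

All data here is CONSTRUCTED for the example; it is not a dump from the
poster's machine, and the "repair" only edits an in-memory copy.
"""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # 4 x 16-byte entries follow the boot code
ENTRY_SIZE = 16
NTFS_TYPE = 0x07
# "Hidden" variants of filesystems Windows would otherwise mount;
# 0x17 (hidden IFS/NTFS) is the type ListParts reported.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_PARTITION_BYTES = 64 * 1024 * 1024


def _entry(status, ptype, lba_start, sectors):
    """One 16-byte MBR entry; CHS fields are filler since tools use LBA."""
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR with boot code zeroed, two entries, 0x55AA signature."""
    win_start = 0x7E00 // SECTOR                 # 63, the offset in the thread's log
    win_sectors = 2_930_000_000                  # about 1397 GB of 512-byte sectors
    rk_sectors = (10 * 1024 * 1024) // SECTOR    # the 10 MB "Partition 2"
    table = (_entry(0x00, NTFS_TYPE, win_start, win_sectors)          # not active
             + _entry(0x80, 0x17, win_start + win_sectors, rk_sectors)  # hidden, active
             + bytes(ENTRY_SIZE) * 2)                                  # two empty slots
    return bytes(PART_TABLE_OFFSET) + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts (1-based index)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i + 1, "active": status == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def tdl_indicators(entries):
    """Human-readable findings; an empty list means the layout looks normal."""
    findings = []
    windows = [e for e in entries if e["type"] == NTFS_TYPE]
    if windows and not any(e["active"] for e in windows):
        findings.append("Windows partition (type 07) is not marked active")
    for e in entries:
        if not e["active"]:
            continue
        if e["type"] in HIDDEN_TYPES:
            findings.append("partition %d is active but has hidden type %02X"
                            % (e["index"], e["type"]))
        if e["sectors"] * SECTOR <= SMALL_PARTITION_BYTES:
            findings.append("partition %d is active but only %d MB"
                            % (e["index"], e["sectors"] * SECTOR // (1024 * 1024)))
    return findings


def repair_mbr(mbr, boot_index=1, remove_index=2):
    """Byte-level equivalent of `parted set 1 boot on` followed by `parted rm 2`.

    Works on a copy and returns it. Only the partition table changes; the
    boot code in bytes 0..445 is left as-is and must be checked separately.
    """
    buf = bytearray(mbr)
    for idx in range(1, 5):
        off = PART_TABLE_OFFSET + (idx - 1) * ENTRY_SIZE
        if idx == remove_index:
            buf[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)   # clear the whole slot
        elif idx == boot_index:
            buf[off] = 0x80                                 # set the active flag
        else:
            buf[off] = 0x00                                 # only one active entry
    return bytes(buf)


if __name__ == "__main__":
    before = build_sample_mbr()
    print("before:", tdl_indicators(parse_mbr(before)))
    after = repair_mbr(before)
    print("after: ", tdl_indicators(parse_mbr(after)) or "no indicators")
```

The detection deliberately needs no knowledge of the rootkit's code: an active partition that is tiny, of a hidden type, or sits past the Windows partition is enough to warrant a look, which is what ListParts' "Suspicious Type" flag is saying. The repair mirrors the parted steps only at the table level; it does not rewrite the 446 bytes of boot code, which is why the thread still asks for an aswMBR log afterwards. Run it on a real disk only from a clean boot environment, as the xPUD steps above do, since on the infected system the rootkit filters what the disk reads return.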
  17. talasker Newcomer, in training

    I tried doing this. I was able to download the GETxPUD.exe. I was able to open it and start the get&burn.bat but I could not get the burner to do its thing. This is getting very frustrating. Nothing I download seems to work. As you pointed out I have a TDL rootkit, but it appears to be blocking every possible "fix."
  18. Broni Malware Annihilator

    Create the CD on another, healthy computer, not on the infected one.
  19. talasker Newcomer, in training

    I will do that tomorrow morning. Fingers crossed. And thank you for being patient and helping me with this.
  20. Broni Malware Annihilator

    You're very welcome