
noahdfear

Trusted Malware Techs
  • Content Count: 336
  • Joined

  • Last visited

Posts posted by noahdfear


  1. I'm not seeing anything in your logs that identifies the source of the error messages. Please describe them in more detail.

     

    Download GMER

     

    Right-click and extract it to its own folder on the desktop.

     

    Open the program and click on the Rootkit tab.

    Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.

    Click on Scan.

    When the scan has completed, click Copy and paste the results (if any) into this topic.


    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

     

    Filename: CFScript.txt

    Save As Type: All Files (*.*)

     

    http://forums.pcpitstop.com/index.php?s=&showtopic=163356&view=findpost&p=1552177
    
    Collect::[22]
    c:\windows\system32\drivers\xsqatwof.sys
    File::
    c:\windows\system32\drivers\Ndisprot.sys
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a989412-8707-11db-ad69-000ea65e656a}]
    

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

     

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

     

     

    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates.

     

    Thanks!


    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

     

    Filename: CFScript.txt

    Save As Type: All Files (*.*)

     

    File::
    c:\documents and settings\AJ\Desktop\RohanBotEn1.0.2\NtProcDrv.sys
    c:\windows\system32\f12da82.dll
    c:\windows\system32\1dcf9f62.dll
    c:\windows\system32\drivers\EagleNt.sys
    c:\windows\system32\2bf2a34a.dll
    c:\windows\system32\15d14f90.dll
    c:\windows\system32\wcdrtc32.dl_
    c:\windows\system32\KFUeevI8.exe
    c:\windows\system32\Wh33B63f.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\Tasks\RegCure Program Check.job
    c:\windows\Tasks\RegCure.job
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6688565b-f946-11dc-9ac0-001617ea7e85}]
    Driver::
    NTProcDrv
    

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

     

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

     

    **NOTE - Allow ComboFix to update if prompted.
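    The CFScript format used in posts 2 and 3 above, parsed and sanity-checked in Python. This is an added example, not code from the original posts or from ComboFix itself; it models only the text layout shown there (section headers ending in `::`, one entry per line) and the lint rules and the trimmed sample script are this example's own assumptions about what a well-formed script looks like.

```python
"""Parse and sanity-check a ComboFix CFScript.

Added example for the CFScript posts above; not code from the original
posts nor from ComboFix. Only the text format shown there (File::,
Registry::, Driver::, Collect:: headers followed by one entry per line) is
modelled. How ComboFix acts on each section is not reproduced, and the
lint rules are this example's own assumptions about well-formed entries.
"""
import re
from collections import OrderedDict

# Constructed sample, trimmed from the scripts quoted in the posts above.
SAMPLE_CFSCRIPT = """\
File::
c:\\windows\\system32\\f12da82.dll
c:\\windows\\Tasks\\At1.job
c:\\windows\\Tasks\\At2.job
c:\\windows\\Tasks\\RegCure.job
Registry::
[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{6688565b-f946-11dc-9ac0-001617ea7e85}]
Driver::
NTProcDrv
Collect::[22]
c:\\windows\\system32\\drivers\\xsqatwof.sys
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::(.*)$")        # e.g. 'File::' or 'Collect::[22]'
KNOWN_SECTIONS = ("File", "Registry", "Driver", "Collect")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\].*")      # absolute drive path
REG_KEY_RE = re.compile(r"^\[-?HKEY_[A-Z_]+\\.+\]$")   # [KEY] or [-KEY] (delete)
DRIVER_RE = re.compile(r"^[A-Za-z0-9_.-]+$")          # a service name, not a path


def parse_cfscript(text):
    """Split a CFScript into (sections, tags).

    sections: OrderedDict of section name -> list of entry lines, in order.
    tags: inline text after a header, e.g. the '[22]' in 'Collect::[22]'.
    Lines before the first header (such as a pasted link) are ignored; an
    unknown header such as a mistyped 'Files::' raises ValueError so the
    typo is caught before the script is handed to the tool.
    """
    sections, tags = OrderedDict(), {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, tail = m.groups()
            if name not in KNOWN_SECTIONS:
                raise ValueError("unknown CFScript section: %s::" % name)
            current = name
            sections.setdefault(current, [])
            if tail:
                tags[current] = tail
            continue
        if current is not None:
            sections[current].append(line)
    return sections, tags


def lint_cfscript(sections):
    """Return a list of problem descriptions (empty when the script is clean)."""
    problems = []
    for name, entries in sections.items():
        if not entries:
            problems.append("%s:: has no entries" % name)
        for e in entries:
            if name in ("File", "Collect") and not WIN_PATH_RE.match(e):
                problems.append("%s:: entry is not an absolute path: %s" % (name, e))
            elif name == "Registry" and not REG_KEY_RE.match(e):
                problems.append("Registry:: entry is not a [KEY]/[-KEY] line: %s" % e)
            elif name == "Driver" and not DRIVER_RE.match(e):
                problems.append("Driver:: entry should be a service name: %s" % e)
    return problems


def task_jobs(sections):
    """Names of scheduled-task .job files listed under File::."""
    return [e.rsplit("\\", 1)[-1]
            for e in sections.get("File", [])
            if e.lower().endswith(".job")]


if __name__ == "__main__":
    secs, tags = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in secs.items():
        print("%s:: %d entries %s" % (name, len(entries), tags.get(name, "")))
    print("scheduled task jobs:", task_jobs(secs))
    print("problems:", lint_cfscript(secs) or "none")
```

    Running the parser over a script before dragging it onto ComboFix.exe catches the two mistakes that most often waste a round-trip with the helper: a mistyped section header, which the tool would silently ignore, and a relative or truncated path that would never match the file on disk.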


    You've definitely still got some nasties on board. Let's get them cleaned out. Please visit the following webpage for instructions for downloading and running ComboFix:

     

    How to use ComboFix

     

     

    Download ComboFix by sUBs from here, saving the file to your desktop.

     

     

    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

     

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.

     

    Should your internet for some reason not work again, a restart should fix it (I don't expect that to happen though). ;)


  5. Did you redo the Kaspersky scan as suggested? I would really like to know that it still reports clean.

     

    Remove the quarantine items via the MBAM interface>Quarantine.

     

    Hold off on clearing the restore points till verifying with Kaspersky that the system is clean.


  6. Hi tntroy61,

     

    Your log appears clean. That message basically tells you that your applications are trying to use more RAM than available, and it is increasing the amount of disk space available to store some of the data in RAM that it deems 'less important', allowing the 'more important' data to be processed through the faster RAM. Leo has a pretty good simplistic explanation here.

     

    How much memory is installed?


  7. Your log appears clean. If you want to double check, I suggest an online scan. Instructions follow if you want to.

     

    Do an online scan with Kaspersky Online Scanner

     

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

     

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

     

     

    Post the Kaspersky log here.


  8. Thank you.

     

    First, please open MBAM and select the Logs tab.

    Select the most recent scan and click View, then copy and post that log here.

    If there are several recent logs, post them all.

     

    Next, visit the following webpage for instructions for downloading and running ComboFix:

     

    How to use ComboFix

     

     

    Download ComboFix by sUBs from here, saving the file to your desktop.

     

     

    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

     

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.


  9. Hi Mr Brightside,

     

    I sure would be interested in seeing what MBAM removed. Please see if it's still working after the System Restore operation. If so, click the Logs tab and, if there's a log present, select it then click View. Post its contents here.

     

    System Restore will roll back a number of things, but it generally will not remove rogue files that have been dropped, so let's run a scan tool that might show us if any are present. Please download DDS and save it to your desktop.

    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop.
    Please include the contents of the following in your next reply:

     

    DDS.txt

     

    I may ask for the Attach.txt log later, so keep it handy.


  10. Hi Loothawk,

     

    A bit more information would be helpful here. "Log, please help me" doesn't tell us much. ;)

     

    Please download DDS and save it to your desktop.

    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop.
    Please include the contents of the following in your next reply:

     

    DDS.txt

     

    I may ask for the Attach.txt log later, so keep it handy.


  11. Great! Now open MBAM and remove any items quarantined. Do the same with your resident antivirus.

     

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.

    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    You can delete any other logs that were created/saved too.

     

     

    Glad I could help Kieron. Merry Christmas to you also. Surf safe! :)


    Let's make sure something hasn't been missed. Please do an online scan with Kaspersky Online Scanner

     

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

     

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Post the Kaspersky log here.

    Couple of very strange values in those keys. Since we have backups, let's nuke 'em.

    Highlight and copy the contents of the code box below.

    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_Dlls /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DriveConfiguration /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LegacyDrive /f
    exit
    cls
    
    Click Start>Run and type cmd, then hit Enter to open a command window. Right-click in the command window and select Paste. The command window will close on its own.

     

    Reboot and let me know if everything still behaves normally.
