Need help with MBR Alureon RTK

I saw some earlier posts and tried the suggested fixes, which restored my shortcuts, etc., but the infection is still on the system. RogueKiller did help with the shortcuts. The TDSS software will not run; I even tried renaming it. Malwarebytes ran but really didn’t do anything. I ran ComboFix; it really didn’t do anything I could see.

Avast is still picking up the rootkit issue and blocking outgoing URLs.

Now what?

Thanks

Malwarebytes, ran but really didn't do anything
Was it updated before you scanned?
I ran Combofix, really didn't do anything I could see.
If you have the log, attach it.

Also attach the aswMBR log: http://forum.avast.com/index.php?topic=53253.0

I checked and updated Malwarebytes, then ran a Quick Scan again. I attached the log. The aswMBR software won’t install or run. It opens the Windows “do you want to run this program” pop-up, but it just spins for a second, then nothing. Same thing with the TDSS program.

Hi run_forest_run, welcome to the forum.

To make cleaning this machine easier:
  • Please do not uninstall/install any programs unless asked to. It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested.
  • Please follow all instructions in the order posted.
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Do you have the ComboFix log? It should be found at C:\combofix.txt

Well, on the ComboFix log, that would be a no. Interesting: when I go to the C drive, ComboFix appears as a computer icon and there are no subfolders; it just shows the attached DVD drive and external HD.

Hi run_forest_run,

Looks like ComboFix didn’t finish. Let’s try it again.

Locate the copy of combofix.exe on your desktop. Right click it and click delete.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Link 1 or Link 2 to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

  • If you are using Firefox, make sure that your download settings are as follows:
    Tools -> Options -> Main tab
    Set to “Always ask me where to save the files”.
  • During the download, before you save it to your desktop, rename ComboFix to jgh.exe.
  • It is important you rename ComboFix during the download, but not after.
  • Please do not rename ComboFix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
  • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with:
  • ComboFix log
  • How is the computer?

Thanks

First, thanks for your help. OK, ComboFix ran for an hour and a half and I have attached the log. As far as the computer running, it seems to be OK, running a little faster. I haven’t tried any programs other than Chrome, and I turned Avast back on.

One note to anyone reading this: ComboFix, when you run it, doesn’t run right away. First you get the Windows 7 pop-up to run the program, then a dialog window opens with a bunch of green scrolling text which then closes, then nothing for about a minute or two, then a C prompt window opens and begins its process. So not the normal program start-and-run process.

Follow-up note: Avast has resumed blocking outgoing URLs and is still picking up the Alureon rootkit.

Hi run_forest_run,

Let’s see if we can get a look at this thing.

Delete the copy of aswMBR.exe you have.

Next

Download aswMBR.exe (511KB) and save it to this folder: C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon

Next

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Next

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

OK, well, call me stupid, but obviously I need to create that folder in order to save to it, correct? That said, Windows 7 won’t let me create the folder with the special characters such as ' and \, so I’m not sure how to do that.

Explanation?

Thanks.

I have to run to work so I will be back at this later.

Hi run_forest_run,

You have MBAM installed so that folder is already there.

Try it this way (use Internet Explorer)

  • right click the download link for aswMBR
  • click save target as
  • use the menu on the left side to drill down to the Chameleon folder
  • click save

Your screen should look like the attached image. After you have saved aswMBR please follow the rest of the instructions.

OK, I followed the instructions to the letter and aswMBR.exe won’t run. I get the Windows pop-up to run it but nothing happens. For the first step, I cut and pasted the command line into the Run dialog and ran it. It came back with “press any key to continue”, then loading driver “DONE”, then a 2nd “press any key to continue” appears. I did, then tried to execute the file. Nothing. Tried again, this time not pressing the 2nd “press any key to continue”, and still nothing. Tried 3 times.

So now what?

Thanks.

Hi run_forest_run,

This one is being quite stubborn. We’ll need a flash drive and, if possible, your Windows 7 disk. I included both sets of instructions for running FRST, with and without the disk. Some machines have the System Recovery Options installed while others don’t. Either way will work though.

Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

OR

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Once you have entered the System Recovery Options screen:

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select “Computer”, find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Here you go.

Hi run_forest_run,

That gave us a look at it. Haven’t seen one of those for awhile.

We’ll do this in a couple of posts and from the System Recovery Options screen. We are also going to use the same flash drive we used before.

Download ListParts64 and save it to the flashdrive.

With the flash drive attached to the computer boot to the System Recovery Options screen as you did before.
  • Select the command prompt
  • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run
  • Check the box beside List BCD
  • Press the Scan button

When finished scanning it will make a log Result.txt on the flash drive. Please copy and paste it to your reply.

Thanks and here you go…

Hi run_forest_run,

Sorry this is taking so long but I want to make sure we have all our ducks in a row.

From normal windows please do the following:

  • Click Start
  • Type cmd into the search box
  • Right click on cmd that appears at the top and click Run as administrator
  • Type bcdedit /enum all >%userprofile%\desktop\log.log
    (note: there is a space after bcdedit, a space after enum and one after all)
  • Hit Enter
When it’s finished a notepad named log.log will be on the desktop.

Here is what was created. It doesn’t have anything on it as far as I can tell. I tried twice to be sure.

The message I got both times from the cmd prompt after running the script was: ‘bcedit’ is not recognized as an internal or external command, operable program or batch file.

Hope that helps.

Still running…=;0)

Hi run_forest_run,

Don’t be alarmed if you still receive some detections after this fix. We are only disabling the infection to start with.

There are some additional instructions included at the end in case you have difficulty in booting back to windows when you are finished.

From your flashdrive please delete Results.txt.

Next, download and save to your flashdrive the attached file Fix.txt

Next With the flash drive attached to the computer boot to the System Recovery Options screen.
  • Select the command prompt
  • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run
  • Press the Fix button
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.

When finished scanning it will make a log Result.txt on the flash drive. Please copy and paste it to your reply.

Some additional instructions should you have problems booting to windows after running the fix. Use these only if problems occur.

  • If given the option to do a Repair either cancel it or select “Start Windows Normally”
Did it boot to Windows?

If the computer did not boot properly after selecting “Start Windows normally”:
  • Reboot the computer
  • While the computer is rebooting press F10 to bring up the ‘Edit Boot Options’ screen. (If it’s pressed too early you might get the BIOS screen instead.)

The correct screen looks similar to this (yours will say Vista)

http://www2.gmer.net/img/tdl4_minint.png

  • If it says /minint or int/min after /NOEXECUTE=OPTIN, hit the Backspace key until that entry reads:

/NOEXECUTE=OPTIN

  • Hit Enter

Did the computer boot?

Let me know how you made out or have any problems.

Please post back with:
  • Results.txt
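The bcdedit log requested a few posts earlier and the /minint boot option this post tells the user to look for are the same data seen two ways: bcdedit reports that switch as the loadoptions element of the Windows Boot Loader entry, and its nx element is what the Edit Boot Options screen shows as /NOEXECUTE=OPTIN. As an added example that is not part of the thread or of any tool used in it, the Python below reads a saved `bcdedit /enum all` log (such as the log.log asked for earlier, with a real bcdedit typed this time), splits it into boot entries and flags the ones worth a look: a /MININT load option on an ordinary loader entry, or an element bcdedit cannot name and prints as custom:<id>. The sample output, the custom element id and the cp437 console code page are constructed or assumed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `bcdedit /enum all` output (illustrative, not the
# thread's log). The loader entry carries the /MININT load option this thread
# tells the user to delete from the boot options, and an element bcdedit has
# no name for, which it prints as custom:<id> (the id below is made up).
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
loadoptions             /MININT
custom:2500000a         Yes
"""


def parse_bcd(text: str) -> List[Dict[str, str]]:
    """One dict per boot entry: the block title under '_kind', then each
    element name mapped to the rest of its line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not lines[1].startswith("---"):
            continue                      # not an entry block (bcdedit prints a dashed rule under the title)
        entry = {"_kind": lines[0].strip()}
        for line in lines[2:]:
            if line[:1].isspace():
                continue                  # continuation line of a multi-value element (e.g. displayorder)
            parts = line.split(None, 1)
            if len(parts) == 2:
                entry[parts[0]] = parts[1].strip()
        entries.append(entry)
    return entries


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Heuristics for the tampering this thread deals with: a /MININT load
    option on a normal Windows loader entry, or elements bcdedit cannot name."""
    findings = []
    for e in entries:
        ident = e.get("identifier", "?")
        lo = e.get("loadoptions", "")
        if "minint" in lo.lower():
            findings.append((ident, f"loadoptions={lo!r} (WinPE switch on a normal boot entry)"))
        for key, value in e.items():
            if key.startswith("custom:"):
                findings.append((ident, f"unnamed element {key}={value}; find out what set it"))
    return findings


def check_bcd_log(path: str) -> List[Tuple[str, str]]:
    """Read a log written by `bcdedit /enum all > log.log`. cmd writes it in the
    console code page (cp437 assumed here); odd bytes are replaced, not fatal."""
    with open(path, encoding="cp437", errors="replace") as fh:
        return suspicious_entries(parse_bcd(fh.read()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # python bcdcheck.py %userprofile%\desktop\log.log
        hits = check_bcd_log(sys.argv[1])
    else:                                 # demo on the constructed sample
        hits = suspicious_entries(parse_bcd(SAMPLE_BCD))
    for ident, why in hits:
        print(f"{ident}: {why}")
```

A hit is a reason to keep following the helper's instructions, not a verdict: WinPE and recovery entries legitimately carry /MININT, so the identifier and the entry's path element have to be read together before anything is changed with bcdedit.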

Ran the fix, then the scan, and Windows booted up ok. So no problems. Here are the results of the scan.

Thanks

Hi

OK, let’s see if we can get aswMBR to run now. Any detections so far?

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it. If asked to download Avast’s database please do so.

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with:
  • aswMBR log
  • mbr.zip (attached)

Thanks
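Both aswMBR posts in this thread (the first attempt through Chameleon and this one) end with the MBR.dat dump going to the helper as an attachment. For readers who want to look at such a dump themselves, here is an added example that is not part of the thread or of aswMBR: a Python script that parses a raw 512-byte MBR, lists the partition table, hashes the 446 bytes of bootstrap code so they can be compared with a dump from a clean machine running the same Windows version, and flags structural oddities (missing 0x55AA signature, entries that overlap, run past the end of the disk, or are typed 0x00 yet still point somewhere). It assumes MBR.dat is a raw copy of sector 0; the disk size, partition layout and bootstrap bytes of the two sample dumps are constructed for the demo.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE      # 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xAA"
# status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
# LBA of first sector, number of sectors; all little-endian
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(data: bytes) -> dict:
    """Split a raw MBR (assumed to be what aswMBR writes to MBR.dat) into a
    bootstrap-code hash, the partition entries and a boot-signature check."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"need {MBR_SIZE} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        # An MBR bootkit has to replace this code; the partition table usually
        # stays intact, so the hash is the thing to compare against a clean dump.
        "code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "signature_ok": data[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
        "partitions": parts,
    }


def check_mbr(data: bytes, disk_sectors: Optional[int] = None,
              baseline_code_sha256: Optional[str] = None) -> List[str]:
    """Structural checks on the partition table plus an optional comparison
    of the bootstrap code against a known-good hash."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if baseline_code_sha256 and mbr["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code sha256 differs from baseline")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    used = []                                     # (index, start, end) of real entries
    for p in mbr["partitions"]:
        i = p["index"]
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0x00:
            if p["lba_start"] or p["sectors"]:
                findings.append(f"entry {i}: type 0x00 but LBA fields are non-zero")
            continue
        if p["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{p['type']:02x} with zero length")
            continue
        end = p["lba_start"] + p["sectors"]
        if disk_sectors is not None and end > disk_sectors:
            findings.append(f"entry {i}: runs past end of disk ({end} > {disk_sectors})")
        for j, s, e in used:
            if p["lba_start"] < e and s < end:
                findings.append(f"entry {i}: overlaps entry {j}")
        used.append((i, p["lba_start"], end))
    return findings


def unallocated_tail(data: bytes, disk_sectors: int) -> int:
    """Sectors between the last partition and the end of the disk. This rootkit
    family keeps its hidden storage in unpartitioned space at the end of the
    drive, so an unexpectedly large tail is worth a second look."""
    ends = [p["lba_start"] + p["sectors"] for p in parse_mbr(data)["partitions"] if p["type"]]
    return disk_sectors - max(ends, default=0)


def build_mbr(entries, code: bytes = b"\x33\xC0\x8E\xD0" + b"\x00" * 442,
              signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed test data, not a real dump: entries are
    (status, type, lba_start, sectors) tuples; code is 446 bytes."""
    table = bytearray(64)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, table, 16 * i, *entry)
    return code + bytes(table) + signature


DISK_SECTORS = 41_943_040                           # 20 GiB disk, assumed
CLEAN_MBR = build_mbr([(0x80, 0x07, 2_048, 204_800),          # 100 MB system partition
                       (0x00, 0x07, 206_848, 41_734_144)])    # C:, ends 2048 sectors early
TAMPERED_MBR = build_mbr(
    [(0x80, 0x07, 2_048, 204_800), (0x00, 0x07, 206_848, 41_734_144),
     (0x00, 0x00, 41_940_992, 2_048)],               # "empty" entry still pointing at the tail
    code=b"\xEB\x58\x90" + b"\x00" * 443)            # bootstrap code no longer matches

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                            # python mbrcheck.py MBR.dat
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        baseline, disk = None, None
    else:                                            # demo on the constructed sample
        data, baseline, disk = TAMPERED_MBR, parse_mbr(CLEAN_MBR)["code_sha256"], DISK_SECTORS
    info = parse_mbr(data)
    print("bootstrap sha256:", info["code_sha256"], "| signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(p)
    for finding in check_mbr(data, disk, baseline):
        print("FINDING:", finding)
```

A changed code hash or a non-empty findings list is a reason to keep going with the helper's instructions rather than proof on its own, and a clean-looking partition table proves nothing either: this family lives in the bootstrap code and outside the partitions, which is exactly why the helper wants the raw dump and not a screenshot of Disk Management.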