So a friend asked me to fix her computer… After hours of removing malware, I find I am left with a rootkit to deal with. MBAM keeps telling me ping.exe is attempting to establish an outbound connection to various IPs.
OK, so I ran the scan and then the fix. I was expecting it to allow me to save a log, but it rebooted upon finishing the fix cycle. So I ran the scan again once it booted back up, and here are the results.
If this procedure requires System Restore to fix the infection then things may be more difficult, since I ran Windows Update after clearing all the malware before I found out there was a rootkit, so it created an infected restore point.
It has been about 4 hours since the fix/reboot and I have not seen any more warnings from MBAM concerning outgoing traffic, or any other warnings in the MBAM log, so looking good so far.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Forgot to uncheck "start with Windows" on MBAM, so it was running after the reboot. Killed it before running the requested scan.
OTL started up with Windows after the reboot and spit out a log file. Hope MBAM starting with it didn't mess up any post-reboot fixes.
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
Running ComboFix now. It will say in the report that it detected AVG, but AVG has been uninstalled for a while now and I can verify that no AVG program files or services are left on this box. It must be detecting some reg entries that never got completely removed on uninstall.
Yeah, this one is quite resilient, and I had already resorted to running ComboFix before I came here, with no luck. And Microsoft Safety Scanner just messed things up to where it would not boot and had to be restored to repair when removing Fakerean.
Blue screened after a bit and then failed to restart Windows… had to restore from the OTL restore point to get it back up. Reaction to ComboFix removing conserv.dll?
OK, I can remove it - it is the new variant - but I do need to see the netsvc name to remove it.
You must have missed scripting this part.
So run OTL again with this in the custom scans box:
[*]Run OTL.
[*]Select All Users
[*]Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open one notepad.
Looking at your other thread, it looks like the dropper posing as a service is: - [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] – C:\Windows\SysNative\SECYPUSB.dll – (SMCB000)
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
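To pull the netsvcs service name and DLL path out of OTL service lines like the one quoted above, here is an added Python example (not part of this thread and not OTL's own code). The field layout is assumed from the single line quoted in the thread, and the second and third sample lines are constructed to show the parser accepts both the "--" separator and the en-dash the forum rendered it as.

```python
import re
from datetime import datetime

# Constructed sample input: the entry quoted in the thread (with and without the
# "SRV" prefix OTL normally writes) plus one made-up entry that is not running.
SAMPLE_LINES = [
    "SRV - [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\\Windows\\SysNative\\SECYPUSB.dll -- (SMCB000)",
    "- [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] – C:\\Windows\\SysNative\\SECYPUSB.dll – (SMCB000)",
    "SRV - [2008/04/14 12:00:00 | 000,021,504 | ---- | M] (Example Corp) [Disabled | Stopped] -- C:\\Windows\\System32\\example.dll -- (ExampleSvc)",
]

# Assumed layout (from the quoted line):
# [timestamp | size | attributes | M] (publisher) [start type | state] -- path -- (service name)
OTL_SERVICE_RE = re.compile(
    r"""^(?:SRV\s*)?-?\s*
        \[(?P<ts>\d{4}/\d{2}/\d{2}\ \d{2}:\d{2}:\d{2})\s*\|\s*
          (?P<size>[\d,]+)\s*\|\s*
          (?P<attrs>\S+)\s*\|\s*
          (?P<flag>[A-Z])\]\s*
        \((?P<publisher>[^)]*)\)\s*
        \[(?P<start>[^|\]]+)\|\s*(?P<state>[^\]]+)\]\s*
        (?:--|–|—)\s*(?P<path>.+?)\s*(?:--|–|—)\s*
        \((?P<service>[^)]+)\)\s*$""",
    re.VERBOSE,
)


def parse_otl_service_line(line):
    """Return a dict of fields for one OTL service line, or None if the line does not match."""
    m = OTL_SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))   # "000,006,656" -> 6656 bytes
    rec["start"] = rec["start"].strip()
    rec["state"] = rec["state"].strip()
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%Y/%m/%d %H:%M:%S")
    return rec


def running_auto_services(lines):
    """(service name, path) for every parsed entry set to Auto start and currently Running."""
    found = []
    for line in lines:
        rec = parse_otl_service_line(line)
        if rec and rec["start"] == "Auto" and rec["state"] == "Running":
            found.append((rec["service"], rec["path"]))
    return found
```

The service name in the last parenthesised field is the value the helper asks for; the path tells you which file the fix line must target.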