Security Shield

ziggy783

New Member
Thread author
Jun 28, 2012
10
I followed instructions from the following url:
http://malwaretips.com/blogs/security-shield-virus/
until the end of step 4 (malwarebytes)
the issues that came up are as follows:
1) Without internet access, I was unable to download the files myself and had to transfer them via memory stick after downloading on my currently functional computer.
2) During step 2, IE never had the option checked for "use a proxy server for your LAN" (i.e. it was already unchecked). Firefox also did not have any proxy server established but I went ahead and clicked on "no proxy". It should be noted that at that point the internet was able to access my proper home page, although I did not do any further web surfing to see if there was continued access to other websites.
3) During step 4, Malwarebytes was unable to update (the update would simply "time out"). I went ahead and ran Malwarebytes (without a reboot beforehand, as per the instructions). After running for well over an hour, it detected several infections. Only the first box was unchecked. I checked the box so that all were checked and clicked on "remove selected" -- at that point the program appeared to freeze. I waited for quite a while and went ahead and restarted (in normal mode).
Unfortunately it led me back to right where I started (with security shield pop-ups). I did not complete any further subsequent steps.
Please assist.
Also, of note, when I ran OTL, at the end there was an error frame that said "Win32 Error. Code: 23. Data error (cyclic redundancy check)".

As implied above, I am downloading/posting from my functional computer (Windows 7) and transferring recommended applications/programs to my infected computer (MS Vista Business).
aswMBR and OTL logs are attached.
Thanks for your help
 

Attachments
  • OTL.Txt (120.7 KB)
  • aswMBR.txt (2 KB)

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Hello ziggy,
While in Normal Mode, are you able to connect to the Internet?

Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Step 1: Download and run Combofix
 
Download ComboFix from one of the following locations: 
Link 1  
Link 2  
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop  
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
    (screenshots: NSIS_disclaimer_ENG.png, NSIS_extraction.png)
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
Jack
Thanks for your help. I also am aware of the risks of this process, but this malware has rendered the computer rather useless at this point, so I have little to lose.
Regarding your inquiry, I am unable to access the internet in normal mode (as above, I was able to at least access the "home page" when I opened IE and Firefox in safe mode with networking). So I will be downloading Combofix on a different computer and transferring it to the infected computer via memory stick, and then installing it on the infected computer.
Before I proceed, should I install and run Combofix in normal mode or in safe mode (with networking)?
Thanks again.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Ok, run Combofix in Normal mode.
Also, while we're here, after running this utility, go ahead and perform a scan with:


Please download Farbar Service Scanner (FSS) from http://download.bleepingcomputer.com/farbar/FSS.exe and run it on the computer with the issue.
  • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
Here is what happened:
- I transferred ComboFix via memory stick to my infected computer desktop in normal mode. I double-clicked the exe file. Soon after I did that a Security Shield pop-up window came up that could not be dragged to move. But then there was an error frame that stated that some exe program (starting with the letter "z" -- sorry, I should have written down the name) was not responding -- it seems like this was related to the Security Shield virus because after ending the Security Shield application using task manager (& the virus pop-ups went away), I was able to click on "I accept" for ComboFix -- it seemed like Combofix ran fine but at the very end there was a frame that popped up and went away so quickly that I didn't even have time to read it. I also searched for the "C:\ComboFix.txt" file (on my desktop, in C: under "my computer" and also using the "Start search" function). Interestingly, my internet access started working at this point (not sure if it was because of the "z" exe file not responding).
- I successfully ran the FSS program, and I have copied/pasted the log below.
- After restarting my computer again, there is no evidence of the security shield pop-up (so far) BUT the computer no longer has internet access. The usual wireless network I use is under "local only" access. Even after disconnecting and then re-connecting again, I still am on "local only" access.


Farbar Service Scanner Version: 25-06-2012 01
Ran by Paulgun (administrator) on 29-06-2012 at 10:03:24
Running from "C:\Users\Paulgun\Desktop"
Microsoft® Windows Vista™ Business Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll
[2009-09-25 14:08] - [2009-04-11 01:28] - 0086528 ____A (Microsoft Corporation) 30A08728740E71947AE1E073B5CE69B4

C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
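As an added example (not part of the thread and not Farbar's own code), the following parser triages an FSS.txt report of the kind posted above: it flags services whose registry key FSS could not open, start types that differ from the default, and files in the "File Check" section without the "MD5 is legit" marker. The embedded sample log is constructed from the lines shown in this report.

```python
"""Triage a Farbar Service Scanner (FSS.txt) report.

Added example; not part of the forum thread and not Farbar's own code.
The three findings a helper looks for first in an FSS log are extracted:
  * services whose registry key FSS could not open ("ATTENTION!" lines,
    the trace left when a rootkit deletes the firewall services),
  * services whose start type deviates from the default,
  * "File Check" entries that lack the "MD5 is legit" marker.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the report in the thread (trimmed).
SAMPLE_LOG = r"""Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\dnsrslvr.dll
[2009-09-25 14:08] - [2009-04-11 01:28] - 0086528 ____A (Microsoft Corporation) 30A08728740E71947AE1E073B5CE69B4

**** End of log ****
"""

_NOT_RUNNING = re.compile(r"^(\S+) Service is not running")
_MISSING_KEY = re.compile(r"ATTENTION!=+> Unable to open (\S+) registry key")
_START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")
_MD5 = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")
_LEGIT = " => MD5 is legit"


@dataclass
class FssFindings:
    stopped_services: list = field(default_factory=list)   # service names
    missing_keys: list = field(default_factory=list)       # service names
    wrong_start_types: list = field(default_factory=list)  # (service, actual, default)
    unverified_files: list = field(default_factory=list)   # (path, md5 or None)


def parse_fss_log(text: str) -> FssFindings:
    """Walk the report line by line; the 'File Check:' header switches mode."""
    found = FssFindings()
    lines = [ln.rstrip() for ln in text.splitlines()]
    in_file_check = False
    for i, line in enumerate(lines):
        if line == "File Check:":
            in_file_check = True
            continue
        if in_file_check:
            # Whitelisted files carry the marker; any other line starting with
            # a drive path is a file FSS could not vouch for, and its details
            # (including the MD5) follow on the next line.
            if line.endswith(_LEGIT) or not _WIN_PATH.match(line):
                continue
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = _MD5.search(nxt)
            found.unverified_files.append((line, m.group(1).upper() if m else None))
            continue
        m = _NOT_RUNNING.match(line)
        if m:
            found.stopped_services.append(m.group(1))
            continue
        m = _MISSING_KEY.search(line)
        if m:
            if m.group(1) not in found.missing_keys:   # one entry per service
                found.missing_keys.append(m.group(1))
            continue
        m = _START_TYPE.match(line)
        if m:
            found.wrong_start_types.append((m.group(1), m.group(2), m.group(3)))
    return found


def severity(found: FssFindings) -> str:
    """A deleted service key needs a repair step (the firewall cannot start);
    the other findings are worth a look but are not proof of infection."""
    if found.missing_keys:
        return "critical"
    if found.wrong_start_types or found.unverified_files:
        return "review"
    return "clean"


if __name__ == "__main__":
    result = parse_fss_log(SAMPLE_LOG)
    print("severity:", severity(result), "| missing keys:", result.missing_keys)
```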
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
1. Ok, let's try to run this OTL fix again.

If you have the paid version of Malwarebytes 1.6 or later installed, please disable it for the duration of this run. Also you should temporarily disable your antivirus.
To disable MBAM:

Open the scanner and select the Protection tab.
Remove the tick from Start protection module with Windows.
Reboot and then run OTL.

(screenshot: mbamstop.jpg)


  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox.
Code:
:OTL
MOD - [2012/06/26 01:22:53 | 000,442,368 | ---- | M] () -- C:\Users\Paulgun\AppData\Local\zgmguisgzf.exe
O4 - HKLM..\Run: []  File not found
O4 - HKCU..\Run: [DW6]  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O33 - MountPoints2\{e330de2a-e90b-11de-9c8c-00197ee642d9}\Shell\AutoRun\command - "" = F:\WDSetup.exe
O33 - MountPoints2\{f59e8bd1-3313-11dc-b3c6-00197ee642d9}\Shell - "" = AutoRun
O33 - MountPoints2\{f59e8bd1-3313-11dc-b3c6-00197ee642d9}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\WDSetup.exe
[1 C:\Users\Paulgun\Desktop\*.tmp files -> C:\Users\Paulgun\Desktop\*.tmp -> ]

[2012/06/26 01:32:30 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/06/26 01:23:30 | 000,018,944 | ---- | C] () -- C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\800000cb.@
[2012/06/26 01:23:30 | 000,012,288 | ---- | C] () -- C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\80000000.@
[2012/06/26 01:23:30 | 000,001,648 | ---- | C] () -- C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\00000001.@

:files
C:\Users\Paulgun\AppData\Local\zgmguisgzf.exe
ipconfig /flushdns /c

:Commands
[createrestorepoint]
[resethosts]
[emptytemp]
  3. Push Run Fix.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click the OK button.
  6. A report will open. Copy and Paste that report in your next reply.
  7. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.

2. Next, let's repair some stuff that can be damaged by malware.
Download Windows Repair by Tweaking.com (http://www.tweaking.com/content/page/windows_repair_all_in_one.html) to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com.
  1. Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  2. Now open this folder and double-click Repair_Windows.exe.
  3. Click the Start Repairs tab on the far right.
  4. Click the Start button (bottom right).
     Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  5. Click Unselect All.
  6. Put a checkmark in the following items:
      • Repair Windows Firewall
      • Repair Hosts File
      • Repair Temp Files
      • Remove Policies Set By Infections
      • Set Windows Services To Default Startup
     Note: Leave everything else unchecked.
  7. Put a checkmark in Restart System When Finished.
  8. Now click the Start button (bottom right).
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
So I have been running OTL for several hours and basically nothing has come up (no error prompt). I'm afraid to click the mouse on it as per the warnings that this could cause problems. But I'm concerned that OTL has frozen? I am not sure if I should turn off the computer (I would essentially have to power off because I am not able to access the start menu to restart -- the only thing visible is the OTL frame and the surrounding desktop wallpaper image -- nothing else, no icons, no start menu visible). Please advise. I will simply leave the infected computer on in the current state until you offer recommendations.
I should also mention that during the process of disabling MBAM, I was finally able to activate the updates (since I finally had internet access at that point). I clicked on "start trial" in order to uncheck the box that you had recommended in order to disable MBAM. But before I did that, Malwarebytes identified that same "z" exe program as a deleterious process and prompted me to decide how to proceed -- I clicked on "quarantine" before proceeding with the "start trial".
As usual, thanks for your assistance
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
Update: I may stand corrected about whether the OTL program is truly "frozen"
The green bar at the bottom of the frame has been moving so I am assuming that this indicates that the process is still active. I will leave this running through the night and then re-check in the morning.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Close the program, and then update and scan with Malwarebytes... post the log when it finishes the scan...
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
I have pasted the MBAM log below.
The MBAM program ran properly and prompted a re-start. I accessed this log after the re-start.
A couple of notes:
- When I click on the "quarantine" tab on MBAM, there are 52 total items noted. Should I "delete all" at this point? If you recall, the exe program starting with the letter z was quarantined by me earlier.
- No more Security Shield pop-ups are coming up
- However, my wireless network status is now "local only" -- no internet
- Also, it appears that hidden files are being shown on the desktop
- Finally, I have not yet run Windows Repair by Tweaking.com -- should I do that at this point?
Thanks




Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18943
Paulgun :: PAULGUN-PC [administrator]

Protection: Disabled

6/30/2012 12:24:24 AM
mbam-log-2012-06-30 (00-24-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 474479
Time elapsed: 2 hour(s), 6 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 9
C:\Users\Paulgun\AppData\Roaming\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Users\Paulgun\AppData\Roaming\SmartShopper\cs (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Users\Paulgun\AppData\Roaming\SmartShopper\cs\db (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Users\Paulgun\AppData\Roaming\SmartShopper\cs\dwld (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Users\Paulgun\AppData\Roaming\SmartShopper\cs\report (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Users\Paulgun\AppData\Roaming\SmartShopper\cs\res1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\SmartShopper\cs (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\SmartShopper\cs\antiphishing (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Detected: 8
C:\Users\Paulgun\AppData\Local\{50904225-4dab-82b5-0359-4c2b153d91d0}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06292012_155455\C_Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06292012_155455\C_Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06292012_155455\C_Windows\Installer\{50904225-4dab-82b5-0359-4c2b153d91d0}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Great! Looks like most of the damage was done by the ZeroAccess rootkit and not the Security Shield rogue :)
Ok, let's run the Windows Repair by Tweaking.com, to see if we can fix your Internet connection.... You have all the instructions above!
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
So without internet access on the infected computer, I am unable to download that directly to the infected desktop.
However, on my functional computer (the one I am using and have been using for my posts), the link for Windows Repair does not seem to be working (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
The connection times out whether I use Firefox or IE.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
The link is OK... However, the site is down right now! We will try later to download it.
http://www.downforeveryoneorjustme.com/http://www.tweaking.com

Let's try this. Please reset the Windows TCP/IP settings by following these steps:
1. Click on the Start button.
2. Go to All Programs.
3. Go to Accessories.
4. Right-click on Command Prompt and select Run as administrator.
5. Enter the below commands. Press the Enter key after each command. Wait for each command to finish before proceeding to the next command.
Code:
netsh int ip reset reset.log
netsh winsock reset catalog
ipconfig /flushdns
exit
6. Restart your computer.
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
The tweaking.com website became functional (and so I ran the program) before I had the chance to see your most recent reply. One thing I noticed -- I have Zone Alarm installed on my infected computer. I had been manually shutting it down during previous steps (as per the previous instructions to shut down anti-virus programs and firewalls). When I had shut down Zone Alarm, prior to the tweaking.com Windows Repair, the internet started working again. After running Windows Repair and subsequently restarting the computer, the network access was local only. However, once I shut down Zone Alarm (which is a start-up program on the computer), the network access became local and internet. So should I simply uninstall Zone Alarm? Reinstall it? I have not yet performed the command prompts from your previous post -- should I go ahead and do those?
Finally, would you be able to guide me on how to hide the "hidden objects" that are now showing up on my desktop.
At least the computer and internet are functional now (as long as I shut down Zone Alarm). Almost done! Thanks so much!!!
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Just uninstall Zone Alarm, as we can later recommend, in our Security Configuration Forum, a better product to replace this firewall. :)
There is no need to run the commands that I've posted in the previous post, if your Internet connection is working now.
Also, if I understand what you are looking for, you can use these steps... See if they work...
To make your hidden files invisible, use these steps:
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Don't show hidden files, folders, and drives, and then click OK.



Now let's run a few scans and we're done.

1. Run a scan with Dr.Web CureIt!
  1. Download Dr.Web CureIt! to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (This link will automatically download Dr.Web CureIt on your computer.)
  2. Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
  3. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  4. Once the short scan has finished, select Complete scan.
  5. Complete scan sometimes takes up to 2 hours to finish, so please be patient.
  6. Click the green arrow at the right, and the scan will start.
  7. Click Yes to all if it asks if you want to cure/move the file.
  8. When the scan has finished, in the menu, click File and choose Save report list.
  9. Save the report to your desktop. The report will be called DrWeb.csv.
  10. Close Dr.Web CureIt.
  11. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  12. Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.

2. Run a scan with ESET Online Scanner
  1. Download the ESET Online Scanner utility: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the ESET installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use.
  4. Click the Start button.
  5. Check Scan archives.
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats.
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Note: when ESET doesn't find any threats, no report will be created.
  10. Push the Back button.
  11. Push Finish.
 

ziggy783

New Member
Thread author
Jun 28, 2012
10
Just thought I'd give an update (so as to not give the impression that I forgot about finishing this).
So here is what happened:
- I ran an express scan with Dr. Web Cureit. This actually took quite a long time (perhaps even more than an hour or two -- not sure because I just left it running without supervising the whole process).
- I then attempted to run the complete scan. The first time I tried, when I clicked "yes to all" when prompted about the first finding, the computer actually crashed (blue screen of death, memory dump). After a restart, I did the express scan again (which took quite a while again), followed by a complete scan (this took nearly 20 hours!). At the end, I don't know if I goofed up because I clicked "select all" (I think there were 3-4 items detected) and then I had a choice between "cure", "move" or "delete" and an error frame popped up. Then I tried to save the report but another error frame popped up, and the program shut down. When I clicked Dr. Web CureIt again I would have been forced to at least run an express scan again. Just wanted to see what you'd advise doing. I have not yet run the ESET online scanner. I also have not yet visited the security configuration forum to install a new firewall protection. I should note that upon restarting (after the Dr. Web CureIt scans) the internet is still working.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
For now let's skip the ESET scan... please run the below software.....
1. Run a scan with ESET Sirefef Remover
Download, save and run the ESET 'Win32/Sirefef' stand-alone malware removal tool and follow the prompts as directed.
ESET Sirefef Remover Download Link: http://download.eset.com/special/ESETSirefefRemover.exe


2. Run a scan with Kaspersky TDSSKiller
Read carefully and follow these steps.
  1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
  2. Double-click on TDSSKiller.exe to run the application.
  3. Click Change parameters.
  4. Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  5. Click on the Start Scan button to begin the scan and wait for it to finish.
     NOTE: Do not use the computer during the scan!
  6. When it finishes, you may see a report that no threats were found. If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  7. If any infection or suspected items are found, you will see a scan results window:
      • If you have files that are shown to fail signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
      • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
      • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. Important! If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  8. Click Continue to apply selected actions.
  9. A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  10. Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and date and time run.
  11. Attach this log to your next reply.

3. Please try to run an OTL scan again.

  1. Please download the OTL utility from here : http://oldtimer.geekstogo.com/OTL.exe
  2. Right-click on OTL.exe and select Run as Administrator to start OTL.
  3. Double click on OTL.exe to run it.
  4. Under the Custom Scan box paste this in:

    Code:
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    /md5start
    atapi.sys
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    csrss.exe
    PrintIsolationHost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
  5. Click the Quick Scan button. The scan won't take long.
  6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Please post these 2 logs in your first reply.




What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):

1. ESET Sirefef Remover
2. TDSSKiller
3. OTL logs

 

ziggy783

New Member
Thread author
Jun 28, 2012
10
Here is what happened.
1) When I ran ESET Sirefef Remover, there was a notification (essentially an error frame) that said that the file "sirefef" was not detected. Subsequently there was no log or txt file provided.
2) The Kaspersky TDSSKiller scan detected 15 suspicious objects (all skipped), no malicious objects. Log attached
3) When i ran an OTL quick scan, there was an error frame that stated the following: "Win32 Error. Code 23. Data error (cyclic redundancy check)". No log or txt file provided.


Internet is working. Hidden files are no longer shown. Everything appears to be functional.
So that's good.
 

Attachments
  • TDSSKiller.2.7.44.0_04.07.2012_15.57.38_log.txt (132.7 KB)

malwarekiller

New Member
Mar 30, 2012
688
Hi, Jack is on holidays.. so I am here :D

Can you re-run ComboFix as Jack said on the first page and attach the log... as Sirefef malware always needs a run of ComboFix.. and also I would like to see what you have now.
 
