Author Topic: Malware/Trojans  (Read 26448 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Malware/Trojans
« Reply #15 on: July 28, 2012, 02:33:39 AM »
Hi JackSession,

The RK log looks good. The registry entry isn't any thing to worry about.

Not sure why aswMBR won't run. Are you running it with or without the additional scan with avast? If you are trying to run the avast scan, try it without.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #16 on: July 28, 2012, 02:52:30 AM »
I've had avast! disabled and all the realtime shields off also...

Offline oldman

Re: Malware/Trojans
« Reply #17 on: July 28, 2012, 07:25:05 PM »
Hi JackSession,

Let's see if this will run.

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.


    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If GMER will not run in normal Windows, please run it in Safe Mode.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #18 on: July 28, 2012, 08:46:44 PM »
Hi oldman. Seems to have gotten through GMER. Here's the log. I appreciate your help.

Jack :)

Offline oldman

Re: Malware/Trojans
« Reply #19 on: July 28, 2012, 10:18:03 PM »
Hi JackSession,
Nothing in the GMER log. How is the computer? Any problems?


Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #20 on: July 28, 2012, 10:53:29 PM »
Hi oldman. The computer has been running fine. Here's the TDSS report. Thanks :)

Offline oldman

Re: Malware/Trojans
« Reply #21 on: July 28, 2012, 11:04:06 PM »
Hi JackSession,

Nothing amiss there. Perhaps your computer just doesn't like aswMBR. Happens sometimes.

One more to see if we missed anything.

Go here to run an online scanner from ESET.

(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Disable your antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start.
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats.
  • Click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply.

Note - when ESET doesn't find any threats, no report will be created.

  • Push the Back button.
  • Push Finish.
  • Re-enable your antivirus software.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #22 on: July 29, 2012, 12:55:55 AM »
ESET found some stuff. I attached the report. Thanks :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
« Last Edit: July 29, 2012, 01:00:38 AM by Pondus »

JackSession

  • Guest
Re: Malware/Trojans
« Reply #24 on: July 29, 2012, 01:18:48 AM »
What should I do? Run the Microsoft stuff at the bottom of that link?

Offline Pondus

Re: Malware/Trojans
« Reply #25 on: July 29, 2012, 01:42:45 AM »
No, that was just info, in case it was interesting.

You wait for oldman to continue.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #26 on: July 29, 2012, 01:54:13 AM »
It is interesting. Maybe that explains the blue screens with aswMBR. I've got a machine in the closet that won't go on the internet that I believe has an older version of Vundo. I'd like to clean that one up too, but I think that will be a lot more difficult. Should I assume that all my personal info/passwords etc. have been compromised at this point?

Offline Pondus

Re: Malware/Trojans
« Reply #27 on: July 29, 2012, 02:05:13 AM »
Quote
.ive got a machine in the closet that wont go on the internet that i believe has an older version of vund
It can be done by downloading the tools on a clean machine and moving them over with a USB stick.
You may ask oldman when he is back.

Offline oldman

Re: Malware/Trojans
« Reply #28 on: July 29, 2012, 03:29:39 AM »
Hi,

We can work on your other computer after we finish this one. We can continue in this topic if you wish.

Back to the computer we are currently working on. No worries about the ESET detections. Those are files that we have quarantined or that are in old System Restore points. These will all be removed when we remove the tools.

As for aswMBR not running, I don't think it's malware related. It might be interference from another security program such as MBAM. We can disable it for now and try aswMBR again.

Right-click on the MBAM icon in the systray, choose Exit and then click Yes at the prompt asking "Are you sure you want to disable the MBAM Protection Module?"

MBAM will restart on a reboot. Just a note, if this is the trial version it will stop real time scanning once the trial period is over. Even so it is a very good program and one which I recommend keeping as an on demand scanner.

We'll clean up the tools after you post back.


JackSession

  • Guest
Re: Malware/Trojans
« Reply #29 on: July 29, 2012, 04:38:56 AM »
As a rule of thumb I've been disabling MBAM and avast! before running any of these applications. The only variation I might have is whether FF is open, as some instructions specified to close browsers and some didn't.

My right-click button on my mouse is worn out and doesn't work (initially it was the left click that was worn out, but I switched them up so I can click).

So, to disable MBAM I've been telling it not to start on restart and then restarting. I've tried aswMBR a few times like that and it doesn't look like MBAM is running (red box indicating not enabled) - still got the blue screens.

I'll try aswMBR again a couple more times. It seems to be getting hung up around the same place, so I can try to note where if it helps.