[Resolved] windows update error: code 80244019


  • This topic is locked
80 replies to this topic

#46 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 June 2009 - 06:35 PM

seriouscode, if you have some time and an interest, you can always apply to the classroom. But not until we get you clean. Rules say that you can't have an open thread in Malware Removal at the time of application. Back to the clean bit: can you run DDS in normal mode?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 


#47 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 25 June 2009 - 06:45 PM

No, not yet. That was a safe mode scan.

#48 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 25 June 2009 - 06:50 PM

Normal mode still continues to flash refresh. I can only log in with safe mode.

#49 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 June 2009 - 07:02 PM

:thumbup:
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#50 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 25 June 2009 - 07:07 PM

So where do we go from here?

#51 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 June 2009 - 07:18 PM

I'm still working on it with some colleagues.

Meanwhile, please try this:
Right Click on My Computer on the desktop
Click on Properties
Click on Advanced tab
Click on the Settings button in the Performance area.
Click on Advanced tab
Click on Change button in Virtual memory area
Click radio button in front of No paging File
Click OK
Reboot your computer

Go through the above steps to get to the same place, but this time click the radio button in front of System Managed size
Click OK
Reboot and tell me if there is any difference.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#52 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 June 2009 - 08:59 PM

seriouscode,

Theoretically, win32k.sys should not have needed to be replaced. It should have rebuilt itself and may now be corrupted.

Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    @echo off
    rem Rename (not delete) the suspect win32k.sys; the original is kept as win32k.old.
    ren c:\windows\system32\win32k.sys win32k.old
    rem Remove this script itself; %~f0 is the full path of the running batch file.
    del "%~f0"

  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
  • Double click fix.bat.

Then make find.bat:


  • Click Start , then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    @echo off
    rem Check whether win32k.sys is present after fix.bat renamed it.
    if exist c:\windows\system32\win32k.sys (
        echo file found
    ) else (
        echo File not found
    )
    rem Keep the window open until a key is pressed so the message can be read.
    pause
    rem Remove this script itself; %~f0 is the full path of the running batch file.
    del "%~f0"

  • Save the file to your DESKTOP as "find.bat". Make sure to save it with the quotes.
  • Double click find.bat.
A window will open and say either file found or File not found
hit any key to continue and tell me which message you got.

Edited by Tomk, 25 June 2009 - 09:00 PM.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#53 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 25 June 2009 - 10:37 PM

I got a DOS window saying: File found. Press any key to continue... And so I pressed any key and the DOS window disappeared. What's next? ("What's next?" seems to be my new motto or something in this thread, huh? I'm such a techno weenie lol)

#54 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 June 2009 - 11:00 PM

seriouscode,

Well now. Please reboot and see what happens. (I suspect that your problem will remain). That would indicate that your problem is not related to the file we restored but rather to whatever was scrambling those other files.

Download and transfer Gmer to the infected computer and run. Standard instructions are:

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#55 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 26 June 2009 - 08:01 AM

Tomk, this is the Gmer log file (from safe mode):

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-26 09:54:29
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF867C514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF866B282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF866B474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF867CD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF867CFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF867B3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF867D422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF867C7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF866AF32]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32@ C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL

---- EOF - GMER 1.0.15 ----


#56 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 June 2009 - 08:17 AM

seriouscode, the good news is no scary rootkit. You still have Malwarebytes on that computer. Please run a scan with it.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#57 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 26 June 2009 - 08:23 AM

Just to be clear, can I run it in safe mode?

#58 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 26 June 2009 - 08:55 AM

Tomk,

Here is the Mbam log:



Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 3

6/26/2009 10:52:31 AM
mbam-log-2009-06-26 (10-52-31).txt

Scan type: Quick Scan
Objects scanned: 102283
Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#59 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 June 2009 - 10:37 AM

seriouscode, now I'd like you to go ahead and run ComboFix again. No script. Just double click the icon and run it in safe mode.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#60 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 26 June 2009 - 10:48 AM

and then?
