Solved

How Can I remove this rootkit virus

Posted on 2012-08-22
Last Modified: 2013-11-22
My boss somehow managed to get a virus on the PC. It's a persistent one and even survived reloading Windows. I looked up the popup his AVG antivirus gives and there are some articles about rootkit viruses. I have tried AVG's scan, Malwarebytes and some sort of Sophos task killer and still cannot get rid of it. It's causing browser redirects etc. I even reloaded the PC and it somehow remained. Is there anything else I can do?
virus.doc.docx
Question by:Axis52401
23 Comments
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38321761
Hi There!
Root kits are a pain.
Did you format the drives when you re-installed windows?

Here is how I attack a root kit-
Boot into TDSS KILLER and delete or quarantine any win32.rootkit or TDSS.filesystem.

Boot into Windows in safe mode and run TDSS KILLER again to delete/cure anything that pops up. The reason I run in MiniXP first is to put it in quarantine so it can't run in the Windows environment. I just removed a rootkit yesterday that stopped TDSSKiller from running...it was fun.

Once completed- Reboot back into safe mode and run Spybot+Malwarebytes at the same time (it's how I roll). Remove anything selected and reboot again.

If it's still there- post back here- if not continue below.

Depending on which root kit you removed (please post), it may corrupt or drop a browser hijack/redirect or even damage your winsock/LSP. Let's hope it didn't do the dirty on the way out.
LVL 2

Author Comment

by:Axis52401
ID: 38321869
I tried the TDSSKiller app with no success.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38321876
@Jason0923 ...as your post mentioned you reloaded Windows, I infer it's safe to assume you would be willing to do it again? If so, this time I would recommend that you actually write 0's to the entire drive prior to reloading the OS. After that I would ensure that you're reloading Windows with a legitimate Microsoft disc or ISO image. If you want to be really careful you could disconnect network access to the infected machine until you have time to create a clean image after the reinstall. DBAN will help you nuke the entire drive. While deeper hardware level root kits do exist, and reside within hardware firmware and/or special areas of your CPU, it's highly unlikely you have this type of infection as the general purpose of these types of root kits is being covert and not openly announcing itself by browser redirects, etc.

After you've created a clean image you can always revert back to it should infection occur again.
LVL 2

Expert Comment

by:Ben_b3n
ID: 38321880
Ok- I'll try again

:)

Boot into Safe mode, once inside run rKill.exe. Hopefully that will run with the result of stopping the processes. Then download and run TDSS Killer; be sure to click on the more parameters and select both boxes under additional options.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 38321884
If you want to attempt the disinfection route (having no real guarantee the system is actually clean) I've had good results with GMER as well.
LVL 2

Author Comment

by:Axis52401
ID: 38321885
I have the Windows OS CD that came with the laptop, so yes, it's a legit copy. I used the format drive option before the reload; you don't think that is enough? It's not connected to the company network yet.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 38321916
At the end of the day it's more probable that it's not a root kit but malware, and your boss is inadvertently downloading and running it after the system has been cleaned/restored... likely through a link obtained via email. After you've restored I recommend you use OpenDNS for all your DNS resolution (and block outbound packets to all other DNS servers) and install Spybot S&D on his PC or a similar program.

LVL 2

Author Comment

by:Axis52401
ID: 38321938
Now it shows this Trojan Horse backdoor (screen shot)
virus.doc.docx
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38321976
It depends if you only formatted one partition (and left another partition which may have contained malware and was executed later on) rather than using the install disc to delete all partitions first and then format the entire drive afterwards. I would also look at each program your boss wants to install after the fact... any installed by email links, etc., and scan with VirusTotal. It probably wouldn't hurt (technically) to only give him local Standard permissions rather than Administrator, so you must be involved whenever he tries to install additional software, etc.

LVL 2

Expert Comment

by:Ben_b3n
ID: 38321988
Jason-
Have you run Spybot and/or Malwarebytes?

If not try running rKill first and then the above programs.

Can you post that whole rKill log?
LVL 2

Author Comment

by:Axis52401
ID: 38322017
The Rkill log:

Rkill 2.3.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/22/2012 01:51:40 PM in x64 mode.
Windows Version: Windows 7 Service Pack 1

Checking for Windows services to stop.

 * No malware services found to stop.

Checking for processes to terminate.

 * No malware processes found to kill.

Possibly Patched Files.

 * C:\Windows\system32\services.exe

Checking Registry for malware related settings.

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

 * Windows Firewall Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   "EnableFirewall" = dword:00000000

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

 * BFE (BFE) is not Running.
   Startup Type set to: Manual

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * AppMgmt [Missing Service]
 * BITS [Missing Service]
 * CscService [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * PeerDistSvc [Missing Service]
 * UmRdpService [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]

 * SharedAccess [Missing ImagePath]

 * BFE => . [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 08:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
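The Rkill log above is the most telling artefact in the thread: a patched and unsigned services.exe, firewall policy keys set to 0, a ZeroAccess "[ZA File]" marker and a string of deleted core services. As an added example (not from the thread, from Rkill or from BleepingComputer), here is a small Python parser for that log format that pulls those integrity findings out into one structure; the CORE_SERVICES list is an assumption drawn from the services the log names.

```python
import re

# Services a stock Windows 7 install has; the log above shows the malware had
# deleted most of them. Assumed list for this example, taken from that log.
CORE_SERVICES = {"BFE", "MpsSvc", "SharedAccess", "WinDefend", "wscsvc",
                 "wuauserv", "BITS", "iphlpsvc"}

_MISSING = re.compile(r"^\s*\*\s+(\S+)\s+\[Missing Service\]$")
_BADPATH = re.compile(r"^\s*\*\s+(\S+)\s+(?:=>.*?\s+)?\[(?:Missing|Incorrect) ImagePath\]$")
_ZAFILE = re.compile(r"^\s*\*\s+(.+?)\s+\[ZA File\]$")          # Rkill's ZeroAccess marker
_NOSIG = re.compile(r"^\s*\*\s+(.+?)\s+\[NoSig\]$")             # unsigned system binary
_REPL = re.compile(r"^\s*\+->\s+(.+?)\s+:\s+.*\[Pos Repl\]$")   # clean copy Rkill located
_REGKEY = re.compile(r"^\s*\[(HK[^\]]+)\]$")

def parse_rkill_log(text: str) -> dict:
    f = {k: [] for k in ("patched_files", "za_files", "firewall_policy_keys",
                         "missing_services", "bad_imagepath", "unsigned_files")}
    section, want_key = "", False   # want_key: "Windows Firewall Disabled" was just seen
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if not line[0].isspace() and line.endswith((".", ":")):
            section = line              # Rkill section headers sit at column 0
            continue
        if want_key and (m := _REGKEY.match(line)):
            f["firewall_policy_keys"].append(m.group(1))
            want_key = False
        elif "Windows Firewall Disabled" in line:
            want_key = True
        elif m := _MISSING.match(line):
            f["missing_services"].append(m.group(1))
        elif m := _BADPATH.match(line):
            f["bad_imagepath"].append(m.group(1))
        elif m := _ZAFILE.match(line):
            f["za_files"].append(m.group(1))
        elif m := _NOSIG.match(line):
            f["unsigned_files"].append((m.group(1), None))   # (path, known-good copy)
        elif (m := _REPL.match(line)) and f["unsigned_files"]:
            path, _ = f["unsigned_files"][-1]
            f["unsigned_files"][-1] = (path, m.group(1))
        elif section.startswith("Possibly Patched Files") and line.lstrip().startswith("* "):
            f["patched_files"].append(line.lstrip()[2:])
    return f

def missing_core_services(f: dict) -> list:
    return sorted(s for s in f["missing_services"] if s in CORE_SERVICES)

def looks_like_rootkit(f: dict) -> bool:
    # Heuristic, not proof: a patched or unsigned system binary together with
    # deleted defensive services is the pattern a ZeroAccess-class infection leaves.
    return bool(f["unsigned_files"] or f["patched_files"]) and bool(missing_core_services(f))

# Excerpt of the Rkill log posted in this thread, blank lines trimmed.
SAMPLE_LOG = r"""Possibly Patched Files.
 * C:\Windows\system32\services.exe
Performing miscellaneous checks.
 * Windows Firewall Disabled
   [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   "EnableFirewall" = dword:00000000
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
Checking Windows Service Integrity:
 * BITS [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]
 * SharedAccess [Missing ImagePath]
 * BFE => . [Incorrect ImagePath]
Searching for Missing Digital Signatures:
 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 08:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
"""

if __name__ == "__main__":
    found = parse_rkill_log(SAMPLE_LOG)
    print(found, missing_core_services(found), looks_like_rootkit(found))
```

The "[Pos Repl]" path is the pristine WinSxS copy Rkill found for the patched binary, which is the file a responder would compare hashes against before trusting any repair.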
LVL 2

Expert Comment

by:Ben_b3n
ID: 38322067
I'm still new here at EE so I'm not sure if I can ask this- But can you post the logs of Malwarebytes and Spybot when completed?

I think it might also be a good idea to run a HijackThis report also.

But like x66 said- If you did a complete re-install and it came back, then someone probably re-downloaded on the computer. BUT- we can still get it off. :-)
LVL 2

Author Comment

by:Axis52401
ID: 38322070
Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.07.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
kombat :: KOMBAT-PC [administrator]

Protection: Enabled

8/7/2012 1:33:44 PM
mbam-log-2012-08-07 (13-33-44).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 314737
Time elapsed: 29 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\kombat\Downloads\7zip_installer_1650.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
LVL 2

Author Comment

by:Axis52401
ID: 38322086
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:06:36 PM, on 8/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Users\kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millhisersmith.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Chicony_OSD] "C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=928
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: BFE - Unknown owner - C:\Windows\.
O23 - Service: Intel® PROSet/Wireless WiMAX Red Bend Device Management Service (DMAgent) - Red Bend Ltd. - C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ChiconyOSDService (OSDSvc) - Chicony - C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\OSDSrv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater12.1.5 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel(R) Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10939 bytes
LVL 2

Expert Comment

by:Ben_b3n
ID: 38322138
Inside HiJackThis-

O23 - Service: BFE - Unknown owner - C:\Windows\.

Check that one for sure

If you don't know these URLs- Check them. (If you don't use Cisco)

O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab

Are you still getting the AVG pop up warning?
LVL 2

Author Comment

by:Axis52401
ID: 38322169
What should I do about
O23 - Service: BFE - Unknown owner - C:\Windows\

The SSL.axis....etc ones are from our office. I'm not familiar with the middle one:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab

Is it something I should remove, and if so how?

LVL 2

Expert Comment

by:Ben_b3n
ID: 38322226
When you do a scan in HijackThis it pops up that log report, but click back on the actual program.

You will see almost the same data as the report, but there will be little boxes in front of each line. Just check that box.
**ONLY CHECK THE BOXES THAT YOU WANT STUFF REMOVED. CLICKING THE WRONG BOXES CAN HURT YOUR COMPUTER.**

Once you have the items you want removed checked, click the button at the bottom of the screen that says "Fix Checked".

About O16-DPF...etc......If you don't know what it is, I would get rid of it. I'm not excited about the folder, file or what it is.

LVL 2

Author Comment

by:Axis52401
ID: 38322261
I followed that and rebooted, and as soon as I opened the browser I got this (screenshot attached): Trojan Horse patched_c.txt AVG error
virus.doc.docx
LVL 2

Accepted Solution

by:
Ben_b3n earned 2000 total points
ID: 38322296
At this stage I would recommend the following only if you are comfortable-

-Download ComboFix.

-Unplug from the internet and deactivate AVG (you might have to uninstall it to get it to stop its on-demand scanning). Also deactivate any other antivirus programs you have running.

-Then Run ComboFix
-Follow the on screen prompts and then let it run. Don't run any other programs or touch anything until it has finished. It may even reboot your computer and continue scanning.
-Eventually it will prepare a log report; please then post that here. (might be easier to attach the file)

@younghv - Good Point =) Thank you

LVL 2

Author Comment

by:Axis52401
ID: 38326502
ComboFix doesn't install like Malwarebytes; it seems to run and then go away. There is no log I can find to attach.

LVL 2

Expert Comment

by:Ben_b3n
ID: 38326604
When you double click ComboFix and start the process a window pops up and extracts all files and then should keep running in the background and eventually pop up with a blue screen and letters. I tell people once you start the process don't do anything to your computer for about 15-20 minutes; if it doesn't pop up the blue screen you have something stopping ComboFix from running.

LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38332621
Jason0923,

Advice above from Vic would do the trick and you may be able to run ComboFix.

However, if that fails then try to rename Combofix.exe to iexplore.exe or explorer.com and try running it.

Once you are able to run it, post the logs, which you can find in C:\

LVL 2

Author Closing Comment

by:Axis52401
ID: 38384735
ComboFix seemed to have worked. I reloaded Windows, ran ComboFix, went through the prompts and it's all working.