Thread: Click.GiftLoad ... ugh.

  1. #11
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Go ahead and run combofix again once you have connectivity. This is so you can have it install the recovery console. We will write a new mbr to disk. May as well post its log also.
    As a precaution you may want to pull off any content you created like documents, photos, video etc.
    How Can I Reduce My Risk?

  2. #12
    Junior Member
    Join Date
    Apr 2011
    Posts
    10

    Thank you for the info... you mentioned pulling files. If I understand correctly, I would only need to pull files that are on the partition with the system on it and not the whole drive, is that correct? I tried to keep all my OS, apps and data on separate partitions (even though they are on the same drive).

    Could you please verify before I try to peel off any files?

    Thank you very much!

    BTW, I recall the last time I ran Combofix, just before it asked to install the Recovery Console, my firewall caught some program that started with an "N" which I prevented from going out, something like "Nim-something". Is that expected from Combofix and/or should I be worried about that (i.e. should I permit it to get by the firewall?)?

    Thanks again.

  3. #13
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    That chatty file was part of combofix. It occasionally will check for and update itself after prompting you.

    Both dds logs and aswMBR show a rootkit as well as Gmer. Also your AV didn't like the aswMBR .dat file.

    The point of pulling off data is just a precaution: if the new MBR fails for whatever reason your machine just won't boot up. This doesn't mean the files are gone, you could slave the hd to another machine or use a linux distro to get the files. Your files should be fine once you get a bootable machine assuming it didn't work for some reason. Especially since they are on a separate partition. Most machines are not set up this way.
    I meant to ask you; are you getting redirects when you browse the internet?

    We will use the recovery console to write a new mbr to disk.

    You may want to print or write this down so you can follow along:


    Upon a restart of your computer:

    Before Windows boots you will be prompted to choose which Operating System to start. It may flash by quickly and default into Windows. If so restart and try again.

    You want to use the arrow keys to select: Microsoft Windows Recovery Console

    Enter which Windows installation to log onto. Type in the number that corresponds to your Windows installation, usually it's 1: Type in 1 and click Enter.

    You may be prompted for an admin password.

    At the C:\Windows prompt, type what's in the code box below, and click Enter.

    You will be given a standard warning and have to type in the letter y first when asked if you really "want to write a new MBR?" Type in the letter y then click Enter.

    It will be over very quickly.

    Last, back at the C:\ prompt type in exit then click enter to have the machine reboot, it will default into Windows.

    Code:
    fixmbr
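    As an added example (not from this thread, and not part of Combofix, aswMBR or fixmbr): once fixmbr has written a clean MBR, a defender can record a baseline of sector 0 and re-check it later to notice a bootkit rewriting it. The script below parses the 512-byte MBR layout (bootstrap code, four partition entries, 0x55AA signature) and reports which part differs from the baseline. The sample sectors, boot code bytes and partition values are constructed here; reading the real sector 0 (for example from \\.\PhysicalDrive0 on Windows) is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
PART_ENTRY_LEN = 16


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, type, LBA start, sector count; the two 3-byte CHS fields are skipped
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:       # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def mbr_changed(sector: bytes, baseline: dict) -> list:
    """Return the fields that differ from a baseline recorded on a known-clean system."""
    current = parse_mbr(sector)
    return [k for k in ("boot_code_sha256", "partitions") if current[k] != baseline[k]]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS partition, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # entry 0: bootable (0x80), type 0x07 (NTFS), starts at LBA 63, 2,000,000 sectors
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 2_000_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed "clean" boot code, plus a copy whose bootstrap bytes were altered while
# the partition table stays intact, which is the pattern an MBR rootkit leaves behind.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10)
_tampered = bytearray(CLEAN_MBR)
_tampered[0:4] = b"\xeb\x3c\x90\x90"   # simulated modification of the first instructions
TAMPERED_MBR = bytes(_tampered)
BASELINE = parse_mbr(CLEAN_MBR)        # would be stored right after the clean fixmbr

if __name__ == "__main__":
    print("clean:", mbr_changed(CLEAN_MBR, BASELINE))        # []
    print("tampered:", mbr_changed(TAMPERED_MBR, BASELINE))  # ['boot_code_sha256']
```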

  4. #14
    Junior Member
    Join Date
    Apr 2011
    Posts
    10

    I'm hoping the fixMBR task fixed things... it's looking good so far. Here is what I did (in order):

    -Ran Combofix - Log included
    -Ran DDS before fixMBR - Log included (still shows rootkit)
    -Ran Spybot - found Click.Giftload, got rid of it again.

    -ran fixMBR from Recovery Console

    -Ran DDS again - Log included (does not show rootkit anymore)
    -Did not run Spybot, but checked registry for the entry Spybot was looking for; it was no longer there

    I was then able to connect to WindowsUpdate which I was not able to do the past week.

    Currently running ESET's Online scanner (that will take awhile) and will also check with MBAM and Avira scanners for final virus checks. Will let you know how that goes.

    So far so good... again, thanks for your time! Will keep you posted on my scans... Also have HijackThis and OTL I will scan with.

  5. #15
    Junior Member
    Join Date
    Apr 2011
    Posts
    10

    So far, so good... ran ESET's Online Scanner (found 1 potential entry which I was OK being quarantined), MBAM (no findings), Avira (no findings), and Sophos (found a few in a couple of old games I no longer play, so were deleted, also found a couple in the app folder for SUPER, a video conversion app, I let those go as I believe they are likely legit).

    Spybot came up clean as well.

    As far as I can tell, no indication of rootkit anymore from DDS or GMER, though you can look at the DDS log in my previous to see if you see something I missed.

    Hopefully, my computer is clean again...

    Thank you for all your time thus far!

  6. #16
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Looks good. You can remove combofix like this;
    start>run and type in;
    combofix /uninstall
    click ok or enter
    Note the space after the x and before the /

    You can delete the tdsskiller, Gmer and aswMBR icons/logs.
    You can make a new restore point also. The why and the how:

    One of the features of Windows XP, Vista and Windows 7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


    (winXP)

    1. Turn off System Restore. (deletes old, possibly infected restore points)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (creates a new restore point on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Un-check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot

    And last some tips to help you remain malware free:

    10 Tips for Prevention and Avoidance of Malware:
    There is no reason why your computer can not stay malware free.

    No software can think for you. Help yourself. In no special order:

    1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

    5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, read the FAQs. Or see a slide show here and do it yourself. How to harden FireFox for safer surfing.

    10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


    More info/tips with pictures in links below.

    Happy Safe Surfing.

  7. #17
    Junior Member
    Join Date
    Apr 2011
    Posts
    10

    Thank you for all your help!

    Question : does it make sense to keep Combofix, aswMBR, etc, instead of deleting in case there is a need for them in the future?

    Once again, thank you very much for your assistance!

  8. #18
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    You're welcome. In answer to your questions: it's not recommended that one use combofix on their own. aswMBR is a tool just for rootkits and is updated occasionally. It would make more sense to get a copy as needed and I wouldn't use it as a fix without more confirmation that you really do have a rootkit.

    Best thing to do is be an informed user and avoid behavior that might get you a rootkit (social engineering). Also keep Windows and apps updated (vulnerabilities).
    Those are the two ways one gets malware.

    happy safe surfing