13th June 2011, 03:42 AM
TST Member (joined May 2009, 54 posts): Windows XP Restore Infection
Running XP SP3 32 bit on a Dell Precision 390.
Visited a mainstream news site today and got hit with a "Windows XP Restore" attack.
Made my desktop invisible, disabled Task Manager, cleared out my quickstart list, removed many of my installed programs from the start list, and no doubt did other things too which I am not aware of. Also seems that none of my daily restore 'checkpoints' will work either ...
Followed the steps in Malware Removal Tutorial.
Superantispyware got Task Manager back, while mbam got my desktop back.
Please see all three logs, attached.
Thanks in advance for any help.
Best, Foglight
Last edited by FogLight; 13th June 2011 at 10:12 AM.
13th June 2011, 11:31 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
You may not have killed the threatware before the fix, so if there is still a problem, run the following from a USB drive, in this order. You can download these from bleepingcomputer.
1 - RKill
2 - ComboFix
3 - Malwarebytes'
Running the fix this way will minimise damage from the latest edition of this threatware, which will damage the file association in the registry with .exe and .com files. Try something like Word or Notepad to check.
__________________ Confuse and Prosper.
13th June 2011, 10:40 PM
TST Member (joined May 2009, 54 posts)
Thank you for stopping by, Albert - your response is appreciated.
Based on the last 'issue' ("Inspiron Windows 7 64-bit Infection from Website visit") the TST experts here helped me resolve, and I certainly couldn't have done it without that help, before leaving the house this morning I began an mbam full scan, which did find four infections somehow related to trojans and adware.
These were successfully quarantined and deleted.
Following that I then ran hijackthis again ...
Both of those new logs are posted here.
I will go ahead and run the 3 tools you have noted.
Best Regards, Foggy
14th June 2011, 01:04 AM
TST Member (joined May 2009, 54 posts)
Just a quick update here after running rKill and ComboFix ...
After downloading both tools from bleepingcomputer, I decided to scan them both with McAfee. McAfee didn't have a problem with rKill, but quarantined ComboFix because McAfee detected the signature of 'NirCmd', which it didn't seem to like at all ...
I looked up NirCmd and found it to be a command line tool of some sort, so I went ahead and ran both programs ...
rKill ran silently and then after a few minutes stopped using CPU time, but stayed in the task list. I manually killed it ...
Then I ran ComboFix and my system immediately locked up ... I had to pull the plug to get a reboot ...
After rebooting, I stopped all non-Microsoft services (McAfee, basically), rebooted, and started ComboFix again and it seemed to run a while, then erased itself from the desktop, but seems to have left a log file which is attached to this post ...
So, then I start up mbam, get the latest update, and run it, and McAfee immediately quarantines all these programs running from my root directory, all of which have 'NirCmd' somewhere in their name ... about six of these programs were quarantined ...
So, then I noticed I have over 50,000 encrypted files in McAfee's quarantine directory, and I thought I'd erase them all before restarting mbam so it would complete faster ...
I've never tried to erase 50,000 files at once out of a single directory, and it's been running now for at least half an hour, but it's a lot of files, and I think I'll just let it run to see if it completes ...
I've got some issues with IE8, where any link from a Google search seems to redirect to some other kind of a search page ... so, I've got to copy and paste the link from the Google results up into the address bar to get to where the URL actually is ...
Anyways, when mbam completes its full scan, I'll post the log here -- probably tomorrow morning before I am out of the house ...
Best, Foglight
14th June 2011, 10:10 AM
TST Member (joined May 2009, 54 posts)
mbam completed its full scan sometime during the night and did find and quarantine a single trojan of some sort. mbam was able to successfully delete this item. It then asked me to reboot, which I did ...
The log is posted here for review.
Before posting here I did check IE8 and found that I am still being 'redirected' to advertising sites when following links from a Google search ... what's up with this?
I will be out during the day today after making this post, and plan to check back in here this evening around 6pm EDT.
Hopefully I will get some feedback by then.
Have a good day - Foglight.
14th June 2011, 05:17 PM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
If Mbam says it cleared everything, believe it!
I would also clear out all the temp files in c:\windows\temp and also in c:\documents and settings\[username]\local settings\temp as well.
Also I would stop using IE and use FireFox instead.
__________________ Confuse and Prosper.
14th June 2011, 11:21 PM
TST Member (joined May 2009, 54 posts)
I've looked around some on the internet and see there is lots of 'buzz' about the 'Google redirect virus' ... sounds like I still have an infection, methinks ...
Anyways, my feelings are somewhat 'ambivalent' at this point, Albert, since you made no comment about 'NirCmd' nor about the single entry in the 'catchme.log' left on my desktop after ComboFix finished, which says, "File "D:\WINDOWS\system32\drivers\volsnap.sys" added successfully" ...
After looking up this driver I find it has something to do with the disk drive ...
If you feel up to it, perhaps a few words about these issues might be helpful.
In any case, thanks for your time and interest up to this point.
Best, Foglight
15th June 2011, 07:45 AM
TST Oracle (joined Jul 2008, 8,171 posts, Location: UK Norfolk)
You should not run ComboFix with your antivirus enabled, and there should be a text log, usually in C:\ComboFix.txt.
It would be interesting to see what it found.
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
Last edited by Blackmirror; 15th June 2011 at 08:28 AM.
15th June 2011, 08:14 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
Hi
I would trust ComboFix over McAfee every time. It was not long ago that a McAfee update added a Windows file to the threat list and promptly removed it. Windows stopped in its tracks. I encouraged my clients who suffered from this appalling incompetence to claim my fee back from McAfee which I understand they were paid without a quibble.
Volsnap.sys is a Windows system file and should be in the directory you mention. It can get infected, but I think not in your case - but check that it is either 52,352 bytes or 49,152 bytes. It is the volume shadow copy driver.
__________________ Confuse and Prosper.
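Two of the replies in this thread suggest manual checks: that the .exe/.com file associations in the registry are intact (11:31 AM reply) and that volsnap.sys has one of the two known sizes quoted above. The script below, added here and not posted by any thread participant, performs both as read-only checks; the association values it compares against are the standard Windows defaults, and the driver sizes are the ones quoted in the reply above.

```powershell
# Added example (not from the thread): read-only checks only, nothing is modified.
# Expected association values are the standard Windows defaults.
$expected = @{
  'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
  'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
  'Registry::HKEY_CLASSES_ROOT\.com'                       = 'comfile'
  'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command' = '"%1" %*'
}
foreach ($key in $expected.Keys) {
  # '(default)' is the unnamed value the shell uses to resolve the association
  $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
  if ($actual -eq $expected[$key]) { "OK     $key" }
  else { "CHECK  $key -> '$actual' (expected '$($expected[$key])')" }
}

# volsnap.sys sizes quoted in the reply above; $env:SystemRoot also covers a D: system drive
$knownSizes = 52352, 49152
$drv = Join-Path $env:SystemRoot 'system32\drivers\volsnap.sys'
if (Test-Path $drv) {
  $len = (Get-Item $drv).Length
  if ($knownSizes -contains $len) { "OK     volsnap.sys is $len bytes" }
  else { "CHECK  volsnap.sys is $len bytes, not one of $($knownSizes -join ', ')" }
} else { "CHECK  $drv not found" }
```

A "CHECK" line for the association keys is consistent with the .exe/.com damage the reply describes; any mismatch should be compared against a known-good machine before anything is changed.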
15th June 2011, 10:00 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
Moot point Donna - it works quite happily under Kaspersky!
__________________ Confuse and Prosper.
15th June 2011, 10:13 AM
TST Oracle (joined Jul 2008, 8,171 posts, Location: UK Norfolk)
It might work quite happily, Albert, but it's advised to disable all antivirus. A guide and tutorial on using ComboFix says:
Quote: "Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix."
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
15th June 2011, 11:11 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
There is more than one way of skinning a cat - I prefer to let the resident AV package allow the scan rather than turn off the AV altogether - does not always work though!
__________________ Confuse and Prosper.
15th June 2011, 11:22 PM
TST Member (joined May 2009, 54 posts)
Ok, guys -- I'll disable McAfee and try ComboFix again ...
Thanks for stopping by!
15th June 2011, 11:40 PM
TST Member (joined May 2009, 54 posts)
So, I d/loaded ComboFix from bleepingcomputer again to the desktop, then using msconfig I disabled McAfee, rebooted and ran ComboFix again ...
It completed in well under a minute after unzipping lots of files including netscape.exe and explorer.exe (I tried to watch, but my memory is poor and the lines zipped by) ...
Anyways, ComboFix seems to have left an updated 'catchme.log' on the desktop, which is posted here for your review.
16th June 2011, 01:01 AM
TST Member (joined May 2009, 54 posts)
Where is everybody?!!
I am being redirected six ways from Tuesday ...
16th June 2011, 08:00 AM
TST Oracle (joined Jul 2008, 8,171 posts, Location: UK Norfolk)
Can you post the ComboFix log please? It is usually in C:\ComboFix.txt.
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
16th June 2011, 09:50 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
Your last catchme log failed - try running another one for us?
__________________ Confuse and Prosper.
16th June 2011, 10:25 AM
TST Member (joined May 2009, 54 posts)
Thanks for your comment, Blackmirror.
There is no ComboFix log at c:\ or d:\, which in my case is the %systemdrive% ...
16th June 2011, 11:06 AM
TST Member (joined May 2009, 54 posts)
Here's the catchme.log and hjt log ...
I have to leave for the day now - have a good one.
I hope somebody comments.
17th June 2011, 07:59 AM
TST Oracle (joined Dec 2007, 8,001 posts, Location: Market Haemorrhoids, Middle England)
I have had a look at the HJT log and it does not show anything nasty BUT I think your McAfee installation is all bitter and twisted. I would uninstall it - use RevoUninstaller from MajorGeeks.com to make sure you clear all of it away - and then reinstall. If you must. Personally I hate the thing and will not have McAfee on any system of mine.
__________________ Confuse and Prosper.