Topic: [Resolved] WIN32.TDSS.rtk problem


Offline citnalta

  • Bronze Member
  • Posts: 24
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #15 on: June 29, 2012, 10:13:28 AM »
Done

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22894
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #16 on: June 29, 2012, 10:17:40 AM »
How is the computer running now?

From the combofix log there is one file I am concerned about. c:\docume~1\Ceri\LOCALS~1\Temp\ldiskl.sys


Please submit a sample of this file:
c:\docume~1\Ceri\LOCALS~1\Temp\ldiskl.sys
to Virus Total: http://www.virustotal.com/

At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors’ scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.


Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline citnalta

Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #17 on: June 29, 2012, 10:20:37 AM »
I get the following pop-up from Windows Essentials:-

Security Essentials detected a potential threat and suspended it.

Click Clean PC to remove this threat.

If I look in the history tab of Windows Essentials in "All detected items" I see an entry as follows:-

Trojan:Win32/Ramnit

I have taken no action on the above. Please advise.

Offline citnalta

Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #18 on: June 29, 2012, 10:30:57 AM »
Hoov,

Internet is running much quicker. I also note that there is much less Hard Drive noise.
However, I still have the problem of accessing any sites which seem to relate to virus protection. To perform the combofix action I had to log on to a different user account and run it from there as I keep getting user name / pw pop-up on my user account.

The same is also true with hxxp://www.virustotal.com/

I will hold off the virus total.com part until you review my previous post regarding the Microsoft Essentials message just in case I should react to the message in a particular way.

Offline Hoov

Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #19 on: June 29, 2012, 10:40:28 AM »
Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.



Start up Malwarebytes' Anti-Malware and update it, then run a quick scan with it. If it finds anything, fix it and post the results. If it finds nothing, post those results instead.

Also, can you post the log from Microsoft Security Essentials that shows what it blocked?


Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #20 on: June 29, 2012, 11:48:09 AM »
rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 29/06/2012 at 18:09:19.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 29/06/2012 at 18:09:27.

The rest to follow shortly.

Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #21 on: June 29, 2012, 12:04:23 PM »
malwarebytes

For the Malwarebytes I can install it, but when I try to execute it I get a blip of an hour glass and then nothing happens.

I have additional information regarding the Microsoft Essentials part but keep getting the following:-

HTTP Error 403 Forbidden
You don't have permission to access

/simplemachinesforum/index.php on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Request Entity Attack: Repeated!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.


Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #22 on: June 29, 2012, 12:11:36 PM »
I await your reply regarding the HTTP Error 403 Forbidden message. I tried again about 2 minutes ago.


Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #23 on: June 29, 2012, 12:13:45 PM »
It seems now I can also access Microsoft and Kaspersky sites via IE and Firefox. No idea how that happened.

Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #24 on: June 29, 2012, 12:35:53 PM »
Microsoft Essentials

I have attached a jpeg file. Hopefully this is useful.

Offline Hoov
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #25 on: June 29, 2012, 05:35:19 PM »
When you get that error from the SpywareHammer server, just zip up the log and post it. There is something in your post triggering the site's security software.

On to your computer.

As you have Malwarebytes installed, let's see if we can get it to run through its protected folder. Do the following:

Select > Start > All Programs > Malwarebytes' Anti-Malware > Tools folder > Malwarebytes Anti-Malware Chameleon:

A new window will open with Chameleon tabs, shown in the screenshots from the first through to the last.

Select tabs in turn until you get a successful run by double-clicking on the tab. Vista and Windows 7 users will have to accept the UAC prompt. If successful you will see the following:

As instructed, press any key to continue. You will now see the following as Malwarebytes attempts to run:

Do nothing, let MB continue; it will try to update:

You may see the following:

Then.....

MB will prompt if successful; do nothing, let it continue.

MB will try to kill known malicious processes; do nothing, let it continue.

MB will try to start a quick scan. If successful the following will open; do nothing, the scan will run automatically.

When complete MB will produce a log; save that and copy it to your next reply.

MB will continue and remove the protective driver. You will then be given the option to "Press any key to continue"; do that.

Let me see the log from Malwarebytes in your reply.


Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #26 on: June 30, 2012, 01:42:50 AM »
The log

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.30.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: MESH [administrator]

30/06/2012 08:19:58
mbam-log-2012-06-30 (08-32-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 309418
Time elapsed: 11 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
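An added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM log format posted above. It flags detections left as "No action taken" (the state Hoov asks about in his next reply) and sections whose declared count does not match the items actually pasted, which catches a truncated copy. The sample log is constructed from the one posted, trimmed to the sections that matter.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Malwarebytes 1.61 log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Scan type: Quick scan

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> No action taken.

Files Detected: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Dict[str, dict]:
    """Map each 'X Detected: N' section to its declared count and parsed items."""
    sections: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            sections[current] = {"declared": int(sec.group("count")), "items": []}
            continue
        # Skip the preamble, blank lines and the "(No malicious ...)" / "(end)" markers.
        if current is None or not line or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            sections[current]["items"].append(item.groupdict())
    return sections


def unresolved_items(text: str) -> List[Tuple[str, str, str]]:
    """Detections MBAM logged but did not clean, i.e. 'Remove Selected' was never clicked."""
    return [(name, it["path"], it["threat"])
            for name, sec in parse_mbam_log(text).items()
            for it in sec["items"]
            if it["action"].lower().startswith("no action taken")]


def count_mismatches(text: str) -> List[str]:
    """Sections whose declared count differs from the items listed (a truncated paste)."""
    return [name for name, sec in parse_mbam_log(text).items()
            if sec["declared"] != len(sec["items"])]
```

Run against the full log from the post, `unresolved_items` returns the one Enum\Root key with "No action taken", which is exactly the entry that still has to be removed.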

Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #27 on: June 30, 2012, 02:10:45 AM »
Hoov,

I'm still waiting for something to happen in the next part (after the first log).

My screen looks like the attached. Cursor is flashing and after saving the previous log the Malware screen is giving me an exit option.

It's been like that for 15 minutes (as of this posting time).

Please advise.

Offline citnalta
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #28 on: June 30, 2012, 02:14:15 AM »
Ah, got it.
Selected Exit and it did as per your screen.

Offline Hoov
Re: [In Progress] WIN32.TDSS.rtk problem
« Reply #29 on: June 30, 2012, 06:35:34 AM »
Did you click "Remove Selected" first? If not, you will have to do it again so you can remove that entry.
