
sUBs

Staff
Posts: 10,151
Everything posted by sUBs

  1. Download and run Win32kDiag:

     1. Download Win32kDiag from any of the following locations and save it to your Desktop.
        Download Win32kDiag (Win32kDiag.exe) - #1
        Download Win32kDiag (Win32kDiag.exe) - #2
        Download Win32kDiag (Win32kDiag.exe) - #3
     2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
     3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
     4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
  2. Hmm... I'm assuming that you must already have downloaded Win32kDiag.exe. Please show me the log it produces.
  3. Let's try this first. Delete your existing copy of ComboFix & grab a new copy from here > http://download.bleepingcomputer.com/sUBs/ComboFix.exe

     If it runs, show me the log that it produces. If it doesn't, tell me about it.
  4. This infection is known to cause security programs to throw error messages about having "Access Denied". Let me know if you have any such issues.
  5. By this time, your machine should be pretty much back to its normal state before you got infected. Let me know if that isn't so.

     Open NOTEPAD and copy/paste the text in the quotebox below into it:
     http://www.malwarebytes.org/forums/index.php?showtopic=22333&st=40entry116220

         COLLECT::
         c:\windows\mso.exe
         c:\windows\msm.exe
         c:\windows\msl.exe
         c:\windows\msk.exe
         c:\windows\msj.exe
         c:\windows\msh.exe
         c:\windows\msf.exe
         c:\windows\mse.exe
         c:\windows\msd.exe
         c:\windows\msc.exe
         c:\windows\msb.exe
         FILE::
         c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
         REGISTRY::
         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
         "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
         DRIVER::
         krdpdre

     Save this as "CFScript"
     Referring to the picture above, drag CFScript.txt into ComboFix.exe
     When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

     ---------------

     Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400
     Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

     **Note** To optimize scanning time and produce a more sensible report for review:
       • Close any open programs
       • Turn off the real time scanner of any existing antivirus program while performing the online scan.

     Click Accept, when prompted to download and install the program files and database of malware definitions.
     Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
     Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
     Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
     Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
     Click View scan report at the bottom.
     Click the Save Report As... button.
     Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

     ---------------

     In your next post, please include fresh logs from:
       • Online scan
       • ComboFix's log

     Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
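The REGISTRY:: section of that CFScript writes BootExecute back as a hex(7) byte list. The following is an added example, not part of sUBs' post or of ComboFix, that decodes that byte list (copied from the script above) into the REG_MULTI_SZ strings it represents, so you can see that what is written back is the stock "autocheck autochk *" entry and nothing else. It also handles the UTF-16LE form regedit exports and flags any entry beyond the default, since BootExecute runs from Session Manager before Winlogon. The function names and the second, tampered sample are this example's own.

```python
"""Decode the REG_MULTI_SZ BootExecute value that the CFScript above writes back.

Added example; not part of sUBs' post or of ComboFix. The byte list is copied
from the REGISTRY:: section of the script, and the function names are this
example's own.
"""
import re

# From the CFScript above (the .reg continuation break removed). hex(7) is
# REG_MULTI_SZ: each string ends in NUL, and an extra NUL ends the list.
BOOTEXECUTE_LINE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,'
    '61,75,74,6f,63,68,6b,20,2a,00,00'
)

# What a clean Windows install carries: run autochk (boot-time chkdsk) on all volumes.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]


def parse_reg_hex_line(line):
    """Return (value_name, type_id, data) for one '"name"=hex(N):..' .reg line."""
    m = re.match(
        r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>\d+)\))?:(?P<data>[0-9a-fA-F,\s\\]*)$',
        line.strip(),
    )
    if not m:
        raise ValueError("not a .reg hex value line: %r" % line)
    type_id = int(m.group("type") or "3")  # bare 'hex:' is REG_BINARY (type 3)
    tokens = m.group("data").replace("\\", "").split(",")
    data = bytes(int(tok, 16) for tok in tokens if tok.strip())
    return m.group("name"), type_id, data


def decode_multi_sz(data):
    """Split a REG_MULTI_SZ blob into its strings.

    The script on this page stores one byte per character; regedit exports
    the same value as UTF-16LE (e.g. 61,00,75,00,...). Both are handled: a
    NUL in the second byte position marks the UTF-16LE form.
    """
    if len(data) >= 2 and data[1] == 0 and data[0] != 0:
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    parts = text.split("\x00")
    while parts and parts[-1] == "":
        parts.pop()  # drop the list terminator
    return parts


def check_bootexecute(line):
    """Decode a BootExecute .reg line and flag entries beyond the stock one.

    BootExecute runs from Session Manager before Winlogon, so any entry other
    than the default deserves a look. The CFScript above leaves only the default.
    """
    name, type_id, data = parse_reg_hex_line(line)
    if name != "BootExecute" or type_id != 7:
        raise ValueError("expected a REG_MULTI_SZ BootExecute value, got %s type %d" % (name, type_id))
    entries = decode_multi_sz(data)
    return {
        "entries": entries,
        "is_default": entries == DEFAULT_BOOTEXECUTE,
        "extra": [e for e in entries if e not in DEFAULT_BOOTEXECUTE],
    }


# Constructed input, UTF-16LE as regedit would export it: a second entry has
# been appended after the stock autochk line. The entry name is made up.
TAMPERED_ENTRIES = ["autocheck autochk *", "autocheck added_entry"]
TAMPERED_LINE = '"BootExecute"=hex(7):' + ",".join(
    "%02x" % b for b in ("\x00".join(TAMPERED_ENTRIES) + "\x00\x00").encode("utf-16-le")
)

if __name__ == "__main__":
    print(check_bootexecute(BOOTEXECUTE_LINE))
    print(check_bootexecute(TAMPERED_LINE))
```

Running it prints the decoded list for the script's value (one entry, is_default True) and, for the constructed UTF-16LE sample, the appended entry under "extra". Point the same function at a line exported from a live machine with regedit to compare against the default before and after a fix.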
  6. Once again, that's very well done. We need to run a script similar to the one just now.

     Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

         @Win32kDiag -F -R
         del %0

     Save this as fix.bat
     Choose to "Save type as - All Files"
     It should look like this:

     ## IMPORTANT ##
     Place fix.bat next to Win32kDiag.exe

     Double click on fix.bat & allow it to run
     Post back to tell me what it says
  7. This infection blockaded a lot of tools. We'll try another route then.

     Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

         @Win32kDiag -F -R
         del %0

     Save this as fix.bat
     Choose to "Save type as - All Files"
     It should look like this:

     ## IMPORTANT ##
     Place fix.bat next to Win32kDiag.exe

     Double click on fix.bat & allow it to run
     Post back to tell me what it says
  8. That's very well done again. The machine should be feeling less sluggish now.

     Please delete your existing copy of ComboFix & download a fresh copy from here > http://download.bleepingcomputer.com/sUBs/ComboFix.exe

     Run it and then post the log it produces.
  9. That's very good. Well done. Now we shall proceed to Step#2

     ------------

     STEP #2

     Download The Avenger2 by SwanDog46.
     Unzip avenger.exe to your desktop.

     Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

         Files to move:
         c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

     Now start The Avenger2 by double clicking avenger.exe on your desktop.
     Read the prompt that appears, and press OK.
     Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
     Press the "Execute" button.
     You will be presented with 2 confirmation prompts. Select yes on each.
     Your system will reboot.

     Note: It is possible that Avenger will reboot your system TWICE.

     Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
  10. Let's try using a batch script to replace Step#1. It shall do the copying for us.

      Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

          @COPY /Y C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll C:\Eventlog.dll
          @DIR /A/B C:\Eventlog.dll
          @PAUSE
          @DEL %0

      Save this as MakeCopy.bat
      Choose to "Save type as - All Files"
      It should look like this:

      Double click on MakeCopy.bat & allow it to run
      Post back to tell me what it says
  11. Don't copy it to the C:\I386 folder. We need it to be at the root of drive C:\

      C:\eventlog.dll and NOT C:\i386\eventlog.dll
  12. You are supposed to copy eventlog.dll ...

      FROM: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
      TO: C:\eventlog.dll

      You need to repeat the whole exercise.
  13. Using Windows Explorer, go to this folder - C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

      The file - eventlog.dll - is there.
  14. Let's use manual methods then. A bit tedious but it should get the job done.

      STEP #1

      Locate this file - C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
      Make a copy of the file & place the copy at C:\Eventlog.dll

      ------------

      STEP #2

      Download The Avenger2 by SwanDog46.
      Unzip avenger.exe to your desktop.

      Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

          Files to move:
          c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

      Now start The Avenger2 by double clicking avenger.exe on your desktop.
      Read the prompt that appears, and press OK.
      Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
      Press the "Execute" button.
      You will be presented with 2 confirmation prompts. Select yes on each.
      Your system will reboot.

      Note: It is possible that Avenger will reboot your system TWICE.

      Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
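Posts 10 and 14 above both stage a clean eventlog.dll at the drive root and then have The Avenger swap it over the system32 copy at reboot (the in-place file is locked while the Event Log service holds it). The following is an added example, not part of sUBs' posts, of The Avenger or of ComboFix, that does the staging step and adds the checks worth having before a reboot-time move: the staged copy hashes the same as its source, it actually differs from the file being replaced, and it sits at the drive root the Avenger script names (the point of post 11). The function names are this example's own, the paths in demo() are hypothetical, and the files it creates are constructed stand-ins rather than real DLLs.

```python
"""Stage a replacement eventlog.dll and check it before the reboot-time move.

Added example; not part of sUBs' posts, of The Avenger or of ComboFix. The
function names are this example's own; the files demo() creates are
constructed stand-ins, not real DLLs.
"""
import hashlib
import ntpath
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def at_drive_root(win_path):
    """True for C:\\eventlog.dll, False for C:\\i386\\eventlog.dll (post 11 above)."""
    drive, rest = ntpath.splitdrive(win_path)
    return bool(drive) and rest.startswith("\\") and "\\" not in rest.lstrip("\\")


def avenger_move_script(staged, target):
    """The 'Files to move' script in the form the posts above paste into Avenger."""
    return "Files to move:\n%s | %s" % (staged, target)


def stage_replacement(source, staged, target):
    """Copy source to staged, verify the copy, and compare it with target.

    Returns both hashes, whether the replacement actually differs from the
    in-place file (if not, the reboot move gains nothing) and the Avenger
    script that would perform the swap. Hashes are recorded so the old file
    can be looked up later even though the move will overwrite it.
    """
    shutil.copyfile(source, staged)
    src_hash = sha256_of(source)
    staged_hash = sha256_of(staged)
    if src_hash != staged_hash:
        raise RuntimeError("staged copy does not match its source: %s" % staged)
    target_hash = sha256_of(target) if os.path.exists(target) else None
    return {
        "staged_sha256": staged_hash,
        "target_sha256": target_hash,
        "differs": target_hash != staged_hash,
        "avenger_script": avenger_move_script(staged, target),
    }


def demo(target_differs=True):
    """Run the check on two constructed files in a temp directory.

    cached_eventlog.dll stands in for the SoftwareDistribution copy and
    system32_eventlog.dll for the file being replaced; neither is a real DLL.
    """
    workdir = tempfile.mkdtemp(prefix="eventlog_stage_")
    cached = os.path.join(workdir, "cached_eventlog.dll")
    in_place = os.path.join(workdir, "system32_eventlog.dll")
    staged = os.path.join(workdir, "eventlog.dll")
    clean = b"MZ constructed clean copy"
    with open(cached, "wb") as f:
        f.write(clean)
    with open(in_place, "wb") as f:
        f.write(b"MZ constructed modified copy" if target_differs else clean)
    return stage_replacement(cached, staged, in_place)


if __name__ == "__main__":
    result = demo()
    print("staged:", result["staged_sha256"])
    print("in place:", result["target_sha256"])
    print("differs:", result["differs"])
    # The script exactly as it appears in the posts above:
    print(avenger_move_script(r"c:\eventlog.dll", r"C:\WINDOWS\system32\eventlog.dll"))
```

On a real machine you would call stage_replacement with the SoftwareDistribution path as source, C:\eventlog.dll as staged and C:\WINDOWS\system32\eventlog.dll as target, and check at_drive_root on the staged path before pasting the returned script into Avenger. A "differs" of False means the cached copy is byte-identical to what is already installed, so the infection is elsewhere and the move would change nothing.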
  15. There's quite a few ways of skinning this cat but I like for you to try this first. Download & run this file. Tell me what it says.
  16. Download and run Win32kDiag:

      1. Download Win32kDiag from any of the following locations and save it to your Desktop.
         Download Win32kDiag (Win32kDiag.exe) - #1
         Download Win32kDiag (Win32kDiag.exe) - #2
         Download Win32kDiag (Win32kDiag.exe) - #3
      2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
      3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
      4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
  17. www.bsalsa.com is a legitimate website dealing with freeware software solutions under Borland Delphi. It's also a victim where its fine products are being abused by malware.

      http://en.wikipedia.org/wiki/User_agent
      User agents are text strings embedded in HTTP headers; used specifically for identifying a machine to websites.

      Here are some links describing how banker trojans are adding them to machines:
      http://www.threatexpert.com/report.aspx?md...eace536cbcd39ae
      http://www.threatexpert.com/report.aspx?md...dbad36afc48544b
      http://www.threatexpert.com/report.aspx?md...8c7f132c9485c2f
      http://www.threatexpert.com/report.aspx?md...3e8b1e50742e7d8
      http://www.threatexpert.com/report.aspx?md...4dd25d71ce175d5
      http://www.threatexpert.com/report.aspx?md...58a9265c240cb88
      http://www.threatexpert.com/report.aspx?md...b877a43783a0d7e
      http://www.threatexpert.com/report.aspx?md...79fdcbae972c795

      The entry got flagged because this user agent (not bsalsa.com) is being used for malicious intent; namely as a marker to identify infected machines. It may also be used to facilitate the outward transmission of stolen banking details.

      In a nutshell, the entry is legitimate but being abused by malware. If you aren't using any of bsalsa's products, I suggest you allow MBAM to delete it. Otherwise, you can add it to MBAM's Ignore list.