
tlopes
Members
Posts: 8
Reputation: 0 Neutral
  1. Thanks again. I didn't know that I could uninstall ComboFix, so I deleted the ComboFix file and removed the Recovery Console entry in boot.ini. Is there anything else to clean up?
  2. Hey man, I grabbed the files from another PC and it worked! It's all good, you can close this, and thanks for your time.
  3. ComboFix 10-11-25.06 - User 26-11-2010 21:55:04.3.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1015.596 [GMT 0:00]
     Executando de: c:\documents and settings\User\Ambiente de trabalho\ComboFix.exe
     AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     .
     (((((((((((((((( Arquivos/Ficheiros criados de 2010-10-26 to 2010-11-26 ))))))))))))))))))))))))))))
     .
     2010-11-24 20:12 . 2004-08-03 23:14 91776 -c--a-w- c:\windows\system32\dllcache\ipnat.sys
     2010-11-24 20:12 . 2004-08-03 23:14 91776 ----a-w- c:\windows\system32\drivers\ipnat.sys
     2010-11-24 20:09 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
     2010-11-24 20:09 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smierrsy.dll
     2010-11-24 20:09 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smimsgif.dll
     2010-11-24 20:09 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smierrsy.dll
     2010-11-24 20:09 . 2004-08-04 12:00 15872 -c--a-w- c:\windows\system32\dllcache\smierrsm.dll
     2010-11-24 20:09 . 2004-08-04 12:00 15872 ----a-w- c:\windows\system32\wbem\snmp\smierrsm.dll
     2010-11-24 20:09 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\snmpstup.dll
     2010-11-24 20:09 . 2004-08-04 12:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll
     2010-11-24 19:56 . 2010-11-24 19:56 -------- d-----w- c:\windows\system32\wbem\Repository
     2010-11-24 18:44 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2010-11-24 18:44 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
     2010-11-24 18:44 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2010-11-24 18:44 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
     2010-11-24 18:44 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
     2010-11-24 18:44 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
     2010-11-24 18:44 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
     2010-11-24 18:44 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
     2010-11-24 18:44 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
     2010-11-24 18:23 . 2001-11-20 16:41 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
     2010-11-24 18:22 . 2001-08-17 20:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
     2010-11-24 18:21 . 2001-08-17 20:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
     2010-11-24 18:20 . 2001-08-17 19:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
     2010-11-24 18:19 . 2001-11-20 15:59 17024 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
     2010-11-24 18:18 . 2001-08-17 20:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
     2010-11-24 18:17 . 2001-08-17 19:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
     2010-11-24 18:16 . 2001-08-17 19:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
     2010-11-24 18:15 . 2001-08-17 20:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
     2010-11-24 18:14 . 2008-04-14 16:08 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
     2010-11-24 18:13 . 2001-11-20 16:13 44041 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
     2010-11-24 18:12 . 2001-11-20 16:40 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
     2010-11-24 18:11 . 2001-08-17 20:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
     2010-11-24 18:10 . 2001-11-20 16:01 16128 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
     2010-11-24 18:09 . 2001-11-20 16:40 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
     2010-11-24 18:08 . 2001-08-17 20:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
     2010-11-24 18:07 . 2001-11-20 16:40 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
     2010-11-24 18:06 . 2001-08-17 19:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
     2010-11-24 18:05 . 2001-11-20 16:12 44103 -c--a-w- c:\windows\system32\dllcache\el515.sys
     2010-11-24 18:04 . 2001-11-20 16:08 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
     2010-11-24 18:03 . 2001-11-20 16:03 14080 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
     2010-11-24 18:02 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
     2010-11-24 16:21 . 2010-11-24 16:21 -------- d-----w- C:\ubuntu
     2010-11-24 13:41 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-11-24 13:41 . 2010-11-24 13:41 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
     2010-11-24 13:41 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-11-24 11:15 . 2010-11-24 11:10 296448 ----a-w- C:\l7dvg7sq.exe
     2010-11-23 18:28 . 2010-11-24 12:49 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
     2010-11-23 18:09 . 2010-11-23 18:09 -------- d-----w- c:\documents and settings\User\Defini
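The "files created" section of a ComboFix log is a flat list that is hard to scan by eye. As an added example (mine, not part of the post and not ComboFix's own code), the Python script below parses that entry layout from a subset of the lines quoted in the log and pulls out the two things a helper would look at first: kernel drivers written into the live drivers directory, and executables dropped straight into a drive root. The column layout (creation time, the file's own last-write time, size, attribute flags, path) is inferred from the lines as posted; the filters are review heuristics, not a verdict, so legitimate installs such as the avast and Malwarebytes drivers land in the driver list too and have to be matched against what the user actually installed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# A subset of the "files created" entries from the ComboFix log posted above.
SAMPLE_LOG = r"""
2010-11-24 20:12 . 2004-08-03 23:14 91776 -c--a-w- c:\windows\system32\dllcache\ipnat.sys
2010-11-24 20:12 . 2004-08-03 23:14 91776 ----a-w- c:\windows\system32\drivers\ipnat.sys
2010-11-24 19:56 . 2010-11-24 19:56 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 18:44 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-24 16:21 . 2010-11-24 16:21 -------- d-----w- C:\ubuntu
2010-11-24 13:41 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-24 11:15 . 2010-11-24 11:10 296448 ----a-w- C:\l7dvg7sq.exe
2010-11-23 18:28 . 2010-11-24 12:49 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
"""

# Layout assumed from the posted lines: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime    # first column: when the file appeared on this disk
    modified: datetime   # second column: the file's own last-write time
    size: Optional[int]  # None for directories (shown as "--------")
    attrs: str           # ComboFix attribute flags, e.g. "-c--a-w-", "d-----w-"
    path: str

    @property
    def is_dir(self):
        return self.attrs[0] == "d"


def parse_entries(text):
    """Parse every line that matches the entry layout; headers and noise are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(datetime.strptime(m["created"], TS_FMT),
                             datetime.strptime(m["modified"], TS_FMT),
                             size, m["attrs"], m["path"]))
    return entries


def kernel_drivers(entries):
    """Kernel drivers written into the live drivers directory (dllcache copies excluded)."""
    return [e.path for e in entries
            if not e.is_dir and e.path.lower().endswith(".sys")
            and "\\drivers\\" in e.path.lower()]


def root_executables(entries):
    """Executables sitting directly in a drive root, an unusual place for legitimate software."""
    return [e.path for e in entries
            if re.match(r"^[a-z]:\\[^\\]+\.(exe|dll|sys)$", e.path, re.IGNORECASE)]


def triage(text):
    """Convenience wrapper: parse a log and return both review lists."""
    entries = parse_entries(text)
    return {"drivers": kernel_drivers(entries), "root_exes": root_executables(entries)}


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_LOG).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Run it against a full ComboFix log by reading the file into `triage()`; the driver list is meant to be compared with the dates the user installed or reinstalled security tools, which is exactly the cross-check the later posts in this thread needed for ipnat.sys.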
  4. Hello again, sorry for being away. It seems that the computer is working OK, but I can't start the firewall. At first it was related to the deletion of ipnat.sys and ndiswan.sys, but I fetched them from an SP2 CD (I do have SP3 installed). Now, when I try to start the Windows XP firewall service manually, I get error 1058. This solution provided by Microsoft does not apply to me; the only hardware profile I have is activated: http://support.microsoft.com/kb/241584 Any ideas?
  5. THANKS MAN, IT WORKED. At least TDSSKiller says it's clean and I'm now able to run OTL. I'll run a few more tools and then I'll post a log so you can see if everything is OK. Which log do you prefer?
  6. As expected, both won't run. They close when I hit scan. Apart from running them from the FAT32 USB disk, I also ran them from the desktop and root, and now both are read-only, hidden and system-protected. How can we find what is creating the C:\WINDOWS\system32\drivers\vbma6b97.sys file?
  7. Thanks kahdah for jumping in. I'm not at the infected computer right now; I'll get back to it in 6 hours. I'll try to run OTL and GMER from the USB pen, but I think they will close as soon as I hit scan. The user in the thread I mentioned in the first post was having the same problem. Can you give me a head start in case OTL and GMER don't work?
  8. Hello guys, I've been reading a lot of threads from multiple forums related to my problem and, after several tips from several users, I eventually managed to clean part of the infection, but now I'm at a dead end. The first time I read a thread that did not end in an operating system install was this one: http://forums.malwarebytes.org/index.php?showtopic=65318

     I just want to add some info. Part of the problem of this virus is that if I run something from an NTFS partition, it will mark that file as read-only, hidden and system-protected. So I'm running and installing all tools on an external FAT32 USB drive.

     rkill gives me this log every time I run it:

     +++++++++++++++++++++++++++++
     This log file is located at C:\rkill.log.
     Please post this only if requested to by the person helping you.
     Otherwise you can close this log when you wish.
     Ran as User on 23-11-2010 at 20:20:15.
     Services Stopped:
     Processes terminated by Rkill or while it was running:
     \\.\globalroot\Device\svchost.exe\svchost.exe
     Rkill completed on 23-11-2010 at 20:20:18.
     +++++++++++++++++++++++++++++++++++++

     I can run SUPERAntiSpyware and it detects Trojan.Dropper/SVCHost-Fake.Process. I have to stop the scan or it will close by itself, but it crashes when I try to remove the infection. When I try to run TDSSKiller it detects infected files and asks for a reboot to delete them, but they will stay there.

     Here are logs from several tries (I chose to post only the relevant part):

     1st run:
     2010/11/23 18:19:33.0654 Detected object count: 1
     2010/11/23 18:19:52.0623 HKLM\SYSTEM\ControlSet001\services\vbma6b97 - will be deleted after reboot
     2010/11/23 18:19:52.0654 HKLM\SYSTEM\ControlSet003\services\vbma6b97 - will be deleted after reboot
     2010/11/23 18:19:52.0670 C:\WINDOWS\system32\drivers\vbma6b97.sys - will be deleted after reboot
     2010/11/23 18:19:52.0670 Locked service(vbma6b97) - User select action: Delete
     2010/11/23 18:19:58.0842 Deinitialize success

     Reboot and 2nd run:
     2010/11/23 18:24:30.0890 Detected object count: 1
     2010/11/23 18:24:44.0812 Locked file(vbma6b97) - User select action: Skip
     2010/11/23 18:24:49.0515 Deinitialize success

     Reboot with a live CD, delete it manually and then a third run:
     010/11/23 18:53:45.0421 Detected object count: 2
     2010/11/23 18:53:58.0796 Forged file(NdisWan) - User select action: Skip
     2010/11/23 18:53:58.0796 Locked file(vbma6b97) - User select action: Skip
     2010/11/23 18:54:02.0515 Deinitialize success

     Again, live CD to delete them manually, 4th run:
     2010/11/23 19:00:16.0218 Detected object count: 2
     2010/11/23 19:00:39.0031 Forged file(IpNat) - User select action: Skip
     2010/11/23 19:00:39.0031 Locked file(vbma6b97) - User select action: Skip
     2010/11/23 19:00:43.0296 Deinitialize success

     I gave up and now I'm here asking for some help. Want to join me in this war? Take the lead and I'll follow.
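The four TDSSKiller runs in the post above show the same pattern each time: an object is queued for deletion at reboot, it is back after the reboot, and from the third run on a patched system driver is reported as a "Forged file". As an added example (mine, not the poster's and not part of Kaspersky's tool), the Python script below parses those log excerpts and answers the two questions a helper reading them would ask: which detections reappeared after a Delete action, and which system drivers were reported as forged. The message shapes are taken from the excerpts as posted (the third run's truncated date is written as 2010 here); TDSSKiller messages that do not appear in the post are not handled.

```python
import re
from dataclasses import dataclass, field

# Relevant TDSSKiller lines from the four runs in the post above, one string per run.
RUN_LOGS = [
    ("1st run", r"""
2010/11/23 18:19:33.0654 Detected object count: 1
2010/11/23 18:19:52.0623 HKLM\SYSTEM\ControlSet001\services\vbma6b97 - will be deleted after reboot
2010/11/23 18:19:52.0654 HKLM\SYSTEM\ControlSet003\services\vbma6b97 - will be deleted after reboot
2010/11/23 18:19:52.0670 C:\WINDOWS\system32\drivers\vbma6b97.sys - will be deleted after reboot
2010/11/23 18:19:52.0670 Locked service(vbma6b97) - User select action: Delete
2010/11/23 18:19:58.0842 Deinitialize success
"""),
    ("2nd run", r"""
2010/11/23 18:24:30.0890 Detected object count: 1
2010/11/23 18:24:44.0812 Locked file(vbma6b97) - User select action: Skip
2010/11/23 18:24:49.0515 Deinitialize success
"""),
    ("3rd run", r"""
2010/11/23 18:53:45.0421 Detected object count: 2
2010/11/23 18:53:58.0796 Forged file(NdisWan) - User select action: Skip
2010/11/23 18:53:58.0796 Locked file(vbma6b97) - User select action: Skip
2010/11/23 18:54:02.0515 Deinitialize success
"""),
    ("4th run", r"""
2010/11/23 19:00:16.0218 Detected object count: 2
2010/11/23 19:00:39.0031 Forged file(IpNat) - User select action: Skip
2010/11/23 19:00:39.0031 Locked file(vbma6b97) - User select action: Skip
2010/11/23 19:00:43.0296 Deinitialize success
"""),
]

# Message shapes as they appear in the posted excerpts.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (?P<msg>.*)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
ACTION_RE = re.compile(
    r"^(?P<kind>Locked service|Locked file|Forged file)\((?P<name>[^)]+)\)"
    r" - User select action: (?P<action>\w+)$"
)
PENDING_RE = re.compile(r"^(?P<target>.+) - will be deleted after reboot$")


@dataclass
class Detection:
    kind: str     # "Locked service", "Locked file" or "Forged file"
    name: str     # service/driver name inside the parentheses
    action: str   # what the user chose: Delete, Skip, ...


@dataclass
class Run:
    label: str
    count: int = 0
    detections: list = field(default_factory=list)
    pending: list = field(default_factory=list)   # targets queued for deletion at reboot


def parse_run(label, text):
    run = Run(label)
    for raw in text.strip().splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (c := COUNT_RE.match(msg)):
            run.count = int(c["n"])
        elif (a := ACTION_RE.match(msg)):
            run.detections.append(Detection(a["kind"], a["name"], a["action"]))
        elif (p := PENDING_RE.match(msg)):
            run.pending.append(p["target"])
    return run


def parse_all(logs=RUN_LOGS):
    return [parse_run(label, text) for label, text in logs]


def persisting_objects(runs):
    """Names that had a Delete action in one run and were detected again in a later run."""
    deleted_so_far, persisting = set(), set()
    for run in runs:
        for d in run.detections:
            if d.name in deleted_so_far:
                persisting.add(d.name)
        for d in run.detections:
            if d.action == "Delete":
                deleted_so_far.add(d.name)
    return sorted(persisting)


def forged_drivers(runs):
    """System drivers TDSSKiller reported as forged (patched) in any run."""
    return sorted({d.name for r in runs for d in r.detections if d.kind == "Forged file"})


def summarize(runs):
    lines = []
    for r in runs:
        dets = ", ".join(f"{d.kind}({d.name})->{d.action}" for d in r.detections) or "none"
        lines.append(f"{r.label}: {r.count} detected; {dets}; {len(r.pending)} queued for reboot")
    return lines


if __name__ == "__main__":
    runs = parse_all()
    print("\n".join(summarize(runs)))
    print("persisting after Delete:", persisting_objects(runs))
    print("forged system drivers:", forged_drivers(runs))
```

A deletion that is queued for reboot and then reappears is the signal that something still running at boot restores the object, which is why the helpers in this thread moved on to offline tools; the forged-driver list is also the list of system files (NdisWan, IpNat) that had to be restored from clean media once the infection was gone.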