
Hello, Malware wizards,

We have a computer that has been infected with a virus that first manifested itself by displaying the “XP Internet Security 2012” scare-screen(s) which I assume you are familiar with. It locks up the computer and leaves you with the basic message amounting to: “We’ve got your computer under our control, and you will not get it back unless you give in to our blackmail and buy our software!”

I could not get ctrl-alt-del to bring up Task Manager, could not run anything from “Start-Run”, or direct click/enter on the EXE in any folder, … nothing.

However, I was able to log off the current user, and log back on under my exclusive ADMIN user account, and from there, I ran Rogue Killer, MBAM (free), and Symantec Anti-Virus, all of which found and supposedly deleted a number of bad files, Registry Entries, etc., etc., and it appeared to have eradicated the virus. When I logged back onto the problem User’s account, everything seemed to be working – seemed like “problem solved” … end of story for that day.

Wrong! The next day, the same user who had the original problem logged on, and immediately had both the redirect virus effects and couldn’t load any programs other than her Browsers.

Today, I was again unable to load any EXEs while logged in under the ‘problem user’s’ account. Since I was able to run anything I wanted from my ADMIN account, but not hers (haven’t figured that part out yet), I figured that I had to find a way to run all of the above programs from her account, or else it would not get rid of the virus(es).

So, I used a ‘secret’ utility/method to get RogueKiller to run while logged into her acct, and then ran MBAM and Symantec again, then DDS and HiJackThis.

I’ve put all of the consecutive reports from RK, MBAM, DDS, and HiJackThis, from both before and after running each program, into a ZIP file, which I will send as soon as requested by you. As a last task, I also ran “Tasklist / SVC” and output it to a text file and attached it as well.

Meantime, I am attaching the results from DDS.txt and Attach.txt to this new post, as instructed.

Thanks in advance for your time and consideration... hope you guys can help.

Enuf2Bdangerous

I forgot to mention that since removing the VQI.exe and associated entries, the "XP Internet Security 2012" stuff has gone away; however, the virus is evidently using the filename "Ping.exe" to execute its tasks, and this fake Ping.exe expands in size the longer it remains loaded ... growing to as much as 300k, I've noticed. While running the anti-malware/anti-virus programs mentioned in my previous post, I kept Taskman open and continuously deleted/killed the Ping.exe process every time it loaded, for whatever that's worth. It seems to reload after a "svchost.exe" process momentarily loads and unloads 5 times (it just flashes in and out of the Taskman screen so fast that I had to do a well-timed Screencap to even be able to read what was flashing).

Hope that helps somehow.

Enuf2Bdangerous

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Lease at 13:12:17 on 2011-12-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.645 [GMT -8:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\ping.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Sharp\Sharpdesk\SharpTray.exe

C:\Program Files\Sharp\Sharpdesk\FtpServer.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sharp\Sharpdesk\nsapp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://webmail.rcmi.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.rcmi.com/exchange/&reason=0

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080626

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\lease\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [indexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe" /n

mRun: [sharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"

mRun: [TypeRegChecker] "c:\program files\sharp\sharpdesk\TypeRegChecker.exe"

mRun: [FtpServer.exe] "c:\program files\sharp\sharpdesk\FtpServer.exe" -usedefault

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxps://www.yardiaspnc7.com/80035rcmi/activexviewer9.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{05676779-9346-4116-8038-5F7985A287EF} : DhcpNameServer = 192.168.1.1

Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll

Notify: LMIinit - LMIinit.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: sqlesw32 - sqlesw32.dll

Notify: Sqlseses - sqlesw32.dll

Notify: VB - sqlesw32.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\lease\application data\mozilla\firefox\profiles\8cab25ji.default\

FF - prefs.js: browser.startup.homepage - hxxps://webmail.rcmi.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.rcmi.com/exchange/&reason=0

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\lease\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-26 47640]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-28 366152]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-11 106104]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-28 22216]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111125.002\naveng.sys [2011-11-25 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111125.002\navex15.sys [2011-11-25 1576312]

R3 TrueSight;TrueSight;c:\windows\system32\drivers\TrueSight.sys [2011-11-30 111872]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 135664]

S2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2004-8-11 14336]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 135664]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-12-01 17:29:36 -------- d-----w- c:\documents and settings\lease\application data\Malwarebytes

2011-12-01 01:01:09 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2011-11-30 17:46:26 37888 ----a-w- c:\windows\system32\sqlesw32.dll

2011-11-28 20:43:43 -------- d-----w- c:\documents and settings\lease\local settings\application data\AskToolbar

2011-11-28 20:06:20 -------- d-----w- c:\program files\Ask.com

2011-11-28 19:56:16 -------- d-----w- c:\documents and settings\all users\application data\Ask

2011-11-28 19:56:08 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-11-28 19:56:08 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-28 19:02:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-11-28 19:02:20 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-11-28 19:02:20 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-11-28 19:02:20 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-11-28 19:02:20 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-11-28 19:02:20 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-11-28 19:02:19 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-11-28 19:02:19 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-11-28 18:05:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-28 18:05:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-28 18:05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-26 23:31:41 436480 ----a-w- c:\windows\system32\0.9089973362036803.exe

2011-11-26 23:01:44 638816 ----a-w- c:\documents and settings\lease\local settings\application data\vqi.exe

2011-11-26 23:01:44 389120 ----a-w- c:\documents and settings\lease\local settings\application data\cmd.vqi.exe

.

==================== Find3M ====================

.

2011-11-28 19:55:58 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-06 17:29:23 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-10-06 17:29:23 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-10-06 17:29:23 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2011-10-06 17:29:23 30592 ----a-w- c:\windows\system32\LMIport.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 13:12:51.30 ===============
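A triage script for the DDS log above, added here as an example (it is not part of the thread, nor of DDS or any of the tools mentioned): it parses the Notify, SERVICES / DRIVERS and Created Last 30 sections and flags the three patterns that stand out in this particular log: one DLL registered under several Winlogon Notify names and created within the last 30 days, a service hosted by svchost.exe under an unfamiliar group name, and freshly created executables with random-looking names or dropped straight into Local Settings\Application Data. The svchost group allowlist and the naming heuristics are assumptions of the example, not anything DDS itself reports.

```python
import re
from collections import Counter, defaultdict

# Constructed input: lines copied from the DDS log in this thread (three sections only).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: sqlesw32 - sqlesw32.dll
Notify: Sqlseses - sqlesw32.dll
Notify: VB - sqlesw32.dll
============= SERVICES / DRIVERS ===============
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-28 366152]
S2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2004-8-11 14336]
=============== Created Last 30 ================
2011-11-30 17:46:26 37888 ----a-w- c:\windows\system32\sqlesw32.dll
2011-11-28 18:05:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 23:31:41 436480 ----a-w- c:\windows\system32\0.9089973362036803.exe
2011-11-26 23:01:44 638816 ----a-w- c:\documents and settings\lease\local settings\application data\vqi.exe
============= FINISH: 13:12:51.30 ===============
"""

# Assumption: a partial list of the svchost groups that ship with XP; any other group is worth a look.
STANDARD_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "localservice",
                           "networkservice", "imgsvc", "httpfilter", "termsvcs"}
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
NOTIFY_RE = re.compile(r"^Notify:\s*(\S+)\s*-\s*(.+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s*(?:\[.*\])?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")

def parse_sections(text):
    """Split a DDS log into {section title: [lines]}; lone dots are DDS spacers."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line and line != ".":
            sections[current].append(line)
    return sections

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(stem):
    """Mostly-digit stems such as 0.9089973362036803 are not how vendors name binaries."""
    return len(stem) >= 8 and sum(c.isdigit() for c in stem) / len(stem) > 0.5

def triage(text):
    """Return (check, detail) findings for the three patterns visible in this log."""
    s = parse_sections(text)
    findings = []
    created = [m.group(1).lower() for m in map(CREATED_RE.match, s["Created Last 30"]) if m]
    new_names = {basename(p) for p in created}
    # 1. Winlogon Notify: one DLL registered under several names, or a DLL created
    #    in the last 30 days (sqlesw32.dll here meets both conditions).
    notify = [(m.group(1), basename(m.group(2)))
              for m in map(NOTIFY_RE.match, s["Pseudo HJT Report"]) if m]
    uses = Counter(dll for _, dll in notify)
    for name, dll in notify:
        if uses[dll] > 1 or dll in new_names:
            findings.append(("notify", f"{name} -> {dll} (refs={uses[dll]}, new={dll in new_names})"))
    # 2. A service hosted by svchost.exe under a group name XP does not use.
    for m in map(SERVICE_RE.match, s["SERVICES / DRIVERS"]):
        grp = m and re.search(r"svchost\.exe\s+-k\s+(\S+)", m.group(2), re.I)
        if grp and grp.group(1).lower() not in STANDARD_SVCHOST_GROUPS:
            findings.append(("service", f"{m.group(1)} uses svchost group '{grp.group(1)}'"))
    # 3. New executables with random-looking names, or dropped straight into
    #    Local Settings\Application Data instead of a vendor folder.
    for path in created:
        name = basename(path)
        parent = path[: -len(name) - 1]
        if name.endswith(".exe") and (looks_random(name[:-4]) or
                                      parent.endswith(r"local settings\application data")):
            findings.append(("created", path))
    return findings
```

Calling triage(SAMPLE_LOG) yields six findings: the three Notify entries that share sqlesw32.dll, the SqlCSS service running under the Sqlses group, and the two executables dropped on 2011-11-26.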


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


To LDTate

Hi Larry,

Thanks for the reply. I am having the user turn on the computer for limited amounts of time, disconnected from the internet, and going through the inventory of files in their "My Documents" and "Desktop" folders to identify for me the files they hope to keep. I will then copy those files to a spare "Safe" computer I keep, and convert all text information in those files to plain text, and recover only the absolutely necessary images, if any, using screen caps and pasting into new JPG's or BMP's.

My plan is to eradicate the virus/malware to the greatest degree possible, and then copy only those documents and absolutely necessary other files onto a flash drive and recover them for the user.

I will then reformat the Hard Drive and reinstall Windows, etc.

So, I would appreciate your continued assistance in removing the malware for that reason. I will be picking up the computer tomorrow to bring it back to my office. What should I do once I have it available?

Thanks!

Enuf2Bdangerous


Yes, I agree... just FYI: The main reason I wanted to go through with the cleaning, however, was so that I can learn what needs to be done, and be prepared for the next infection, since this is the 2nd time the "XP Internet Security 2012" has infected one of our computers in the last 90 days, and the last time, there was nothing that had to be saved, so I just reformatted and reinstalled Windows. But I'm happy to wait until we have a more urgent need for your time and assistance before going through the exercises.

We are trying to identify the source, and we've narrowed it down quite a bit, but I would greatly appreciate any insight you guys have into which sites might be most likely, or known, to be a source of this nasty piece of work ... any clues?

I don't have access to all of the company computers, and only work on them as requested, but the ones I do work on, I am installing MBAM on each.

Two more questions for you, if you don't mind:

1. Do you know if this virus does the bogus "you've been infected" thing as soon as it gets in, or does it have an "incubation period"? ...

2. From what I described, does it sound like all of the symptoms/problems are caused from this one virus, or is it more than one, even if from the same initial source?

Just in case I forgot to mention it before, your help is greatly appreciated.

Thanks,

Enuf2Bdangerous


The infection the pc has is referred to as ZA (ZeroAccess).

It usually comes bundled with other infections so it's seldom the same on each pc.

Is your company using MBAM Pro?

We'll run Combofix and see what it finds.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
