Antivirus System Pro and Combofix


The Antivirus System Pro malware landed on my laptop on Saturday night, and I had to use a friend's machine to save Combofix onto a CD. I loaded it onto my laptop, and everything was solved without a problem in just a few minutes.

On my office PC, I seem to have a different version of the malware that virtually disabled everything, or slowed it to worse than a crawl. I therefore renamed Combofix as one site suggested, and then ran it on my PC while in Safe Mode, and although nothing happened for more than an hour, it eventually completed 50 stages, and then began deleting files and folders. It deleted the following three folders (C:\data, C:\WINDOWS\system32\Cache and C:\WINDOWS\system32\images), but has then done nothing for more than three hours. Should I leave the PC running, in the hope that something will eventually happen, or should I unplug the computer and risk leaving the cleanup in an incomplete state that could cause more problems?


I pulled the plug last night, but was able to log back in using Safe Mode this morning. I followed the advice in the following link http://www.bleepingcomputer.com/forums/topic271019.html, which has caused an alert to appear entitled "CFScript Name Error. Were you trying to run CFScript? The name CFScript appears to be incorrectly spelt."


I have now found a file entitled avast!CacheAgent.exe in my Windows System32 folder, which appeared last Friday (the day when my computer crashed). I assume that this is the cause of my problem. Will the usual malware removal tools be able to solve the problem? So far I have had various problems with ComboFix and Mbam, so I am hoping that RootRepeal will yield better results.


If anybody should encounter avast!CacheAgent.exe, which was created on November 19th, here is what I did to fix it. I manually deleted it from my Windows System32 folder and the Recycle Bin while in Safe Mode. I then ran RootRepeal.exe, after renaming it to RRR.bat, which listed a few problems that I removed by right-clicking on them and selecting the Wipe option. I then rebooted my machine and returned to Safe Mode with Networking, where I could now access the internet again for the first time in four days. I manually deleted MalwareBytes from my machine, as the trojan had corrupted it (including disabling the uninstall option), and then downloaded it again from the internet and reinstalled it. I then performed a quick scan in Safe Mode, which found a few more errors that I removed. After rebooting, I started my machine normally and performed a full scan, and nothing was found. I ran another full scan of my machine using Symantec Endpoint (this had been disabled by the trojan), which also confirmed that everything was clean.


Did you try to run ComboFix using someone else's CFScript?

Let's be sure it's gone.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box, paste this in:

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.
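The `%SYSTEMDRIVE%\atapi.sys /s /md5` style lines in the custom scan above ask OTL to search the whole drive for every copy of a named system file and hash each one, so that a driver or DLL patched by a rootkit stands out against the pristine copy (for example the one kept in dllcache). The script below is an added example, not OTL's code and not anything the posters ran: it reimplements that idea in Python on a constructed temporary directory tree that imitates a Windows layout, with one "modified" copy of atapi.sys planted so the mismatch is visible. All paths and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of_file(path, chunk_size=1 << 16):
    """Hex MD5 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_and_hash(root, filename):
    """Recursively find every file named `filename` under `root` (OTL's /s)
    and hash each copy (OTL's /md5). Returns a sorted list of (path, md5)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Windows file names are case-insensitive, so compare lower-cased.
            if name.lower() == filename.lower():
                full = os.path.join(dirpath, name)
                results.append((full, md5_of_file(full)))
    return sorted(results)


def inconsistent_copies(results):
    """True when copies of the same-named file do not all share one hash,
    which is the signal a reviewer looks for in an OTL /md5 section."""
    return len({digest for _path, digest in results}) > 1


def report(root, filenames):
    """Hash every copy of each listed file name and flag the inconsistent ones."""
    out = {}
    for name in filenames:
        copies = find_and_hash(root, name)
        out[name] = {"copies": copies, "inconsistent": inconsistent_copies(copies)}
    return out


def build_sample_tree():
    """Constructed sample tree (hypothetical contents) imitating an XP system drive:
    the dllcache copy of atapi.sys is 'pristine', the drivers copy is 'patched'."""
    base = Path(tempfile.mkdtemp(prefix="otl_demo_"))
    sys32 = base / "WINDOWS" / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "dllcache").mkdir()
    (sys32 / "dllcache" / "atapi.sys").write_bytes(b"constructed: original atapi driver bytes")
    (sys32 / "drivers" / "atapi.sys").write_bytes(b"constructed: original atapi driver bytes + patch")
    # scecli.dll: both copies identical, so it should not be flagged.
    (sys32 / "scecli.dll").write_bytes(b"constructed: scecli bytes")
    (sys32 / "dllcache" / "scecli.dll").write_bytes(b"constructed: scecli bytes")
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for name, info in report(root, ["atapi.sys", "scecli.dll", "nvstor.sys"]).items():
        flag = "MISMATCH" if info["inconsistent"] else "ok"
        print(f"{name}: {len(info['copies'])} copies, {flag}")
        for path, digest in info["copies"]:
            print(f"    {digest}  {path}")
```

A differing hash between two copies is a prompt for closer inspection, not proof of infection on its own: legitimate hotfixes can leave dllcache and the live driver out of step, which is why the helper's reply asks for the full OTL output rather than acting on one line.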
