
I have paid for the full version of Malware and today I got this worm.win.32.netsky

Malware ran an auto scan last night - so I figure I'm up to date

Malware won't launch

Safemode does not seem to work anymore

I have tried to load malware from a USB drive, changed the name, downloaded it with a random.exe name - but when I do that I get "Error Code 730 (0,0)"

- I have gone into the LAN settings of IE and checked off "auto detect" but still get the same error. Please HELP!

this does not look right:

O4 - HKLM\..\Run: [Pzehufeworitul] rundll32.exe "C:\WINDOWS\eracakihevatepin.dll",Startup

I want to delete it but figured I'd check here

here is my log file from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:47:12 PM, on 2/15/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\MediaMall\MediaMallServer.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\PeerBlock\peerblock.exe

C:\DOCUME~1\PC\LOCALS~1\Temp\msdtctr.exe

C:\Program Files\InternetSecurity2010\IS2010.exe

C:\Documents and Settings\PC\Desktop\Virus Removal Tool\setup_9.0.0.722_16.02.2010_02-12\setup_9.0.0.722_16.02.2010_02-12.exe

C:\DOCUME~1\PC\LOCALS~1\Temp\drwatson64ex.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071126

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071126

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pzehufeworitul] rundll32.exe "C:\WINDOWS\eracakihevatepin.dll",Startup

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\PC\LOCALS~1\Temp\msdtctr.exe

O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O4 - Startup: setup_9.0.0.722_16.02.2010_02-12.lnk = C:\Documents and Settings\PC\Desktop\Virus Removal Tool\setup_9.0.0.722_16.02.2010_02-12\startup.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://gcom2.on.intercall.com/confmgr/inst...ICWMInstall.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229994623953

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 10929 bytes


You can fix all these items in HJT and then reboot afterward:

O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\PC\LOCALS~1\Temp\msdtctr.exe

O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O4 - Startup: setup_9.0.0.722_16.02.2010_02-12.lnk = C:\Documents and Settings\PC\Desktop\Virus Removal Tool\setup_9.0.0.722_16.02.2010_02-12\startup.exe

Please follow the directions located in this removal guide:

http://www.bleepingcomputer.com/virus-remo...t-security-2010

If you encounter problems completing the instructions, post back and I'll try to resolve them.


I was able to get into safe mode: and I deleted the files you told me to

I restarted in regular mode this time:

so I tried to do a system restore from a couple of days ago. However, I pick a date, go to the next page, and when I click "next" to proceed with the restore nothing happens :) I can go back or cancel

so I ran iexplore.exe and it halted some items.

I was able to download mbam-setup, but when I click run, nothing happens

Should I uninstall the copy of malwarebytes I have installed? then try again... Why can't I run this from a thumb drive without getting the 730 (0,0) error?

is there a way I can just restore from a point without going through system tools menu

at least I'm making progress - thanks


To start System Restore using the Command prompt, follow these steps:

1. Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.

2. Use the arrow keys to select the Safe mode with a Command prompt option.

3. If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.

4. Log on as an administrator or with an account that has administrator credentials.

5. At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.

6. Follow the instructions that appear on the screen to restore your computer to a functional state.


The infection is blocking MBAM.

Try this set of instructions and afterward I need to see the Combofix log please

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard, save it as ARKQ.txt and paste it in a reply back here
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - click the Rootkit/Malware tab, and then select the Scan button.
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

====

Please download Combofix from one of these locations: HERE or HERE

I want you to rename Combofix.exe as you download it to rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Navigate to Start --> Run, and copy/paste the command shown in RED, exactly as shown (it assumes you renamed Combofix to rayman.exe), then hit Enter:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post ARKQ.txt and C:\ComboFix.txt in your next reply.


Fix all of these in HJT:

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O4 - HKLM\..\Run: [Pzehufeworitul] rundll32.exe "C:\WINDOWS\eracakihevatepin.dll",Startup

O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\PC\LOCALS~1\Temp\msdtctr.exe

O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O4 - Startup: setup_9.0.0.722_16.02.2010_02-12.lnk = C:\Documents and Settings\PC\Desktop\Virus Removal Tool\setup_9.0.0.722_16.02.2010_02-12\startup.exe

This loads a malicious DLL into memory where its code can then be executed!

O4 - HKLM\..\Run: [Pzehufeworitul] rundll32.exe "C:\WINDOWS\eracakihevatepin.dll",Startup

p.s. I'm in the Westchester area too

Cool! :)

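As an added example (not code from the thread or from any tool it mentions), here is a small Python script that applies the same triage reasoning to the O4 Run lines of a HijackThis log: it parses each entry, splits out the program being launched, and flags a startup item when it runs from a Temp folder, when rundll32 loads a DLL sitting directly in C:\WINDOWS rather than in system32, or when the value name matches the rogue product named above. The sample lines are copied from the log posted in this thread; the heuristics are my assumptions for illustration, not a complete rule set.

```python
import ntpath
import re

# Constructed sample input: six O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Pzehufeworitul] rundll32.exe "C:\WINDOWS\eracakihevatepin.dll",Startup
O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\PC\LOCALS~1\Temp\msdtctr.exe
O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"""

# HijackThis O4 format: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Value names the thread identifies as a rogue "security" product (lower-cased for comparison).
KNOWN_ROGUE_NAMES = ("internet security 2010",)


def split_command(cmd):
    """Split a Run-value command line into (program, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(program, args):
    """Return the DLL path a rundll32 command loads, or None if this is not rundll32."""
    if ntpath.basename(program).lower() != "rundll32.exe":
        return None
    return args.split(",", 1)[0].strip().strip('"')


def suspicious_reasons(entry):
    """Apply the triage heuristics (assumed, not exhaustive) to one parsed O4 entry."""
    program, args = split_command(entry["cmd"])
    reasons = []
    low = program.lower()
    if "\\temp\\" in low or "\\locals~1\\" in low:
        reasons.append("executable runs from a temporary directory")
    dll = rundll32_target(program, args)
    if dll is not None and ntpath.dirname(dll).lower().rstrip("\\") == "c:\\windows":
        reasons.append("rundll32 loads a DLL dropped directly in the Windows folder")
    if entry["name"].strip().lower() in KNOWN_ROGUE_NAMES:
        reasons.append("value name matches a rogue product named in this thread")
    return reasons


def triage(log_text):
    """Return [(hive, name, command, reasons)] for every O4 Run entry that raises a flag."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry["hive"], entry["name"], entry["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for hive, name, cmd, reasons in triage(SAMPLE_LOG):
        print(f"{hive} [{name}] {cmd}")
        for reason in reasons:
            print("    -", reason)
```

Run against the sample it reports exactly the three entries the helper told the poster to fix; legitimate vendor entries in system32 and Program Files stay quiet.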

hi negster22 sorry it has taken me a day to reply back (but I had to re-run anti-rootkit this morning in safe mode - the computer froze this morning when I went to save my log file)

here are my files.

However - I started to run "rayman" install in safe mode - and it detected some root problems and it rebooted my computer - however upon reboot my anti-virus software kicked on as ComboFix finished the process.

So should I re-run comboFix?

What ever it did once it rebooted - allowed me to run my McAfee (which deleted 3 trojans)... and my computer is no longer freezing after 5 minutes

However - I still get the 730 (0,0) error on malware bytes.

ARK.txt

ARKQ.txt

ComboFix.txt


Do not rerun Combofix yet. I am going to give you a script to run that targets three remaining drivers but it looks like Combofix got rid of your rootkit (that is the root problem that Combofix detected and removed).

Just do a rescan with the Antirootkit program in the mean time but ONLY do the QUICK scan and save the log as ARKQ2.txt. Post that in your next reply and I'll give you the script for rerunning Combofix tomorrow (Friday) because it's late. Thanks!


Ok - I ran anti virus last night and superantispyware (they detected and deleted a couple more items) However - I'm not happy until Malware is able to run.. I still get the 730 (0,0) error.

here is the file you requested - will this get malwareytes to run again?

thanks again for your help and checking back :lol:

ARKQ2.txt


Your rootkit infection is gone now and that was your major issue believe me. The MBAM error is most likely "fall out" from this infection.

I want you to try the steps in this procedure because your infection was active until just recently! Pay special attention to steps 5 - 20, which describe renaming the MBAM EXE files before installing and scanning.

http://www.bleepingcomputer.com/virus-remo...essentials-2010

In the meantime, I'll try to research what a 730 (0,0) error means and if there is a solution for that particular error.


I was able to get Malwarebytes to run - I had to uninstall it. However, during the uninstall I would get tons of popup code "0" errors and some "423" (I think), however I just hit "ok" about a dozen times and it uninstalled.

I then re-downloaded the program - and ran it.. funny thing was I didn't have to enter my registration key again (somehow it was there) hmmm.

Well it found a ton of things..deleted them and I restarted. should I delete these from "quarantine"

I think I didn't have "start with windows" checked --- do you think that is how this damn thing got on my pc? I was browsing Pirate Bay (I didn't download anything, but clicked on an item to read the user posts ... and this trojan was able to execute)

What are your suggestions for the future: use firefox, login with an ID that does not have admin privileges, have malware start with windows?

Thanks for guiding me through this :lol:


I want you to upload the following files to the Virus Total Scanner one at a time, by browsing to each file's folder location:

Virus Total Scanner will employ several scanners to test each file for its threat potential. Please post the links to the scan results back here:

c:\windows\system32\drivers\74273372.sys

c:\windows\system32\drivers\7427337.sys

c:\windows\system32\drivers\74273371.sys


Download Sigcheck and unzip it to your C:\Windows\system32 directory:

http://www.microsoft.com/technet/sysintern...k/Sigcheck.mspx

1. Open Notepad (make sure wordwrap is UNchecked under format)

2. Paste the following text in the code box below into the Notepad window:

rem Make sure Cryptographic Services is running; sigcheck needs it to verify Authenticode signatures
sc config CryptSvc start= auto
sc start CryptSvc
rem Output file (on Windows XP the profile folder is "My Documents"; adjust this one line if needed)
set "OUT=%userprofile%\Documents\UnsignedFiles.txt"
if exist "%OUT%" del "%OUT%"
rem The three drivers live in system32\drivers (see the list above), not in system32 itself
sigcheck "%WINDIR%\system32\drivers\74273372.sys" > "%OUT%"
sigcheck "%WINDIR%\system32\drivers\7427337.sys" >> "%OUT%"
sigcheck "%WINDIR%\system32\drivers\74273371.sys" >> "%OUT%"
notepad.exe "%OUT%"
exit

Save the file to your desktop as UnsignedFiles.bat, by setting the "Save as Type" to "All Files".

Double-click the UnsignedFiles.bat gear icon on your desktop to execute the batch file (allow the script to run, but be sure to disable any script blocking programs that are active, first).

Note: You must grant sigcheck.exe permission to access the internet via your firewall.

A Notepad file called C:\UnsignedFiles.txt should open when the batch file has completed processing. Please copy and paste the contents of that file in a reply back here.

Did you use TDSKiller by Kaspersky ever?

