
Multiple malware



Hello MBAM Forum,

I had just downloaded MBAM, updated it and ran it. It found 80+ malware items or so and I chose to let MBAM quarantine them. After the restart, though, the Windows logon was not the same any more and the log-off dialogue was also corrupted (buttons and letters not showing). Also Windows Explorer windows became black, so I had MBAM restore what it had quarantined. Luckily it all came back. However, I had downloaded MBAM to free my laptop of a malware infestation which my paid AV can't seem to finish off; I also downloaded it because I can't start the laptop in Safe Mode, but then this.

Here is the HijackThis log prior to scanning with MBAM:hijackthis_log.txt

Here is the MBAM log:mbam_log_2010_07_18__18_08_38_.txt

Please help, because this laptop is needed by the owner and it's Monday tomorrow here, so it's gonna be busy and he's gonna need it.

The laptop specs are: Compaq Presario V2000, Win XP SP3, AMD Turion 1.6 GHz, 1.87 GB RAM.

Security software: Ad-Aware Pro with the Windows Firewall; I just downloaded MBAM. Thanks in advance.


Hello Utopian! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please help, because this laptop is needed by the owner and it's Monday tomorrow here, so it's gonna be busy and he's gonna need it.

It's a bad idea, because this laptop is seriously infected.

Follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573


Hello Maniac,

Thank you very much for responding. I just want to update you: because the owner was kind of in a hurry, what I did was get rid of all the detections bit by bit, so in case something went wrong I could restore it from quarantine. Every time I finished removing some, I again scanned with MBAM (full scan) until it had removed the last, and after this I did a final full scan and MBAM detected nothing. I also did an updated full scan with Ad-Aware Pro (since it's the regular paid AV) and it too found nothing. Before all this I had run SysRestorePoint and ERUNT, then GMER, which did not seem to find anything. Afterwards, just to be sure, I turned off System Restore and cleaned with ATF Cleaner and CCleaner. That's when I did the bit-by-bit removal with MBAM, taking care to fully scan before removing again, until I had eliminated the last and did the last full scans with MBAM and A-A Pro, which showed nothing. Afterwards I removed all malware from quarantine, totally deleted them. All the logs are on that laptop, which is now being used by the owner, so I can't give them to you now. I had installed Panda USB Vaccine and advised him to scan and clean all his USB drives.

When the owner brought the laptop to me it wouldn't run msconfig, Task Manager, defrag, services or Safe Mode. With a bit of research I had fixed all except booting in Safe Mode. What his AV (A-A Pro) had mostly detected first was W32.Sality.ek (v), but it kept returning, so that's why I installed MBAM. Now I'm still trying to figure out how to get that laptop to boot in Safe Mode (it boots up in normal mode); this could have been damage made by W32.Sality, since I read somewhere that is one of its bad effects.

I'm an aspiring malware fighter, so I have learned a lot from this; it's great. I just want to ask you now: has MBAM finished it all off? And how do I find out if it has (the last scans with MBAM and A-A Pro turned up nothing)? And lastly, maybe you could help me fix the safe boot problem.


Really??

You talk about Sality; it's a virus, so Malwarebytes' Anti-Malware can't help you. The problem is very serious. The fastest and easiest solution is a format:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Unfortunately reformat/repair could not be an option, because the owner does not have an XP SP3 installer, although his Windows is authentic. Are you sure that reformat is the only option? A-A Pro can detect and remove Sality; however, I guess it can't remove the trojans that have Sality as payload, and that's why it kept returning. That's where MBAM came in and took care of the trojans. Last scans with MBAM showed clean; last scans with A-A Pro also clean. The only problem now is fixing SafeBoot (which is removed by Sality). I think the malware has already been taken care of. I have to admit I'm just piecing it all together, but I just want your advice as to what additional procedure I must do to make sure the malware is really gone, since you are more knowledgeable. So sorry I had to go on fixing the laptop without your guidance, but the owner just can't wait. Please, what do I do now to check and make sure there is no malware any more, and how do I fix booting in Safe Mode? Please, Borislav, I'd really appreciate it.


I talked about this topic with the MBAM Assistant Director of Research, Mieke Verburgh, and with the person responsible for maintenance at Malwarebytes. Their comment was that treatment of Sality is possible, but none was willing to guarantee that future problems will not return, or that there will be an improvement after the so-called treatment. Our solution to problems of this type is the one above; if you decide to, you can try.

As you wish.


Hello Borislav,

I have just found out about the AVZ tool and it's a possible solution to fixing the safe boot problem. Right now the laptop is with the owner, so I can't continue with the fix; I just told him to refrain for the time being from connecting it to the internet and using USB drives with it. Could you confirm to me if AVZ will fix booting in Safe Mode? Also I plan to just do the regular update and scan with both A-A Pro and MBAM after updating them. I just remembered I still have not turned System Restore back on in that laptop, but I will do it later. Another thing I remembered to do is maybe check with ShieldsUP and maybe install a firewall, although I worry about installing this type of software because the owner might not like or understand having those pop-ups. I have read the blog you posted, but I won't give up on this because I'm already in too deep, and I can't tell him he has to buy an OS installer (because he does not have any OS CD), which is very expensive here, and right now he's kind of down financially. I'm not receiving any money from the owner; I'm just trying to help him, he's the father of a friend of mine. So please, what I need is your assurance that what I'm doing is on the right track, and your superior knowledge to guide me as to what best I can do. I think MBAM, A-A Pro and myself have turned the tide here; please help us continue the fight... c'mon.


Try with a Rescue CD.

Please try downloading and burning the following from another computer.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System.
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post if you're unable to view the entire screen of Avira.
  2. You can also review this one.
  3. Currently only the German keyboard is supported. English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Hi Borislav,

Since you recommended using a Rescue CD, I just remembered I had a Kaspersky 2010 Rescue CD, so I decided to use that instead of Avira, because I did not want to go through downloading the ISO and CD burning. Running the rescue disk did find 2 instances of W32.Sality.aa 3 instances. I did 3 scans with the rescue CD and the final scan did not find anything. I also did updated scans with MBAM and A-A Pro and they also found nothing. Here's the latest HJT log, and attached is the latest AVZ log. I used AVZ to fix the safe boot problem, and this tool I think is one of the best!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:49:02 AM, on 7/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (file missing)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\MSCONF~1.EXE /auto
O4 - Startup: PandaUSBVaccine.lnk = C:\Program Files\Panda USB Vaccine\USBVaccine.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174928158234
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199407082312
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...991/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97941A97-712B-4D5D-9E02-DCE833B2266D}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: ThunderAdvise - *DISABLED*{97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11066 bytes

avz_log072210.txt


I'm so, so sorry. The fastest, easiest and safest way is to make a full format of your hard disk. More information about these file infectors:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Borislav, if I could just reformat and reinstall I would have, but as I said I don't have, and the owner does not have, a Win XP CD, and he does not seem to plan on buying a new OS CD, which is kind of expensive here. I guess we will have to see what happens. So if we don't reformat, how long do you think the laptop would stay trouble-free? And since it seems you're telling me it's hopeless (even though the laptop seems OK now), how does the owner back up his data, and how do we check to see if the backup is also infected? Please, if possible, give a not-so-expensive solution (I mean other than buying a new OS).


I completely understand you. I'll try a few things to reduce the problems to a minimum. In the future, you can check any files you want by uploading them to www.virustotal.com. With good AV software you can live with it, but step by step; let's start with:

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives, though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension; the default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and All local drives.
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured (in this case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply, with a new HijackThis log.

drweb.jpg


Hello Borislav,

I downloaded Dr.Web CureIt twice, but it would not run. The owner was kind of in a hurry, so I just ran MBAM, A-A Pro and AVZ, and they don't find anything. The laptop has been used by the owner online for several days now and it seems to operate well and feels fast now. I see an entry in the HJT log about a ThunderAdvise BHO, but it's also marked (file missing); is this something to worry about? I would have wanted to run the Kaspersky Rescue CD again and find out why Dr.Web won't run, but it's kind of hard to get hold of the laptop; the owner and I seldom meet, and if we do he's mostly in a hurry. I don't think I will get hold of that laptop any time soon; I'm just waiting for any complaints from the owner. Why do you think Dr.Web would not run? Is that a sign that malware is still in the laptop?


Hi Utopian

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html.

Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

  • Backup all your documents and important items only.
  • DO NOT backup any executable files (.exe .scr .html or .htm)
  • Do not back up compressed files (zip/cab/rar) that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE
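As an added example (not Kenny94's code and not from the forum), the backup rules above turned into a selection script: it skips the executable extensions the post names, skips .rar/.cab outright because the standard library cannot look inside them, and keeps a .zip only after confirming none of its members is an executable or a nested archive. The sample folder it builds is constructed for the demo; the file names and the decision labels are this example's own.

```python
import os
import shutil
import tempfile
import zipfile

# Extensions the post lists as targets of the file infector.
EXECUTABLE_EXTS = {".exe", ".scr", ".htm", ".html"}
# Archive types we can open with the standard library and inspect.
INSPECTABLE_ARCHIVES = {".zip"}
# Archive types we cannot open offline; treated as "may contain executables".
OPAQUE_ARCHIVES = {".rar", ".cab"}


def classify(path):
    """Decide whether one file may go into the backup.

    Returns 'copy', 'skip-executable', 'skip-archive' (opaque or unreadable
    archive) or 'skip-archive-exe' (zip that holds an executable or archive).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "skip-executable"
    if ext in OPAQUE_ARCHIVES:
        return "skip-archive"
    if ext in INSPECTABLE_ARCHIVES:
        return _classify_zip(path)
    return "copy"


def _classify_zip(path):
    """Keep a zip only if none of its members is executable or another archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return "skip-archive"  # unreadable or malformed: do not trust it
    risky = EXECUTABLE_EXTS | INSPECTABLE_ARCHIVES | OPAQUE_ARCHIVES
    for name in members:
        if os.path.splitext(name)[1].lower() in risky:
            return "skip-archive-exe"
    return "copy"


def select_for_backup(root):
    """Walk root and map each file (relative, '/'-separated) to its decision."""
    plan = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            plan[rel] = classify(full)
    return plan


def build_sample_tree(root):
    """Constructed sample profile (not real data) to exercise the filter."""
    os.makedirs(os.path.join(root, "docs"))
    for rel, data in [("docs/report.doc", b"doc"), ("photo.jpg", b"jpg"),
                      ("game.scr", b"MZ"), ("page.html", b"<html>"),
                      ("stuff.rar", b"Rar!")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "docs", "letters.zip"), "w") as zf:
        zf.writestr("letter1.txt", "hello")        # documents only: keep
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "x")
        zf.writestr("setup.exe", "MZ")             # executable inside: skip
    with open(os.path.join(root, "broken.zip"), "wb") as fh:
        fh.write(b"not a zip")                     # unreadable: skip


def demo():
    """Build the sample tree in a temp dir, classify it and clean up."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return select_for_backup(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, decision in sorted(demo().items()):
        print("%-20s %s" % (rel, decision))
```

Pointing select_for_backup at a real profile folder gives the copy list; the "skip-*" entries are the files the post says must not leave the infected machine.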


Hi Kenny94,

As I told Maniac, I don't have a rescue CD or an OS installer, although it's still the original authentic MS XP SP3 OS that came with the laptop, so reformat/reinstall is not an option for the owner, at least unless he buys a new OS installer. I tried to follow Maniac's recommendation to download and run Dr.Web CureIt, but it won't run; I tried it twice. I click the Dr.Web .exe icon and nothing happens: no activity in Task Manager or sign in the pointer that Dr.Web is loading. I wait for 10+ minutes and nothing; it just sits there. Just downloading it takes a long time, and at the time the owner was in a hurry, so instead I just updated and ran scans with A-A Pro, MBAM and AVZ, which came up clean. The laptop seems to feel fine and fast and has been connected to the web. I have posted the last HJT log in post #9 above. If Dr.Web won't run, is that a sign that there is still malware? Are you absolutely sure that the laptop is still infected?


You need to let the owners/customers know that it takes a lot of time to properly clean their PC next time. Now that we don't have the PC, it's all guesswork at this point.

If the laptop comes back, just let him know they need a new OS. XP is cheap these days.
