Jump to content

Multiple malware


Recommended Posts

Hello MBAM Forum,

Had just downloaded MBAM updated and ran. It found 80+ malware or so and I chose to let MBAM quarantine. After restart though the Wndows log on was not the same any more and the log off dialogue was also corrupted(buttons and letters not showing). Also win explorer windows became black so I had MBAM restore what it quarantined. Luckily it all came back. However I had downloaded MBAM to free my laptop of a malware infestation which my paid AV can't seem to finish off , also I downloaded this cz I can't start the laptop in Safe Mode, but then this.

Here is the HijackThis log prior to scanning with MBAM:hijackthis_log.txt

Here is the MBAM log:mbam_log_2010_07_18__18_08_38_.txt

Please help cz this laptop is needed by the owner and it's Monday tomorrow here so its gonna be busy and hes gonna need it.

The laptop specs are: Compaq Presario V2000, Win XP SP3, AMD Turion 1.6 Ghz, 1.87 Gig RAM

Security Software Ad-Aware Pro with Windows FW, just downloaded MBAM. Thanks in advance

Link to post
Share on other sites

Hello Utopian! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Please help cz this laptop is needed by the owner and it's Monday tomorrow here so its gonna be busy and hes gonna need it.

It's a bad idea, because this laptop is seriously infected.

Follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573

Link to post
Share on other sites

Hello Maniac,

Thank you very much for responding, I just want to update you that because the owner was kind of in a hurry what I did was I got rid of all the detections bit by bit so in case something goes wrong I can restore it from quarantine. Every time I finished removing some I again scanned with MBAM(full scan)until it had removed the last and after this I did a final full scan and MBAM detected nothing. I also did an updated full scan with Ad-Aware Pro(since its the regular paid AV) and it too found nothing. Before all this I had run SysRestorePoint and ERUNT then GMER which did not seem to find anything. Afterwards, just to be sure I then turned off System Restore, cleaned with ATF cleaner and CCleaner. Then thats when I did the bit by bit removal with MBAM taking care to fully scan before again removing until I had eliminated the last and did the last full scans with MBAM and A-A Pro which showed nothing. Afterwards I removed all malware from quarantine, totally deleted them. All the logs are on that laptop, which is now being used by the owner, so I cant give them to you now. I had installed Panda usb vaccine and adviced him to scan and clean all his usb drives.

When the owner brought the laptop to me it wont run msconfig,task mgr,defrag,services and safe mode. With some bit of research I had fixed all except booting in safe mode. What his av(A-A Pro) had mostly detected first was W32.Sality.ek (v) but it kept returning so thats why I installed MBAM. Now I'm still trying to figure out how to get that laptop to boot in safe mode(it boots up in normal mode), this could have been damage made by W32.Sality since I read somewhere that is one of its bad effects.

I'm an aspiring malware fighter so I have learned a lot from this, it's great. I just want to ask you now, has MBAM finished it all off? and how do I find out if it has(last scans w/ MBAM and A-A Pro turned up nothing)? and last maybe you could help me fix the safe boot problem.

Link to post
Share on other sites

Really??

You talk about Sality, it's a virus, so Malwarebytes' Anti-Malware can't help you. The problem is very serious. The fastest and easier solution is format:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Unfortunately reformat/repair could not be an option coz the owner does not have a XP SP3 installer although his Windows is authentic. Are you sure that reformat is the only option? A-A Pro can detect and remove Sality however I guess it cant remove the trojans that have Sality as payload thats why it kept returning. Thats where MBAM came in and took care of the Trojans. Last scans with MBAM showed clean, Last scans with A-A Pro also clean. The only prob now is fixing Safeboot(which is removed by Sality). I think the malware has already been taken care of. I have to admit I'm just piecing it all up together but I just want your advice as to what additional procedure must I do to make sure the malware are really gone since you are more knowledgeable. So sorry I had to go on fixing the laptop without your guidance but the owner just cant wait. Please what do I do now to check and make sure there are no malware anymore and how to fix booting in safe mode. Please Borislav I'd really appreciate it.

Link to post
Share on other sites

I'm talking about this topic with MBAM Assistant Director of Research - Mieke Verburgh. I talked with the man in the maintenance of Malwarebytes. Their comment was that the possible treatment of Sality, but none was willing to ensure that future problems will not return or whether there will be an improvement after the so-called. treatment. Our solution to the problems of this type is that if you decide you can try.

As you wish.

Link to post
Share on other sites

Hello Borislav,

I have just found out about AVZ tool and its a possible solution to fixing the safe boot prob. Right now the laptop is with the owner so I cant continue with the fix it, I just told him to refrain as of this time from connecting it to the internet and using usb drives with it. Could you confirm to me if AVZ will fix booting in safe mode? Also I plan to just do the regular update and scan with both A-A Pro and MBAM after updating them. I jst remembered I still have not turned system restore back on in that laptop but I will do later. Another thing I remembered to do is maybe check with ShieldsUp and maybe install a firewall, although I worry about installing this type of software coz the owner might not like or understand having those pop-ups. I have read the blog you posted but I won't give up on this coz I'm already into deep and I can't tell him he has to buy an OS installer(cz he does not have any OS CD) which is very expensive here and right now hes kind of down financially. I'm not recieving any money from the owner, I'm just trying to help him he's the father a friend of mine. So please what I need is your assurance that what I'm doing is on the right track and your superior knowledge to guide as to what best I can do. I think MBAM,A-A Pro and myself have turned the tide here, please help us continue the fight...c'mon

Link to post
Share on other sites

Try with a Rescue CD.

Please try downloading and burning the following from another computer.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the
    Avira AntiVir Rescue System
    from

  • Place a blank CD in your burner and double-click on the downloaded file named
    rescue_system-common-en.exe

  • The program will automatically burn the CD for you.

  • Place the burned CD into the affected computer and start the computer from this CD.

  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

  • Click on the
    Configuration
    button.

    • Select
      Scan all files

    • Select
      Try to repair infected files
      and
      Rename files, if they cannot be removed

    • Select
      Scan for dialers

    • Select
      Scan for joke programs (Jokes)

    • Select
      Scan for games

    • Select
      Scan for spyware (SPR)

    [*]
    Click on
    Virus scanner

    [*]
    Click on
    Start scanner
    at the bottom of the screen

    [*]
    Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post
    if you're unable to view the entire screen of Avira.

  2. You can also review this one

  3. Currently only the German keyboard is supported.
    English keyboards require work arounds.

  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

Link to post
Share on other sites

Hi Borislav,

Since you recommended using a Rescue CD, I just remembered I had a Kaspersky 2010 Rescue CD so I decided to use that instead of Avira cz I did not want to go thru downloading the iso and CD burning. Running the rescue disk did find 2 instances of W32.Sality.aa 3 instances. I did 3 scans of the rescue CD and the final scan did not find anything. I also did updated scans of MBAM and A-A Pro and they also found nothing. Heres the latest HJT log and attached is the latest avz log - I used avz to fix the safe boot prob and this tool I think is one of the best!

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:49:02 AM, on 7/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Panda USB Vaccine\USBVaccine.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)

O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\MSCONF~1.EXE /auto

O4 - Startup: PandaUSBVaccine.lnk = C:\Program Files\Panda USB Vaccine\USBVaccine.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174928158234

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199407082312

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...991/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{97941A97-712B-4D5D-9E02-DCE833B2266D}: NameServer = 8.8.8.8

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O21 - SSODL: ThunderAdvise - *DISABLED*{97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - (no file)

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 11066 bytes

avz_log072210.txt

Link to post
Share on other sites

I'm so so sorry. The fastest, eaiser and safe way is to make a full format of your hard disc. More information about these file infectors:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Borislav if I can just reformat and reinstall I would have but as I said I dont have and the owner does not have a Win XP CD and he does not seem to plan on buying a new OS CD which is kind of expensive here. I guess we here will have to see what happens, so if we dont reformat how long do you think would the laptop stay trouble free? and since it seems your telling me its hopeless(even though the laptop seems ok now)how does the owner back up his data and how do we check to see if the backup is also infected? Please if possible give a not so expensive solution(i mean other than buying a new OS).

Link to post
Share on other sites

I completely understand you. I'll try a few things to arrange the problems to a minimum. In the future, you can check files you want as upload them in www.virustotal.com . With a good AV software, you can live with it, but step by step, let's start with:

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

Hello Borislav,

I downloaded Dr.Web CureIt twice but it would not run. The owner was kind of in a hurry so I just ran MBAM, A-A Pro and AVZ and they dont find anything. The laptop had been used by the owner online for several days now and it seems to operate well and feels fast now. I see an entry in the HJT log about a Thunderadvise BHO but its also marked (file missing)-is this something to worry about?. I would have wanted to run the Kaspersky Rescue CD again and know why Dr.Web wont run but its kind of hard to get hold of the laptop, the owner and I seldom meet and if we do he's mostly in a hurry. I don't think I will get hold of that laptop any time soon, I'm just waiting for any complaints from the owner. Why do you think Dr. Web would not run? Is that a sign that malware is still in the laptop?

Link to post
Share on other sites

Hi Utopian

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html.

Because there are a number of bugs in its code, it may create

executable files that are corrupted beyond repair resulting in an

inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

  • Backup all your documents and important items only.
  • DO NOT backup any executable files (,exe .scr .html or .htm)
  • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE

Link to post
Share on other sites

Hi Kenny94,

As I told Maniac, I dont have a rescue cd or an OS installer although its still the original authentic MS XP SP3 OS that came with the laptop, so reformat/reinstall is not an option for the owner, at least unless he buys a new OS installer. I tried to follow Maniacs recommendation to download and run Dr.Web CureIt but it wont run, I tried it twice. I press the Dr.Web.exe icon and nothing happens no activity in task mgr or sign in pointer that Dr.Web is loading, I wait for 10+ mins and nothing, it just sits there. Just downloading it takes a long time and at the time the owner was in a hurry so instead I just updated and ran scans of A-A Pro, MBAM, and AVZ, came up clean. The laptop seems to feel fine and fast and has been connected to the web. I have posted the last HJT log in post #9 above. If Dr. Web won't run is that a sign that there is still malware? Are you absolutely sure that the laptop is still infected?

Link to post
Share on other sites

You need to let the owners/customer know that this it takes a lot of time to properly to clean their PC next time. Now that we don't have the PC it's all guess work at this point.

If the laptop comes back just let him know they need a new OP. XP is cheap these days.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.