Jump to content

system security virus


Recommended Posts

Hello,

A nice virus was downloaded on my laptop and I need help removing it. 1. Malwarebytes would run a scan and find 8 infected files, but would crash before quarantine. (so, no log file is available) 2. All downloads are canceled as soon as they start. Any downloads are from a different computer and transferred using usb. 3. I defogged my system successfully. (I think. It didn't request a reboot when finished.) 4. I ran DDS and it would not make a log file report, it just closed when done scanning. (if it was in fact scanning). 5. I ran GMER twice, and it would freeze at a specific file. (...software\microsoft\windows nt\current version\perflib\009) I saved the file as ark.txt and is attached as ark.zip (without attach.txt) 6. I know one of the files that had the virus was Bdh.exe from apex 4. 7. Help please! And thank you.

ark.zip

Link to post
Share on other sites

Hello socceramatuer! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Step 1

Please check for updates and then go to the Settings tab then on the Scanner Settings and disable the Heuristics.Shuriken feature.

Step 2

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe Right click on it and drop down to Rename change the name to firefox.com From mbam.exe to firefox.com . Please, restart your computer.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 4

Download DDS and save it to your desktop from here or here or here.

Double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. DDS log with Attach.txt

Link to post
Share on other sites

Thank you for your quick response.

I renamed the mbam.exe file to firefox.com, rebooted and tried to launch, but it would no longer launch. The shortcut was no longer valid. I was able to get the other two files and they are attached or posted here as requested. Also, I was able to get a malwarebytes log last night and saved it before trying to delete any viruses. (When deleting the viruses, malwarebytes would freeze up and not delete anything.) If this is not sufficient, let me know.

Tim

My DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by ScoopMasters - Tim at 13:35:18.57 on Tue 08/24/2010

Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_11

Microsoft

Attach.zip

Link to post
Share on other sites

Okay, let's try this:

Step 1

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s):

  1. JavaRa log
  2. ComboFix log

Link to post
Share on other sites

Here is the combo-fix log and the Javara.log

Thanks.

JavaRa 1.16 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Tue Aug 24 19:15:13 2010

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}Found and removed: SOFTWARE\Classes\JavaPlugin.160_03Found and removed: SOFTWARE\Classes\JavaPlugin.160_05Found and removed: SOFTWARE\Classes\JavaPlugin.160_07Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_07Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_07Found and removed: Software\JavaSoft\Java2D\1.6.0_03Found and removed: Software\JavaSoft\Java2D\1.6.0_05Found and removed: Software\JavaSoft\Java2D\1.6.0_07Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_05Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_07Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\------------------------------------Finished reporting.

ComboFix 10-08-24.07 - ScoopMasters - Tim 08/25/2010 0:18.1.2 - x86

Microsoft

Link to post
Share on other sites

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

My MB log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4478

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18943

8/25/2010 1:40:04 PM

mbam-log-2010-08-25 (13-40-04).txt

Scan type: Quick scan

Objects scanned: 146117

Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\209K1I9HN8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XBV6RD5SZF (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\ScoopMasters - Tim\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=61106

Collect::[8]
c:\users\ScoopMasters - Tim\AppData\Local\equkacegalaju.dll
c:\users\ScoopMasters - Tim\AppData\Local\ehahozewujonaf.dll
c:\users\ScoopMasters - Tim\AppData\Local\udoqibuz.dll
c:\users\ScoopMasters - Tim\AppData\Local\BDBDUIng.dll
c:\users\ScoopMasters - Tim\AppData\Local\Temp\Bdh.exe
c:\users\ScoopMasters - Tim\AppData\Local\eresucam.dll

File::
c:\users\ScoopMasters - Tim\AppData\Local\Akimikere.bin
c:\users\ScoopMasters - Tim\AppData\Local\Sgacite.dat

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Ckoqi"=-
"XBV6RD5SZF"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Xtabica"=-

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Next,

Please upload this file in www.virustotal.com and post the resaults in your next reply:

c:\windows\system32\wininit.exe

Link to post
Share on other sites

Done and done.

Antivirus Version Last Update Result

AhnLab-V3 2010.08.27.00 2010.08.26 -

AntiVir 8.2.4.46 2010.08.27 -

Antiy-AVL 2.0.3.7 2010.08.26 -

Authentium 5.2.0.5 2010.08.27 -

Avast 4.8.1351.0 2010.08.27 -

Avast5 5.0.594.0 2010.08.27 -

AVG 9.0.0.851 2010.08.27 -

BitDefender 7.2 2010.08.27 -

CAT-QuickHeal 11.00 2010.08.27 -

ClamAV 0.96.2.0-git 2010.08.27 -

Comodo 5877 2010.08.27 -

DrWeb 5.0.2.03300 2010.08.27 -

Emsisoft 5.0.0.37 2010.08.27 -

eSafe 7.0.17.0 2010.08.26 -

eTrust-Vet 36.1.7821 2010.08.27 -

F-Prot 4.6.1.107 2010.08.26 -

F-Secure 9.0.15370.0 2010.08.27 -

Fortinet 4.1.143.0 2010.08.26 -

GData 21 2010.08.27 -

Ikarus T3.1.1.88.0 2010.08.27 -

Jiangmin 13.0.900 2010.08.27 -

Kaspersky 7.0.0.125 2010.08.27 -

McAfee 5.400.0.1158 2010.08.27 -

McAfee-GW-Edition 2010.1B 2010.08.27 -

Microsoft 1.6103 2010.08.27 -

NOD32 5402 2010.08.27 -

Norman 6.05.11 2010.08.27 -

nProtect 2010-08-27.01 2010.08.27 -

Panda 10.0.2.7 2010.08.27 -

PCTools 7.0.3.5 2010.08.27 -

Prevx 3.0 2010.08.27 -

Rising 22.62.04.04 2010.08.27 -

Sophos 4.56.0 2010.08.27 -

Sunbelt 6802 2010.08.27 -

SUPERAntiSpyware 4.40.0.1006 2010.08.27 -

Symantec 20101.1.1.7 2010.08.27 -

TheHacker 6.5.2.1.356 2010.08.26 -

TrendMicro 9.120.0.1004 2010.08.27 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.27 -

VBA32 3.12.14.0 2010.08.27 -

ViRobot 2010.8.25.4006 2010.08.27 -

VirusBuster 5.0.27.0 2010.08.27 -

Additional information

Show all

MD5 : 101ba3ea053480bb5d957ef37c06b5ed

SHA1 : 738ef691944f08cf0c405a52f3f55e99ef6e8e6e

SHA256: 9a02771da9c226552a1766c2dd0295eca8b5b80aae13076ffce6a806fa5c21b8

ssdeep: 1536:BWH2/rG8s2gq3yQlEQiFXKREc7Mom5dFmEO+OKXqKYMk:BWYy8zfEQiFXKREbdFmEO+OBK

R

File size : 96768 bytes

First seen: 2008-03-30 23:29:00

Last seen : 2010-08-27 16:34:47

TrID:

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: Windows Start-Up Application

original name: WinInit.exe

internal name: WinInit

file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x634B

timedatestamp....: 0x47918DB8 (Sat Jan 19 05:42:16 2008)

machinetype......: 0x14c (I386)

[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x13FDC, 0x14000, 6.32, cb3e5f4d9c5edc220dfb42d94dc3353a

.data, 0x15000, 0x940, 0x800, 1.70, 4a0b595f10f7b17b94ed648111413be2

.rsrc, 0x16000, 0x1750, 0x1800, 3.95, a1082da9a24924d9e0032925125eadb3

.reloc, 0x18000, 0x1520, 0x1600, 6.70, d343b5056081c437db336f5d73c56a66

[[ 7 import(s) ]]

ADVAPI32.dll: TraceMessage, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCloseKey, RegDeleteValueW, RegOpenKeyExW, RegSetValueExW, RegQueryValueExW, EventRegister, EventUnregister, EventWrite, EventEnabled, RegOpenKeyW, LsaGetUserName, EventWriteEndScenario, EventWriteStartScenario, EventActivityIdControl, CheckTokenMembership, RevertToSelf, ImpersonateLoggedOnUser, EqualSid, GetTokenInformation, SetNamedSecurityInfoW, GetSecurityDescriptorSacl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorControl, ConvertStringSecurityDescriptorToSecurityDescriptorW, DeregisterEventSource, RegisterEventSourceW, RegEnumValueW, RegQueryInfoKeyW, RegQueryInfoKeyA, RegQueryValueExA, QueryTraceW, EnableTrace, ControlTraceW, StartTraceW, OpenSCManagerW, OpenServiceW, QueryServiceStatus, NotifyServiceStatusChangeW, CloseServiceHandle, NotifyBootConfigStatus, OpenProcessToken, CreateWellKnownSid, LookupAccountSidW, RegDeleteTreeW, CreateProcessAsUserW, DuplicateTokenEx, I_ScSendTSMessage, ReportEventW

KERNEL32.dll: HeapAlloc, HeapFree, WaitForSingleObjectEx, ResetEvent, CreateEventW, Sleep, SetThreadExecutionState, MoveFileExW, DeleteFileW, GetSystemDirectoryW, GetCurrentProcessId, SleepEx, CreateThread, InterlockedExchange, CreateProcessW, HeapDestroy, FindClose, FindFirstFileW, GetWindowsDirectoryW, GetTickCount, SetErrorMode, CreateTimerQueueTimer, SetEvent, HeapSetInformation, QueueUserWorkItem, DeleteTimerQueueTimer, GetVersionExW, GetDateFormatW, GetTimeFormatW, FileTimeToSystemTime, SystemTimeToFileTime, GetLocalTime, LockResource, LoadResource, FindResourceExW, ExpandEnvironmentStringsW, lstrlenW, SetLastError, LocalFree, CreateDirectoryW, ReadFile, LocalAlloc, CreateFileW, GetShortPathNameW, lstrcmpiW, FindVolumeClose, FindNextVolumeW, GetDriveTypeW, FindFirstVolumeW, LocalReAlloc, LocalSize, InterlockedCompareExchange, LoadLibraryA, SetUnhandledExceptionFilter, GetStartupInfoA, DelayLoadFailureHook, HeapCreate, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetProcessHeap, ResumeThread, CreateRemoteThread, GetModuleHandleW, OpenProcess, SetTimerQueueTimer, GetFileAttributesW, LoadLibraryW, GetProcAddress, FreeLibrary, GetComputerNameW, SetEnvironmentVariableW, GetLastError, GetCurrentProcess, SetPriorityClass, GetCurrentThread, SetThreadPriority, GetExitCodeProcess, CloseHandle, WaitForMultipleObjectsEx, WaitForSingleObject, GetModuleHandleA

USER32.dll: GetAsyncKeyState, RecordShutdownReason, UnhookWindowsHookEx, SwitchDesktopWithFade, SetThreadDesktop, UpdatePerUserSystemParameters, LoadLocalFonts, SetWindowStationUser, SwitchDesktop, SetUserObjectSecurity, SetWindowsHookExW, CloseWindowStation, CloseDesktop, CreateDesktopW, SetProcessWindowStation, CreateWindowStationW, RegisterLogonProcess, ExitWindowsEx

msvcrt.dll: _vsnwprintf, _wcsicmp, memcpy, memmove, wcschr, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler4_common, _terminate@@YAXXZ, _controlfp, memset, wcsstr

ntdll.dll: NtCreatePagingFile, NtShutdownSystem, RtlDeregisterWaitEx, NtOpenProcessToken, RtlRemovePrivileges, NtClose, RtlDosPathNameToNtPathName_U, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, NtAllocateLocallyUniqueId, RtlFreeSid, RtlSetSaclSecurityDescriptor, RtlAddMandatoryAce, RtlCreateAcl, RtlInitUnicodeString, NtQueryInformationProcess, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, RtlSetDaclSecurityDescriptor, RtlAddAce, TpSimpleTryPost, RtlUnhandledExceptionFilter, NtQuerySystemInformation, RtlNtStatusToDosError, RtlRegisterWait, RtlDestroyEnvironment, NtSetValueKey, NtCreateKey, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlCompareUnicodeString, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, RtlAllocateAndInitializeSid, RtlInitializeCriticalSection, NtQueryInformationToken, RtlSetEnvironmentVariable, RtlQueryEnvironmentVariable_U, RtlInitUnicodeStringEx, RtlCreateEnvironment, NtCreateEvent, RtlAdjustPrivilege, NtSystemDebugControl, DbgBreakPoint, RtlCreateSecurityDescriptor, RtlFreeHeap

RPCRT4.dll: RpcServerRegisterIfEx, RpcServerListen, RpcServerInqCallAttributesW, RpcImpersonateClient, RpcRevertToSelf, RpcBindingServerFromClient, RpcBindingToStringBindingW, RpcStringBindingParseW, RpcBindingFree, RpcServerUseProtseqW, RpcServerInqDefaultPrincNameW, NdrServerCall2, RpcBindingSetAuthInfoExW, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcMgmtIsServerListening, NdrClientCall2, RpcBindingUnbind, RpcAsyncCompleteCall, RpcAsyncCancelCall, RpcAsyncInitializeHandle, RpcBindingBind, RpcBindingCreateW, RpcBindingCopy, NdrAsyncClientCall, I_RpcBindingIsClientLocal, RpcAsyncAbortCall, RpcServerTestCancel, NdrAsyncServerCall, RpcServerUseProtseqEpW, RpcServerRegisterAuthInfoW, RpcStringFreeW, RpcServerInqBindings, UuidFromStringW, RpcEpRegisterW, RpcServerUnregisterIf, RpcEpUnregister, RpcBindingVectorFree

USERENV.dll: GetAllUsersProfileDirectoryW, -, -, GetUserProfileDirectoryW

VT Community

0

This file has never been reviewed by any VT Community member. Be the first one to comment on it!

Link to post
Share on other sites

Please use it for the weekend if you have free time and come back to let me know how are things running after our work.

What's the average "donation" sent to you?

I really don't know. If you have the opportunity, desire and decide, no problem. Don't worry about that!

Link to post
Share on other sites

Nice job! :)

Last steps:

Step 1

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 2

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 3

Please manually delete Defogger, JavaRa, DDS and GMER.

Step 4

Please download and install the latest version of Java from:

www.java.com/en

Your ESET NOD32 Antivirus is generation 3, but the current is 4, so I suggest you to uninstall your current NOD32 and to uninstall the latest.

How to uninstall:

http://kb.eset.com/esetkb/index?page=content&id=SOLN93

Download and install the latest version:

http://kb.eset.com/esetkb/index?page=conte...tp=LIST_POPULAR

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.