
Nasty Anti Virus 2010



:D

Please don't attach the scan results; use Copy/Paste.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

If the tool won't run from the desktop, try running it from the USB device.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Next:

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

  • Copy and paste the log in your next reply.
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.


thanks!

2010/11/02 21:14:59.0763 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/11/02 21:14:59.0763 ================================================================================

2010/11/02 21:14:59.0763 SystemInfo:

2010/11/02 21:14:59.0763

2010/11/02 21:14:59.0763 OS Version: 6.0.6002 ServicePack: 2.0

2010/11/02 21:14:59.0763 Product type: Workstation

2010/11/02 21:14:59.0763 ComputerName: CRISTINA-PC

2010/11/02 21:14:59.0763 UserName: Cristina

2010/11/02 21:14:59.0763 Windows directory: C:\Windows

2010/11/02 21:14:59.0763 System windows directory: C:\Windows

2010/11/02 21:14:59.0763 Processor architecture: Intel x86

2010/11/02 21:14:59.0763 Number of processors: 2

2010/11/02 21:14:59.0763 Page size: 0x1000

2010/11/02 21:14:59.0763 Boot type: Normal boot

2010/11/02 21:14:59.0763 ================================================================================

2010/11/02 21:14:59.0919 Initialize success

2010/11/02 21:15:01.0993 ================================================================================

2010/11/02 21:15:01.0993 Scan started

2010/11/02 21:15:01.0993 Mode: Manual;

2010/11/02 21:15:01.0993 ================================================================================

2010/11/02 21:15:06.0533 Suspicious service (NoAccess): vbma92a1

2010/11/02 21:15:06.0549 vbma92a1 - detected Locked service (1)

2010/11/02 21:15:07.0017 Suspicious service (NoAccess): zfyqe

2010/11/02 21:15:07.0032 zfyqe - detected Locked service (1)

2010/11/02 21:15:07.0063 ================================================================================

2010/11/02 21:15:07.0063 Scan finished

2010/11/02 21:15:07.0063 ================================================================================

2010/11/02 21:15:07.0079 Detected object count: 2

2010/11/02 21:15:09.0731 Locked service(vbma92a1) - User select action: Skip

2010/11/02 21:15:09.0731 Locked service(zfyqe) - User select action: Skip

2010/11/02 21:15:18.0198 ================================================================================

2010/11/02 21:15:18.0198 Scan started

2010/11/02 21:15:18.0198 Mode: Manual;

2010/11/02 21:15:18.0198 ================================================================================

2010/11/02 21:15:22.0722 Suspicious service (NoAccess): vbma92a1

2010/11/02 21:15:22.0722 vbma92a1 - detected Locked service (1)

2010/11/02 21:15:23.0190 Suspicious service (NoAccess): zfyqe

2010/11/02 21:15:23.0206 zfyqe - detected Locked service (1)

2010/11/02 21:15:23.0221 ================================================================================

2010/11/02 21:15:23.0221 Scan finished

2010/11/02 21:15:23.0221 ================================================================================

2010/11/02 21:15:23.0237 Detected object count: 2

2010/11/02 21:15:27.0308 Locked service(vbma92a1) - User select action: Skip

2010/11/02 21:15:27.0308 Locked service(zfyqe) - User select action: Skip


2010/11/03 16:49:49.0134 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/11/03 16:49:49.0134 ================================================================================

2010/11/03 16:49:49.0134 SystemInfo:

2010/11/03 16:49:49.0134

2010/11/03 16:49:49.0134 OS Version: 6.0.6002 ServicePack: 2.0

2010/11/03 16:49:49.0134 Product type: Workstation

2010/11/03 16:49:49.0134 ComputerName: CRISTINA-PC

2010/11/03 16:49:49.0134 UserName: Cristina

2010/11/03 16:49:49.0134 Windows directory: C:\Windows

2010/11/03 16:49:49.0134 System windows directory: C:\Windows

2010/11/03 16:49:49.0134 Processor architecture: Intel x86

2010/11/03 16:49:49.0134 Number of processors: 2

2010/11/03 16:49:49.0134 Page size: 0x1000

2010/11/03 16:49:49.0134 Boot type: Normal boot

2010/11/03 16:49:49.0134 ================================================================================

2010/11/03 16:49:49.0305 Initialize success

2010/11/03 16:49:51.0037 ================================================================================

2010/11/03 16:49:51.0037 Scan started

2010/11/03 16:49:51.0037 Mode: Manual;

2010/11/03 16:49:51.0037 ================================================================================

2010/11/03 16:49:56.0481 Suspicious service (NoAccess): vbma92a1

2010/11/03 16:49:56.0497 vbma92a1 - detected Locked service (1)

2010/11/03 16:49:57.0105 Suspicious service (NoAccess): zfyqe

2010/11/03 16:49:57.0121 zfyqe - detected Locked service (1)

2010/11/03 16:49:57.0137 ================================================================================

2010/11/03 16:49:57.0137 Scan finished

2010/11/03 16:49:57.0137 ================================================================================

2010/11/03 16:49:57.0152 Detected object count: 2

2010/11/03 16:50:15.0576 Locked service(vbma92a1) - User select action: Quarantine

2010/11/03 16:50:15.0591 Locked service(zfyqe) - User select action: Quarantine

2010/11/03 16:50:19.0039 ================================================================================

2010/11/03 16:50:19.0039 Scan started

2010/11/03 16:50:19.0039 Mode: Manual;

2010/11/03 16:50:19.0039 ================================================================================

2010/11/03 16:50:23.0313 Suspicious service (NoAccess): vbma92a1

2010/11/03 16:50:23.0329 vbma92a1 - detected Locked service (1)

2010/11/03 16:50:23.0844 Suspicious service (NoAccess): zfyqe

2010/11/03 16:50:23.0859 zfyqe - detected Locked service (1)

2010/11/03 16:50:23.0875 ================================================================================

2010/11/03 16:50:23.0875 Scan finished

2010/11/03 16:50:23.0875 ================================================================================

2010/11/03 16:50:23.0891 Detected object count: 2

2010/11/03 16:50:31.0207 Locked service(vbma92a1) - User select action: Quarantine

2010/11/03 16:50:31.0207 Locked service(zfyqe) - User select action: Quarantine

I did a delete... same thing too... keeps auto-generating.

When I do a quarantine, it says no files found...

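As an added illustration (not code from this thread or from the TDSSKiller tool), here is a small Python triage script for a pasted TDSSKiller log like the ones above: it splits the log into scan sessions, records which objects were detected and what action was chosen for each, and reports the objects that came back in every scan, which is the pattern in the logs above (vbma92a1 and zfyqe are reported again after both Skip and Quarantine). The sample log is constructed from lines modelled on the ones posted, and the function names are my own.

```python
import re
# Constructed sample, modelled on the TDSSKiller 2.4.5.1 output pasted above.
SAMPLE_LOG = """\
2010/11/02 21:15:01.0993 Scan started
2010/11/02 21:15:06.0549 vbma92a1 - detected Locked service (1)
2010/11/02 21:15:07.0032 zfyqe - detected Locked service (1)
2010/11/02 21:15:09.0731 Locked service(vbma92a1) - User select action: Skip
2010/11/02 21:15:09.0731 Locked service(zfyqe) - User select action: Skip
2010/11/03 16:49:51.0037 Scan started
2010/11/03 16:49:56.0497 vbma92a1 - detected Locked service (1)
2010/11/03 16:49:57.0121 zfyqe - detected Locked service (1)
2010/11/03 16:50:15.0576 Locked service(vbma92a1) - User select action: Quarantine
2010/11/03 16:50:15.0591 Locked service(zfyqe) - User select action: Quarantine
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff "; the rest is the message.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ (.*)$")
DETECT_RE = re.compile(r"^(\S+) - detected (.+) \(\d+\)$")
ACTION_RE = re.compile(r"\((\S+)\) - User select action: (\w+)$")

def parse_scans(text):
    """Split the log into scans: each maps object name -> {"kind", "action"}."""
    scans = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-log line
        msg = m.group(1)
        if msg == "Scan started":
            scans.append({})
        elif scans and (d := DETECT_RE.match(msg)):
            scans[-1][d.group(1)] = {"kind": d.group(2), "action": None}
        elif scans and (a := ACTION_RE.search(msg)) and a.group(1) in scans[-1]:
            scans[-1][a.group(1)]["action"] = a.group(2)
    return scans

def triage(text):
    """Objects that came back in every scan survived the chosen action;
    'Skip' leaves a locked service untouched, so a helper wants to see it."""
    scans = parse_scans(text)
    if not scans:
        return {"scans": 0, "persistent": [], "last_action": {}}
    names = set(scans[0])
    for s in scans[1:]:
        names &= set(s)
    return {
        "scans": len(scans),
        "persistent": sorted(names),
        "last_action": {n: o["action"] for n, o in scans[-1].items()},
    }
```

Run `triage(SAMPLE_LOG)` to get the two-scan summary; feed it the full pasted log and the header lines are simply ignored.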

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (ComboFix.exe) & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

