Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

antivirus 2010 - this is a though one, 3 day battle


tlopes
 Share

Recommended Posts

Hello guys, i've been reading alot of threads form multiple forums related to my problem and after several tips from several users, i eventually managed to clean part of the infection but now I'm in a dead end.

The first time I read a thread that did not end in a operating system install was this one:

http://forums.malwarebytes.org/index.php?showtopic=65318

I just want to add some info. Part of the problem of this virus is that if i run something from a NTFS partition, it will mark that file as a read only, hidden and system protected. So I'm running and installing all tools on a external fat32 usb drive

rkill gives me this log everytime i run it:

+++++++++++++++++++++++++++++

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as User on 23-11-2010 at 20:20:15.

Services Stopped:

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe

Rkill completed on 23-11-2010 at 20:20:18.

+++++++++++++++++++++++++++++++++++++

I can run super anti spyware and it detects Trojan.Dropper/SVCHost-Fake.Process. I have to stop the scan or it will close by itself but it crashes when i try to remove the infection.

When i try to run tdsskiller it detects infected files, asks for reboot to delete them but they will stay there.

Here's logs from several tries ( i choose to post only the relevant part):

1st run:

2010/11/23 18:19:33.0654 Detected object count: 1

2010/11/23 18:19:52.0623 HKLM\SYSTEM\ControlSet001\services\vbma6b97 - will be deleted after reboot

2010/11/23 18:19:52.0654 HKLM\SYSTEM\ControlSet003\services\vbma6b97 - will be deleted after reboot

2010/11/23 18:19:52.0670 C:\WINDOWS\system32\drivers\vbma6b97.sys - will be deleted after reboot

2010/11/23 18:19:52.0670 Locked service(vbma6b97) - User select action: Delete

2010/11/23 18:19:58.0842 Deinitialize success

reboot and 2nd run:

2010/11/23 18:24:30.0890 Detected object count: 1

2010/11/23 18:24:44.0812 Locked file(vbma6b97) - User select action: Skip

2010/11/23 18:24:49.0515 Deinitialize success

reboot with a live cd, delete it manually and then a third run:

010/11/23 18:53:45.0421 Detected object count: 2

2010/11/23 18:53:58.0796 Forged file(NdisWan) - User select action: Skip

2010/11/23 18:53:58.0796 Locked file(vbma6b97) - User select action: Skip

2010/11/23 18:54:02.0515 Deinitialize success

again, live cd to delete them manually, 4th run:

2010/11/23 19:00:16.0218 Detected object count: 2

2010/11/23 19:00:39.0031 Forged file(IpNat) - User select action: Skip

2010/11/23 19:00:39.0031 Locked file(vbma6b97) - User select action: Skip

2010/11/23 19:00:43.0296 Deinitialize success

i gave up and now i'm here asking for some help.

want to join me in this war? take the lead and i'll follow :D

Link to post
Share on other sites

Hello tlopes

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Link to post
Share on other sites

Thanks kahdah for jumping in. I'm not at the infected computer right now, i'll get back to it in 6 hours.

I'll try to run OTL and gmer from the usb pen, but i think they will close as soon as I hit scan. The user on the thread I mentioned in the first post was having the same problem. Can you give an head start in case otl and gmer don't work?

Link to post
Share on other sites

As expected, both won't run. They close when I hit scan.

Apart from running them from the fat32 usb disk, i also ran them from desktop and root and now both are read only, hidden and system protected.

How can we find what is creating the C:\WINDOWS\system32\drivers\vbma6b97.sys file?

Link to post
Share on other sites

Great please run Combofix don't worry with the others.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Hello again, sorry for being away. It seems that the computer is working ok, but i can't start the firewall, first it was related to the deletion of ipnat.sys and ndiswan.sys but I fetched them from a SP2 CD ( i do have sp3 installed) but when i try to start the windows xp firewall service manually, i get an error 1058.

This solution provied by microsoft does not apply to me, the only hardware profile I have is activated:

http://support.microsoft.com/kb/241584

Any ideas?

Link to post
Share on other sites

ComboFix 10-11-25.06 - User 26-11-2010 21:55:04.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1015.596 [GMT 0:00]

Executando de: c:\documents and settings\User\Ambiente de trabalho\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-10-26 to 2010-11-26 ))))))))))))))))))))))))))))

.

2010-11-24 20:12 . 2004-08-03 23:14 91776 -c--a-w- c:\windows\system32\dllcache\ipnat.sys

2010-11-24 20:12 . 2004-08-03 23:14 91776 ----a-w- c:\windows\system32\drivers\ipnat.sys

2010-11-24 20:09 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll

2010-11-24 20:09 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smierrsy.dll

2010-11-24 20:09 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smimsgif.dll

2010-11-24 20:09 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smierrsy.dll

2010-11-24 20:09 . 2004-08-04 12:00 15872 -c--a-w- c:\windows\system32\dllcache\smierrsm.dll

2010-11-24 20:09 . 2004-08-04 12:00 15872 ----a-w- c:\windows\system32\wbem\snmp\smierrsm.dll

2010-11-24 20:09 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\snmpstup.dll

2010-11-24 20:09 . 2004-08-04 12:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll

2010-11-24 19:56 . 2010-11-24 19:56 -------- d-----w- c:\windows\system32\wbem\Repository

2010-11-24 18:44 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-11-24 18:44 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-11-24 18:44 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-11-24 18:44 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-11-24 18:44 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-11-24 18:44 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-11-24 18:44 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-11-24 18:44 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr

2010-11-24 18:44 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-11-24 18:23 . 2001-11-20 16:41 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2010-11-24 18:22 . 2001-08-17 20:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys

2010-11-24 18:21 . 2001-08-17 20:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys

2010-11-24 18:20 . 2001-08-17 19:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys

2010-11-24 18:19 . 2001-11-20 15:59 17024 -c--a-w- c:\windows\system32\dllcache\stcusb.sys

2010-11-24 18:18 . 2001-08-17 20:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys

2010-11-24 18:17 . 2001-08-17 19:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys

2010-11-24 18:16 . 2001-08-17 19:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys

2010-11-24 18:15 . 2001-08-17 20:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys

2010-11-24 18:14 . 2008-04-14 16:08 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll

2010-11-24 18:13 . 2001-11-20 16:13 44041 -c--a-w- c:\windows\system32\dllcache\otceth5.sys

2010-11-24 18:12 . 2001-11-20 16:40 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll

2010-11-24 18:11 . 2001-08-17 20:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2010-11-24 18:10 . 2001-11-20 16:01 16128 -c--a-w- c:\windows\system32\dllcache\lit220p.sys

2010-11-24 18:09 . 2001-11-20 16:40 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-11-24 18:08 . 2001-08-17 20:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys

2010-11-24 18:07 . 2001-11-20 16:40 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll

2010-11-24 18:06 . 2001-08-17 19:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys

2010-11-24 18:05 . 2001-11-20 16:12 44103 -c--a-w- c:\windows\system32\dllcache\el515.sys

2010-11-24 18:04 . 2001-11-20 16:08 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys

2010-11-24 18:03 . 2001-11-20 16:03 14080 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys

2010-11-24 18:02 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2010-11-24 16:21 . 2010-11-24 16:21 -------- d-----w- C:\ubuntu

2010-11-24 13:41 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-24 13:41 . 2010-11-24 13:41 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware

2010-11-24 13:41 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-24 11:15 . 2010-11-24 11:10 296448 ----a-w- C:\l7dvg7sq.exe

2010-11-23 18:28 . 2010-11-24 12:49 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-11-23 18:09 . 2010-11-23 18:09 -------- d-----w- c:\documents and settings\User\Defini

Link to post
Share on other sites

These need to be replaced with copies from a sp3 machine.

ipnat.sys and ndiswan.sys

If you do not have access to another machine you can maybe get them from a service pack 3 install.

Please download the standalone windows XP SP3 package from here:

http://www.microsoft.com/downloads/en/deta...;displaylang=en

and save it to your desktop.

Then extract the files from the package by going to Start -> Run and entering:

"%userprofile%\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe" -x:C:\xpsp3

This will place the service pack 3 updates to the i386 folder into your C drive under the folder "xpsp3"

If that folder is created then do the following.

Please go to Start>Run type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off
sc delete vbma6b97
expand C:\xpsp3\i386\ipnat.sy_ c:\ipnat.sys
expand C:\xpsp3\i386\ndiswan.sy_ c:\ndiswan.sys
del %0

Then please double click on fixthis.bat a window will open and close quickly.This is normal.

Then let me know if these 2 files are present

c:\ipnat.sys

and

c:\ndiswan.sys

Link to post
Share on other sites

OK great.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

Delete\uninstall anything else that we have used that is leftover.

After that your all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article Some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.