Had a client get hit with the Fake Antivirus (Internet Security 2010).

When trying to run Malwarebytes or any other popular program, it runs for a few seconds and then the running program shuts down.

HijackThis gives the same result.

Followed instructions here

http://forums.malwarebytes.org/index.php?showtopic=9573

Attached are results ...

Defogger ran fine ...

DDS ran fine ...

GMER Rootkit Scanner ran for a few seconds and shut down just like the first programs.

Any help is appreciated. I fix numerous computers; this is the first one that has done this.

Attach.txt

DDS.txt


Hello smkdvr42

Welcome to Malwarebytes.

=====================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Here ya go ...

TDSSKiller.2.4.12.0_23.12.2010_08.39.19_log.txt


Ok do you have an xp cd?

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    parport.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

When attempting to run it I get an error ..

'This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem.'


Ok we will do it another way.

Please go to Start > Run and type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as look.bat on your Desktop.

@ECHO OFF
REM Recursively list every file on C: (bare names, lower-case, all attributes)
REM and keep only the lines containing parport.sys, appended to look.txt on the Desktop
cmd /c dir C:\*.* /L /A /B /S|Find "parport.sys" >> "%userprofile%\desktop\look.txt"
REM Delete this batch file once it has run
del %0

Then please double-click on look.bat; a window will open and close quickly. This is normal.

Post the contents of look.txt that will be on your desktop in your next reply.

Also do you have an xp cd?

Ok, it might be a day or two before I can try this so please be patient with me

Yes, I do have an XP disk


Ok great please do the following.

Open notepad and copy the following text inside of the code box below into the empty notepad document.

disable vbmab1ea
ren C:\Windows\system32\drivers\vbmab1ea.sys vbmab1ea.old
ren C:\WINDOWS\system32\DRIVERS\parport.sys parport.old
copy c:\windows\servicepackfiles\i386\parport.sys C:\WINDOWS\system32\DRIVERS\
exit

Then go to File > Save and save it exactly like this:

C:\fix.txt

===========

Once that is done place the xp cd in the cd drive then restart the system.

Make sure to press a key at the "Press any key to boot from cd" message.

Once the setup window appears press R to "Repair an installation using the Recovery Console" if this is not an option let me know.

Once the Recovery Console loads up, you will have to type in a number that corresponds to your Windows installation. This is normally just 1. Press Enter and then type in the Administrator password.

If no password then leave it blank then hit enter.

It should look like this: [screenshot: recoveryconsole-thumb.png]

At the next prompt type in batch C:\fix.txt C:\results.txt and hit Enter.

It should return to the prompt on the next line; then type in exit and hit Enter and the system will restart.

=======================

Once it reboots do the following.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also post this log C:\Results.txt

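
The look.bat search above (every copy of parport.sys on C:) and the Recovery Console fix (replace the installed driver with the copy from C:\WINDOWS\ServicePackFiles\i386) together amount to one check: does the driver on disk still match the known-good copy? The following Python script is an added example, not code from this thread or from Malwarebytes, that automates that check. It walks a tree for every file with the given name, hashes each copy, and reports the ones that differ from the reference. The directory layout, the file names and the file contents are constructed inside the script for demonstration; on a real machine you would point it at the system drive and the ServicePackFiles reference instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large driver never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str) -> list[Path]:
    """Every file under root whose name matches case-insensitively: the same
    result as 'dir C:\\*.* /L /A /B /S | find "parport.sys"' in look.bat."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == wanted:
                hits.append(Path(dirpath) / f)
    return sorted(hits)


def compare_to_reference(reference: Path, copies: list[Path]) -> dict[Path, bool]:
    """Map each copy to True when it is byte-identical to the reference copy."""
    ref_hash = sha256_of(reference)
    return {p: sha256_of(p) == ref_hash for p in copies}


def check_driver(root: Path, name: str = "parport.sys") -> list[str]:
    """Paths (relative to root, '/' separators) of copies that do NOT match the
    ServicePackFiles reference, i.e. the candidates for replacement."""
    reference = root / "WINDOWS" / "ServicePackFiles" / "i386" / name
    results = compare_to_reference(reference, find_copies(root, name))
    return sorted(p.relative_to(root).as_posix() for p, ok in results.items() if not ok)


def build_demo_tree() -> Path:
    """Constructed sample layout mimicking the XP paths from the thread; the
    bytes are NOT a real driver. ServicePackFiles and dllcache hold the clean
    copy, system32\\drivers holds a copy with extra code appended."""
    root = Path(tempfile.mkdtemp(prefix="xp_demo_"))
    clean = b"MZ" + b"\x00" * 62 + b"parport driver (constructed sample)"
    tampered = clean + b"\x90" * 16 + b"code appended by malware (constructed)"
    layout = {
        "WINDOWS/ServicePackFiles/i386/parport.sys": clean,
        "WINDOWS/system32/dllcache/parport.sys": clean,
        "WINDOWS/system32/drivers/parport.sys": tampered,
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    reference = demo_root / "WINDOWS" / "ServicePackFiles" / "i386" / "parport.sys"
    for p, ok in compare_to_reference(reference, find_copies(demo_root, "parport.sys")).items():
        print("OK     " if ok else "DIFFERS", p.relative_to(demo_root).as_posix())
```

Two caveats a practitioner would keep in mind. A hash comparison catches in-place patching that leaves the file size unchanged, which a size check alone would miss. And a rootkit that is active while the check runs can hide or spoof the file it has patched, which is why the thread does the rename and copy from the Recovery Console rather than from the running system; run the comparison from offline media for the same reason.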
Ok, see attached results ...

results.txt

combofix.txt


Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan inside archives.
  • Click Scan
  • Wait for the scan to finish
  • Click on the option that says Export to text file.
  • Save it to your desktop and post the contents here in your next reply.
  • Once the log is saved click the option to delete quarantined threats and Uninstall application on close.


Post the malwarebytes log that you say found more infections please.

Ok do the following only for the programs that say access denied when you delete them:

Click Here and download this program.

Save it to the desktop.

Drag only the files that cannot be deleted on to the program you just downloaded.

A box will pop up and say OK.

Then you can move onto the next file and then on down the list.


Malware and AVG coming back clean

If I read the instructions on inherit file that would be good .. it won't run from a thumb drive .. runs great when I moved it to the desktop

Everything seems to be running smoothly ....

Any more suggestions or things to run from you??

You have been great .. this would have been a nightmare without your help.

Working on another .. seems it will be a breeze so far ....


If I read the instructions on inherit file that would be good
The only instructions are to take the file that cannot be deleted and drag and drop it onto inherit; then a box will come up saying done.

No more needs to be done with it.

What files cannot be deleted?

Did the box say ok after you dragged the files onto inherit?

The infections found by mbam are already deleted/quarantined.

If you continue to run scanner before we are done they will detect the same stuff in the same locations.

The ones AVG found were some leftover temp files.

I tried to drag the inherit file from my thumb drive to the file on the desktop .. it gave an error

I then moved it to the desktop and dragged it on top of the file again and it worked great

I think you said in your instructions to put it on the desktop .. that is what I meant by if 'i would have read the instructions'

Thanks again for your help

Do you suggest I do any more on this machine?


Ok no problem.

Nothing else to do but remove what we used.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

Delete\uninstall anything else that we have used that is leftover.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast

This topic is now closed to further replies.