Virus/Malware: [SOLVED] SysProtect and many more.., Spyware Attack

Jimbitz (topic starter)
post Dec 18 2006, 01:47 AM
Junior Member, 240 posts
Joined: Jan 2003
From: 47810

Hello.. I would like some help regarding this problem I have here. The spyware/virus has infected my sister's notebook. I guess it has started to spread at an alarming rate now. I managed to clean some of them until I came to a complete halt for now.. Each time I scan it with any available tool it will shut down automatically. This even happened in Safe Mode.

Here is the HijackThis log..



Any help would be much appreciated..

I had tried VundoFix, NOD32, AVG Anti-Spyware, Spybot S&D, SpySweeper.. most of them would result in an immediate shutdown during the scanning process..

Thanks in advance..

This post has been edited by Jimbitz: Dec 24 2006, 08:47 PM
sUBs
post Dec 18 2006, 02:09 AM
RIP, VIP, 3,941 posts
Joined: Jan 2005
First off, I don't like having too many applications on the machine.
If SpySweeper & AVG Anti-Spyware are trial copies, uninstall them now.


----------------


Do a HijackThis scan, place a check next to these items and select "Fix checked":



----------------


Download this file - ComboFix

* IMPORTANT !!! Place combofix.exe on your Desktop


Go to Start → Run, copy/paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /v ucfqftan rghahshr awvtr fcyyx

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

This post has been edited by sUBs: Dec 18 2006, 02:10 AM
Jimbitz
post Dec 18 2006, 03:01 AM

HijackThis Log


O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINDOWS\winmgr.exe (file missing) - keeps on showing up in HijackThis even after I fix it.

This post has been edited by Jimbitz: Dec 18 2006, 03:17 AM
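An O23 entry marked "(file missing)" is a service that is still registered under HKLM\SYSTEM\CurrentControlSet\Services although its image is gone from disk; when HijackThis leaves such an entry in place, deleting the registration by its service key name is what clears it. As an added example (my code, not part of the original thread and not HijackThis's own), here is a small Python triage script for O23 lines: it parses the "O23 - Service: <display name> (<key name>) - <owner> - <path>" layout shown above, scores the signals a helper reads off such a line, and prints the sc stop / sc delete commands for the key name. The sample log is constructed; only the Windows Man Service line comes from the thread, and the C:\WINDOWS and C:\Program Files locations used by the heuristics are assumed XP-era defaults.

```python
# Added example, not from the thread: parse HijackThis O23 service entries and
# score the signals a malware-removal helper reads off them.
import re
from dataclasses import dataclass, field

# Constructed sample log for this example. Only the "Windows Man Service" line
# is the one quoted in the thread; the other three are made up to show the
# contrast with services that parse the same way but raise no flag.
SAMPLE_LOG = """\
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\\WINDOWS\\winmgr.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe -k rpcss
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

# Layout of an O23 line:
#   O23 - Service: <display name> (<service key name>) - <owner> - <image path> [(file missing)]
# The key name in parentheses is what "sc" and the Services registry key use.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed system drive layout for the location heuristics (XP-era defaults).
WINDIR = "c:\\windows"
STANDARD_ROOTS = (WINDIR + "\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"].strip(),
        name=m["name"].strip(),
        owner=m["owner"].strip(),
        path=m["path"].strip(),
        file_missing=m["missing"] is not None,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic flags. None is conclusive alone ("Unknown owner" is
    normal for many Microsoft services), so they accumulate into a score."""
    low = entry.path.lower()
    # Strip svchost-style arguments so the location checks see only the image.
    exe = low.split(".exe", 1)[0] + ".exe" if ".exe" in low else low
    exe_dir = exe.rsplit("\\", 1)[0]

    if entry.file_missing:
        entry.flags.append("image file missing: orphaned service registration")
    if entry.owner.lower() == "unknown owner" and "microsoft" in entry.display.lower():
        entry.flags.append("Microsoft-branded display name with no vendor information")
    if exe_dir == WINDIR:
        entry.flags.append("executable sits directly in %WINDIR% rather than system32")
    elif not exe.startswith(STANDARD_ROOTS):
        entry.flags.append("executable outside Windows and Program Files")
    return entry


def triage(log_text: str) -> list:
    """Parse every O23 line in a HijackThis log, most suspicious first."""
    entries = [e for e in map(parse_o23, log_text.splitlines()) if e]
    return sorted(map(assess, entries), key=lambda e: e.score, reverse=True)


def remediation(entry: ServiceEntry) -> list:
    """Commands for an elevated cmd.exe when the HijackThis fix leaves the
    entry behind: stop, delete by key name, then confirm the registry key is
    gone (the final query should report that it cannot find the key)."""
    return [
        f'sc stop "{entry.name}"',
        f'sc delete "{entry.name}"',
        f'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services\\{entry.name}"',
    ]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.name}: {e.path}")
        for f in e.flags:
            print("    -", f)
        if e.score >= 2:
            for cmd in remediation(e):
                print("    >", cmd)
```

The score threshold is deliberately low: a single flag is a reason to ask about an entry, two or more are a reason to pull the service's image (if present) for submission before removing the registration.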
sUBs
post Dec 18 2006, 03:06 AM
Combofix log is incomplete
sUBs
post Dec 18 2006, 03:17 AM
Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\paqjgflr.exe
C:\WINDOWS\system32\xxyvt.dll
C:\WINDOWS\system32\pmkkl.dll


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/submit-malware.php?channel=4
Please include a link to this topic in the message.


----------------------


2006-12-17 13:53 <DIR> d-------- C:\DOCUME~1\Amalina\APPLIC~1\WholeSecurity

Tell me what you know about this folder. It was created yesterday afternoon. Do not delete it. Just tell me if you know which program created it.


----------------------


I shall require the rest of the combofix log & logs from these other programs...


Please download this tool > http://www.kztechs.com/sreng/sreng2.zip

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.


------------------


Please download Sysinternals' Autoruns from here > http://download.sysinternals.com/Files/Autoruns.zip
  • Extract the contents of the zipped file into its own folder.
  • Then, download this file > http://download.bleepingcomputer.com/sUBs/AutoCmd.zip
  • Extract the contents to the same folder as before
  • Doubleclick on AutoCmd.cmd & select option '1'
  • It shall produce a log for you. Place it as an attachment in your next reply. Do not post it
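
The WholeSecurity line sUBs quotes above is a "recently created" entry from the ComboFix log, and the question he asks (what created this, and when) is the timeline triage step. As an added example (my code, not from the thread and not ComboFix's own), this Python snippet applies that step to such a listing: it parses the date, attributes and path of each line, computes the entry's age relative to the time of the post, and tags anything new that landed in a user profile or in system32. The listing is constructed around the one WholeSecurity line from the thread; the file-line layout (a size where a directory shows <DIR>) and the reference time are assumptions.

```python
# Added example, not from the thread: age-based triage of a ComboFix-style
# "recently created" listing.
import re
from datetime import datetime

# Reference point for "how new is this": the time of the helper's post (assumed).
LOG_TIME = datetime(2006, 12, 18, 3, 17)

# Constructed listing. The WholeSecurity directory line is the one quoted in
# the thread; the rest are made up in the same layout. The file-line layout
# (size in place of <DIR>) is an assumption about the ComboFix format.
SAMPLE_LISTING = """\
2006-12-17 13:53 <DIR> d-------- C:\\DOCUME~1\\Amalina\\APPLIC~1\\WholeSecurity
2006-12-17 13:41 81,920 --a------ C:\\WINDOWS\\system32\\xxyvt.dll
2006-12-16 22:05 <DIR> d-------- C:\\Program Files\\Spybot - Search & Destroy
2006-11-02 09:12 1,048,576 --a------ C:\\WINDOWS\\system32\\drivers\\etc\\hosts.bak
"""

# <date> <time> <size or <DIR>> <9 attribute characters> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+)$"
)

# Lower-cased path prefixes (8.3 and long forms) where a brand-new entry
# deserves a question before anything is deleted.
WATCH_PREFIXES = {
    "user-profile": ("c:\\docume~1\\", "c:\\documents and settings\\"),
    "system32": ("c:\\windows\\system32\\",),
}


def parse_line(line: str):
    """Return a dict for one listing line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
    is_dir = m["size"] == "<DIR>"
    return {
        "created": created,
        "is_dir": is_dir,
        "size": 0 if is_dir else int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "path": m["path"],
    }


def triage(listing: str, now: datetime = LOG_TIME, window_hours: float = 48) -> list:
    """Entries created within window_hours of `now`, newest first, each tagged
    with the watched location it falls under (None if it is somewhere else)."""
    hits = []
    for line in listing.splitlines():
        e = parse_line(line)
        if not e:
            continue
        e["age_hours"] = round((now - e["created"]).total_seconds() / 3600, 1)
        if e["age_hours"] > window_hours:
            continue
        low = e["path"].lower()
        e["location"] = next(
            (tag for tag, prefixes in WATCH_PREFIXES.items() if low.startswith(prefixes)),
            None,
        )
        hits.append(e)
    return sorted(hits, key=lambda e: e["age_hours"])


if __name__ == "__main__":
    for h in triage(SAMPLE_LISTING):
        kind = "dir " if h["is_dir"] else "file"
        print(f"{h['age_hours']:5.1f}h  {kind}  {h['location'] or '-':12}  {h['path']}")
```

Entries that fall inside the window but outside the watched locations (the Spybot folder in the constructed listing) still appear in the output, because the point of the step is to account for every new entry, not only the suspicious-looking ones.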


Jimbitz
post Dec 18 2006, 03:18 AM

ComboFix Log.

Jimbitz
post Dec 18 2006, 03:20 AM

ComboFix Log continued..


sUBs
post Dec 18 2006, 03:30 AM
Perform these tasks after you have completed the stuff from post #5


--------------------


Open Notepad and copy/paste the text in the quotebox below into it:

Save this as fix.bat. Choose "Save as type: All Files".
Double click on fix.bat & allow it to run


--------------------


Run combofix once more by doubleclicking on C:\Documents and Settings\Amalina\desktop\combofix.exe
Then, post the resultant log


--------------------


After posting the ComboFix log, download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select "Move incurable".
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


This post has been edited by sUBs: Dec 18 2006, 03:32 AM
Jimbitz
post Dec 18 2006, 04:00 AM

QUOTE(sUBs @ Dec 18 2006, 03:17 AM)
2006-12-17 13:53 <DIR> d-------- C:\DOCUME~1\Amalina\APPLIC~1\WholeSecurity

Tell me what you know about this folder. It was created yesterday afternoon. Do not delete it. Just tell me if you know which program created it.
I'm sorry.. I don't know what program created that, because I've been trying lots of anti-spyware tools besides online scans..


Attached: SREng log
Attached: Autoruns log
Attached: ComboFix log

I'm on to Dr.Web CureIt now..
sUBs
post Dec 18 2006, 04:06 AM
DrWeb should take roughly an hour. Tell me: will you post it immediately, or will you be retiring to bed?
Jimbitz
post Dec 18 2006, 04:22 AM

QUOTE(sUBs @ Dec 18 2006, 04:06 AM)
DrWeb should take roughly an hour. Tell me: will you post it immediately, or will you be retiring to bed?
Actually I need to go back to my university today.. If DrWeb is done scanning I'll post it here ASAP. I might need to continue this later, next Friday.. I hope that is okay with you..

I'll PM you when I'm back at home again. Thanks for all the help up until this moment; so far the notebook hasn't shut down while I'm doing any scanning...

sUBs
post Dec 18 2006, 04:24 AM
After posting it, give me 5-10 minutes. We might be able to finish it off by today
Jimbitz
post Dec 18 2006, 05:41 AM

The notebook shut itself down after more than an hour of scanning. :sigh:

The same symptoms I encountered when using other scanners, be they online or offline.
sUBs
post Dec 18 2006, 05:49 AM
Before shutting down, did DrWeb indicate finding anything?

I'm inclined to believe that the shutdowns aren't malware related. More likely the machine is overheating, and that caused a protection mechanism to shut it down.
Jimbitz
post Dec 18 2006, 06:00 AM

I was away at the moment it shut down automatically. But all the while I was watching the progress, nothing had been found yet.. Maybe I need to continue this later; DrWeb sure does take a lot of time. I'm afraid I can't make it on time..
sUBs
post Dec 18 2006, 06:09 AM
By my estimate, the machine should be quite clean.

The next time you run DrWeb, disconnect from the net & shut down all unnecessary processes. Keep a fan on the lappy so that it remains cool
Jimbitz
post Dec 24 2006, 08:46 PM

I think the machine is clean now. Thanks for all your help sUBs..
