I foolishly opened a virus and now I have pop-ups and can't access the C Drive. I ran AVG (free version) and this is all that turned up. [img=http://img41.imageshack.us/img41/9514/53748761.jpg]
Also, in my Windows temporary folder are 4 files called PartialTrustWpfCallingWcf_TemporaryKey. Don't know if that's important.
Thanks for any help.

Hi,
Can you please post your AVZ log:
1) To create the logfile, download AVZ by clicking HERE (http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.
3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.
You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.
Uh, how do I use that link?
This is the message when I try to access the C Drive: Windows cannot find 'RECYCLER/S-3-5-27-100032528-100020612-100013709-3551.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
copy and paste the link?
My computer times out before it's able to open the file.
http://rapidshare.com/files/2335060... I realized that I can actually access the C Drive when I first log on until a process called "tempo-137515.tmp" starts running. Also, all the bookmarks I just made before I restarted are gone.
Run this script in AVZ the same way you did before:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\autorun.inf','');
QuarantineFile('spnm.sys','');
QuarantineFile('\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll','');
DeleteFile('\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll');
DeleteFile('spnm.sys');
DeleteFile('C:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot, after which check and see if you can access the C drive. If you can, run a full scan with AVG.
Also once you reboot can you send me copy of this file C:\WINDOWS\system32\drivers\udffsrec.sys to check, upload it to rapidshare and private message me the link. Thanks
http://rapidshare.com/files/2335141... Thanks, I can get onto the C drive now and I'm not having pop-ups. I'm going to bed right now so I won't do a scan, but I'll do it in the morning.
So this is basically fixed now?
There are a few more steps I will tell you about after you post your scan results.
Ugh, it took a real long time to load up Windows. I tried 4 times and ended up stuck on the loading screen. I gave up hope and left the room but when I came back 15 minutes later it was working. Starting scan with AVG free now.
And I can still access the C drive but the pop-ups have started again. Also, yesterday my Recycle Bin emptied without me telling it to. (But that was before I ran that AVZ code.)
All right, here's the result of the scan:

File; Infection; Result
"\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll"; "Trojan horse Agent2.GUF"; "Infected"
"C:\Documents and Settings\Jake\Desktop\Firefox\firefox.exe (1984)"; "Trojan horse Agent2.GUF"; "Infected"
"C:\Documents and Settings\Jake\Desktop\Quarantine\2009-05-16\avz00001.dta"; "Virus found Worm/AutoRun"; "Moved to Virus Vault"
"C:\Documents and Settings\Jake\Desktop\Quarantine\2009-05-16\avz00002.dta"; "Trojan horse Agent2.GUF"; "Moved to Virus Vault"
"C:\WINDOWS\Temp\tempo-137515.tmp"; "Trojan horse FakeAlert.KH"; "Moved to Virus Vault"
"C:\WINDOWS\Temp\tempo-1432296.tmp"; "Trojan horse FakeAlert.KH"; "Moved to Virus Vault"
Attach a ComboFix log; please review and follow these instructions carefully. Download it here -> http://download.bleepingcomputer.co...
Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause ANTIVIRUS/SPYWARE PROGRAMS until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.
Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.
Thanks for responding so quickly. First a couple of questions: 1. To make sure no other programs are running, can I just close all my windows and disable Steam and IPodService?
2. To shut down my antivirus, can I just right-click it and select "Exit" from the bottom toolbar?
1) Yes
2) Just disable on-access/file scanning in AVG.
Do you have any ideas on how to disable the scanner? Windows Task Manager just ignores the command.
I can't find any options in the application itself.
AVG help doesn't have anything.
I even disabled AVG8_TRAY at start-up with Startup Inspector but there are still AVG tasks running. (Restarted the computer.) I'll keep looking.
That's fine, ComboFix will disable the rest. If you are on Vista, run it as admin or run it from an administrative account.
Never mind, I got it disabled. But,
First ComboFix asked me whether I wanted to update it. I said "yes". Afterwards, it restarted and a program called pevFind.exe failed. After that, a message came up and told me that my copy of ComboFix may be tainted and for peace of mind I should get a fresh one. I stopped there. Help?
Make the AVZ log again, as in Response Number 1, and paste me the link.
Also try to re-download ComboFix; don't use Firefox to download it.
Sorry for being slow, system stalled restarting. Assuming the new log rewrote the old one, this is the one you need:
I'm trying to download Internet Explorer 8 from the Microsoft Download Center but only 0 kb files get downloaded.
All right, I've got ComboFix downloaded with Google Chrome.
Try to run it.
Got the same message. pev.cfexe failed and then I was cautioned to cancel:
Send me these files to inspect:
c:\windows\system32\dll.dll
C:\WINDOWS\system32\MsSip1.dll
C:\WINDOWS\system32\MsSip2.dll
C:\WINDOWS\system32\MsSip3.dll
C:\WINDOWS\system32\stisvc.exe
Copy those files to the desktop and private message me the download link.
Also, if you have another computer nearby, download ComboFix on it and transfer it via USB drive.
I don't have any of those files. (Nor a windows folder in lower case letters.) I do have a "mssip32.dll" though.
I have another computer so I'll download ComboFix onto a zip drive.
I also have a "sti.dll" and a "sti_ci.dll". BTW, thank you so much for the help you've given me so far.
Directory names are case insensitive. Look again properly: go to Folder Options --> Show hidden files. All those files should be under C:\WINDOWS\system32\
I "ctrl+F" searched system32 with "Search hidden files and folders" enabled and none of those files turned up. Plus, I already have hidden files visible. (There aren't any that I can see in system32.) Where should I download ComboFix from?
Same thing happened. Think I should just go ahead with it?
Go ahead?
I still have the option to continue but I've been ending it. Should I say yes, continue?
First try to run ComboFix in safe mode and see if it gives you any problems. Post a screenshot of that continue window.
I ran it in safe mode and I got the same error+caution+continue window. The continue window looks just like the one in the tutorial you linked.
The continue window is the "Combofix Disclaimer".
OK continue.
I'm in safe mode right now. Should I keep going or switch back to normal mode?
Safe mode is ok.
It says I don't have the "Microsoft Windows recovery console" installed and without it the program won't attempt to fix serious problems. ComboFix also gives me the option to download it. For now I'm going to switch out of safe mode so I have internet and then download it.
Yes. Make sure you install recovery console.
Ack. I clicked no thinking it would exit but it kept going. Now it's saying it's detecting rootkit activity and needs to reboot the machine. It also gave me two files to copy onto paper. The only option it gave me is OK. I assume that I should keep going and not turn off the machine.
Whatever happens, do not hard reboot; let it finish what it's doing. What were the file names?
C:\WINDOWS\system32\drivers\gxvxcoesowykmxobhcttypdrgrrshkdbqlrvi.sys
C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll
Still have the pop-up problem. Think I should install the recovery console and try again?
Is ComboFix still running? What stage is it at?
There's nothing related to ComboFix visible on my computer so I assume it's over. I'm trying to install the recovery console right now but using the CD doesn't work since my copy of Windows is "newer" than the one on the CD. I'll keep looking.
Did it reboot? Re-read Response Number 15. "... Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post."
I posted the log in Response Number 49.
Right now I'm trying to download the recovery console, but every image file I find seems to be missing the "winnt32.exe" I'm getting told to use.
Leave the recovery console for now. Seems I overlooked your post about the log. Follow these steps: Run this script in AVZ:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.
Lastly, uninstall ComboFix by: pause AV > Start > Run > type Metroid.exe /u > OK. Or Start > Run > type Metroid /u > OK.
Also, scan with Malwarebytes' Anti-Malware and attach its log, but please don't fix anything yet, until the log is reviewed.
http://rapidshare.com/files/2338199...
http://rapidshare.com/files/2338200...
I can't seem to uninstall ComboFix. The Run program says it can't find Metroid.exe or Metroid, and if I add "C:\Documents and Settings\ yaddayaddayadda" to the beginning it says it can't find "C:\Documents". Scanning with Anti-Malware now.
You named ComboFix Metroid.exe, correct? Try it from safe mode since you ran ComboFix from safe mode. Continue with the Malwarebytes scan and post the log once it finishes.
Log file from malwarebytes:
http://rapidshare.com/files/2338283...
As for ComboFix, you're saying I should type "Metroid.exe /u" from the Run program in Safe mode?
Yes for 59, safe mode. Fix what Malwarebytes detected.
1) If you use Windows System Restore, turn it off > reboot
2) Do a full scan with the Kaspersky AVP tool. http://devbuilds.kaspersky-labs.com...
Once you download and start the tool, select all the objects to be scanned and hit Scan. Post me the log/screenshot of what it detects (detected window) once it has finished, and fix what it recommends.
3) Then turn System Restore back on, if you wish; this is to remove malware from System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?q...
4) Uninstall the AVP tool.
Edit- Never mind. On it.
I can't post the entire log since it was 100+ MB, but here's the important stuff. I deleted all the infected files. (It says 84% complete because I had to turn off the computer, but when I restarted and rescanned the entire hard drive it didn't pick up any viruses.)

84% - Scan
----------
Scanned: 1129384
Detected: 3
Untreated: 3
Start time: 5/16/2009 7:34:07 PM
Duration: 03:09:46
Finish time: 5/16/2009 11:15:44 PM

Detected
--------
Status Object
------ ------
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak

Right now my recycle bin is emptying without me telling it to, but other than that I'm not noticing any weird behavior.
OK, it seems the virus is removed. Those are just ComboFix quarantined files.
All right, thanks a lot!!!
The bolded file below does not appear to be in the ComboFix quarantine folder, C:\Qoobox, and should be deleted manually.
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak
C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak <-- that file is a .bak/residual; it wasn't running on your system and the AVP tool took care of it. You fixed all the stuff that the AVP tool detected, correct? Also try to uninstall ComboFix.
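The point made twice in this thread (first with the AVG result table, then with the AVP tool listing) is that a scanner re-detecting a file inside a quarantine folder is not a live infection, while a hit outside one still needs attention. The script below is an added example, not part of the thread and not code from AVG, ComboFix, AVZ or Kaspersky: it parses both log layouts and flags only the entries that still need action. The sample logs are constructed from the detections quoted above, and the quarantine roots (ComboFix's C:\Qoobox and the AVZ Quarantine folder on the desktop) are assumptions to adjust per machine.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample in AVG's "File;Infection;Result" export layout, using the
# detections quoted in the thread (the "(1984)" suffix is the PID AVG appends
# to a running process it flagged).
SAMPLE_AVG_LOG = r'''File;Infection;Result
"\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll";"Trojan horse Agent2.GUF";"Infected"
"C:\Documents and Settings\Jake\Desktop\Firefox\firefox.exe (1984)";"Trojan horse Agent2.GUF";"Infected"
"C:\Documents and Settings\Jake\Desktop\Quarantine\2009-05-16\avz00001.dta";"Virus found Worm/AutoRun";"Moved to Virus Vault"
"C:\WINDOWS\Temp\tempo-137515.tmp";"Trojan horse FakeAlert.KH";"Moved to Virus Vault"
'''

# Constructed sample in the layout of the AVP tool "Detected" listing in the thread.
SAMPLE_AVP_LOG = r'''detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak
'''

# Folders the tools in the thread quarantine into. Assumed for this example;
# adjust to the machine being cleaned.
QUARANTINE_ROOTS = [
    PureWindowsPath(r"C:\Qoobox"),
    PureWindowsPath(r"C:\Documents and Settings\Jake\Desktop\Quarantine"),
]

AVP_LINE = re.compile(r"^detected:\s+(?P<verdict>.+?)\s+File:\s+(?P<path>\S.*?)\s*$")


def parse_avg_results(text):
    """Return (path, infection, result) tuples from AVG's semicolon export."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";", quotechar='"'))
    return [tuple(r) for r in rows[1:] if len(r) == 3]  # rows[0] is the header


def parse_avp_detections(text):
    """Return (verdict, path) tuples from the AVP tool's 'detected:' lines."""
    found = []
    for line in text.splitlines():
        m = AVP_LINE.match(line.strip())
        if m:
            found.append((m.group("verdict"), m.group("path")))
    return found


def _casefold_parts(path_str):
    # Windows paths compare case-insensitively, so compare lower-cased components.
    return tuple(part.lower() for part in PureWindowsPath(path_str).parts)


def is_quarantined(path_str):
    """True if the path lies under a known quarantine root.

    Members of an archive are reported as <archive>.zip/<member>, with forward
    slashes after the archive name, so only the on-disk part is compared.
    """
    archive, sep, _member = path_str.partition(".zip/")
    on_disk = archive + ".zip" if sep else path_str
    parts = _casefold_parts(on_disk)
    for root in QUARANTINE_ROOTS:
        root_parts = _casefold_parts(str(root))
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def classify_avp(text):
    """Split AVP detections into quarantined copies and files still on the system."""
    report = {"quarantined": [], "live": []}
    for _verdict, path in parse_avp_detections(text):
        report["quarantined" if is_quarantined(path) else "live"].append(path)
    return report


def action_items(avg_text, avp_text):
    """Paths that still need attention: AVG hits not vaulted, AVP hits outside quarantine."""
    pending = [path for path, _infection, result in parse_avg_results(avg_text)
               if result != "Moved to Virus Vault"]
    pending += classify_avp(avp_text)["live"]
    return pending


if __name__ == "__main__":
    for path in action_items(SAMPLE_AVG_LOG, SAMPLE_AVP_LOG):
        print("needs attention:", path)
```

Run against the two constructed logs it reports three items: the two AVG entries left as "Infected" (the globalroot DLL and the flagged firefox.exe process) and the .bak file in system32 that sits outside C:\Qoobox, which matches the helper's reading of the AVP listing.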
