Infected PC

#1 Deathlocke

Deathlocke

    Member

  • Members
  • PipPip
  • 11 posts
  • OS:Windows 7 x64
  • AV:I have the Newest Emsisoft Anti-Malware, Malwarebyte's Anti-Malware, and Advanced System Care 4
  • HIPS:All I have is the Malware Guard from Emsisoft Anti-Malware program
  • Other:Advanced System Care 4

Posted 05 July 2011 - 12:42 AM

I ran the Anti-Malware virus scan on my PC this morning and ran into a bit of a problem: it found 4 serious high-risk viruses, but when I click on Quarantine this is what I get:
H:\Documents\Downloads\ba.exe/BIOSAG.EXE - File not found
H:\Downloads\ba.exe/BIOSAG.EXE - File not found
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/BIOSAG.EXE - File not found
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/TVICHW32.VXD - File not found
My question is: how did the Anti-Malware find 4 high-risk viruses in files that cannot be found?

I ran the Deep Scan and found these problems. I included the OTL.txt file and the Asquared Report file...[attachment=5977:a2scan_110704-040003.txt][attachment=5978:OTL.Txt]

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12617 posts
  • LocationDepauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 05 July 2011 - 01:02 AM

These appear to be Intel Chipset drivers for your motherboard.
H:\Documents\Downloads\ba.exe/BIOSAG.EXE 	detected: Trojan.Agent2!IK
H:\Downloads\ba.exe/BIOSAG.EXE 	detected: Trojan.Agent2!IK
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/BIOSAG.EXE 	detected: Trojan.Agent2!IK
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/TVICHW32.VXD 	detected: Trojan.Agent2!IK
 
Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O4 - HKLM..\RunOnce: [lplayu_0]  File not found
    O4 - HKLM..\RunOnce: [lplayu_1]  File not found
    O4 - HKLM..\RunOnce: [lplayu_2]  File not found
    O4 - HKLM..\RunOnce: [lplayu2] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [lplayu3] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [LP Cookie Remover] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [LP Firefox removal1] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [lpunonce] C:\Users\Drothar\AppData\Local\Temp\lplayun.exe ()
    O4 - Startup: C:\Users\Drothar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RAT 9 Charge Indicator.lnk = C:\Users\Drothar\AppData\Roaming\Microsoft\Installer\{72A099DE-9782-4679-85AD-0731EF87EA53}\_5B5E5C8CB886861B14F432.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - AutoRun File - [2010/11/26 17:24:17 | 000,000,000 | -H-D | M] - C:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2008/08/08 23:27:09 | 000,000,000 | ---D | M] - D:\Autorun -- [ NTFS ]
    O32 - AutoRun File - [2010/11/26 17:24:18 | 000,000,000 | -H-D | M] - D:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010/11/26 17:24:18 | 000,000,000 | -H-D | M] - E:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2006/04/17 10:21:47 | 000,000,000 | ---D | M] - G:\Autorun -- [ CDFS ]
    O32 - AutoRun File - [2006/03/03 12:02:09 | 000,000,086 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2005/10/14 17:07:27 | 000,106,496 | R--- | M] () - G:\autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2011/03/21 11:40:07 | 000,001,333 | ---- | M] () - H:\AutoHarvest-3.00 - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2011/03/21 11:40:08 | 000,001,305 | ---- | M] () - H:\AutoLoot-1.4 - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2011/03/21 11:40:08 | 000,000,841 | ---- | M] () - H:\autorun - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2006/10/19 18:59:08 | 000,000,045 | ---- | M] () - H:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/02/03 18:29:07 | 000,004,287 | ---- | M] () - N:\AutoHarvest-3.00.zip -- [ NTFS ]
    O32 - AutoRun File - [2009/02/03 18:39:59 | 000,000,908 | ---- | M] () - N:\AutoLoot-1.4.zip -- [ NTFS ]
    O32 - AutoRun File - [2006/10/19 18:59:08 | 000,000,045 | ---- | M] () - N:\autorun.inf -- [ NTFS ]
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup\rsrc\Autorun.exe
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell\dinstall\command - "" = F:\Directx\dxsetup.exe
    O33 - MountPoints2\{8087ab73-53c0-11e0-a835-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{8087ab73-53c0-11e0-a835-806e6f6e6963}\Shell\AutoRun\command - "" = G:\Autorun\UbiAutorun.exe -- [2005/11/02 18:38:59 | 000,204,800 | R--- | M] (UBISOFT)
    [2008/08/14 08:21:12 | 000,086,920 | ---- | C] (Adobe Systems Incorporated) -- C:\ProgramData\adobetmp000114775
    
    :Commands
    [Purity]
    [EmptyFlash]
    [ResetHosts]
    [Start Explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Edited by ShadowPuterDude, 07 July 2011 - 12:00 AM.
corrected error in OTL fix

Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall
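The O4 lines in the fix above are RunOnce entries whose targets either no longer exist ("File not found") or launch through cmd.exe or a Temp folder. As an added example (not part of this thread, and not OTL or Emsisoft code), the following PowerShell audits the same Run/RunOnce keys, including the Wow6432Node view on x64, and reports entries with those characteristics:

```powershell
# Added example: audit Run/RunOnce autostart entries the way OTL's O4 lines do.
# Flags targets that no longer exist, entries that launch via cmd.exe, and
# entries running from a Temp folder. Read-only: nothing is removed.
$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line: a quoted path, or the first token.
function Get-ExePath([string]$cmd) {
  if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
  return ($cmd -split '\s+', 2)[0]
}

function Get-AutostartFindings {
  foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
      $cmd  = [string]$item.GetValue($name)
      $exe  = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
      $note = @()
      if ([string]::IsNullOrWhiteSpace($exe)) {
        $note += 'empty command'
      } else {
        # Equivalent of OTL's "File not found": the autostart target is gone.
        if (-not (Test-Path -LiteralPath $exe)) { $note += 'File not found' }
        if ($exe -match '\\cmd\.exe$')  { $note += 'launches via cmd.exe' }
        if ($exe -match '\\Temp\\')     { $note += 'runs from a Temp folder' }
      }
      if ($note.Count -gt 0) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Finding = ($note -join '; ') }
      }
    }
  }
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys are readable; the output is a review list, and an orphaned RunOnce entry is not by itself proof of infection.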

#3 Deathlocke


Posted 06 July 2011 - 11:47 PM

Well, I ran the fix through OTL. I copied every single thing in the code box like you requested, then pasted it into OTL and clicked on Run Fix. This error message popped up. Does this mean that the fix did not work, or that it was unable to complete? [attachment=6012:07062011_184251.log]

#4 Kevin Zoll


Posted 07 July 2011 - 12:01 AM

I corrected an error in the OTL fix. Run the corrected fix in my previous post.

#5 Deathlocke


Posted 07 July 2011 - 04:22 AM

Well, I copied and pasted from the box just like before, and now this is the error message that I got... [attachment=6015:07062011_231739.log]

#6 Kevin Zoll


Posted 08 July 2011 - 01:00 AM

Copy & paste the fix into notepad first and make sure it looks exactly like the one I posted. Then Copy & Paste it to OTL.

#7 Deathlocke


Posted 08 July 2011 - 03:15 AM

OK, I copied and pasted the fix into Notepad. I read through the fix in Notepad 3 times and it is identical to what you posted. I then copied and pasted it into OTL and ran the fix. I am still getting this error popup message. The error is as follows: [attachment=6023:07072011_212008.log]

#8 Deathlocke


Posted 08 July 2011 - 05:23 AM

Here is the OTL.txt file that was generated when I ran OTL again after the error message. I'm not sure if it will help you out or not, but I am sending it to you just in case. [attachment=6024:OTL1.Txt]

#9 Kevin Zoll


Posted 09 July 2011 - 12:36 AM

  • Copy/paste the attached fix into the Custom Scans/Fixes box located at the bottom of OTL.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#10 Deathlocke


Posted 09 July 2011 - 03:58 AM

OK, well, the fix made it completely through and rebooted the computer. I then reran OTL, and here is the OTL.txt file that was generated after the fix had been applied: [attachment=6031:OTL.Txt] I haven't run the Emsisoft Anti-Malware scan yet, but I will post the file when I am done running it to see if everything has been fixed.

#11 Kevin Zoll


Posted 09 July 2011 - 09:41 PM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

 
Attach logs for:
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#12 Kevin Zoll


Posted 17 July 2011 - 10:57 PM

Thread Closed

Reason:
Lack of Response

PM either ShadowPuterDude, SpySentinel, or JeanInMontana to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.