
Advised to Post Here by Emsisoft on Line Submission



Hello, I was advised by e-mail from Emsisoft to post here, i.e.:

Hello,

many thanks for the delivered file.

***** Virus / Malware ! *****

This is a malicious file (virus/trojan/malware) according to our

analysis. Please use the quarantine feature to remove the infection.

If the removal task fails please contact the malware experts in our

forum: http://forum.emsisoft.com

Have a nice (malware-free) day!

Your Emsisoft Analysis Team

I have followed your "START HERE" instructions. Here are the logs you asked for. Thank you very much.


Your logs show no malware. What was the name of the file you submitted for analysis?

I have other logs that I could post for you. My problem is that I think this computer is part of a server system and it should not be. From boot, somehow hijacked into NT and into MS/Servers. I have Comcast and Windows XP SP3. What is happening here? If you could help me at all, as I am at a loss for what to do next.

Thank you. I have found this in the reply from Emsisoft:

Emsi Software GmbH - www.emsisoft.com

Mamoosweg 14, 5303 Thalgau, Austria

Commercial register: FN238178m, VAT-ID: ATU57263749

ADMINISTRATOR *** e-mail address was removed *** {Lynx}

> product: a2start.exe 5.0.0.84

> infotxt:

> ** password: virus!

> ** vdbbuild: 77285

> ** engine: T3.dll 1.1.90.0

>

> date/time: 04.12.2010 00:13

> ** filename: SMITREM.EXE

> original path: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP

> ** filename: SMITREM.EXE

> filesize: 383836 byte

> ** virusname: APPL!IK

> ** signatureId: 2

> ** md5sum: fe173247d68dcabaff30056e5d99adc8

>

> Host: 76.127.70.94

>

> User: ADMINISTRATOR *** e-mail address was removed *** {Lynx}

> Message:

> wish someone would help me I have big problems and I am just passing them around

>

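Before acting on a verdict like the one quoted above, it is worth confirming that the file on the desktop is the same bytes the vendor analysed: the report carries the size and MD5, so a local copy can be checked against it. The following is an added example for this thread, not Emsisoft's code. REPORT is a trimmed copy of the report quoted above (file-related lines only, with the host and user lines left out); the sample bytes in demo() are constructed and are not SMITREM.EXE.

```python
"""Parse an Emsisoft submission report and check a local copy of the sample
against it.  Added example for this thread, not Emsisoft's code.  REPORT is
a trimmed copy of the report quoted in the thread (file-related lines only);
the sample bytes in demo() are constructed and are not SMITREM.EXE."""
import hashlib
import re

REPORT = """\
> product: a2start.exe 5.0.0.84
> infotxt:
> ** vdbbuild: 77285
> ** engine: T3.dll 1.1.90.0
> date/time: 04.12.2010 00:13
> ** filename: SMITREM.EXE
> original path: C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\DESKTOP
> filesize: 383836 byte
> ** virusname: APPL!IK
> ** signatureId: 2
> ** md5sum: fe173247d68dcabaff30056e5d99adc8
"""

# "> key: value" or "> ** key: value"; the key stops at the first colon, so
# "date/time: 04.12.2010 00:13" keeps its full value.
_LINE = re.compile(r"^>\s*(?:\*\*\s*)?([^:]+?):\s*(.*)$")


def parse_report(text):
    """Return the report's fields as a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(2).strip():          # skip empty headers like "infotxt:"
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    if "filesize" in fields:                  # "383836 byte" -> 383836
        fields["filesize"] = int(fields["filesize"].split()[0])
    return fields


def check_sample(data, fields):
    """Report which recorded attributes the local bytes match (size and MD5)."""
    return {
        "size": len(data) == fields.get("filesize"),
        "md5": hashlib.md5(data).hexdigest() == fields.get("md5sum", "").lower(),
    }


def demo():
    """Parse REPORT, then compare a constructed stand-in file against it and
    against a record re-keyed to that stand-in (the matching case)."""
    fields = parse_report(REPORT)
    constructed = b"this is not the analysed SMITREM.EXE"   # constructed stand-in
    mismatch = check_sample(constructed, fields)
    rekeyed = dict(fields, filesize=len(constructed),
                   md5sum=hashlib.md5(constructed).hexdigest())
    match = check_sample(constructed, rekeyed)
    return fields, mismatch, match


if __name__ == "__main__":
    fields, mismatch, match = demo()
    print(fields["filename"], fields["virusname"], fields["md5sum"])
    print("local copy matches the report:", mismatch)
    print("re-keyed record matches:", match)
```

In practice, read the desktop file's bytes and pass them to check_sample with the parsed report; if either size or MD5 does not match, the verdict applies to a different file than the one on disk and the quarantine step should wait until the right sample has been identified.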

SmitRem is a specialty malware removal tool. It was created to remove the SmitFraud family of malware.

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Thank you: here is the log. The scan was run exactly as requested. I also received an email asking me to remove my email address from above and I am not quite sure how to do that. Thanks again.

I also received an email asking me to remove my email address
Hi MalwareCheapShot,

I'm not sure who sent you a message re: posting e-mail address, but that was absolutely correct.

Please never post any private info into any open forum(s)

e-mail address was removed

My regards


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    
    :Files
    C:\WINDOWS\*.tmp
    C:\WINDOWS\System32\*.tmp
    C:\Documents and Settings\Administrator\Application Data\inst.exe
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I have done as you asked. No problems running the fix; it went just as you said. I noticed that the computer's resources are not being taxed as they were. Here is the requested log file. Thank you.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL


Here is the OTL Log after fix was applied.


Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


REPLY: I tried to download AVZ from "HERE" as you specified and got a "404 ERROR", and did not want to do anything until told to do so by you. So what is the next move? I have noticed that the computer is slower than molasses! THANK YOU AGAIN.


Stop using the reply with quotes button. It is adding needless text to your replies.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Hope this is the right button to reply with? Well, after I posted last I tried AVZ again and it downloaded. Here is the AVZ log you requested. So before I use the next thread I will WAIT for your expert advice! Thanks. One more thing: I am not spell checking, as all my writing disappears and never returns.


Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    DeleteFile('C:\WINDOWS\system32\MsSip1.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip2.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip3.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3','$DLL');
    ClearHostsFile;
    ExecuteSysClean;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

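The OTL fix posted earlier in this thread ("Run OTL.exe", with the :OTL, :Files and :Commands sections) and the AVZ custom script just above both delete files, remove registry entries, reset the hosts file and reboot. A user who is asked to paste a script like this into a tool should be able to see what it will touch before clicking Run; in particular the :Files section uses wildcards (C:\WINDOWS\*.tmp), which remove every matching file, not one named file. The following is an added example, not part of the thread and not code from OTL or AVZ; it previews both scripts as posted, handles only the directives that actually appear in them (the OTL sections, and AVZ's DeleteFile and RegKeyParamDel, ClearHostsFile and RebootWindows), and lists anything else as unrecognised rather than guessing. Both script texts are copied from the thread.

```python
"""Preview what a posted OTL or AVZ fix script will touch before running it.
Added example, not part of the thread and not OTL's or AVZ's own code.  Only
the directives used in the two scripts posted in the thread are understood;
anything else is listed under "other" so the reader still sees it."""
import re

OTL_FIX = """\
:OTL
O3 - HKLM\\..\\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O7 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present

:Files
C:\\WINDOWS\\*.tmp
C:\\WINDOWS\\System32\\*.tmp
C:\\Documents and Settings\\Administrator\\Application Data\\inst.exe

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
"""

AVZ_FIX = """\
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFile('C:\\WINDOWS\\system32\\MsSip1.dll');
DeleteFile('C:\\WINDOWS\\system32\\MsSip2.dll');
DeleteFile('C:\\WINDOWS\\system32\\MsSip3.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Services\\WinTrust\\SubjectPackages\\MS Subjects 1','$DLL');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Services\\WinTrust\\SubjectPackages\\MS Subjects 2','$DLL');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\\CurrentControlSet\\Services\\WinTrust\\SubjectPackages\\MS Subjects 3','$DLL');
ClearHostsFile;
ExecuteSysClean;
RebootWindows(true);
end.
"""

_AVZ_DELETE = re.compile(r"DeleteFile\('([^']*)'\)")
_AVZ_REGDEL = re.compile(r"RegKeyParamDel\('([^']*)','([^']*)','([^']*)'\)")


def _empty():
    return {"files": [], "wildcards": [], "registry": [],
            "hosts_reset": False, "reboot": False, "other": []}


def _add_file(p, path):
    # A path containing * or ? removes every match, so it is listed apart.
    (p["wildcards"] if re.search(r"[*?]", path) else p["files"]).append(path)


def preview_otl(text):
    """OTL fix: ':Section' headers, then one item, path or [command] per line."""
    p, section = _empty(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            continue
        if section == "otl":
            p["registry"].append(line)       # O3/O6/O7 items are registry-backed
        elif section == "files":
            _add_file(p, line)
        elif section == "commands":
            cmd = line.strip("[]").lower()
            if cmd == "resethosts":
                p["hosts_reset"] = True
            elif cmd == "reboot":
                p["reboot"] = True
            else:
                p["other"].append(line)
        else:
            p["other"].append(line)
    return p


def preview_avz(text):
    """AVZ script: one Pascal-style call per line between 'begin' and 'end.'."""
    p = _empty()
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line in ("begin", "end."):
            continue
        m = _AVZ_DELETE.fullmatch(line)
        if m:
            _add_file(p, m.group(1))
            continue
        m = _AVZ_REGDEL.fullmatch(line)
        if m:
            p["registry"].append("%s\\%s : %s" % m.groups())
            continue
        if line == "ClearHostsFile":
            p["hosts_reset"] = True
        elif line.startswith("RebootWindows"):
            p["reboot"] = True
        else:
            p["other"].append(line)
    return p


def preview(text):
    """Pick the parser from the first non-blank line (':' for OTL, else AVZ)."""
    first = next(l.strip() for l in text.splitlines() if l.strip())
    return preview_otl(text) if first.startswith(":") else preview_avz(text)


if __name__ == "__main__":
    for name, script in (("OTL", OTL_FIX), ("AVZ", AVZ_FIX)):
        p = preview(script)
        print(name, "deletes", p["files"], "by wildcard", p["wildcards"])
        print(name, "registry", p["registry"], "hosts reset", p["hosts_reset"],
              "reboot", p["reboot"], "other", p["other"])
```

The point of listing "other" instead of silently skipping it is that a fix script pasted from a forum is only as trustworthy as the helper who wrote it; anything the preview does not understand should be read by the person about to run it.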
This topic is now closed to further replies.