MalwareCheapShot 0 Posted December 4, 2010

Hello, I was advised by email from Emsisoft to post here, i.e.:

> Hello, many thanks for the delivered file.
> ***** Virus / Malware ! *****
> This is a malicious file (virus/trojan/malware) according to our analysis. Please use the quarantine feature to remove the infection. If the removal task fails please contact the malware experts in our forum: http://forum.emsisoft.com
> Have a nice (malware-free) day!
> Your Emsisoft Analysis Team

I have followed your "START HERE" instructions. Here are the logs you have asked for. Thank you very much.
Kevin Zoll 309 Posted December 4, 2010

Your logs show no malware. What was the name of the file you submitted for analysis?
MalwareCheapShot 0 Posted December 5, 2010 (Author)

> Your logs show no malware. What was the name of the file you submitted for analysis?

I have other logs that I could post for you. My problem is that I think this computer is part of a server system and it should not be. From boot it is somehow hijacked into NT and into MS/Servers. I have Comcast and Windows XP SP3. What is happening here? If you could help me at all, as I am at a loss for what to do next. Thank you.

I have found this in the reply from Emsisoft:

Emsi Software GmbH - www.emsisoft.com
Mamoosweg 14, 5303 Thalgau, Austria
Commercial register: FN238178m, VAT-ID: ATU57263749
ADMINISTRATOR *** e-mail address was removed *** {Lynx}
> product: a2start.exe 5.0.0.84
> infotxt:
> ** password: virus!
> ** vdbbuild: 77285
> ** engine: T3.dll 1.1.90.0
>
> date/time: 04.12.2010 00:13
> ** filename: SMITREM.EXE
> original path: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP
> ** filename: SMITREM.EXE
> filesize: 383836 byte
> ** virusname: APPL!IK
> ** signatureId: 2
> ** md5sum: fe173247d68dcabaff30056e5d99adc8
>
> Host: 76.127.70.94
>
> User: ADMINISTRATOR *** e-mail address was removed *** {Lynx}
> Message:
> wish someone would help me I have big problems and I am just passing them around
Kevin Zoll 309 Posted December 5, 2010

SmitRem is a specialty malware removal tool. It was created to remove the SmitFraud family of malware.

Download -->> OTL <<-- to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Attach both logs with your next reply.
MalwareCheapShot 0 Posted December 5, 2010 (Author)

> SmitRem is a specialty malware removal tool. It was created to remove the SmitFraud family of malware.
>
> Download -->> OTL <<-- to your desktop.
> Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
> When the window appears, underneath Output at the top change it to Minimal Output.
> Check the boxes beside LOP Check and Purity Check.
> Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
> When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
> Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
> Attach both logs with your next reply.

Thank you. Here is the log; the scan was run exactly as requested. I also received an email asking me to remove my email address from above and I am not quite sure how to do that. Thanks again.
Lynx 34 Posted December 5, 2010

> I also received an email asking me to remove my email address

Hi MalwareCheapShot,

I'm not sure who sent you a message re: posting e-mail address, but that was absolutely correct. Please never post any private info into any open forum(s). (E-mail address was removed.)

My regards
MalwareCheapShot 0 Posted December 5, 2010 (Author)

> Hi MalwareCheapShot,
>
> I'm not sure who sent you a message re: posting e-mail address, but that was absolutely correct. Please never post any private info into any open forum(s). (E-mail address was removed.)
>
> My regards

Thank you, and I am sorry it happened. It will not happen again.
Kevin Zoll 309 Posted December 5, 2010

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

```
:OTL
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
:Files
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
C:\Documents and Settings\Administrator\Application Data\inst.exe
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
```

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Attach the new log produced by OTL.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
MalwareCheapShot 0 Posted December 5, 2010 (Author)

> Run OTL.exe
> Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:
>
> :OTL
> O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
> O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
> O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
> :Files
> C:\WINDOWS\*.tmp
> C:\WINDOWS\System32\*.tmp
> C:\Documents and Settings\Administrator\Application Data\inst.exe
> :Commands
> [purity]
> [emptytemp]
> [resethosts]
> [start explorer]
> [Reboot]
>
> Then click the Run Fix button at the top.
> Let the program run unhindered, reboot when it is done.
> Attach the new log produced by OTL.
>
> Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

I have done as you asked. No problems running the fix; it went just as you said. I noticed that the computer's resources are not being taxed as they were. Here is the requested log file. Thank you.
Kevin Zoll 309 Posted December 6, 2010

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

```
:OTL
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
:Commands
[emptytemp]
[start explorer]
[Reboot]
```

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Attach the new log produced by OTL.
MalwareCheapShot 0 Posted December 6, 2010 (Author)

> Run OTL.exe
> Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:
>
> :OTL
> O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
> O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
> O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
> :Commands
> [emptytemp]
> [start explorer]
> [Reboot]
>
> Then click the Run Fix button at the top.
> Let the program run unhindered, reboot when it is done.
> Attach the new log produced by OTL.

Here is the OTL log after the fix was applied.
Kevin Zoll 309 Posted December 6, 2010

Download avz4.zip from here.
Unzip it to your desktop to a folder named avz4.
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the right of the Log window.
Click Start to begin the update.
Note: If you receive an error message, choose a different source, then click Start again.
After the update, from the "File" menu, choose "Standard Scripts".
Put a check next to item 2: Advanced System Investigation.
Click Execute selected scripts.
At the next prompt, click the OK button.
Let the scan run and click "OK" when the completion prompt pops up.
Now close out of the Standard Scripts window, and exit AVZ.
Navigate to the avz4 folder and locate the folder LOG.
Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip.
Attach the compressed file, virusinfo_syscheck.zip, to your next reply.
MalwareCheapShot 0 Posted December 6, 2010 (Author)

> Download avz4.zip from here.
> Unzip it to your desktop to a folder named avz4.
> Double click on AVZ.exe to run it.
> Run an update by clicking the Auto Update button on the right of the Log window.
> Click Start to begin the update.
> Note: If you receive an error message, choose a different source, then click Start again.
> After the update, from the "File" menu, choose "Standard Scripts".
> Put a check next to item 2: Advanced System Investigation.
> Click Execute selected scripts.
> At the next prompt, click the OK button.
> Let the scan run and click "OK" when the completion prompt pops up.
> Now close out of the Standard Scripts window, and exit AVZ.
> Navigate to the avz4 folder and locate the folder LOG.
> Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip.
> Attach the compressed file, virusinfo_syscheck.zip, to your next reply.

REPLY: I tried to download AVZ from "HERE" as you specified and got a "404 ERROR", and did not want to do anything until told to do so by you. So what is the next move? I have noticed that the computer is slower than molasses! THANK YOU AGAIN.
Kevin Zoll 309 Posted December 6, 2010

Stop using the reply with quotes button. It is adding needless text to your replies.

Download ComboFix from one of these locations:
Link 1
Link 2
Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.

* IMPORTANT !!! Save Combo-Fix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach logs for: ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
MalwareCheapShot 0 Posted December 6, 2010 (Author)

Hope this is the right button to reply with? Well, after I posted last I tried AVZ again and it downloaded. Here is the AVZ log you requested. So before I use the next thread I will WAIT for your expert advice! Thanks.

(1) One more thing: I am not spell checking as all my writing disappears and never returns.
Kevin Zoll 309 Posted December 6, 2010

Close all windows then double click on AVZ.exe.
Click File > Custom scripts.
Copy & paste the contents of the following codebox in the box in the program:

```
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFile('C:\WINDOWS\system32\MsSip1.dll');
DeleteFile('C:\WINDOWS\system32\MsSip2.dll');
DeleteFile('C:\WINDOWS\system32\MsSip3.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1','$DLL');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2','$DLL');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3','$DLL');
ClearHostsFile;
ExecuteSysClean;
RebootWindows(true);
end.
```

Note: When you run the script, your PC will be restarted.
Click Run.
Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
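The AVZ script above removes `$DLL` values under the WinTrust SubjectPackages registry key, which is where Windows is told which DLL to load when verifying a file's signature; a planted DLL there (the MsSip*.dll names in the thread) sits in the trust-verification path itself. The audit below is an added example, not part of the thread or of AVZ, that lists every `$DLL` entry under that key and flags any that does not resolve to a Microsoft-signed file in System32. The key path comes from the script above; the "Microsoft-signed in System32" expectation is an assumption about a clean system, not something the thread states.

```powershell
# Added example (not from the thread): audit WinTrust SubjectPackages "$DLL" values.
# Assumption: on a clean system each "$DLL" names a Microsoft-signed DLL in System32.
function Get-WinTrustSubjectPackageAudit {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages'
    if (-not (Test-Path -LiteralPath $base)) { return @() }   # key absent: nothing to audit

    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -LiteralPath $base | ForEach-Object {
        $key = $_
        $dll = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'$DLL'
        if (-not $dll) { return }    # subkey without a $DLL value: skip

        # Expand %SystemRoot%-style references; bare file names load from System32.
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

        $status = 'MISSING'
        $signer = ''
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $inSystem32 = $path -like (Join-Path $system32 '*')
        $msSigned   = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

        # NeedsReview is a triage flag, not a verdict: catalog-signed system files can
        # report NotSigned on older Windows, so confirm before acting on a hit.
        [pscustomobject]@{
            Subject     = $key.PSChildName
            Dll         = $dll
            Resolved    = $path
            SigStatus   = $status
            Signer      = $signer
            NeedsReview = -not ($inSystem32 -and $msSigned)
        }
    }
}

Get-WinTrustSubjectPackageAudit | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Entries marked NeedsReview with a path outside System32, a MISSING file, or a non-Microsoft signer are the ones worth comparing against the DLL names and registry values the AVZ script targets.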