Deathlocke

Infected PC

12 posts in this topic

I ran the Anti-Malware virus scan on my PC this morning and ran into a bit of a problem. It found 4 serious high-risk viruses, but when I click on Quarantine this is what I get:

H:\Documents\Downloads\ba.exe/BIOSAG.EXE - File not found

H:\Downloads\ba.exe/BIOSAG.EXE - File not found

N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/BIOSAG.EXE - File not found

N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/TVICHW32.VXD - File not found

My question is: how did the Anti-Malware find 4 high-risk viruses in files that cannot be found?

I ran the Deep Scan and found these problems. I included the OTL.txt file and the Asquared Report file...

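The report lines in this thread name entries inside archives (the part after the "/" in ba.exe/BIOSAG.EXE or Backup files 1.zip/TVICHW32.VXD), which is why a quarantine step can report "File not found" on a path that is not itself a file on disk. The following Python is an added example, not part of this thread or of any scanner, that parses such lines into container and member and states what a quarantine action would actually have to touch; the sample report is constructed from lines quoted above, and the `exists` callback is an assumption so it runs without the original drives.

```python
import os
from typing import Callable, NamedTuple, Optional

# Container types seen in this thread: an installer/self-extracting .exe
# and a backup .zip. The scanner opens these and reports entries inside them.
CONTAINER_EXTS = (".exe", ".zip")


class Detection(NamedTuple):
    container: str         # on-disk path the scanner actually opened
    member: Optional[str]  # entry inside the container; None if not nested
    signature: str


def parse_detection(line: str) -> Detection:
    """Parse one 'path<TAB>detected: <name>' report line."""
    path, sep, sig = line.partition("detected:")
    if not sep:
        raise ValueError(f"not a detection line: {line!r}")
    path = path.strip()
    # Windows paths use backslashes; the scanner uses '/' to descend into
    # an archive, so the first '/' marks the container/member boundary.
    container, slash, member = path.partition("/")
    if slash and container.lower().endswith(CONTAINER_EXTS):
        return Detection(container, member, sig.strip())
    return Detection(path, None, sig.strip())


def explain(det: Detection,
            exists: Callable[[str], bool] = os.path.exists) -> str:
    """Say what a quarantine action would actually have to touch."""
    if det.member is None:
        return f"plain file {det.container}: quarantine can move it directly"
    if not exists(det.container):
        return (f"{det.member} was inside {det.container}, which is no "
                "longer on disk; nothing left to quarantine")
    return (f"{det.member} is an entry inside {det.container}; the member "
            "is not a file on disk, so handle the container (remove it, "
            "or submit it as a false positive) instead of the reported path")


def triage(lines: list[str], exists=os.path.exists) -> list[str]:
    return [explain(parse_detection(l), exists) for l in lines if l.strip()]


# Constructed from two of the four lines quoted in this thread.
REPORT = [
    r"H:\Documents\Downloads\ba.exe/BIOSAG.EXE" + "\tdetected: Trojan.Agent2!IK",
    r"N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003"
    r"\Backup files 1.zip/TVICHW32.VXD" + "\tdetected: Trojan.Agent2!IK",
]
```

Calling `triage(REPORT)` on the original machine would use the real `os.path.exists`; pass your own callback to reason about a report copied from another system.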

These appear to be Intel Chipset drivers for your motherboard.

H:\Documents\Downloads\ba.exe/BIOSAG.EXE 	detected: Trojan.Agent2!IK
H:\Downloads\ba.exe/BIOSAG.EXE 	detected: Trojan.Agent2!IK
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/BIOSAG.EXE 	detected: Trojan.Agent2!IK
N:\DROTHAR-PC\Backup Set 2011-04-24 070003\Backup Files 2011-06-12 070003\Backup files 1.zip/TVICHW32.VXD 	detected: Trojan.Agent2!IK


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O4 - HKLM..\RunOnce: [lplayu_0]  File not found
    O4 - HKLM..\RunOnce: [lplayu_1]  File not found
    O4 - HKLM..\RunOnce: [lplayu_2]  File not found
    O4 - HKLM..\RunOnce: [lplayu2] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [lplayu3] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [LP Cookie Remover] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [LP Firefox removal1] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [lpunonce] C:\Users\Drothar\AppData\Local\Temp\lplayun.exe ()
    O4 - Startup: C:\Users\Drothar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RAT 9 Charge Indicator.lnk = C:\Users\Drothar\AppData\Roaming\Microsoft\Installer\{72A099DE-9782-4679-85AD-0731EF87EA53}\_5B5E5C8CB886861B14F432.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - AutoRun File - [2010/11/26 17:24:17 | 000,000,000 | -H-D | M] - C:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2008/08/08 23:27:09 | 000,000,000 | ---D | M] - D:\Autorun -- [ NTFS ]
    O32 - AutoRun File - [2010/11/26 17:24:18 | 000,000,000 | -H-D | M] - D:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010/11/26 17:24:18 | 000,000,000 | -H-D | M] - E:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2006/04/17 10:21:47 | 000,000,000 | ---D | M] - G:\Autorun -- [ CDFS ]
    O32 - AutoRun File - [2006/03/03 12:02:09 | 000,000,086 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2005/10/14 17:07:27 | 000,106,496 | R--- | M] () - G:\autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2011/03/21 11:40:07 | 000,001,333 | ---- | M] () - H:\AutoHarvest-3.00 - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2011/03/21 11:40:08 | 000,001,305 | ---- | M] () - H:\AutoLoot-1.4 - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2011/03/21 11:40:08 | 000,000,841 | ---- | M] () - H:\autorun - Shortcut.lnk -- [ NTFS ]
    O32 - AutoRun File - [2006/10/19 18:59:08 | 000,000,045 | ---- | M] () - H:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/02/03 18:29:07 | 000,004,287 | ---- | M] () - N:\AutoHarvest-3.00.zip -- [ NTFS ]
    O32 - AutoRun File - [2009/02/03 18:39:59 | 000,000,908 | ---- | M] () - N:\AutoLoot-1.4.zip -- [ NTFS ]
    O32 - AutoRun File - [2006/10/19 18:59:08 | 000,000,045 | ---- | M] () - N:\autorun.inf -- [ NTFS ]
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup\rsrc\Autorun.exe
    O33 - MountPoints2\{8087ab72-53c0-11e0-a835-806e6f6e6963}\Shell\dinstall\command - "" = F:\Directx\dxsetup.exe
    O33 - MountPoints2\{8087ab73-53c0-11e0-a835-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{8087ab73-53c0-11e0-a835-806e6f6e6963}\Shell\AutoRun\command - "" = G:\Autorun\UbiAutorun.exe -- [2005/11/02 18:38:59 | 000,204,800 | R--- | M] (UBISOFT)
    [2008/08/14 08:21:12 | 000,086,920 | ---- | C] (Adobe Systems Incorporated) -- C:\ProgramData\adobetmp000114775
    
    :Commands
    [Purity]
    [EmptyFlash]
    [ResetHosts]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Edited by ShadowPuterDude
corrected error in OTL fix

Well, I ran the fix through OTL. I copied every single thing in the code box like you requested, then I pasted it into OTL and clicked on Run Fix. This error message popped up. Does this mean that the fix did not work, or that it was unable to complete?


I corrected an error in the OTL fix. Run the corrected fix in my previous post.


Well, I copied and pasted from the box just like before, and now this is the error message that I got....


Copy & paste the fix into notepad first and make sure it looks exactly like the one I posted. Then Copy & Paste it to OTL.


OK, I copied and pasted the fix into my Notepad. I read through the fix in Notepad 3 times and it is identical to what you posted. I then copied and pasted it into OTL and ran the fix. I am still getting this error popup message. The error is as follows.


Here is the OTL.txt file that was generated when I ran OTL again after the error message. I'm not sure if it will help you out or not, but I am sending it to you just in case.


  • Copy/paste the attached fix into the Custom Scans/Fixes box located at the bottom of OTL.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


OK, well, the fix made it completely through and rebooted the computer. Then I reran OTL, and here is the OTL.txt file that was generated after the fix had been applied. I haven't run the Emsisoft Anti-Malware scan yet, but I will post the file when I am done running it to see if everything has been fixed.


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, SpySentinel, or JeanInMontana to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
