S&D cannot be deleted. S&D and IE exe cannot be launched

This is some follow-up to the prior post so please also see the prior post. Two items.


1. The rootkit instructions were just about scanning so I did not do any repair steps. Just wanted to be sure I was doing the right thing there.

2. When a repair is done and a reboot is required, is there a rule of thumb whether or not to reboot in normal vs. safe mode? That is, does a reboot into safe mode bypass whatever pending update there is that required a reboot in the first place and therefore I should do those reboot by booting into a normal session?
 
Hi,

There was nothing to repair so you're fine.

You need to enable Windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again


C:\WINDOWS\system32\drivers\vbma3a2b.sys <--This file

If the site is busy you can try this one
http://virusscan.jotti.org/en
 
When I did that, the VirusTotal screen "went dark" and a window popped up that said

SENDING FILE
Do not close this window until the upload ends. The time required for this operation depends on the file size, the net load and your connection speed

then the pop up window closed, the "darkness" goes away to where I see the regular VirusTotal screen but nothing happens. There is no report, no message, no query to get an e-mail address from me to send a report to. It is as if I had never uploaded the file at all.

Am I doing something wrong or is the virus intercepting what I am trying to do?

I tried to zip the file and attach it to this post, but the zip process got an error. The log for the zip process says

Action: Add (and replace) files Include subfolders: yes Save full path: no
Include system and hidden files: yes
Adding vbma3a2b.sys
Warning: could not open for reading: C:\WINDOWS\system32\drivers\vbma3a2b.sys
copying Zip file
 
Hi,

I did not ask you to zip and attach the file. What am I going to do with it? I just need you to upload it to a site to be checked.

Try the second link I posted if VirusTotal won't work
 
I did the choose file then submit file and in the Status: / Upload progress: area it says

File is empty (0 bytes)!

which brings to mind the error that I got when trying to zip the file, which was

Warning: could not open for reading:

I bet these scanning sites are not able to open up the file.
 
Try this, I just want to make sure it's not a legit file before we remove it

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    vbma3a2b.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
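The pattern the thread is chasing is a driver that the directory listing shows but that no user-mode tool can open (VirusTotal reports "File is empty (0 bytes)!", SystemLook reports "Unable to find/read file"). The script below is an added example, not part of this thread or of SystemLook: it enumerates a directory, tries to open and hash every entry, and flags the ones that are listed but unreadable or empty. The driver path and the sample files are assumptions; a kernel-mode rootkit that filters file I/O can lie to this script exactly as it lied to SystemLook, so a flagged entry is a lead, not proof.

```python
import hashlib
import os
import tempfile


def probe_file(path):
    """Open and hash one file the way an on-disk scanner would.

    Returns (status, sha256_hex). status is one of:
      "readable"        normal file; the hash can be looked up on VirusTotal
      "empty"           open succeeds but 0 bytes come back ("File is empty (0 bytes)!")
      "unable_to_find"  listed by the directory, but open() says it does not exist
      "unable_to_read"  exists, but every read attempt is refused
    """
    try:
        with open(path, "rb") as handle:
            data = handle.read()
    except FileNotFoundError:
        return ("unable_to_find", None)
    except OSError:  # PermissionError and friends
        return ("unable_to_read", None)
    if not data:
        return ("empty", None)
    return ("readable", hashlib.sha256(data).hexdigest())


def find_unreadable(listing):
    """Return [(file name, status)] for every listed path that is not plainly readable."""
    flagged = []
    for path in listing:
        status, _digest = probe_file(path)
        if status != "readable":
            flagged.append((os.path.basename(path), status))
    return flagged


def scan_driver_dir(directory=r"C:\WINDOWS\system32\drivers"):  # assumed default location
    """Enumerate a directory and flag entries that cannot be read normally."""
    paths = [os.path.join(directory, name) for name in sorted(os.listdir(directory))]
    return find_unreadable(paths)


def build_sample_listing():
    """Constructed sample data: a normal driver, a zero-byte one, and a name that the
    listing reports but that cannot be opened (no file of that name is ever written)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "good.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # constructed stand-in for a real PE header
    open(os.path.join(tmp, "empty.sys"), "wb").close()
    return [os.path.join(tmp, n) for n in ("good.sys", "empty.sys", "vbma3a2b.sys")]


if __name__ == "__main__":
    for name, status in find_unreadable(build_sample_listing()):
        print(f"{name}: {status}")
```

Run `scan_driver_dir()` on a real machine to check the drivers folder; the sample listing only exercises the classification offline.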
The tool cannot find the file (and I verified that it is still there). I also tried the tool with the fully qualified path.

SystemLook 04.09.10 by jpshortstuff
Log created at 16:58 on 06/01/2011 by Paul Brown
Administrator - Elevation successful

========== file ==========

vbma3a2b.sys - Unable to find/read file.

-= EOF =-

SystemLook 04.09.10 by jpshortstuff
Log created at 16:58 on 06/01/2011 by Paul Brown
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\drivers\vbma3a2b.sys - Unable to find/read file.

-= EOF =-
 
The file is not zipped, it's just an .exe file

If they won't work, try doing this in Safemode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode

Plug this into System Look

:file
C:\WINDOWS\system32\drivers\vbma3a2b.sys

Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, one at a time, into the "Suspicious files to scan" box on the top of the page
  • make sure the scan is complete and the results saved before submitting the next one.

    C:\WINDOWS\system32\drivers\vbma3a2b.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
 
Hi,

Tried w/ & w/o path in safe mode under admin ID. Same results. Cannot read file. Also, I cannot do the 2nd 1/2 of your instructions because IE was disabled in addition to SB S&D way back at the beginning of when all of this started. I have been using Google Chrome to access the internet.

SystemLook 04.09.10 by jpshortstuff
Log created at 19:28 on 07/01/2011 by Administrator
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\drivers\vbma3a2b.sys - Unable to find/read file.

-= EOF =-

SystemLook 04.09.10 by jpshortstuff
Log created at 19:29 on 07/01/2011 by Administrator
Administrator - Elevation successful

========== file ==========

vbma3a2b.sys - Unable to find/read file.

-= EOF =-
 
It tells me "Error. Can't upload the file".

Also...

I thought I remembered that during one of my attempts early on to install SB S&D that it had the option to add a scan to a right click menu and I selected to do that.

I thought I would try it on this file that we are trying to check out. (Safe mode; admin ID.) The right click option was not there but there was one there for Malwarebytes. I tried that but it did not launch. I reinstalled the app, tried the right click on the file again and it launched the app and tried to scan. The status showed a few seconds ticking by (so the scan was "in progress") and then the application screen just disappeared (just like when doing a full scan.)
 
Let's not worry about that for the time being, let's run this program

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
I cannot run the app (Safe mode; admin ID.)

A tiny window with no borders and a progress bar opens. The progress bar goes all the way to the right, nothing else happens and then a few seconds later the tiny window goes away.

Regarding my last post, when I was in the Malware tool, I saw a tab or button or something that was a "File assassin". Should I try running that against the vbma3a2b.sys file?
 
Hi,

Removing this garbage can most times be very frustrating but hang in there and we will get it removed. I have been at this close to 7 years and am affiliated with many malware forums, all of us helpers work together helping each other to remove this junk. What you have is a Rootkit, it's new and I was not aware of it until a few hours ago. That file is bad but File Assassin would do no good as this infection will just put it back. Combofix will remove this infection but the rootkit is preventing it from running, so this is what you need to do.

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.

Look for vbma3a2b or vbma or something like [cmz vmkd], if found, Right Click on it and select Disable. <--Important...not delete

Then give Combofix another go
 
Thanks for the encouraging words. I appreciate them. One of the blessings of children is that they teach patience. I still have room for improvement but I like to think I have learned some over the years! So I am hanging in there! :-)

I think I got to the same place (BTW, I am running XP, SP3). Safe mode, Admin ID, My Computer, Properties, hardware, I clicked Device Manager, then View, then Show Hidden Devices. I do not see any of the file names that you have listed. Here is what I see:

(Hopefully I did not miss anything or have any typos. Typed once, verified once and again checked the spelling on all of the odd looking stuff.)

ADF Networking Support Environment
ASPI32
Beep
ceaf (with a caution sign on it)
Cisco systems inc, IPsec driver
Creative Interface Manager Driver (WDM)
Creative SoundFont Manager Driver (WDM)
dmboot
dmload
fips
Generic Packer Classifier
HTTP
IP Network Address Translator
IPSEC Driver
ksecdd
Logitech LVPr2Mon Driver
mnmdd <-- triple checked the spelling
mountmgr
NDIS System Driver
NDIS Usermode I/O Protocol
NDProxy
NetBios over Tcpip
Normandy SR2
Null
ONSIO <-- triple checked the spelling
PartMgr
ParVdm <-- triple checked the spelling
RDPCDD <-- triple checked the spelling
Remove access auto connection Driver
Remove access IP ARP Driver
SASDIFSV <-- triple checked the spelling
SASKUTIL <-- triple checked the spelling
Secdrv <-- triple checked the spelling
TCP/IP Protocol Driver
VgaSave <-- triple checked the spelling
VolSnap <-- triple checked the spelling
vsdatant <-- triple checked the spelling
Windows Driver Foundation - User-mode Driver Framework Platform Driver
Windows socket 2.0 non-IFS Service provider Support Environment
 
You may not have gone far enough

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.
 
I do not have a "Tool" button to pick but I think I am getting to where you want me to go.... just another way...

I just forgot to say the Non-plug and Play Drivers part. I took a bmp pic of where I am at and zipped it. You can look at the attachment to see where I was at.
 
First reboot your system into normal Windows and log in with your usual account, not Administrator, and give it another look

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.

If you still don't see them look here
Device Manager under System Devices

When you find them right click and disable them and then give CF another try
 
Normal logon (not safe mode) with normal ID (which has admin rights but is NOT the official "Administrator" account that I have been using when I boot into safe mode).

[cmz vmkd] was under System devices. I disabled it. Launched Combofix. It showed the same tiny window again and it seemed to get further in the install (the hourglass would show, go away, come back, go away again ... did that about a 1/2 dozen times but then it still just stopped running (the tiny little window went away)). By tiny window, I mean tiny... just barely large enough for the progress bar to fit on. BTW, the progress bar goes all the way to the right like it did 100% of that particular part of the install and then after that is when the hourglass comes and goes like it is trying to do more of an install.
 
See prior post. I am adding in here a zipped jpeg pic of the System Devices. BTW, neither of the VBMA items showed in the system devices area. Just the [cmz vmkd] one is what showed.
 