Tavo virus

OK ... I'm glad you can double-click your drives again ...

That's because these files have been deleted :-

C:\autorun.inf
D:\autorun.inf
G:\autorun.inf
H:\autorun.inf

The Diagnostic.txt you posted showed these :-

Files found on C:
autorun.inf

Files found on D:
autorun.inf

Files found on G:
autorun.inf

Files found on H:
autorun.inf

So I can only assume you ran the Mountpoints Diagnostic before you ran the Flash_Disinfector tool ... & not the other way round ... or the Diagnostic would have read altogether differently ... Don't worry about not finding the spq.bat; one of the malware removal programs must have removed it. Without the autorun.inf file to run it, it's history...

Please remind me what problems you still have, & give Combofix another try ...

steam said:
Delete the Combofix.exe file you have on your desktop ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

No need to install the recovery console again, you only need to do that once ...

Just follow the directions below...

Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic :-

http://www.bleepingcomputer.com/forums/topic114351.html

1. Double click on combofix.exe & follow the prompts.

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply.

If you need to refer to the tutorial, it's here :-

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
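An added example of what that Mountpoints Diagnostic was really looking at (this is not code from the thread or from any tool mentioned in it): it parses the [autorun] section of an autorun.inf and reports what double-clicking the drive would have launched, so a helper can tell a worm's "open=spq.bat" from a harmless icon-only file. The two sample files and the drive roots are constructed.

```python
import os
import re

# [autorun] keys that make Windows XP run a program when the drive is opened;
# shell\<verb>\command keys are matched separately below.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys; tolerant of
    other sections, comments, blank lines, mixed case and spaces around '='."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Every command the section would run: open=, shellexecute= and any
    shell\\<verb>\\command= (a bare 'shell=' only picks the default verb)."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            if value not in targets:
                targets.append(value)
    return targets

def drive_report(drive, text):
    targets = launch_targets(parse_autorun(text))
    if not targets:
        return f"{drive} autorun.inf launches nothing (icon/label only)"
    return f"{drive} autorun.inf would run: " + "; ".join(targets)

def scan_roots(roots):
    """Report on each root in `roots` that actually holds an autorun.inf."""
    reports = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                reports.append(drive_report(root, fh.read()))
    return reports

# Constructed samples: a worm-style file pointing at a batch file in the
# drive root, and a harmless one that only sets an icon and label.
SAMPLE_WORM = "[AutoRun]\r\nOPEN=spq.bat\r\nshell\\open\\Command=spq.bat\r\nshell=open\r\n"
SAMPLE_BENIGN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Drivers CD\r\n"
```

Calling scan_roots(["C:\\", "D:\\", "G:\\", "H:\\"]) on the affected machine would have produced one report line per drive that still carried an autorun.inf.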
 
Okay, Combofix still doesn't work.

I have disabled all the adware and antivirus software that I know of that's running in the background. They are Spybot and Symantec antivirus.

Unless of course all the other antivirus software you told me to scan with also establishes a secret background-running process, I believe that I have executed Combofix under the specified conditions.

Combofix would freeze at the "Please wait, ComboFix is starting soon" screen, and it would just stay there for EVER. After a while, I'd usually close Combofix and try to run it again; then I would not ever see a message in the Combofix window.

Lastly, I believe I cannot enter the boot menu to reach safe mode by pressing F8 when the computer starts.
 
Hi

I don't believe the problem is anything you have running in the background...

There are worms which corrupt Combofix so that it won't run (one in particular) ... though your logs don't show its presence ...

We have a special download of Combofix for these occasions ...

But before you can download it, we must make sure ALL traces of your present Combofix are removed ...

I am going to get you to run an uninstall command to remove Combofix ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK



After you have done that ... I want to draw your attention to these entries in one of the scans :-

Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\David\??\ComboFix.exe[327882R2FWJFW\pv.cfexe]

Virus:Trj/Bancos.RQ Disinfected C:\ComboFix(2)\pv.cfexe

these are false positives ... but it's the location I want you to check ...

RE: C:\ComboFix(2)\pv.cfexe

This implies you have 3 Combofix folders ...

C:\ComboFix
C:\ComboFix(1)
C:\ComboFix(2)

Make sure they are ALL deleted ...

RE: C:\Documents and Settings\David\??\ComboFix.exe (I presume this is your desktop)

Make sure NO Combofix.exe remains on your desktop

Lastly, there may be files in your temporary internet files, so ....

In IE click > Tools > Internet Options > Delete files ...

When you have done all that ... download Combofix from here, & try to run it again ...

http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe

-
RE: safemode

Have you tried to add a safe mode option to the boot.ini? Would you like to know how?

steam
 
I can't even delete Combofix. I ran the code:

"ComboFix /u", and after I pressed OK, Combofix just pops up and gets stuck there showing nothing but a blue screen.

And I ran the version that you gave me, because I thought I'd got Combofix all deleted; I even did a search for the phrase "combofix" on the C drive, and I deleted everything associated with it.

So now the new version doesn't work either, so I guess I never really did delete the old one...
 
Hi

There is no apparent reason why Combofix shouldn't run. Please run these rootkit scans (rootkits are hidden files etc.); let's see if they show anything ...

Download AVG Anti-Rootkit and save to your desktop

http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe

1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

& this one ...

Please download Sophos Anti-Rootkit, and save it on your desktop.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\Program Files\Sophos\Sophos Anti-Rootkit and double-click sargui.exe to start the program.
3. Make sure the following are checked:

- Running processes
- Windows Registry
- Local Hard Drives

4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-

%temp%\sarscan.log

then press Enter.

7. This should open the log from the rootkit scan.

Post the log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

steam
 
And I just tried to run Combofix again; it still doesn't work.

Note: I've repeated the steps required prior to running the special Combofix.
 
Hi David

Please run this :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum

-
Then please go to your system32 folder ... look for this file :-

C:\WINDOWS\system32\taskman32.exe ... it's malware

Please zip the file (in case I ask you to send me it later) ... then we're going to delete the unzipped file ...

Remember the malware file is taskman32.exe with the 32 in the filename ...

C:\WINDOWS\system32\taskman.exe is legitimate, DON'T touch that.

-

THEN ...

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box

Code:
Files to delete:
C:\WINDOWS\system32\taskman32.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

After the reboot... Post the contents of the file C:\Avenger.txt

-
Lastly please do this :-

1. Right click My computer
2. Click properties
3. Click the Advanced tab
4. Click the settings button in the "startup & recovery" box
5. Click the edit button
6. The Boot.ini file will open ... copy & paste the contents here please.

As soon as you've copied the contents, close the page ...

WARNING ... DO NOT edit the Boot.ini or your computer may not boot again ...

steam
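A defensive check for the lookalike-name trick described above, added here as an example (it is not from the thread or from any of the tools it mentions): given a directory listing, it flags names that collapse to a known legitimate binary once digits are stripped, as taskman32.exe does to taskman.exe, or that sit one character away from one. The allow-list and the listing are constructed; for a real scan you would pass os.listdir(r"C:\WINDOWS\system32") to lookalikes (assumed usage).

```python
import difflib
import re
from typing import List, Tuple

# Assumed short allow-list for the demo; a real one is built from a clean
# reference install of the same Windows version and service pack.
KNOWN_GOOD = {"taskman.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
              "explorer.exe", "winlogon.exe"}

def normalise(name: str) -> str:
    """Lower-case and drop digit runs from the stem: 'TaskMan32.exe' -> 'taskman.exe'."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:                      # no extension at all
        return re.sub(r"\d+", "", name.lower())
    return re.sub(r"\d+", "", stem) + "." + ext

def lookalikes(listing: List[str]) -> List[Tuple[str, str, str]]:
    """Return (suspect, impersonated, reason) for each file name that is not
    on the allow-list but closely resembles an entry on it."""
    findings = []
    for name in listing:
        lower = name.lower()
        if lower in KNOWN_GOOD:
            continue                 # the genuine file, e.g. taskman.exe itself
        base = normalise(name)
        if base in KNOWN_GOOD and base != lower:
            findings.append((name, base, "digits inserted into a legitimate name"))
            continue
        # Also catch transpositions and single-character swaps.
        close = difflib.get_close_matches(lower, KNOWN_GOOD, n=1, cutoff=0.85)
        if close:
            findings.append((name, close[0], "near-identical to a legitimate name"))
    return findings

def format_findings(findings) -> List[str]:
    return [f"{s}  looks like  {g}  ({why})" for s, g, why in findings]

# Constructed directory listing modelled on the thread: the genuine taskman.exe
# beside the malicious taskman32.exe, plus unrelated files that must not fire.
SAMPLE_LISTING = ["taskman.exe", "taskman32.exe", "svchost.exe", "scvhost.exe",
                  "notepad.exe", "xpsp2res.dll"]

if __name__ == "__main__":
    for line in format_findings(lookalikes(SAMPLE_LISTING)):
        print(line)
```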
 
It asks me to reboot in safe mode first; when in normal mode, I can't execute anything. When I entered Y, the program just closes itself.

Now I have no clue how to get into safe mode first.....
 
Ah... I'm sorry, I gave safe mode booting another try, and it worked this time. I guess it's been working all the time..... :oops:

Here is the result of SDFix:


SDFix: Version 1.164

Run by David on 30/03/2008 at 03:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 15:52:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:潡orrent"
"D:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="D:\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"D:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="D:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"D:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="D:\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"D:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="D:\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 16 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Mon 16 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Mon 16 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Mon 16 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Mon 16 Jan 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 58,880 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 17 Nov 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT3.tmp"
Wed 27 Feb 2008 113,491,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2.tmp"
Tue 13 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 25 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\David\My Documents\ggr252\~WRL0491.tmp"
Wed 26 Mar 2008 42,496 ...H. --- "C:\Documents and Settings\David\My Documents\ggr252\~WRL0386.tmp"
Wed 26 Mar 2008 42,496 ...H. --- "C:\Documents and Settings\David\My Documents\ggr252\~WRL3609.tmp"
Wed 26 Mar 2008 46,080 ...H. --- "C:\Documents and Settings\David\My Documents\ggr252\~WRL2111.tmp"

Finished!
 
And I could not AT ALL follow the instructions given for the Avenger software.

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box

Code:

Files to delete:
C:\WINDOWS\system32\taskman32.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

After the reboot... Post the contents of the file C:\Avenger.txt
 
Sorry about Avenger ... it's a new version ... please try this :-

If you've already downloaded it to your desktop, start from # 2.

>>

Download avenger2 by swandog46 :-

http://swandog46.geekstogo.com/avenger2/download.php

1. Click the above link & save to your desktop ...

2. Right click on the Avenger.zip folder and select "Extract to Avenger..."

You will now have an Avenger folder on your desktop.

3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C

Code:
Files to delete:
C:\WINDOWS\system32\taskman32.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


4. Open the Avenger folder & double-click the Avenger.exe file

5. Right click on the window under Input script here:, and select Paste

6. Make sure the Scan for rootkits is checked ...

& the Automatically disable any rootkits found is NOT checked ...

7. Click on Execute

8. Answer "Yes" twice when prompted.

9. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
10. Please copy/paste the content of c:\avenger.txt into your reply

steam
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\taskman32.exe" not found!
Deletion of file "C:\WINDOWS\system32\taskman32.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 