Need help with virus that takes over admin powers
urbane Ok I have some bizarre virus that has these properties Back to Top
Jintan Welcome to BG forums urbane,[Version]
Notepad then press OK), and copy the text inside the Code box above and paste it into the open Notepad textbox.correct.inf RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.RSIT will also create a second log , info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).
here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives. Back to Top
urbane The INF folder allows me 0.1 seconds to hit ctrl alt delete, if i dont then task manager disabled again lol. My logs is a lot of info. I accidentally closed the second log info.txt and i cant get it back. Here is the first log Back to Top
Jintan Very active infection. See if you can do the following repair scan, and if not, we will have to go through some manual change steps instead.here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com , then click the renamed 456out.com to run that scan.
here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives. Back to Top
urbane Done, here it is Back to Top
Jintan Not seeing any actual changes by ComboFix just then. But let's act on what shows now, and check one unusual service as well.notepad and press Enter) and copy/paste the text in the codebox below into it:KillAll::
CFScript.txt @ECHO OFF
notepad and press Enter). "cfgcheck.bat"
here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives. Back to Top
urbane here is the new combo fix with GFScript Back to Top
Jintan Progress. That Registry check shows that service is legit. Let's see what might be still interfering there.here and download the installer for Gmer to your desktop, then click that file to run Gmer.hidden " or "rootkit ", stop there, and click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).
here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives. Back to Top
urbane ok Regedit and Task manager are disabled again, seems the virus is back in full action. Ok i hope i did this right Back to Top
urbane The command batch servcheck.bat worked... Back to Top
urbane Well I don't know, I did your instructions. Back to Top
urbane Oh Back to Top
Jintan Good you got that worked out. But no infection services showing here, and the last Gmer log indicating something loading itself.here and place it on your C drive (so the file is then C:\mbr.exe). cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:cd\ exit and press Enter to close the command window.Options - Only non MS files . Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. Back to Top
urbane Can you post another link please, that doesn't work Back to Top
Jintan Sorry - some of my pre-made steps include links that don't work in this forum's software. This is the download for that. Back to Top
urbane Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net Back to Top
Jintan That indicates none of the newer boot level driver files being misused, so okay in that area. I did not answer this earlier: Back to Top
urbane The virus makes these registries Back to Top
Jintan Thanks for clearing that up. Gmer shows the malware driver file changed names, which suggests a change during reboot procedure. No malware services being located, to pinpoint what is using the file. Which we truly need right now, to get the repairs going there.Options - Only non MS files . Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread. Back to Top
urbane Here is GMER: Back to Top
37 posts in this thread. 1 2
Forum Information Currently it is Friday, July 30, 2010 2:00 PM (GMT +2)View Active Threads Who's Online This forum has 31950 registered members. Please welcome our newest member, Willow .Details tanisstray 5 Latest Threads
|