Trojanspm/lx [Solved]
Started by jrdriv, Sep 15 2009 09:30 PM
#1
Posted 15 September 2009 - 09:30 PM
#2
Posted 26 September 2009 - 07:29 PM
Hello, jrdriv, and welcome to GeeksToGo!
Please download Win32kDiag.exe to your desktop. Double-click to run it. A log should appear when it is finished. Post that log here.
If it doesn't pop up, a log should be located on your desktop as "Win32kDiag.txt".
You may need to download and transfer it from a clean computer, since you can't seem to get to the internet.
#3
Posted 27 September 2009 - 01:22 PM
First of all thanks for the reply. I got the log and here it is...
Running from: C:\Documents and Settings\J-ROD\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\J-ROD\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\drivers\sbd20e6.sys
[1] 2009-08-11 22:27:20 45344 C:\WINDOWS\system32\drivers\sbd20e6.sys ()
Finished!
#4
Posted 27 September 2009 - 03:57 PM
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
#5
Posted 27 September 2009 - 09:28 PM
Ok, I ran it once and it said error deleting one file, so I did it again, and it still says it on the file but here's both the logs...
exeHelper by Raktor - 09
Build 20090925
Run at 22:28:59 on 09/27/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\sonhelp.htm
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
exeHelper by Raktor - 09
Build 20090925
Run at 22:31:28 on 09/27/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
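An added example, not code from the thread or from exeHelper's author: the two logs above say which files exeHelper could not delete and that it reset the Winlogon userinit and shell values. The script below parses an exeHelper log in the line format shown above, separates successful deletions from the "Error deleting" ones (a failed delete usually means the file is locked or protected by something still running, which is why the helper moved on to other tools), and checks a pair of Winlogon Userinit/Shell strings against the Windows XP defaults. The sample log and the sample Userinit value (the default with one extra entry appended) are constructed for the demo; the live registry read is an assumption about the Winlogon key location and only runs on Windows.

```python
"""Triage helper for an exeHelper-style log plus a Winlogon value check.

Added example; assumes the log lines look like the ones posted in the thread
("Deleting file <path>", followed by "Error deleting <path>" on failure) and
that the Windows XP defaults are Userinit = "<SystemRoot>\\system32\\userinit.exe,"
and Shell = "Explorer.exe".
"""
import re
from typing import Dict, List, Optional, Tuple

try:
    import winreg  # only on Windows; the offline demo below does not need it
except ImportError:
    winreg = None

DELETE_RE = re.compile(r"^Deleting file (?P<path>.+)$")
ERROR_RE = re.compile(r"^Error deleting (?P<path>.+)$")


def parse_exehelper_log(text: str) -> Dict[str, List[str]]:
    """Return {'deleted': [...], 'failed': [...]} for one exeHelper run.

    A path counts as deleted only if no 'Error deleting' line names it.
    """
    attempted: List[str] = []
    failed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETE_RE.match(line)
        if m:
            attempted.append(m.group("path"))
            continue
        m = ERROR_RE.match(line)
        if m:
            failed.append(m.group("path"))
    deleted = [p for p in attempted if p not in failed]
    return {"deleted": deleted, "failed": failed}


def check_winlogon_values(userinit: str, shell: str,
                          system_root: str = r"C:\WINDOWS") -> List[str]:
    """Compare Winlogon Userinit/Shell strings with the XP defaults.

    Both values are comma-separated lists. Anything beyond the single default
    entry is an extra program started at every logon and is reported.
    Returns a list of findings; an empty list means both values look normal.
    """
    findings: List[str] = []
    expected_userinit = f"{system_root}\\system32\\userinit.exe".lower()
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    if not entries or entries[0].lower() != expected_userinit:
        findings.append(f"Userinit does not start with the default: {userinit!r}")
    for extra in entries[1:]:
        findings.append(f"Userinit has an extra entry: {extra!r}")
    shell_entries = [e.strip() for e in shell.split(",") if e.strip()]
    if not shell_entries or shell_entries[0].lower() != "explorer.exe":
        findings.append(f"Shell is not Explorer.exe: {shell!r}")
    for extra in shell_entries[1:]:
        findings.append(f"Shell has an extra entry: {extra!r}")
    return findings


def read_winlogon_values() -> Optional[Tuple[str, str]]:
    """Read the live Userinit/Shell values on Windows; None elsewhere."""
    if winreg is None:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return userinit, shell


# Constructed sample assembled from lines of the first run posted above.
SAMPLE_LOG = """\
Now searching...
Checking for bad files...
Deleting file C:\\WINDOWS\\system32\\sdra64.exe
Error deleting C:\\WINDOWS\\system32\\sdra64.exe
Deleting file C:\\WINDOWS\\system32\\logon.exe
Error deleting C:\\WINDOWS\\system32\\logon.exe
Deleting file C:\\Program Files\\AdvancedVirusRemover\\PAVRM.exe
Checking for bad registry entries...
--Finished--
"""

# Constructed sample: the default Userinit with one extra entry appended,
# the kind of change that "Resetting userinit and shell values" undoes.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_SHELL = "Explorer.exe"

if __name__ == "__main__":
    result = parse_exehelper_log(SAMPLE_LOG)
    print("deleted:", result["deleted"])
    print("failed: ", result["failed"])
    for finding in check_winlogon_values(SAMPLE_USERINIT, SAMPLE_SHELL):
        print("winlogon:", finding)
    live = read_winlogon_values()
    if live is not None:
        for finding in check_winlogon_values(*live):
            print("live winlogon:", finding)
```

Run it as-is for the offline demo; on a Windows machine the last part also reads the real Winlogon key and reports anything beyond the default entries. The point of the "failed" list is that the same two files fail in both runs, so re-running the same tool is not going to help.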
#6
Posted 27 September 2009 - 09:57 PM
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
#7
Posted 27 September 2009 - 11:05 PM
I did everything that was explained, and ComboFix was running, then the computer restarted. It continued to run, and it was going through the different stages. But when it looked like it was about to finish the computer restarted. When it came back on it went to a blue error screen, and I couldn't do anything. So, I manually restarted the computer and now I'm not sure if I should run ComboFix again? Because there is no ComboFix log on my desktop.
#8
Posted 28 September 2009 - 06:47 AM
Take a look in the C:\Qoobox folder. There should be a log.txt or another log file in there.
#9
Posted 28 September 2009 - 05:55 PM
There's not really a log file in that folder. I went to C:\Qoobox\Quarantine\Catchme and found...
-------- 2009-09-27 - 23:27:36 -------------
disk not found C:\WINDOWS\system32\sdra64.exe
File "C:\WINDOWS\system32\sdra64.exe" added successfully
driver loading error file "C:\WINDOWS\system32\sdra64.exe" deleted successfully
I don't know if this is it. But in C:\Qoobox that is the only text document I could find. There are other text documents on the C:\ . But again not sure if these are it.
The text documents on the C:\ are ...
CMLoader-nothing really in this.
dlcc
dlccscan
DTSHDSpOut-nothing in this.
inferno-nothing really in this.
TSCDebug-nothing really in this.
#10
Posted 29 September 2009 - 07:03 AM
Okay. We'll try something else.
Download avz4.zip from here
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window:
- Click Start to begin the update
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
- Click on the “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
#11
Posted 29 September 2009 - 08:07 PM
First off, I got AVZ and ran it, but in the beginning when I was supposed to choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box... there was no "Healing/Quarantine and.....". But in that exact spot was "Advanced System Analysis with Malware Removal mode enabled". I figured this was it, and ran it. In the end, I have the two zip files that are needed.
virusinfo_syscheck.zip 36.02KB 207 downloads virusinfo_syscure.zip 36.88KB 232 downloads
#12
Posted 30 September 2009 - 07:07 AM
- Close all windows then double click on AVZ.exe
- Click File > Custom scripts
- Copy & paste the contents of the following codebox in the box in the program
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
SetServiceStart('1651030f.sys', 4);
DeleteService('1651030f.sys');
DeleteFile('C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\oixyujegyx.dll');
BC_DeleteFile('C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\oixyujegyx.dll');
DeleteFile('C:\WINDOWS\System32\drivers\1651030f.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\1651030f.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
- Note: When you run the script, your PC will be restarted
- Click Run
- Restart your PC if it doesn't do it automatically, and post back with a new OTL log.
#13
Posted 30 September 2009 - 06:17 PM
I ran the script successfully and the computer automatically restarts. But there is no log that I can find. Is there a specific location to look in?
#14
Posted 30 September 2009 - 09:15 PM
There is no log for it. Just scan with OTL again and post that log.
#15
Posted 01 October 2009 - 09:48 PM
I wasn't quite sure on what to run so I searched OTL, and found OTL by OldTimer.
I ran it and got a log, but every time I try to post it on here Internet Explorer shuts down. I can paste it in the box but when I hit reply Internet Explorer shuts down.
Edited by jrdriv, 01 October 2009 - 10:02 PM.