Avast WEBforum
Other => Viruses and worms => Topic started by: johnd991 on April 09, 2013, 02:11:38 AM
-
Hi
I suddenly got this nasty virus... and need help removing it.
AVG says:
"Virus identified Win64/Patched.A, C:\Windows\System32\services.exe";"Cannot be cleaned Remove manually"
I'm aa=ttahcing OTL.txt, Extras.txt and aswMBR.txt.
MalwareBytes doesn't find anything anymore, all cookies were deleted a few scans ago.
Please advise what to do...
Thanx!
-
hey and welcome to the forum. could you attach the latest malware antimalware scan you have made too.
a malware expert will help you when on is online later today.
-
@johnd991
Hello and welcome to avast.
--------------------------------
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
- Unzip/unrar MBAR in a folder to your Desktop
- Open the folder where the contents were unzipped to run mbar.exe
- Click on Next > then on Update button to download fresh definitions.
- When database updates click Next
- In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"
- If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
- The Clean up procedure will be Scheduled for process.
- When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
--------------------------------
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
firefoxlook;
chromelook;
C:\Windows\assembly\GAC_32\Desktop.ini;f
C:\Windows\assembly\GAC_64\Desktop.ini;f
C:\Users\Tilen\AppData\Roaming\Mozilla\Firefox\Profiles\4g4im7rk.default\searchplugins\askcom.xml;f
C:\Windows\Installer\{bf8081d8-c18c-3d3a-4071-697bc4cafbd0};f
autoclean;
- Click on Run script button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Thank you, guys! But I managed to get it cleaned up... at 4am my computer was clean :)
It is my work computer, so I couldn't wait and started running AVG, aswMBR.exe, tdsskiller.exe, Spybot a few times and eventually it got all cleaned up... then I thought I would try another suggestion that /I found, use Combofix... and it messed up my computer! The network connection was down... after a few hours of going nuts of what is going on, a command 'sf /scannow' fixed all my corrupt dlls and now it works great!
Still running AVG, mbar and Spybot constantly to make sure it is all clean and they all report zero threats.
I'm attaching the latest logs.
What do you think, is my system clean?
Thanx!
-
Hi,
...use Combofix... and it messed up my computer! The network connection was down... after a few hours of going nuts of what is going on, a command 'sf /scannow' fixed all my corrupt dlls and now it works great!
For this reason we all + sUBs, continuously suggesting to all users to do not run ComboFix unsupervised, but hardly anyone is listening us or alert.
http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html
Attach here C:\ComboFix.txt log.
PS: It's "sfc /scannow" as it stand for systemfilechecker.
It is my work computer
I didn't know that becouse i'm not offer free help for firm's computers. Now I see that in the logs ...
------------------------------
This how you can uninstall ComboFix:
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
---------------------------
Re-run Malwarebytes AntiRootkit one more time to remove some remaining.
--------------------------
Delete zoek.exe ;
Attach here:
C:\ComboFix.txt
fresh Malwarebytes AntiRootkit's system-log.txt
-
Thank you, I'm attaching latest system-log.txt file.
All combofix files have been deleted - now I know not to use it unless instructed so!
Well, self employed, so work computer is personal computer... but it doesn't matter. I appreciate your time anyway.
Log file looks OK, right?
-
Let's run one more check,
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
dir /s /a "C:\Windows\Installer\{bf8081d8-c18c-3d3a-4071-697bc4cafbd0}" /c
C:\Windows\System32\services.exe /md5
- Then click the RUN SCAN button at the top.
- Attach here fresh OTL.txt logreport.
-
Here are 2 files, one without 'Scan all users' checked and one with - I wasn't sure if you perhaps forgot to write to check the box... so I ran both options.
Thanx!
-
I still see some Combofix leftovers. Download this and run it ...
http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE
-----------------------------------------
Run quick OTLFix
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:files
C:\WINDOWS\INSTALLER\{BF8081D8-C18C-3D3A-4071-697BC4CAFBD0}
- Then click the Run Fix button at the top.
I don't need that reports.
**********************
> Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
*************************
I see you working with USB's
O32 - AutoRun File - [2013.03.20 08:31:06 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011.04.12 05:38:58 | 000,000,122 | R--- | M] () - D:\autorun.inf -- [ UDF ]
I recommended to use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
-
Thank you, all tasks done!
Installed MCShield...
I have 3 external usb disks and a couple of usb keys... if I have MCShield running, can I just plug them in and run scanners (antivirus, mam, spybot) through them? Or what you suggest to do to check if they have virueses, trojans on them?
Thanx!!!