Nyrate-B, TDSSpack-Z and Generic-S problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jt922554, Jul 28, 2015.

  1. jt922554 (Private E-2)

    Hi

    I'm having problems removing Mal/Nyrate-B, Mal/TDSSPack-Z and Mal/Generic-S infections. I've carried out the tasks in the Read and Run.... section but my AV program (Sophos) still reports detecting it.

    Below are the logs created:
    Edit: RogueKiller log is being reported as an invalid file (it's in .json format)
    TDSS log is being reported as too large (419 KB)
     


  2. jt922554 (Private E-2)

    Hi again,

    Just read another post about the .json file. Will re-run RogueKiller and post the log as a text file.

    EDIT: TDSS Killer log is now attached
     


  3. jt922554 (Private E-2)

    Hi yet again.

    Ok, I've finally managed to attach RogueKiller log.

    Hopefully, you'll have all the info for now.

    Thanks,

    JT
     


  4. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Welcome to Major Geeks!

    Run Hitman Pro again and activate the 30 day trial license and use it to cleanup all the Malware remnants and Potential Unwanted Programs that it reports.

    After running Hitman Pro, reboot the PC and then run a new scan with Hitman Pro and attach a new log.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Are you still having a problem? If so, attach a log from Sophos that shows exactly what and where it is detecting a problem.
     
  5. jt922554 (Private E-2)

    Hi Chaslang, thanks for your help.

    Hit a problem already. I ran Hitman Pro but it is saying my trial period has expired and won't remove the items it detected. The expiration date is 25/10/14.
    I have tried removing the program and downloading a new one but it is still telling me my trial version has expired.

    I have run JRT and attached the log.
    I have also tried to attach the SAV file from Sophos but the file is too large for uploading (7.2 MB).

    Do you want me to attach the log to my post?

    Thanks

    JT
     

    Attached Files: JRT.txt (3.9 KB)
  6. jt922554 (Private E-2)

    Hi Chaslang,

    I've run the PC for a few hours now and I haven't had any problems. Hopefully, the infection is fixed.

    Do I need to do anything else?

    Thanks

    JT
     
  7. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Ah yes! I see that now. ;)

    Let's use the below instead.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bakijjialdiiboeaknfpmflphhmljfkd
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02DECAB759E2FA94AB13703EA9908B73]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{444785F1-DE89-4295-863A-D46C3A781394}]
    [-HKEY_USERS\S-1-5-21-3415452827-2767079731-927830596-1000\Software\Classes\Wow6432Node\CLSID\{bebbc426-4f16-4567-8fe1-be198c982027}]
    [-HKEY_USERS\S-1-5-21-3415452827-2767079731-927830596-1000_Classes\Wow6432Node\CLSID\{bebbc426-4f16-4567-8fe1-be198c982027}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved, in the form of date and time: mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    Make sure you tell me how things are working now!
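    The OTM script above, spelled out as an added PowerShell example so the effect of each section (:Processes, :Files, :Reg, :Commands) is visible. This is not OTM's own code and is not part of the original thread: the paths, registry keys and SID are copied verbatim from the OTM script, the log folder C:\_OTM\MovedFiles is assumed to mirror OTM's, and the -WhatIf switch gives a dry run. Run it from an elevated PowerShell prompt.

    ```powershell
    # Added example (not OTM's code, not from the thread): what the OTM script in
    # this post does, written out in PowerShell. Run elevated; add -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogDir = 'C:\_OTM\MovedFiles'   # assumption: mirror OTM's log folder
    )

    # :Files -- the Chrome extension-settings folder named in the OTM script
    $files = @(
        'C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bakijjialdiiboeaknfpmflphhmljfkd'
    )

    # :Reg -- every [-KEY] line in OTM deletes that whole key. PowerShell needs a
    # provider prefix: HKLM:\ has a drive, HKEY_USERS does not, so use Registry::.
    $regKeys = @(
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02DECAB759E2FA94AB13703EA9908B73',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{444785F1-DE89-4295-863A-D46C3A781394}',
        'Registry::HKEY_USERS\S-1-5-21-3415452827-2767079731-927830596-1000\Software\Classes\Wow6432Node\CLSID\{bebbc426-4f16-4567-8fe1-be198c982027}',
        'Registry::HKEY_USERS\S-1-5-21-3415452827-2767079731-927830596-1000_Classes\Wow6432Node\CLSID\{bebbc426-4f16-4567-8fe1-be198c982027}'
    )

    $log = New-Object System.Collections.Generic.List[string]
    $log.Add("Run started $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')")

    # :Processes -- OTM stops explorer.exe first so shell-loaded files and keys are not in use
    if ($PSCmdlet.ShouldProcess('explorer.exe', 'Stop process')) {
        Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    }

    # Remove each file/folder and registry key. Failures are logged, not hidden:
    # an item that cannot be deleted is still held open or protected by something running.
    foreach ($item in $files + $regKeys) {
        if (-not (Test-Path -LiteralPath $item)) { $log.Add("Not found: $item"); continue }
        if ($PSCmdlet.ShouldProcess($item, 'Remove')) {
            try {
                Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction Stop
                $log.Add("Removed: $item")
            } catch {
                $log.Add("FAILED ($($_.Exception.Message)): $item")
            }
        }
    }

    # [purity] is an OTM-internal cleanup with no equivalent here and is skipped.

    # [EmptyTemp] -- clear the user's and the system temp folders
    foreach ($tmp in @($env:TEMP, "$env:SystemRoot\Temp")) {
        if ($PSCmdlet.ShouldProcess($tmp, 'Empty temp folder')) {
            Get-ChildItem -LiteralPath $tmp -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
            $log.Add("Emptied: $tmp")
        }
    }

    # [start explorer] -- restore the shell, then write a log named the way OTM names its logs
    if ($PSCmdlet.ShouldProcess('explorer.exe', 'Start process')) {
        Start-Process explorer.exe
        New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
        $logFile = Join-Path $LogDir ('{0}.log' -f (Get-Date -Format 'MMddyyyy_HHmmss'))
        $log | Set-Content -LiteralPath $logFile
        Write-Host "Log written to $logFile"
    }

    # [Reboot] -- OTM reboots on its own; here the operator is asked first
    if ($PSCmdlet.ShouldProcess('localhost', 'Restart computer')) { Restart-Computer -Confirm }
    ```

    Save it as a .ps1 and run it with -WhatIf first to see every item it would touch. In a real run the log lists each item as Removed, Not found or FAILED; a FAILED entry on a file that the antivirus keeps flagging is the useful signal, because it means a running process still holds that file open and deleting it from a normal session will not stick.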
     
  8. jt922554 (Private E-2)

    Hi Chaslang,

    I have run OTM and attached the log.

    Apologies for being a noob, but should there be 2 logs to attach? I found the OTM log (in the dd/mm/yyyy... format) and have attached it. I navigated to the ...\MovedFiles folder as suggested and there is only the log I have already attached in there, plus a .res file and a folder with the same name format as the OTM log.

    Yesterday, I ran my PC for a few hours with no detection problems from Sophos. I then set the OTM programme to run while I was out, and on my return a few hours later my EMSISOFT antivirus was running. I thought at first it was part of the cleaning process, but when I minimised the window, OTM was asking me to reboot the PC, which I did, and it terminated Emsisoft.

    Not sure what's going on there; could be a coincidence I suppose, as the program was showing it running as a scheduled scan and the 5th process out of 6. I don't normally schedule a scan with this programme, though! (I don't know what the other processes were as I was out.)

    On a sadder note, since running OTM the Sophos notifications have appeared again, reporting the same detections.

    Thanks again for your help,

    JT
     


  9. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    You should not have multiple antivirus programs installed.

    Please compress your Sophos log into a ZIP file and attach it.
     
  10. jt922554 (Private E-2)

    Hi Chaslang.

    I misnamed the type of programme running. It was anti-malware, NOT antivirus. I am only using Sophos antivirus. Apologies for that.

    Anyway, I have attached the SAV file from Sophos using 7-Zip and changed the type of file created to .zip (the upload programme reports the .7z file extension as an unrecognised file when I tried to attach it). Hope it works!

    Thanks

    JT
     


  11. jt922554 (Private E-2)

    Can I download Win 10 or wait until we're finished?

    Thanks

    JT
     
  12. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    You should wait! But what download are you referring to, and were you planning on doing an upgrade to Win 10 or a clean install? Clean installs are the highly recommended way to go. And if you are going to do a clean install, you don't need to fix the current system.

    Your Sophos log shows a lot of things that we were trying to remove from the temp folder with OTM. Can you boot in safe mode and manually remove those items or do you get blocked from deleting them in safe mode? It could be that some legit software on your PC is creating these files. You could try putting a couple of them into a ZIP file and attach it for us to look at.
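    An added example (not part of the thread) of what the paragraph above asks for: package a couple of the temp-folder files named in the Sophos log into a ZIP for review, recording SHA-256 hashes and timestamps first, and then list the scheduled tasks that ran recently, since the open question is whether some legitimate software keeps recreating the files. The sample file names and the output path are placeholders; PowerShell 5 or later is assumed for Compress-Archive, and Windows 8 / Server 2012 or later for Get-ScheduledTask.

    ```powershell
    # Added example, not from the thread. Collect a few of the files Sophos keeps
    # flagging into a ZIP for review, recording hash and timestamps first, then list
    # scheduled tasks that fired in the last day (candidates for recreating the files).
    # Needs PowerShell 5+ (Compress-Archive) and Windows 8 / Server 2012+ (Get-ScheduledTask).
    param(
        # Placeholder names: replace with the paths from the Sophos log
        [string[]]$Samples = @("$env:TEMP\sample1.tmp", "$env:TEMP\sample2.tmp"),
        [string]$Out = "$env:USERPROFILE\Desktop\sophos-samples.zip"   # placeholder
    )

    # Hash and timestamp each sample before anything touches it. CreationTime shows
    # when the file was last (re)created, which is what ties it back to a process.
    $manifest = foreach ($p in $Samples) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $f = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path     = $f.FullName
            Bytes    = $f.Length
            Created  = $f.CreationTime
            Modified = $f.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
    if (-not $manifest) { throw 'None of the sample paths exist; nothing to package.' }

    $manifest | Format-Table -AutoSize
    $manifestCsv = Join-Path $env:TEMP 'samples-manifest.csv'
    $manifest | Export-Csv -LiteralPath $manifestCsv -NoTypeInformation

    # Zip the files together with the manifest (the forum accepts .zip but not .7z)
    Compress-Archive -LiteralPath (@($manifest.Path) + $manifestCsv) -DestinationPath $Out -Force
    Write-Host "Wrote $Out"

    # Which scheduled tasks fired recently? A task whose LastRunTime lines up with the
    # files' CreationTime is the usual explanation for items that keep coming back.
    $since = (Get-Date).AddDays(-1)
    Get-ScheduledTask |
        Get-ScheduledTaskInfo |
        Where-Object { $_.LastRunTime -gt $since } |
        Sort-Object LastRunTime -Descending |
        Select-Object TaskName, TaskPath, LastRunTime, LastTaskResult |
        Format-Table -AutoSize
    ```

    Compare the Created column against the task list: if the flagged files are recreated a few seconds after a particular task's LastRunTime, that task (and the program behind it) is the source, and the question of legitimate versus malicious can be settled from the task's action rather than from the temp files alone.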
     
  13. jt922554 (Private E-2)

    Hi chaslang.

    Under the circumstances I think I will do a clean install of Win 10. It will be easier and quicker than trying to sort out my PC!!!

    If I need help in the future at least I know where to come :)

    Thank you very much for your help and your time, it was very much appreciated.

    Cheers.

    JT
     
  14. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    You're welcome. Surf safely!
     
