Redirects->Trojans->0Access->No Internet

[rockyjo]

For both Panda and CFix, in order to re-run, is it correct to click on the downloaded exec file on the desktop just like the first time (when it unloads its files onto your system), or is there some file you should click on in c: that starts the program(s)?

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

For both Panda and CFix, in order to re-run, is it correct to click on the downloaded exec file on the desktop just like the first time (when it unloads its files onto your system)

Yes this is correct.

[rockyjo]

thisu,

Panda ZAcess Tool said "detected and requested some bad files" and now I'm trying to find the log file. Will upload when found or if you see this quickly, where do I find the log file?

RJ

[thisisu]

The log file will be on the same location the tool was run from.

So if you ran the tool from your desktop, the log will also be on your desktop.
Its name is yorkyt.exe.log

[rockyjo]

Thanks. Looks like it appended it to the first run...
RJ

[thisisu]

Yes but it's clean

[rockyjo]

Hi thisisu,

So what are all those dsalfkjg;dslkhgkashd that it lists? How do I fix those?

RJ

[rockyjo]

And what is the problem that caused CFix to freeze like when it was infected, prior to when we got a log from CFix?

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

And what is the problem that caused CFix to freeze like when it was infected, prior to when we got a log from CFix?

RJ

I don't know but you were never able to run ComboFix. I think it may have something to do with the low amount of resources your PC has.

[thisisu]

Quote:

Originally Posted by rockyjo

Hi thisisu,

So what are all those dsalfkjg;dslkhgkashd that it lists? How do I fix those?

RJ

Are you referring to this?

Code:

2012-04-15 18:54:32: Listing processes...
2012-04-15 18:54:32:    :[System Process]:0
2012-04-15 18:54:32:    :System:4
2012-04-15 18:54:32:    :smss.exe:480
2012-04-15 18:54:32:    :csrss.exe:540
2012-04-15 18:54:32:    :winlogon.exe:568
2012-04-15 18:54:32:    :services.exe:616
2012-04-15 18:54:32:    :lsass.exe:632
2012-04-15 18:54:32:    :svchost.exe:796
2012-04-15 18:54:32:    :svchost.exe:892
2012-04-15 18:54:32:    :svchost.exe:976
2012-04-15 18:54:32:    :svchost.exe:1132
2012-04-15 18:54:32:    :svchost.exe:1248
2012-04-15 18:54:32:    :spoolsv.exe:1388
2012-04-15 18:54:32:    :svchost.exe:1488
2012-04-15 18:54:32:    :CTSVCCDA.EXE:1528
2012-04-15 18:54:32:    :mbamservice.exe:1568
2012-04-15 18:54:32:    :nvsvc32.exe:1624
2012-04-15 18:54:32:    :wdfmgr.exe:1668
2012-04-15 18:54:32:    :wuauclt.exe:1828
2012-04-15 18:54:32:    :alg.exe:2020
2012-04-15 18:54:32:    :wscntfy.exe:1060
2012-04-15 18:54:32:    :explorer.exe:1292
2012-04-15 18:54:32:    :wmiprvse.exe:1744
2012-04-15 18:54:32:    :yorkyt.exe:1620

These are processes. None of them are bad.

What actual malware related problems are you having with your PC?

[rockyjo]

thisisu,

Sorry, I thought CFix ran once, but just got to 0Access message and then froze.

No, I was referring to Panda saying it detected some bad files, and upon cursory read of log file, noticed quite a few of following (which I thought might be the bad files referenced): some examples from log...

2012-04-30 16:29:41: Looking at \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmipcima.dll WMIPCIMA.DLL
2012-04-30 16:29:41: ... Failed to identify driver D8555A09D5862497F4156E9E4CCC808B, using metod 2...
2012-04-30 16:29:41: Looking at \Device\HarddiskVolume1\WINDOWS\Temp\yt\run.bat
2012-04-30 16:29:41: ... Failed to identify driver 2CD77B980B2CC3D655589A2E315AAB57, using metod 2...
2012-04-30 16:29:41: Looking at \Device\HarddiskVolume1\WINDOWS\Temp\yt\nemesiscmd.exe
2012-04-30 16:29:41: ... Failed to identify driver 459A04CCA068CAB8799C2F84068C222D, using metod 2...
2012-04-30 16:29:42: Looking at \Device\HarddiskVolume1\WINDOWS\Temp\yt\PRSBLib.dll
2012-04-30 16:29:42: ... Failed to identify driver B3C157A66ECDBCD3570E2DA139225589, using metod 2...

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

some examples from log...

Nope, none of these are bad Most are related to yorkyt.exe

Are you having any malware problems at this point?

[rockyjo]

Then, nope, not that I'm aware of , so must be time to clean up/wrap up...
RJ

[thisisu]

Glad to hear it

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe