Unknown antivirus killer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LunaryRose, May 26, 2012.

  1. LunaryRose

    LunaryRose Private E-2

    I am sorry to be asking without many logs but I've really tried.

    I had Eset Nod32 4 and it was running alright until at one point it just stopped working, saying that it can't initialise POP3 and HTML, and I couldn't fix it in any way so...

    I tried lots of antiviruses and tools (deleted them all after use) but the problem is, whenever I try to install one it will either stop midway during the installation and say some error about my system or being unable to install (there was no other antivirus at the time), or it will install but it will be unable to run live protection and unable to update too. Windows Security Essentials actually does update, but after that update it's unable to update and it always finds 1 virus that is actually not even there (I checked manual removal of it).

    A program like Malwarebytes found 8 virus things, but as soon as I went out of safe mode its live protection got disabled and it was unable to update or anything; it can still scan but it won't find anything at all.

    I managed to install Avira but it's infected too, so I can't start realtime protection or actually do anything anymore, but here is the log I managed to get from it :c

    Again I apologise I don't have appropriate logs or anything, but this thing is making antiviruses, and any other tool, unable to do anything.
     

    Attached Files:

    Last edited: May 26, 2012
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Last edited: May 26, 2012
  3. LunaryRose

    LunaryRose Private E-2

    I noticed Farbar Recovery Scan Tool helped in another topic and it seems to be functioning well, so I used that. I'm not really sure what it does, but here is the log thingy that it produced.

    And most of the antiviruses and stuff produce an error in safe mode too (unable to delete, mostly), so I can't really do it all in safe mode unless I keep switching back and forth into and out of safe mode (at least the 2 I tried so far), but if necessary I'll do that o_o
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall Messenger Plus!

    Now download MGtools to your C: drive. Run the exec. and attach the C:\MGLogs.zip
     
  5. LunaryRose

    LunaryRose Private E-2

    Done, sorry for not deleting MSN Plus... I never had problems with it, but I get it, I won't use it anymore ^^;

    Anyways I ran the tool and this is what it gave.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding much in the way of malware on your system. Use windows explorer to find and delete:
    C:\ProgramData\AVG2012
    C:\ProgramData\Avira
    C:\ProgramData\McAfee
    C:\ProgramData\ESET
    C:\Windows\SysNative\drivers\730a1693cd6aed41.sys

    Now download ComboFix to your desktop and run it. Attach the log.
     
  7. LunaryRose

    LunaryRose Private E-2

    I deleted the 4 folders you specified but I am having problems deleting: C:\Windows\System32\drivers\730a1693cd6aed41.sys

    It claims I don't have permission to delete it, nor do I have administrative rights. I checked the "Security" tab of it in Properties and it claims I have no rights to edit or modify any rights (added to the fact it doesn't even show who has rights); then when I click Advanced it shows its current owner as: "Unable to display current owner."

    I checked other .sys files around it and they all show me the owner and rights and all that stuff, so I'd say that file is really suspicious, but anyways I ran the ComboFix anyways and here is what it says.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Driver::
    dsfbssau
    ewgznswb
    ffwvqgew
    jebouozf
    okhwchrt
    syrnuowu
    tlvcjamb
    wyhuubda
    X6va005
    X6va007
    X6va008
    RsFx0103
    730a1693cd6aed41
    File::
    C:\570ae114e4e07b35be3dae122cf7b75a
    c:\windows\system32\drivers\dsfbssau.sys
    c:\windows\system32\drivers\ewgznswb.sys 
    c:\windows\system32\drivers\ffwvqgew.sys 
    c:\windows\system32\drivers\jebouozf.sys 
    c:\windows\system32\drivers\okhwchrt.sys 
    c:\windows\system32\drivers\syrnuowu.sys 
    c:\windows\system32\drivers\tlvcjamb.sys 
    c:\windows\system32\drivers\wyhuubda.sys 
    c:\users\USER\AppData\Local\Temp\005E801.tmp
    c:\users\USER\AppData\Local\Temp\007288C.tmp 
    c:\windows\SysWOW64\Drivers\X6va008 
    c:\windows\system32\DRIVERS\RsFx0103.sys
    c:\users\USER\AppData\Local\Temp\005E801.tmp
    c:\users\USER\AppData\Local\Temp\007288C.tmp
    c:\windows\SysWOW64\Drivers\X6va008
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va007]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va008]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\730a1693cd6aed41]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • C:\ComboFix.txt

    Make sure you tell me how things are working now!
     
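    The two signs that stand out in this thread are a driver file whose owner Windows cannot display (post 7) and a set of kernel driver services with random 8-letter or 16-hex-digit names that the CFScript above removes (post 8). The script below is an added, read-only audit written for this thread; it is not part of MajorGeeks' procedure, ComboFix, or MGtools. It walks the driver services in the registry and flags the same indicators: a random-looking service name, an ImagePath whose file is missing, a file without a valid Authenticode signature, or a file whose owner cannot be read. The name patterns and the assumption that a driver with no ImagePath lives in System32\drivers\<name>.sys are this example's assumptions, not anything the thread states. Run it from a 64-bit, elevated PowerShell prompt on the affected machine (a 32-bit PowerShell would be redirected to SysWOW64, the same SysNative confusion MGtools hit in post 9). It deletes nothing.

```powershell
# Added example, not from the thread or its tools: read-only audit of kernel-mode
# driver services for the indicators seen in this thread. Elevated, 64-bit PowerShell.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SystemRoot  = $env:SystemRoot

function Resolve-DriverPath {
    # Turn a service ImagePath into a filesystem path. Assumption: a driver service
    # with no ImagePath defaults to %SystemRoot%\System32\drivers\<name>.sys.
    param([string]$Name, [string]$ImagePath)
    if (-not $ImagePath) { return (Join-Path $SystemRoot "System32\drivers\$Name.sys") }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot\\', "$SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Get-SuspiciousDriverServices {
    $findings = @()
    foreach ($key in Get-ChildItem $ServicesKey) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }

        $name    = $key.PSChildName
        $path    = Resolve-DriverPath -Name $name -ImagePath $svc.ImagePath
        $reasons = @()

        # Name patterns taken from the names the thread's CFScript removes (assumption)
        if ($name -match '^[a-z]{8}$')     { $reasons += 'random-looking 8-letter name' }
        if ($name -match '^[0-9a-f]{16}$') { $reasons += '16-hex-digit name' }

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += "driver file missing: $path"
        } else {
            # Legitimate kernel drivers on x64 carry a valid Authenticode signature
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

            # Post 7: Explorer could not display the owner of the suspicious .sys file
            try {
                $owner = (Get-Acl -LiteralPath $path).Owner
                if (-not $owner) { $reasons += 'owner unreadable' }
            } catch {
                $reasons += "owner unreadable ($($_.Exception.GetType().Name))"
            }
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Service   = $name
                Start     = $svc.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousDriverServices | Sort-Object Service | Format-Table -AutoSize -Wrap
```

    Anything it lists is a candidate to research, not to delete: an unsigned driver from an old vendor tool will show up alongside a rootkit component, which is why the helper in this thread asked for logs before issuing a fix script. A file that exists, is unsigned, and has an unreadable owner while the service is set to boot or system start is the combination worth escalating.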
  9. LunaryRose

    LunaryRose Private E-2

    Sadly it didn't work, it's unable to delete some file; here is the log.

    Also MGtools said it can't find SysNative or something like that, I have System32 instead of that folder. Thanks for helping me so far on this, I really appreciate it ^^
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run CCleaner and clean out your temp folders.

    I need to go out for a while, so let's have you do this and I will check it tomorrow. ( Sorry for the delay, but it's both a holiday and my birthday ):

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  11. LunaryRose

    LunaryRose Private E-2

    Don't worry, it's alright~ I'm just glad someone's helping me ^^

    I ran them both and here are the files~
     

    Attached Files:

  12. LunaryRose

    LunaryRose Private E-2

    Oh and happy B-day ^^ hope you have fun!
     
  13. LunaryRose

    LunaryRose Private E-2

    Why can't I edit my previous posts? >_< I feel bad for triple posting. Anyways I wanted to say that I felt like fiddling and deleted the 730a1693cd6aed41.sys with cmd's "DEL" command; it deleted the file with no problems and I tested stuff and I managed to finally install my antivirus back and put its realtime protection up again ^^ Now should I run some extra scan just to check if anything remains?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good job. Our next step would have been to use OTL to remove that file. So good job. You can run your Eset scan and also back it up with SAS and MBAM. Let me know if you have any more issues.

    In the meantime, If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
