Please Help! Trojan Generic And Trojan
Chattchitto
post 29.10.2008 02:51
Post #1


Member
**

Group: Members
Posts: 29
Joined: 12.06.2008




These are the notifications I got from Kaspersky Anti-Virus (please download them; they are in txt format):

http://www.mediafire.com/?1mueo2mlgg1 [Reports/System Security/ Tune]
http://www.mediafire.com/?jonmz2nxzyn [Reports/System Security/ Absent]

(They are uploaded here too.)

And the Absent keeps growing!!!! It's now 3000!!

+

Every few minutes Kaspersky gives me this notification:

Tune: Loading object hxxp://206.222.9.187/~dsacom/41.exe, containing torjan program Torjan.Win32.Agent.ajqf. Detected.

Please help, guys.

Edit: malware link spoiler.

This post has been edited by richbuff: 29.10.2008 02:57
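As an added example (not from the thread, and not Kaspersky's own code): a small Python parser for notification lines of the shape quoted above, pulling out the host, file name and detection name and counting how often the same source repeats, which is what "every few minutes" points at. The regex is an assumption built from the single line in the post; the second sample line is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed shape, taken from the one line quoted in the post:
# "<task>: Loading object <url>, containing <kind> program <name>. Detected."
ALERT_RE = re.compile(
    r"^(?P<task>\w+): Loading object (?P<url>\S+?), "
    r"containing (?:torjan|trojan) program (?P<name>[\w.\-]+)\. Detected\.$",
    re.IGNORECASE,
)

@dataclass
class Alert:
    task: str
    url: str        # stored defanged (hxxp) so it never becomes a live link
    host: str
    filename: str
    detection: str

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one 'Loading object ... Detected.' line; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    # refang only for splitting; the stored url stays defanged
    live = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in live:
        return None
    host, _, path = live.split("://", 1)[1].partition("/")
    return Alert(m.group("task"), url, host, path.rsplit("/", 1)[-1], m.group("name"))

def summarise(lines) -> Counter:
    """Count alerts per (host, detection). The same pair firing again and again
    means something on the box keeps re-fetching the payload, not a one-off hit."""
    counts: Counter = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a.host, a.detection)] += 1
    return counts

# Constructed sample: the line from the post, repeated, plus one made-up host.
SAMPLE_LINES = [
    "Tune: Loading object hxxp://206.222.9.187/~dsacom/41.exe, containing torjan program Torjan.Win32.Agent.ajqf. Detected.",
    "Tune: Loading object hxxp://206.222.9.187/~dsacom/41.exe, containing torjan program Torjan.Win32.Agent.ajqf. Detected.",
    "Tune: Loading object hxxp://198.51.100.7/placeholder/42.exe, containing trojan program Trojan.Win32.Generic. Detected.",
    "Absent: some other notification that does not match",
]

if __name__ == "__main__":
    for (host, name), n in summarise(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {host:16s}  {name}")
```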
richbuff
post 29.10.2008 03:01
Post #2


Are You Kidding?
*****************

Group: Moderators
Posts: 1000192
Joined: 14.06.2007
From: currently: falling out of a kayak in the middle of the Mediterranean, near Kekova Island, Turkey




Attach the zipped avz sysinfo.zip, instructions, see: http://forum.kaspersky.com/index.php?showtopic=69276


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Chattchitto
post 29.10.2008 03:02
Post #3

QUOTE(richbuff @ 29.10.2008 01:01) *
Attach the zipped avz sysinfo.zip, instructions, see: http://forum.kaspersky.com/index.php?showtopic=69276


Done :)
Chattchitto
post 29.10.2008 03:06
Post #4

QUOTE(richbuff @ 29.10.2008 01:01) *
Attach the zipped avz sysinfo.zip, instructions, see: http://forum.kaspersky.com/index.php?showtopic=69276


This one is from AVZ; the other one was from GetSystemInfo.
richbuff
post 29.10.2008 03:08
Post #5

Wrong file. That is a gsi.txt. The zipped AVZ sysinfo.zip is needed; run the AVZ utility, instructions linked above.


Chattchitto
post 29.10.2008 03:11
Post #6

QUOTE(richbuff @ 29.10.2008 01:08) *
Wrong file. That is a gsi.txt. The zipped AVZ sysinfo.zip is needed; run the AVZ utility, instructions linked above.


Yeah, sorry man, I posted the correct one.
richbuff
post 29.10.2008 03:29
Post #7

Upload your gsi sysinfo.txt to the parser site http://gsi.kaspersky.fr/ and post the link to the GSI Report. Also, post a Combofix log; please review and follow these instructions very carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.


Chattchitto
post 29.10.2008 03:41
Post #8

http://gsi.kaspersky.fr/lire.php?hl=en&...e2aa8a86566d23f

For the GSI Report.

And now following your next instructions...
A big thanks, man!!
Chattchitto
post 29.10.2008 03:55
Post #9

QUOTE(richbuff @ 29.10.2008 01:29) *
Upload your gsi sysinfo.txt to the parser site http://gsi.kaspersky.fr/ and post the link to the GSI Report. Also, post a Combofix log; please review and follow these instructions very carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.


All done. Here's the ComboFix file:

Chattchitto
post 29.10.2008 04:04
Post #10

Is there something I should do next?
richbuff
post 29.10.2008 04:26
Post #11

Run this script, instructions are in thread linked above, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Documents and Settings\EDDE\run32dll.exe','');
QuarantineFile('C:\Documents and Settings\EDDE\nOT-a-bOT.exe','');
DeleteFile('C:\Documents and Settings\EDDE\run32dll.exe');
DeleteFile('C:\Documents and Settings\EDDE\nOT-a-bOT.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


Do you have any information about the following files: C:\SYSTEM, system.exe and C:\RESTORE, dark.exe?


Chattchitto
post 29.10.2008 04:32
Post #12

QUOTE(richbuff @ 29.10.2008 02:26) *
Run this script, instructions are in thread linked above, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Documents and Settings\EDDE\run32dll.exe','');
QuarantineFile('C:\Documents and Settings\EDDE\nOT-a-bOT.exe','');
DeleteFile('C:\Documents and Settings\EDDE\run32dll.exe');
DeleteFile('C:\Documents and Settings\EDDE\nOT-a-bOT.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


Do you have any information about the following files: C:\SYSTEM, system.exe and C:\RESTORE, dark.exe?


No.. not at all.
I'm inserting your script now, thanks for your quick help man!!
Just 2 questions... should I delete the "Qoobox" folder in C:\? [I think it was created by Combofix]
And should I worry about dark.exe and system.exe? lol
richbuff
post 29.10.2008 04:47
Post #13

First, run the script, then post back about any changes noted with your original infection signs and symptoms. Then, please zip up C:\qoobox\quarantine and upload to a filehost such as http://rapidshare.de/ Then, PM me the link to the uploaded file. Click my user name and select Send message. After that, uninstall Combofix by: Start > run > type combofix /u > ok.


Chattchitto
post 29.10.2008 05:08
Post #14

QUOTE(richbuff @ 29.10.2008 02:47) *
First, run the script, then post back about any changes noted with your original infection signs and symptoms. Then, please zip up C:\qoobox\quarantine and upload to a filehost such as http://rapidshare.de/ Then, PM me the link to the uploaded file. Click my user name and select Send message. After that, uninstall Combofix by: Start > run > type combofix /u > ok.


Ok. I'm uploading the file now.
Well, everything is back to normal now :rolleyes:
Thanks again for your quick help man!!!
Chattchitto
post 29.10.2008 05:15
Post #15

When trying this: Start > run > type combofix /u
I'm getting an error message that Windows cannot find combofix! (I even tried qoobox.)
richbuff
post 29.10.2008 05:25
Post #16

If you are typing it in correctly, with a space between the x and the /, and receive that message, then that will suffice. Thank you for the qoobox link, and you're welcome. By the way, your GSI report shows incompatible Messenger Plus! Live, so uninstall it if you notice any surfing or other issues.

