1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please HELP with virus residing in memory

Discussion in 'Virus & Other Malware Removal' started by awa13, Apr 25, 2012.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    I think it is probably something blocking the MBR scan in ComboFix.
    Let's see if this will do anything and get rid of a few probable suspects.

    Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Modules - No Company Name]
    YY -> sfamcc00001.dll -> C:\Documents and Settings\Daddy\Local Settings\Temp\sfamcc00001.dll
    YY -> sfareca00001.dll -> C:\Documents and Settings\Daddy\Local Settings\Temp\sfareca00001.dll
    [Registry - Safe List]
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    YN -> "C:\Program Files\AVG\AVG8\avgemc.exe" -> [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe]
    YN -> "C:\Program Files\AVG\AVG8\avgupd.exe" -> [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe]
    YN -> "C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe]
    YN -> "C:\Program Files\Grisoft\AVG7\avgcc.exe" -> [C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe]
    YN -> "C:\Program Files\Grisoft\AVG7\avginet.exe" -> [C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe]
    [Files/Folders - Created Within 30 Days]
    NY ->  18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    [Files/Folders - Modified Within 30 Days]
    NY ->  sfrpruqi.sys -> C:\WINDOWS\System32\drivers\sfrpruqi.sys
    NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp
    NY ->  1 C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Daddy\Local Settings\Temp\*.tmp
    [Files - No Company Name]
    NY ->  sfrpruqi.sys -> C:\WINDOWS\System32\drivers\sfrpruqi.sys
    NY ->  bnsre.sys -> C:\WINDOWS\System32\drivers\bnsre.sys
    [Alternate Data Streams]
    NY -> @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    NY -> @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9171F21
    NY -> @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B755D674
    NY -> @Alternate Data Stream - 152 bytes -> C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe:SummaryInformation
    NY -> @Alternate Data Stream - 48 bytes -> C:\WINDOWS:002453FAB82A0404
    [Empty Temp Folders]
    [EmptyFlash]
    [Start Explorer]
    [ZipFiles]
    [Reboot]
    

    The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS scan.

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  2. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    Uh oh. Um, please don't get angry and please don't abandon me, but in the interim last evening I ran a utility from AVG that reset the Windows Security Center so that it would no longer show AVG's scanner was active that ComboFix was picking up. It worked too, cause ComboFix didn't give me that error when I tried to run it again all those times.

    Then after uninstalling Avast, I updated Spybot S&D (because I wanted to turn on the system protection settings because I had to go to my banking website and did not want to be without any form of protection at all) and after the update I proceeded to the next step which was to immunize and when I did, I got a window popping up telling me that not everything could be immunized because I had some sort of Anti-Virus program or the like, blocking those entries (see attached) even though any/all of my anti-virus programs have been uninstalled.

    THEN, thinking it may be SuperAnti-Spyware, I uninstalled that program also because of the WINLOGON entry - which was successful.

    Oh jeez, I just couldn't sit still. So anyway, I am telling you all of this right now because I did not know if any of the things I just mentioned would interfere (or no longer even be relevant - like AVG) with the script you just wrote for me.

    {sigh} - I hope you are somehow laughing and don't close this ticket (but I had to take care of some things at my bank's website).

    Please reply and let me know if I should still implement that script you kindly wrote for me into OTS.


    (Spybot's "Teatimer" is no longer running - I turned it off)
     

  3. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    Run the OTS fix, but make sure Spybot TeaTimer is off; otherwise it will block any fixes.
     
  4. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    you got it. Running it now. Thank you.
     
  5. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    This is definitely not my day. I accidentally closed the log file that was created - any chance it is saved somewhere?

    I noticed success on most things and also noticed some failures before I lost the window.

    Attached is the new OTS log.

    Sorry (again).

    ---------------

    Continuing problems with computer:

    - Don't know if ComboFix will work now or not
    - Computer dragging a little, but improves with time
    - Computer takes a LONG time to boot from the Computer Logo through Windows logo & progress bar, to user sign on screen. It's like something is scanning in the background cause the computer revs up. Wish we could see what's going on.
    - After closing Internet Explorer, sometimes an iexplore.exe or two still remains in Task Manager Processes indefinitely with high memory usage (must manually kill it).
    _________________________________

    Did I screw it up, or is that notepad with log of actions saved somewhere so I can post it back here?
     

    Attached Files:

    • OTS.Txt
      File size:
      151.4 KB
      Views:
      1
  6. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    Well, tried ComboFix again and this time it crashed earlier than usual. When I rebooted my computer, this time I got that error about Windows recovering from a serious error .. blah blah ... and had to restore my desktop.
     
  7. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    Found the OTS LOG! Here are the results:

    All Processes Killed
    [Modules - No Company Name]
    [Registry - Safe List]
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AVG\AVG8\avgemc.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AVG\AVG8\avgupd.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgamsvr.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgcc.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avginet.exe deleted successfully.
    [Files/Folders - Created Within 30 Days]
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\WINDOWS\System32\SET10.tmp deleted successfully.
    C:\WINDOWS\System32\SET11.tmp deleted successfully.
    C:\WINDOWS\System32\SET15.tmp deleted successfully.
    C:\WINDOWS\System32\SET16.tmp deleted successfully.
    C:\WINDOWS\System32\SET19.tmp deleted successfully.
    C:\WINDOWS\System32\SET1A.tmp deleted successfully.
    C:\WINDOWS\System32\SET1B.tmp deleted successfully.
    C:\WINDOWS\System32\SET1E.tmp deleted successfully.
    C:\WINDOWS\System32\SET20.tmp deleted successfully.
    C:\WINDOWS\System32\SET4B.tmp deleted successfully.
    C:\WINDOWS\System32\SETA31.tmp deleted successfully.
    C:\WINDOWS\System32\SETA32.tmp deleted successfully.
    C:\WINDOWS\System32\SETA34.tmp deleted successfully.
    C:\WINDOWS\System32\SETA82.tmp deleted successfully.
    C:\WINDOWS\System32\SETA8E.tmp deleted successfully.
    C:\WINDOWS\System32\SETE.tmp deleted successfully.
    C:\WINDOWS\System32\SETF.tmp deleted successfully.
    C:\WINDOWS\003584_.tmp deleted successfully.
    [Files/Folders - Modified Within 30 Days]
    C:\WINDOWS\System32\drivers\sfrpruqi.sys moved successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\DIO9.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\MAR5.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\MAR6.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\SFCA.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\SFCB.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\~DF525.tmp deleted successfully.
    C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp deleted successfully.
    File delete failed. C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp scheduled to be deleted on reboot.
    [Files - No Company Name]
    File C:\WINDOWS\System32\drivers\sfrpruqi.sys not found!
    C:\WINDOWS\System32\drivers\bnsre.sys moved successfully.
    [Alternate Data Streams]
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A9171F21 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B755D674 deleted successfully.
    ADS C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe:SummaryInformation deleted successfully.
    ADS C:\WINDOWS:002453FAB82A0404 deleted successfully.
    [Empty Temp Folders]


    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users
    ->Flash cache emptied: 148 bytes

    User: Daddy
    ->Temp folder emptied: 343848 bytes
    ->Temporary Internet Files folder emptied: 35378553 bytes
    ->Java cache emptied: 123992 bytes
    ->Flash cache emptied: 511 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 343 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 28643 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 307573842 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 328.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Daddy
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    < End of fix log >
    OTS by OldTimer - Version 3.1.47.2 fix logfile created on 04282012_075053

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp not found!
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_420.dat not found!

    Registry entries deleted on Reboot...
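    The OTS fix log above is easy to skim for "success" and hard to skim for what still matters: which requested actions failed, which were only scheduled for the next reboot, and what happened to the two unknown drivers in System32\drivers. The following parser is an added example for triaging a log of this shape; it is not code from OTS, its author, or this thread. The regular expressions, the section handling and the sample log text are assumptions modelled on the lines posted above (the sample is a constructed subset, with the long registry key shortened to "...").

```python
import re
from collections import Counter

# Constructed sample in the shape of the OTS fix log posted in the thread.
# It is a subset of the real log; the registry key is shortened with "...".
SAMPLE_LOG = r"""All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\...\AuthorizedApplications\List\\C:\Program Files\AVG\AVG8\avgemc.exe deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\drivers\sfrpruqi.sys moved successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp deleted successfully.
File delete failed. C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp scheduled to be deleted on reboot.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\sfrpruqi.sys not found!
C:\WINDOWS\System32\drivers\bnsre.sys moved successfully.
[Alternate Data Streams]
ADS C:\WINDOWS:002453FAB82A0404 deleted successfully.
< End of fix log >
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Daddy\Local Settings\Temp\~DF9C55.tmp not found!
"""

# Section headers: "[Name]" during the fix, "... on Reboot..." for the post-reboot phase.
SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
REBOOT_SECTION_RE = re.compile(r"^(?P<name>.+ on Reboot)\.\.\.$")

# Outcome patterns (assumed from the log lines above). Order matters: the
# "pending" line must be tried before the generic "deleted" pattern.
OUTCOME_PATTERNS = [
    ("pending", re.compile(r"^File delete failed\. (?P<target>.+?) scheduled to be deleted on reboot\.$")),
    ("deleted", re.compile(r"^(?:Registry value |ADS )?(?P<target>.+?) deleted successfully\.$")),
    ("moved", re.compile(r"^(?P<target>.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^File(?:\\Folder)? (?P<target>.+?) not found!$")),
]


def parse_fix_log(text):
    """Return a list of (section, outcome, target) tuples, one per action line."""
    section = None
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line) or REBOOT_SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for outcome, pattern in OUTCOME_PATTERNS:
            m = pattern.match(line)
            if m:
                results.append((section, outcome, m.group("target")))
                break
    return results


def summarize(results):
    """Count actions per outcome, e.g. how many deletes, moves and failures."""
    return Counter(outcome for _, outcome, _ in results)


def unresolved(results):
    """Targets scheduled for deletion on reboot that the reboot phase never reported gone."""
    pending = {t for _, o, t in results if o == "pending"}
    gone = {t for s, o, t in results
            if s and s.endswith("on Reboot") and o in ("deleted", "moved", "not_found")}
    return sorted(pending - gone)


def driver_actions(results):
    """Actions taken on kernel drivers (*.sys): the entries a reviewer checks first."""
    return [(o, t) for _, o, t in results if t.lower().endswith(".sys")]


if __name__ == "__main__":
    parsed = parse_fix_log(SAMPLE_LOG)
    print("outcomes:", dict(summarize(parsed)))
    print("still pending after reboot:", unresolved(parsed))
    for outcome, target in driver_actions(parsed):
        print(f"driver {outcome}: {target}")
```

On the sample, the summary shows the one "File delete failed" entry was reported "not found" after the reboot, so nothing is left pending, and the driver list makes it obvious that sfrpruqi.sys was moved once and then reported missing the second time it was listed (it appeared in two sections of the fix script, so the second action found nothing to do).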
     
  8. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    I am trying to see what else might be blocking Combofix
    I will get back to you as soon as I get some ideas from the developer.
     
  9. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    go to start/run & type in this line ( be careful to leave a space between the X & / ) and then press enter

    ComboFix /nombr

    Hopefully combofix will run fully & we can have a go at clearing up this
     
  10. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    That was painful.

    Got a present for you. See attached. :)
     

  11. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    how is it now
    is it still taking ages to reboot or is it slow etc

    It looks like ComboFix has deleted what at first glance look like genuine files.
    I think we need to examine them to see what it has deleted.
    can you please go to C:\qoobox & right click the quarantine folder, select send to compressed(zip) folders
    that will make a zipped copy of the quarantine folder
    then
    please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files and submit to antivirus companies if needed

    Just press new topic, fill in the needed details
    In the subject box please put: Files for DVK01

    In the body of the post paste the contents of the code box:
    Code:
    combofix Quarantine folder from 
    http://forums.techguy.org/virus-other-malware-removal/1050724-please-help-virus-residing-memory-2.html#post8337603
    

    Then press the Browse button, navigate to and select the file on your computer, and when the file is listed in the window press Send to upload it.
     
  12. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    OK, why is it that I cannot find the "new topic" button?
     
  13. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    There is no New Topic button.
     
  14. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
    Pay no attention to me please. I am following your instructions now ..
     
  15. awa13

    awa13 Thread Starter

    Joined:
    Aug 1, 2006
    Messages:
    405
     

Short URL to this thread: https://techguy.org/1050724