HELP. I can't remove virus JS:pdfka-gen[expl], and 7 others high risk!

Hello.

If anyone can help I would greatly appreciate it!

After a slow PC and false popups I found these after I finally managed to complete a scan with avast (it crashed several attempts).

Js:Pdfka-gen[expl]
win32:rootkit-gen[rtk]
win32:malware-gen
win32:malware-gen
win32:malware-gen
win32:rootkit-gen[rtk]
win32:dropper-gen[drp]
win32:dropper-gen[drp]

Now the repeats above have different file names. I am aware of things in the task manager that are not normal but unsure of which to remove, not knowledge I have. The only thing I have removed is msmsg.exe, twice. It helped but the trojans are still there after the scan.

I can't even open in safe mode, it's stopping that too.

Any help please?? Every other help site just tries to get you to subscribe to a new anti-virus etc!

thanks

Genevieve.

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

OK, thanks. Here we go (hopefully).

  1. Adware removal results after reboot:

  2. Malwarebytes result and removal:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.02.07

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
Acer UK :: ACER-77636EF25D [administrator]

02/02/2013 19:35:28
mbam-log-2013-02-02 (19-35-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196795
Time elapsed: 35 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Recycled\Dc12.exe (PUP.Bundle.Installer.OI) → Quarantined and deleted successfully.

(end)

AND NEXT…

OTL logs:

OTL EXTRA LOG.

OK I'M ON THE NEXT ONE, WATCH THIS SPACE… one eye open :S…

MBR result:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-03 04:13:46

04:13:46.062 OS Version: Windows 5.1.2600 Service Pack 3
04:13:46.062 Number of processors: 1 586 0xD08
04:13:46.062 ComputerName: ACER-77636EF25D UserName: Acer UK
04:13:51.046 Initialize success
04:14:07.296 AVAST engine defs: 13020201
04:14:25.140 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
04:14:25.140 Disk 0 Vendor: WDC_WD800UE-22HCT0 09.07D09 Size: 76319MB BusType: 3
04:14:25.171 Disk 0 MBR read successfully
04:14:25.171 Disk 0 MBR scan
04:14:25.187 Disk 0 unknown MBR code
04:14:25.187 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSWIN4.1 76316 MB offset 63
04:14:25.203 Disk 0 scanning sectors +156296385
04:14:25.250 Disk 0 scanning C:\WINDOWS\system32\drivers
04:14:45.562 Service scanning
04:15:14.390 Modules scanning
04:15:30.546 Disk 0 trace - called modules:
04:15:30.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
04:15:30.578 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82fce410]
04:15:30.578 3 CLASSPNP.SYS[f86b5fd7] → nt!IofCallDriver → \Device\000000aa[0x82f941e8]
04:15:30.578 5 ACPI.sys[f84cc620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x82faad98]
04:15:31.375 AVAST engine scan C:\WINDOWS
04:15:48.953 AVAST engine scan C:\WINDOWS\system32
04:18:53.968 AVAST engine scan C:\WINDOWS\system32\drivers
04:19:15.078 AVAST engine scan C:\Documents and Settings\Acer UK
04:25:58.406 File: C:\Documents and Settings\Acer UK\Application Data\Skype\mary.clough4\voicemail\hostname.exe HIDDEN
04:26:01.468 AVAST engine scan C:\Documents and Settings\All Users
04:26:26.906 Scan finished successfully
04:28:26.718 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Acer UK\Desktop\MBR.dat”
04:28:26.750 The log file has been saved successfully to “C:\Documents and Settings\Acer UK\Desktop\aswMBR.txt”

I think that's it! I didn't ‘fix’ MBR, as warning message and unsure whether OK to at the moment, same for OTL. Just posted results here.

I must say it IS running faster and behaving (slap slap) better than before already :). I'm sure these eejits know when you're on to them!

Oh, the ERROR MESSAGE I got when I found the threats in the 1st avast scan, when I tried to quarantine them, was: VIRUS CHEST SERVER IS NOT RUNNING. RPC COMMUNICATION FAILED. (214742219).
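A small triage script for aswMBR logs like the one posted above, added here as an example (it is not a tool from Avast or from anyone in this thread). It pulls out the lines a responder checks first: the MBR code verdict per disk, the partition table entry, any file flagged HIDDEN, and whether the scan actually completed, then turns them into plain review items. The sample lines are constructed to match the format shown above (a subset of that log), and the Triage field names and review wording are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the format of the aswMBR log posted above (a subset,
# not the full log).
SAMPLE_LOG = r"""
04:14:25.171 Disk 0 MBR read successfully
04:14:25.171 Disk 0 MBR scan
04:14:25.187 Disk 0 unknown MBR code
04:14:25.187 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSWIN4.1 76316 MB offset 63
04:14:25.250 Disk 0 scanning C:\WINDOWS\system32\drivers
04:15:30.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
04:25:58.406 File: C:\Documents and Settings\Acer UK\Application Data\Skype\mary.clough4\voicemail\hostname.exe HIDDEN
04:26:26.906 Scan finished successfully
"""

# Every aswMBR line is "HH:MM:SS.mmm <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# "Disk 0 unknown MBR code": the verdict on the boot sector code.
MBR_RE = re.compile(r"^Disk (\d+) (.*MBR code)$")
# "Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSWIN4.1 76316 MB offset 63":
# boot flag, (A)ctive marker, partition type byte, description, size, offset.
PART_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) \((\w)\) ([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
HIDDEN_RE = re.compile(r"^File: (.+) HIDDEN$")


@dataclass
class Triage:
    mbr_status: Dict[int, str] = field(default_factory=dict)  # disk -> verdict
    partitions: List[dict] = field(default_factory=list)
    hidden_files: List[str] = field(default_factory=list)
    finished: bool = False


def triage_aswmbr(log: str) -> Triage:
    """Walk the log once and collect the facts worth reviewing."""
    t = Triage()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not a log record
        msg = m.group(2)
        mm = MBR_RE.match(msg)
        if mm:
            t.mbr_status[int(mm.group(1))] = mm.group(2)
            continue
        pm = PART_RE.match(msg)
        if pm:
            t.partitions.append({
                "disk": int(pm.group(1)), "index": int(pm.group(2)),
                "bootflag": pm.group(3).upper(), "active": pm.group(4) == "A",
                "type": pm.group(5).upper(), "desc": pm.group(6),
                "size_mb": int(pm.group(7)), "offset": int(pm.group(8)),
            })
            continue
        hm = HIDDEN_RE.match(msg)
        if hm:
            t.hidden_files.append(hm.group(1))
            continue
        if msg == "Scan finished successfully":
            t.finished = True
    return t


def review_items(t: Triage) -> List[str]:
    """Turn the parsed facts into plain-language review items for the responder."""
    items = []
    for disk, verdict in t.mbr_status.items():
        if "unknown" in verdict.lower():
            items.append(f"Disk {disk}: {verdict}; compare the saved MBR.dat with a "
                         f"known-good MBR before using Fix")
    for path in t.hidden_files:
        # aswMBR flags a file HIDDEN when it sees it on disk but the normal
        # file listing does not show it; treat that mismatch as a rootkit indicator.
        items.append(f"Hidden file: {path}; submit it for analysis")
    if not t.finished:
        items.append("Scan did not report completion; rerun before trusting the result")
    return items


if __name__ == "__main__":
    for item in review_items(triage_aswmbr(SAMPLE_LOG)):
        print("-", item)
```

Two review items come out of the sample: the unrecognised MBR code and the hidden hostname.exe. Note that "unknown MBR code" only means the boot code is not one aswMBR recognises; OEM boot managers produce the same line, which is why the saved MBR.dat should be compared with a known-good copy before anyone clicks Fix.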

OK, let's see if we can fix the problems and remove the last remnants.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-3898252998-1916788112-3907506120-1005\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=112060&tt=060612_5_&babsrc=SP_ss&mntrId=320d180e00000000000000c09f8b18c3
IE - HKU\S-1-5-21-3898252998-1916788112-3907506120-1005\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={35113D2D-6DCC-4CA3-A2B7-EEEF3A318592}&mid=&lang=&ds=&pr=&d=&v=&sap=dsp&q={searchTerms}

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wmi]
"Description"="Provides systems management information to and from drivers."
"DisplayName"="Windows Management Instrumentation Driver Extensions"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000003
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wmi\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="WdmWmiServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wmi\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00



:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
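Before merging a registry fix that someone else posted, it is worth decoding what it actually writes. The hex(2) values in the :Reg section above are REG_EXPAND_SZ strings stored as comma-separated UTF-16LE bytes and continued across lines with a trailing backslash, so they cannot be read at a glance. The script below is an added example (not OTL's or Avast's code): it joins the continuation lines, decodes string, dword and hex values, and returns them per key. Run against the Wmi fragment above, it shows ImagePath set to %SystemRoot%\System32\svchost.exe -k netsvcs and ServiceDll to %SystemRoot%\System32\advapi32.dll, which matches the stock Windows XP configuration for that service. The sample fragment is copied from the fix above (the Security value is left out); the function names are my own.

```python
import re
from typing import Any, Dict, List

# Sample copied from the :Reg section of the fix above (Security value omitted).
SAMPLE_REG = r'''
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wmi]
"Description"="Provides systems management information to and from drivers."
"DisplayName"="Windows Management Instrumentation Driver Extensions"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000003
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wmi\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="WdmWmiServiceMain"
'''

_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def join_continuations(text: str) -> List[str]:
    """Glue lines that end in a backslash onto the following line (.reg syntax)."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]  # continuation: keep accumulating
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def decode_value(data: str) -> Any:
    """Decode the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data == "-":
        return None  # deletion marker
    m = _HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or "3", 16)  # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw
    return data  # unknown form: hand it back untouched


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key path: {value name: decoded value}} for a .reg or OTL :Reg fragment."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in join_continuations(text):
        if not line or line.startswith(";") or line.startswith(":"):
            continue  # blank, comment, or an OTL section header such as :Reg
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
            elif line.startswith("@="):
                keys[current]["@"] = decode_value(line[2:])  # default value
    return keys


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(f"[{key}]")
        for name, value in values.items():
            print(f"  {name} = {value!r}")
```

The same decoder works on an exported .reg file; the OTL-specific part is only the skipped ":Reg" header line. Anything it prints as an unexpected ImagePath or ServiceDll (a path under a user profile or a temp folder, say) is the cue to ask before merging.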

Hi, thanks for the reply.

Scan result after fix and reboot OTL, + FSS scan result.

2 things are still happening:

  1. Pop up saying ‘Skype is corrupt and needs to be reinstalled’ …which is crap

  2. Pop up ‘DrWatson postmortem debugger has encountered a problem and needs to close’… what is this???

ta

To clear the Dr Watson error, download this MS reg fix to your desktop: http://download.microsoft.com/download/7/5/1/751c3454-ffc4-418a-8320-51066f4ee4ce/DisableDrWatson.reg
Double click the file and allow it to merge.

Is the virus chest working now?

For Skype, there is malware that corrupts some of the files; an install over the top will cure that.

How is the computer behaving otherwise?

In avast it still has the same error message, ‘virus chest server is not running’, APART FROM IN THE 1ST VIRUS where the error message changed to ‘the system cannot find the specified path (3)’.

It's behaving fine, no crashing, and pop-ups stopped so far even though the virus is still there. I'm running an avast scan again now too.

I ran RogueKiller too, I'll attach the different logs.

I just found the RogueKiller quarantine report (I think that's the one I meant to give): :).

Also, I found 14 adware entries after the Spybot Search and Destroy scan. Babylon toolbar!! I removed this ages ago yet it's still lurking in my ‘tabs’ as the main page search engine. I can't get rid of it! It's a pain in the arse. >:( I don't know whether that's relevant but I was just thinking of anything else that might help. Spybot scan's still running.

I'm still getting ‘Internet Explorer error, needs to close’ messages.

3 things in task manager:

drwtsn32.exe x 2 (still there, even though I ran the MS reg fix) do I need to reboot? There's x3 now!
msmsgs.exe - keeps reappearing
rundlll.exe - keeps reappearing. Is this OK or not?

Looking at the RK report

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Give me 12 hrs please…

OK 8)

On reboot, IE asks for info not relevant to what I've seen before.

Back tomorrow with details… OK… the letter ‘e’, the fifth letter of the alphabet, isn't working on my keyboard… so please get it…, g'nite… gen

Anyone online now??

Hello, this is gen, please email me cos this is getting hopeless, and if the XXX have my email, I really don't think that it IS GOING to be a problem…

Keyloggers suck it, you pri…cks grrrrrrrrrrrrrr 8)… finger! YOU WILL LOSE!!!

Apologies :-[

ComboFix ran, but stalled I think. It stopped after the ‘deleting folder’ bit. I restarted the computer. Where will it store the log please?

Avast scan showed the virus JS:pdfka-gen[expl] has gone but I have about 5X WIN32:ROOTKIT-GEN, AND 5X WIN32:MALWARE-GEN. They can't be moved to the vault, it still says virus chest server not running, RPC communication failed.

I can't seem to find how to attach the avast log, some things evade me, sorry for being dense ::).

Should I run ComboFix again? I will wait for reply.

Going to look for the log for it now.

PC is still getting a few ‘page not responding’. The other problem was something emailing everyone on my email contacts with spam/advertising and spreading malware, but I won't know about that yet. Really slow screen exit when closing a window… like a ssslllooow crawl!

Excuse my previous msg, it was late and I was getting really p++++m off! Sorry :-X

No apologies, this can be very frustrating, but I recommend that you modify the post and remove the email address or it will be harvested by spammers.

OK, do you have a spare USB drive, as it looks like we will need to kill this outside of Windows?

Create an emergency repair USB drive:
Download Dr Web Live USB to your desktop

  • Connect a USB flash drive to the computer. Registering the plugging in event takes no more than 10 seconds.
  • Launch drwebliveusb.exe.
  • The program will detect available USB-devices automatically and prompt you to choose the one you’d like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License agreement, follow a corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).

https://dl.dropbox.com/u/73555776/liveusb_ru.jpg

  • To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
  • Files will be copied automatically.
  • Once the copying process is completed, press the Exit button to close the application.
  • Reboot the infected computer with the USB in the drive
  • Ensure that the first boot device is USB - If you are not sure about that then see this page for instructions
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

  • Use arrow keys to select DrWeb-LiveCD (Default)

  • When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
  • Once completed, reboot to normal Windows
  • No log is produced, so once in normal Windows run a fresh OTL scan and let me know if the problems persist

I haven't got one unfortunately. I think I may have to take it in to a repair place. :'( Unless there's any more options.

Here's the last two avast scans I did. One full, and a quick scan today that found even more!!!

Thanks for all your help though!! :-*