Trojan-BNK.Win32


66 replies to this topic

#1 eastsider72

Posted 03 June 2011 - 11:57 PM

I cannot get any of the rkill's to work. The 1st link did not work. I was able to download the next 3. Of those, only the exe file was even openable on my computer (windows vista). I did "run as administrator". The black box did pop up, but it didn't go away. I got an error stating "G:\rkill.exe The NTVDM CPU has encountered an illegal instruction. CS:0000 IP:0075 OP:f000 f0 3705 Choose 'close' to terminate this application"

What do I do now?


#2 boopme

Posted 04 June 2011 - 09:22 AM

eastsider
You can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 eastsider72

Posted 04 June 2011 - 07:38 PM

Thank you for helping me.

I ran the iExplore.exe but got the same error message. My work computer (the clean one I'm downloading from) flashed warnings about a possible threat when I tried to download eXplorer.exe. Any idea what I should do next?

#4 boopme

Posted 04 June 2011 - 09:42 PM

OK, we will do this first. This is Vista, and what is the antivirus?


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.



Now an Online scan:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.


#5 eastsider72

Posted 04 June 2011 - 11:14 PM

It seems like I should be able to just do this, but it's not working. I downloaded the TDSSKiller.exe and tried to run it. Got the exact same warning message as when I tried the rkill originally. I also tried to rename it 123abc.com both ways described above (by simply renaming it & by renaming it as I downloaded it). Still the same error message.

As for the online scan, I'm unable to get the website to show up for any longer than 1 second before a page appears recommending that I get a copy of "Vista Total Security 2011". When I hit the back button, the ESET page comes back up, but only for a split second before the Vista warning page takes over again.

The infected computer uses Windows Vista Home Premium. Our antivirus on the infected computer is a free version of AVG.

Thanks again for helping. What a pain this is!

#6 eastsider72

Posted 04 June 2011 - 11:23 PM

In case you were asking about the antivirus on the good computer, I do not know as it is a work computer & I've not downloaded anything to it previously. The error I get when I try to download eXplorer.exe is a Cisco page.

#7 boopme

Posted 05 June 2011 - 10:35 AM

Some offices have restrictions on what you can download. I promise it is safe, but there may be no way around it.

#8 eastsider72

Posted 05 June 2011 - 08:59 PM

So I ignored all the warnings & downloaded eXplorer.exe anyway. I just tried to run it on the infected computer, but got the exact same error message as described before.

#9 boopme

Posted 05 June 2011 - 09:07 PM

EXE Helper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Try ESET and TDSS again.

#10 eastsider72

Posted 05 June 2011 - 09:57 PM

C:\Users\Eastsider72\Desktop\EXEHEL~1.com
The NTVDM CPU has encountered an illegal instruction
CS:0000 IP:0075 OP:f0 00 f0 37 05 Choose 'Close' to terminate the application.


That message came up after trying exeHelper.com. The black window pops up but so does the error warning. This is the same error I keep getting with each of the rkill variations I've tried. I feel like I'm doing something wrong, but I don't know what it is. I'm following the instructions that are posted. I download the file to the work computer, save it to a stick drive, transfer the stick drive to the infected computer, copy the file onto the infected computer desktop, then attempt to run it, sometimes with a double click, sometimes using 'run as administrator'. I keep getting that error message. I get the option to either 'close' or 'ignore'. Am I supposed to ignore the warning?

Please don't take this as anything negative toward the assistance that you are offering. I'm very grateful for the help. Without this forum I'd already be on my way to Best Buy to pay someone $100 to do these exact same things. I'm just reading other posts & seeing these fixes working for everyone else & I'm left wondering why I'm screwing this up?!?

#11 boopme

Posted 06 June 2011 - 03:12 PM

No problem, try the ignore option. I suspect a variant in the malware as it is not allowing normal procedures.

If still no joy we will have to move you and get a deeper look.


Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#12 eastsider72

Posted 06 June 2011 - 09:51 PM

Sorry. Same error when trying to run DeFogger (step 6). This time I clicked 'IGNORE' to the warning that popped up. It cycled thru a few more almost identical warnings to which I continued to click 'IGNORE'. Finally, I got a new warning stating...

NTVDM.EXE has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

The only option from there is to click the 'CLOSE PROGRAM' button which then opens another screen prompting me to download a windows update.

#13 boopme

Posted 07 June 2011 - 03:43 PM

OK, just run OTL and include that log in the new topic.
  1. Please download OTL from one of the following mirrors:
     • This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the Posted Image icon on your desktop.
  4. Under the Custom Scan box paste this in:

     netsvcs
     %SYSTEMDRIVE%\*.exe
     /md5start
     eventlog.dll
     scecli.dll
     netlogon.dll
     cngaudit.dll
     sceclt.dll
     ntelogon.dll
     logevent.dll
     iaStor.sys
     nvstor.sys
     atapi.sys
     IdeChnDr.sys
     viasraid.sys
     AGP440.sys
     vaxscsi.sys
     nvatabus.sys
     viamraid.sys
     nvata.sys
     nvgts.sys
     iastorv.sys
     ViPrt.sys
     eNetHook.dll
     ahcix86.sys
     KR10N.sys
     /md5stop
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT

  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized


#14 eastsider72

Posted 07 June 2011 - 11:44 PM

Oh man, am I some kind of a boob. I just knew I was doing something to screw this up all along. Turns out this work computer (with no mouse so doing everything via a little touch screen) was allowing me to save a file that looked to be the things that I wanted to download, but was actually not. The real file names with extensions were saved to my stick drive, but somehow they were not the true files. When I didn't get the icon to show up on the last file you suggested, I decided to do some sleuthing & figured out that I was downloading the files incorrectly the whole time. I am SOOOOOOOO sorry for the wasted time. Once I downloaded the rkill & malwarebyte files correctly, they ran & I got the log which I will post next. Thank you so much for helping me, even though I ended up wasting much of your time. If you could please review the malwarebytes log for me... Again, thank you.

#15 eastsider72

Posted 07 June 2011 - 11:46 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6805

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

6/7/2011 11:32:21 PM
mbam-log-2011-06-07 (23-32-21).txt

Scan type: Quick scan
Objects scanned: 180076
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4} (Switch.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Whalens\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Whalens\local settings\application data\raj.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\Whalens\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\Whalens\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\Whalens\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
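As an added example (not code from this thread or from Malwarebytes), the following Python parser reads the log format posted above, checks that each section's listed entries agree with the summary counts, and flags the StartMenuInternet shell commands whose "Bad" value launches raj.exe before the real browser, which is how this rogue put itself in front of every browser start. The embedded excerpt is abridged from the log in the post above, with the two summary counts adjusted to match the excerpt.

```python
import re

# Abridged excerpt of the Malwarebytes log posted above (user name as posted).
# The two summary counts are adjusted to this excerpt; the full log lists 4 files.
MBAM_LOG = r"""
Registry Data Items Infected: 4
Files Infected: 1

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Whalens\AppData\Local\raj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Whalens\local settings\application data\raj.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> ")
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)

def parse_log(text):
    """Split an MBAM log into declared summary counts and per-section entries."""
    counts, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):                 # e.g. "Files Infected: 1"
            counts[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):            # section header
            current = line[:-1]
            sections[current] = []
        elif current and (e := ENTRY.match(line)):   # "(No malicious items detected)" is skipped
            sections[current].append(e.groupdict())
    return counts, sections

def count_mismatches(counts, sections):
    """Sections whose listed entries do not add up to the declared summary count."""
    return {n: (c, len(sections.get(n, []))) for n, c in counts.items()
            if c != len(sections.get(n, []))}

def shell_hijacks(sections):
    """(browser key, injected exe) for each StartMenuInternet shell command whose Bad
    value runs something other than the browser named in the Good value."""
    hits = []
    for e in sections.get("Registry Data Items Infected", []):
        if "\\StartMenuInternet\\" not in e["path"] or "\\shell\\" not in e["path"]:
            continue
        bg = BAD_GOOD.match(e["rest"])
        exes = QUOTED_EXE.findall(bg["bad"]) if bg else []
        if exes and exes[0].rsplit("\\", 1)[-1].lower() != bg["good"].split()[0].lower():
            browser = e["path"].split("\\StartMenuInternet\\", 1)[1].split("\\", 1)[0]
            hits.append((browser, exes[0]))
    return hits
```

A mismatch reported by count_mismatches on a real log usually means the paste was truncated, which is worth knowing before reading anything into the list of items.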



