Malware removal help request

By mpipis
Dec 2, 2008
Topic Status:
Not open for further replies.
  1. Followed the 8 step process, think I have something hiding in the restore files, and im not sure how to fix/remove that part. Any help would be greatly apperciated.

    Requested logs attached


    Thankyou
  2. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Welcome to TS. It's helpful when you call attention to findings in the log, as you did, and adding symptoms is useful for understanding the threat / infection. The included log from Avast gives a third view of the infections on your computer. For your case, we will supplement our guide with a special scan / tool. Please review the 8-step guide for MBAM usage.

    Observation: More progress is needed.
    • Your logs show found but unanswered items - React to unanswered items appearing in scan logs
    • NO Action’ - Remove Selected when offered by MBAM
    • 'Delete on Reboot’ - Restart the computer after concluding the scan

    Overview -
    • ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
    • Uninstall old copy of ComboFix
    Supplement to guide. Successive scans used to uncover additional infections.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.
      • Typically extra repeat scans are not needed
      .
    • Follow ComboFix instructions referenced below.

    • Scan with HJT. (part of instructions for ComboFix)

    • Posts logs. Report progress & what changes are observed. Include logs that found infections.

  3. mpipis

    mpipis Newcomer, in training Topic Starter

    Get the following error on reboot

    Error loading
    C:\windows\system32\bofayti.dl

    i click ok and everything continues to load.

    While running MBAM scan avsat gave the following warning

    12/3/2008 10:20:51 AM SYSTEM 184 Sign of "Win32:Buzus-JM [Trj]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{17941672-83C6-4705-B807-583FD0076E1E}\RP537\A0133259.EXE" file.

    Was unable to move it to the avast chest, but was able to delete the file. Havent had anymore warnings ........yet

    I've ran MBAM 6 times now, but one threat always seems to stay, even after its removed, it will show up in another scan.

    Looks like this:
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lozayoziya (Trojan.Agent) -> Quarantined and deleted successfully.

    SAS came up clean after 2 scans.

    Im not sure if I should run ComboFix, since MBAM does not come up clean.

    I've attached the the MBAM logs, first one is what was removed one the first scan, the 2nd MBAM log shows what is found everytime I re-run MBAM.
  4. rf6647

    rf6647 TechSpot Maniac Posts: 931

    As with most scans, the repeat scans looks for any infection that is now unmasked or a clean run. Always assess if symptoms remain.

    Please run ComboFix & HJT. ComboFix cleans & provides diagnostic information that is used to find enabling infections that remain or just residue.
  5. mpipis

    mpipis Newcomer, in training Topic Starter

    The "automated" requests for IE have stopped, I'm not getting any dll loading errors, and I'm not getting any avast warnings.


    Attached new logs.
  6. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Thanks for establishing the symptoms are gone. The ComboFix log is also clear.

    Some cleanup items: uninstall ComboFix & establish a clean restore point.

    Cleanout Old System Restore Points

    Disk Cleanup From the Taskbar
    • Start > Programs > Accessories > System Tools > Disk Cleanup
    • Click OK to accept C:
    • Tick all Boxes
    • Click More Options
    • Click System Restore and OK to "Are you sure" and the OK to Run.
    • Results -
      • Only the most recent Restore Point remains
      • Clears 'Shadow Copies' [ Volume Shadow Copy running is the default ]
        • used by specialized back up programs.
        • reclaims a huge amount of disk space.
        • removes infected files
    Establish a clean System Restore point
    • Start > Programs > System Tools > System Restore
    • Left Pane > System Restore Settings
    • Tick 'Turn off system restore on all drives', Click 'Apply'
    • Wait for completion
    • Untick ' 'Turn off system restore on all drives', Click 'Apply'
    • Wait for completion. OK to end menu. Exit
  7. mpipis

    mpipis Newcomer, in training Topic Starter

    Im sorry this is late. Thank you for your time and help. Everything worked out very well, and I learned some new programs. Going to spend a bit more time here, you guys have a fantastic site, loaded with great info and advice.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.