Posts posted by screen317
-
Hi Udaron, and welcome to MalwareBytes,
Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please download SDFix by AndyManchesta and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.cmd to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
-screen317
-
Echoing AdvancedSetup's comments, yes please do keep Ad-Aware and avast! in conjunction with the programs I recommended.
Take care.
-
Hi thegerm,
Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries:
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
Then, close all other open windows, leaving only HijackThis open, and select Fix checked.
Aside from that, good work. Your log appears to be clean!
Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:
1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.
2) Download and install Spybot-Search & Destroy, which has great features (specifically Immunization and TeaTimer) that help prevent malware from getting on your computer. Also a great scanner for weekly checks of the health of your system.
3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.
4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.
5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.
6) Be sure to update your Antivirus and Antispyware programs often!
Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,
-screen317
-
Hi,
Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u
This uninstalls all of ComboFix's components.
Restart your computer, and run the Kaspersky scan again please.
Also post a fresh HijackThis log. Let me know if any problems remain.
-screen317
-
Hi,
Good to hear, and you're very welcome.
Quote: "Here are both logs from HijackThis and ComboFix. The taskbar problem has since stopped, it no longer has anything in it that it shouldn't."
Let's check for leftovers.
Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
  - Scan using the following Anti-Virus database: Extended
  - Scan Options: Scan Archives, Scan Mail Bases
- Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
-screen317
-
Hello, and welcome to MalwareBytes.
Configure Windows XP to show hidden files:
Navigate to Start --> My Computer.
Select the Tools menu and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Then, please go to VirusTotal, and upload the following file for analysis:
C:\WINDOWS\system32\rkvdr.dll
Post the results in your reply.
Next, please go to this website, and complete the form as follows:
Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=4245
Browse to the file you want to submit:
Click Browse, and navigate to the following file:
C:\WINDOWS\system32\rkvdr.dll
Leave any comments, further information about this file, or contact information: From screen317 (MalwareBytes)
Next, we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317
-
Hi tharu, and welcome to MalwareBytes,
Please read the Pre- HJT Post Instructions, and post the required logs.
Once you do so, I'll be more than happy to assist you.
-screen317
-
Hmm...
Well, according to PCPitStop...
Quote (PCPitStop): "This system performs extremely well on our benchmarks and appears to be among the fastest systems available!"
It might have something to do with your video card...
NVIDIA's GeForce 8600 GTS performs better than their NVIDIA GeForce 8500 GT (which is what you have). I would take a look in that direction.
Otherwise, I've done all that I'm able to do. If you want to delve deeper into this issue, the great folks at TechSupportForum have a section on PC Gaming Support that I linked to for you.
Please download OTMoveIt
- Double click OTMoveIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Please take the following steps to help prevent reinfection:
1) Download and install Spybot-Search & Destroy, which has great features (specifically Immunization and TeaTimer) that help prevent malware from getting on your computer. Also a great scanner for weekly checks of the health of your system.
2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.
3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.
4) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.
5) Be sure to update your Antivirus and Antispyware programs often!
Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,
-screen317
-
Hi Matt,
Can you describe your lagging in more detail? What exactly is lagging? Games? Videos? Overall performance?
You have a great amount of memory... We cleared your Temp files... Your computer appears to be in good shape, sans the description you're providing.
-
Hi Matt,
PCPitStop noted some things that you can do to improve the shape your computer is in.
Pay particular attention to these items:
-
That's odd.
(Small talk while the scan is running.)
Which other two programs do you use?
-
Please use this link instead:
-
Hi Matt,
Please download ATF Cleaner by Atribune from here, and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
The rest are optional - if you want to remove the whole lot, check Select All.
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
Restart your computer.
Next, let's defragment your system. I use Diskeeper Lite to defragment. It is the trial version of Diskeeper, and you can use it forever. I recommend installing it and defragmenting as soon as possible.
After that, please run the PCPitStop tests again, and we'll address what concerns it brings up.
-screen317
-
Hi Matt,
Good to hear.
Quote: "P.S. I am no longer getting the pop up box saying the computer will shut down in 60 seconds.... Matt"
Please delete BlackLight. It came up clean.
How are things running now? Any recurring problems?
-
Hi Matt,
Are you still receiving the "computer will shut down in 60 seconds" box? If so, when did this begin happening (specifically, after which step)?
Please download F-Secure's Blacklight from here
- Save it to your Desktop
- Double-click blbeta.exe then accept the agreement.
- click > scan then > next,
- You'll see a list of all items found.
- Don't choose rename yet! I want to see the log first, because legitimate items can also be present there...
- There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
- Post the contents of the log in your next reply.
-screen317
-
Hi Matt,
Whenever the "computer will shut down in 60 seconds" box appears, navigate to Start --> Run, and type in the following command:
shutdown -a
Please download Combofix by sUBs.
1. Save it to your Desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log, as well as a fresh HijackThis log, in your next reply.
-screen317
-
Hi Matt,
- Please double-click OTMoveIt.exe to run it.
- Copy the file path below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Documents and Settings\Owner\DoctorWeb
- Return to OTMoveIt, right click on the "Paste Standard List Of Files/Folders to move" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
- Open Notepad and paste the text into a new file.
- Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Next, navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u
This uninstalls all of ComboFix's components.
Next, double click OTMoveIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Post a fresh HijackThis log, and let me know what problems remain.
-screen317
-
Hi Matt,
Please go to this website, and complete the form as follows:
Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.p...amp;#entry14285
Browse to the file you want to submit:
Click Browse, and navigate to the following file:
C:\WINDOWS\system32\driver\security\services.exe
Leave any comments, further information about this file, or contact information: From screen317; identified as a backdoor by PCPitStop.
Next, please download Dr.Web CureIt to your Desktop.
Run Dr.Web CureIt as follows:
- Double-click the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, check whether you can click the next icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
-screen317
-
Hi Matt,
Kaspersky detected an associated file as infected; do the following, and we'll make sure.
Quote: "Hey there again, this version of Nero was on the computer when I bought it but I don't think it is cracked, is there a way I can tell?"
Please go to VirusTotal, and upload the following file for analysis:
C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe
Post the results in your reply.
I'll do you one better. Let's find out what's causing the lackluster performance, and maybe we can do something about it without you having to pay for it... maybe....
Quote: "also could you please recommend a program (not too expensive) to "TWEAK" my system and make it a bit better performance-wise"
Please register (it's free, don't worry) with PCPitStop and run the full tests here. When the tests are complete, a results page will pop up. Click "Share these results with TechExpress" on the left-hand side. Then copy the URL provided and post it here for me.
-screen317
-
Hi Matt,
Are you using a cracked version of Nero? If so, please uninstall it immediately; cracks are one of the top sources of malware, and it's probably why you were infected in the first place.
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file path below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\RECYCLER\S-1-5-21-1935655697-2077806209-839522115-1003\Dc5.dll
C:\WINDOWS\system32\drivers\security\Mssvc.exe
C:\WINDOWS\system32\drivers\security\service.exe
- Return to OTMoveIt, right click on the "Paste Standard List Of Files/Folders to move" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
- Open Notepad and paste the text into a new file.
- Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
-screen317
-
Hi Matt,
Please delete the following file:
C:\WINDOWS\system32\sleep32.dll
Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
  - Scan using the following Anti-Virus database: Extended
  - Scan Options: Scan Archives, Scan Mail Bases
- Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6u5.
- Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- In the pull down menu next to Platform select Windows
- Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
- Click Continue
- Click on the link to download Windows Offline Installation and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u5-windowsi586-p.exe to install the newest version.
Restart your computer, post a fresh HijackThis log, and let me know what problems remain.
-screen317
-
Hi Matt,
Please go to VirusTotal, and upload the following file for analysis:
C:\WINDOWS\system32\sleep32.dll
Post the results in your reply.
-screen317
-
Hi Matt,
Next we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317
-
Hello Mattwardinterglaze, and welcome to MalwareBytes.
My apologies for the delay. We're all volunteers, and we've been swamped.
Please download HijackThis from here.
Save it to a permanent folder (such as C:\HJT).
Next, open HijackThis, and select Do a system scan and save a logfile.
A Notepad document will open. Please post the contents of that document.
Next, please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
-screen317
-
Can't get rid of these spyware/trojans, argh! (in Resolved Malware Removal Logs)
Hi,
Let's check for leftovers after a little cleanup
I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
After all of the fixes are complete it is very important that you enable TeaTimer again.
Next, please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A3A19E17-954F-4303-B897-7A4A301505F0} - (no file)
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - (no file)
O20 - Winlogon Notify: cbXPiHYS - cbXPiHYS.dll (file missing)
Then, close all other windows, leaving only HijackThis open, and select Fix checked.
Restart the computer normally.
Enable TeaTimer after the restart.
Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Scan Options:
- Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
Restart your computer, and post a fresh HijackThis log. Let me know if any problems remain.
-screen317
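The HijackThis entries ticked in this post and in the earlier reply to thegerm share two patterns a helper looks for in a log: orphaned entries whose target is gone ("(no file)" / "(file missing)") and Internet Explorer page settings blanked or pointed at about:blank. As an added example, not screen317's or HijackThis's code, here is a small Python triage script that flags exactly those two patterns; the sample log is constructed from the entries quoted in the posts above, with made-up clean lines (paths and one CLSID) added for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample HijackThis log. The flagged lines are the ones quoted in
# the posts above; the R1, second O2 and O23 lines are made-up clean entries.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.example.com/search
O2 - BHO: (no name) - {A3A19E17-954F-4303-B897-7A4A301505F0} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O20 - Winlogon Notify: cbXPiHYS - cbXPiHYS.dll (file missing)
O23 - Service: Example AV - Example Corp - C:\\Program Files\\Example\\av.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    clsid: Optional[str]
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the entry matches one of the two patterns the
    posts above fix, otherwise None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    # Orphaned BHO / extra button / Winlogon Notify entry: the registry still
    # points at a file that no longer exists, a typical leftover after cleanup.
    if body.endswith(MISSING_MARKERS):
        return Finding(section, clsid, "referenced file missing (orphaned entry)", line)
    # R0/R1 IE page settings that are empty or about:blank, the hijacked
    # home-page pattern ticked in the post.
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value == "" or value.lower() == "about:blank":
            return Finding(section, clsid, "blank or about:blank IE page setting", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a HijackThis log and keep the flagged ones."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def fix_list(log_text: str) -> List[str]:
    """The exact lines a helper would ask the user to tick under
    'Do a system scan only' before pressing 'Fix checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:40} {f.clsid or '-'}")
```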