Yourhighness

Posts posted by Yourhighness

  1. Hi HurrHurr,

    Step #1

    1. Open notepad and copy/paste the text in the codebox below into it:

      http://www.malwarebytes.org/forums/index.php?showtopic=7918&pid=37727&st=0entry37727
      Collect::
      c:\windows\SYSTEM32\dinizuha.dll
      c:\documents and settings\Jiquori Roberson\Application Data\ozibydi.sys
      c:\documents and settings\Jiquori Roberson\Application Data\ydud.dat
      c:\program files\Common Files\laxifif._dl
      c:\program files\Common Files\imededa.inf
      c:\documents and settings\Jiquori Roberson\Application Data\oreve.bin
      c:\program files\Common Files\olagym.scrw
      c:\documents and settings\Jiquori Roberson\Application Data\nyhohaji.scr
      c:\documents and settings\All Users\Application Data\dufokymaju.pif
      c:\documents and settings\Jiquori Roberson\Application Data\iqyzadom.scr
      c:\program files\Common Files\fijosoqu.dll
      c:\program files\Common Files\ebepub.inf
      c:\documents and settings\All Users\Application Data\bevewanuji.exe
      c:\program files\Common Files\asetewemo.reg
      c:\documents and settings\All Users\Application Data\pamexime.sys
      c:\documents and settings\All Users\Application Data\ximeguk.com
      c:\documents and settings\All Users\Application Data\doha.bat
      c:\documents and settings\All Users\Application Data\hygefyrec.dll
      c:\documents and settings\Jiquori Roberson\Application Data\ceqejus.pif
      c:\documents and settings\All Users\Application Data\rojaz.dll
      c:\documents and settings\Jiquori Roberson\Application Data\hobyve.com
      c:\documents and settings\Jiquori Roberson\Application Data\usyse.bin
      c:\documents and settings\Jiquori Roberson\Application Data\tovyfe.reg
      c:\documents and settings\All Users\Application Data\volef.sys
      c:\program files\Common Files\tyqedete.pif
      c:\documents and settings\All Users\Application Data\tipitudod.reg
      c:\program files\Common Files\qynilubo.dll
      c:\documents and settings\All Users\Application Data\izikadelo.sys
      c:\program files\Common Files\ucocakow.reg
      c:\program files\Common Files\ihevav.dl
      c:\documents and settings\All Users\Application Data\amoged.scr
      DirLook::
      c:\program files\Dl_cats


    2. Save this as CFScript.txt
      CFScript_small.gif
    3. Referring to the picture above, drag CFScript.txt into ComboFix.exe
    4. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
      Note:
      Do not mouse click combofix's window whilst it's running. That may cause it to stall
    5. Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
      Please submit this file via the html page that should popup after running ComboFix.
      Please include a link to this topic in the message.

    Step #2

    Please navigate to McAfee.

    Then kindly follow all listed steps.

    Make sure you save a log file.

    You can do this by clicking:

    • the File menu and select Save report to file

    Make sure you name it in a manner that is easy for you to remember.

    Then save it to a place that will also be easy for you to remember (ie. desktop).

    Then select the complete contents of that file and post it in your next reply, along with any other logs that may have been requested to be posted.

    Thanks!

    Step #3

    Please go to Eset Onlinescan (NOD32)

    (You need to use InternetExplorer or enable IEView in Firefox)

    • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
    • Now click Start
    • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
    • Click Start (the Onlinescanner will now prepare itself for running on your pc)
    • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
    • Press Scan
    • The Onlinescan will now start and scan your pc (this could take a while)
    • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
    • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
    • The Scanresults will now open in Notepad
      • Click into the text area, right-click and choose "select all" (or use ctrl+a)
      • Right-click again and choose "copy" (or ctrl+c)
      • Close Notepad

      • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

    Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

    Step #4

    Please post back with the combofix, stinger and nod32 onlinescanner log. Thanks!
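Added example (not from Yourhighness's post or from ComboFix itself): a small Python parser for the CFScript layout used in Step #1 above, so that a helper can sanity-check a script before handing it to a user. The grammar it assumes is inferred from the two directives shown in the post: a directive sits on its own line ending in `::` (`Collect::`, `DirLook::`), the lines that follow are its entries, and anything before the first directive (the thread URL) is a preamble. The sample script embedded below is constructed from a few of the paths in the post; nothing about these paths beyond what the post states is claimed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape shown in the post (URL line, then directive
# sections).  Paths are copied from the post; this is just the file's structure.
SAMPLE_CFSCRIPT = """\
http://www.malwarebytes.org/forums/index.php?showtopic=7918&pid=37727&st=0entry37727
Collect::
c:\\windows\\SYSTEM32\\dinizuha.dll
c:\\documents and settings\\Jiquori Roberson\\Application Data\\ozibydi.sys
c:\\program files\\Common Files\\laxifif._dl
DirLook::
c:\\program files\\Dl_cats
"""

# Assumed grammar: a directive is a bare word followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Entries for path directives must be absolute drive paths.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}.  Lines before the first
    directive (the thread URL) are kept under the key 'preamble'."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])   # keep empty sections visible
            continue
        sections[current].append(line)
    return dict(sections)


def validate(sections):
    """Return a list of problems: every entry of a path directive must be an
    absolute drive path, and the preamble should be exactly one URL."""
    problems = []
    for name, entries in sections.items():
        if name == "preamble":
            if len(entries) != 1 or not entries[0].lower().startswith("http"):
                problems.append("preamble should be exactly one thread URL")
            continue
        for entry in entries:
            if not DRIVE_PATH_RE.match(entry):
                problems.append(f"{name}: not an absolute path: {entry!r}")
    return problems


def summarize_by_directory(entries):
    """Group file entries by parent directory (case-folded), which shows at a
    glance which locations a Collect:: section will touch."""
    by_dir = defaultdict(list)
    for entry in entries:
        parent, _, leaf = entry.rpartition("\\")
        by_dir[parent.lower()].append(leaf)
    return dict(by_dir)


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed.items():
        print(f"{directive}: {len(entries)} entries")
    print("problems:", validate(parsed) or "none")
    for folder, files in summarize_by_directory(parsed["Collect"]).items():
        print(f"  {folder}: {', '.join(files)}")
```

The `Collect::` grouping is the useful part for a helper: the same user-writable directories (`Application Data`, `Common Files`) recur across the list, which is the pattern that made the original poster's files stand out in the first place.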

  2. hi there,

    Yes, please do install that update; it includes some security patches. That some of the HJT entries were missing is OK. I am a bit in a hurry and unfortunately was not able to reply to you last night. Please have the following scan also carried out:

    Download and Save Blacklight to your desktop:

    • Double-click blbeta.exe then accept the agreement, click > scan then > next
    • You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
    • Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

    i will reply then with more information tonight.

    thanks. yohi

  3. hi HurrHurr,

    Your Panda scan suggests that you have had / have a serious infection aboard! Bagle

    Step #1

    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

    Step #2

    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Step #3

    Your logs show that you have (a) online poker programme(s) installed on your computer. I know that you may use these (this) game(s) on a regular basis but I think it's important to note that often these kind of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the below steps:

    Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs, search for the poker game and remove it.

    If you are unsure of anything, please don't hesitate to ask.

    Step #4

    Run HijackThis, press Scan, and put a check mark next to all these entries:

    O2 - BHO: (no name) - {8982ea39-f685-4832-832d-740a2ded7f4a} - C:\WINDOWS\system32\godadoju.dll (file missing)

    O4 - HKUS\S-1-5-19\..\Run: [dupunizome] Rundll32.exe "C:\WINDOWS\system32\gayuhiyu.dll",s (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [dupunizome] Rundll32.exe "C:\WINDOWS\system32\gayuhiyu.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: karina.dat c:\windows\system32\yinonude.dll

    Close all other windows and browsers, and press the Fix Checked button.

    Step #5

    Please download ComboFix from one of these locations:

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Thanks!

  4. Hi there,

    Step #1

    Run HijackThis, press Scan, and put a check mark next to all these entries:

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKUS\S-1-5-19\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll

    Close all other windows and browsers, and press the Fix Checked button.

    Step #2

    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

    Step #3

    Please download ComboFix from one of these locations:

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Thanks!
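Added example (not from Yourhighness's posts or from HijackThis): Python triage logic for the kinds of HijackThis lines quoted in Step #4 of the previous post and Step #1 of this one. It parses the O2 (BHO), O4 (Run key) and O20 (AppInit_DLLs) line formats and reports why each one deserves attention from a defender's point of view: an orphaned BHO whose DLL is gone, a Run entry in the hive of a service account that never logs on interactively (S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE), rundll32 used as a DLL loader at logon, and any AppInit_DLLs value at all, since that value is loaded into every process that maps user32.dll. The sample lines are the ones quoted in the two posts, embedded here as constructed input; the line regexes are written from those samples and are an assumption, not HijackThis's own grammar.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in the two posts above.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {8982ea39-f685-4832-832d-740a2ded7f4a} - C:\\WINDOWS\\system32\\godadoju.dll (file missing)
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\\S-1-5-19\\..\\Run: [dupunizome] Rundll32.exe "C:\\WINDOWS\\system32\\gayuhiyu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\\S-1-5-20\\..\\Run: [dupunizome] Rundll32.exe "C:\\WINDOWS\\system32\\gayuhiyu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: karina.dat c:\\windows\\system32\\yinonude.dll
"""

# Line shapes inferred from the samples (assumption, not an official grammar).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")

# Well-known SIDs of the two built-in service accounts.  They never log on
# interactively, so a Run entry under their hive has no legitimate purpose.
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Parse one HijackThis line and return a Finding only if a rule fired,
    with one reason per rule."""
    reasons: List[str] = []
    m2, m4, m20 = O2_RE.match(line), O4_RE.match(line), O20_RE.match(line)
    if m2:
        if m2.group("missing"):
            reasons.append("orphaned BHO: CLSID points at a DLL that no longer exists")
    elif m4:
        hive, cmd = m4.group("hive"), m4.group("cmd")
        for sid, account in SERVICE_SIDS.items():
            if sid in hive:
                reasons.append(f"Run key in the {account} hive ({sid})")
        if re.search(r"\brundll32(\.exe)?\b", cmd, re.IGNORECASE):
            reasons.append("rundll32 used to load a DLL at logon")
    elif m20:
        # AppInit_DLLs is a space-separated list (paths with spaces would need
        # quoting, which these samples do not use).  Every entry is injected
        # into each process that loads user32.dll, so any value is worth a look.
        for dll in m20.group("dlls").split():
            if "\\" in dll:
                reasons.append(f"AppInit_DLLs injects {dll}")
            else:
                reasons.append(f"AppInit_DLLs bare name {dll} is resolved via the DLL search path")
    return Finding(line, reasons) if reasons else None


def triage(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.line)
        for reason in f.reasons:
            print("   -", reason)
```

Note that the `HKLM\..\Run: [Alcmtr] ALCMTR.EXE` line is parsed but not flagged by these rules: the helper asked for it to be fixed as part of the cleanup, but nothing in the line itself (no service-account hive, no rundll32) trips a rule, which is the usual reason a human reviewer still reads the whole log rather than only the automated hits.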

  5. hi HurrHurr!

    Welcome to Malwarebytes.org!

    Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

    Please also take note of the following:

    • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine
    • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.

    Step #1

    • Please download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Step #2

    * Clean your Cache and Cookies in InternetExplorer:

    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK

    * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.

    * Clean other Temporary files + Recycle bin

    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.

    Step #3

    Please post back with the logs. Thanks!

  6. hi Ralph,

    welcome to Malwarebytes.org!

    Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

    Please also take note of the following:

    • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine
    • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.

    Step #1

    * Clean your Cache and Cookies in InternetExplorer:

    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK

    * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.

    * Clean other Temporary files + Recycle bin

    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.

    Step #2

    • Please download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Thanks!

  7. TEMP = %USERPROFILE%\Lokale Einstellungen\Temp
    TMP = %USERPROFILE%\Lokale Einstellungen\Temp
    ComSpec = %SystemRoot%\system32\cmd.exe
    FP_NO_HOST_CHECK = NO
    NUMBER_OF_PROCESSORS = 1
    OS = Windows_NT
    Path = %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Programme\Gemeinsame Dateien\GTK\2.0\bin;C:\Programme\Haufe\iDesk\iDeskService;C:\Programme\Haufe\iDesk\iDeskService\
    PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE = x86
    PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL = 6
    PROCESSOR_REVISION = 0801
    PROMPT = $p$g
    TEMP = C:\WINDOWS\TEMP
    TMP = C:\WINDOWS\TEMP
    T Sinus STick Dir = C:\Programme\DT\Sinus 154 stick\ (that's my mom's WLAN stick)
    Winbootdir = C:\WINDOWS
    Windir = C:\WINDOWS

    That's it. Thanks.

  8. Any news? I would have to do it via remote desktop. My mom hasn't complained about any problems, besides one reg key that had been left over due to my silliness and was causing the boot to take forever. That's fixed and no other security programme found any issues afaik. If I can be of help, let me know.

  9. ok, doing this now. As I am here only on a stay-over and know that my mom does not install anything and does not run this pc on a daily basis, it must be something to do with the windows update.

    Does it help if I tell you that the detection occurs once the "extra and heuristic" scan starts?

    Malwarebytes' Anti-Malware 1.28

    Datenbank Version: 1261

    Windows 5.1.2600 Service Pack 3

    12.10.2008 17:13:23

    mbam-log-2008-10-12 (17-13-10).txt

    Scan-Methode: Quick-Scan

    Durchsuchte Objekte: 128969

    Laufzeit: 15 minute(s), 51 second(s)

    Infizierte Speicherprozesse: 1

    Infizierte Speichermodule: 0

    Infizierte Registrierungsschl

  10. mhhm,

    no help :blink:.

    Malwarebytes' Anti-Malware 1.28

    Datenbank Version: 1261

    Windows 5.1.2600 Service Pack 3

    12.10.2008 16:16:31

    mbam-log-2008-10-12 (16-16-25).txt

    Scan-Methode: Quick-Scan

    Durchsuchte Objekte: 128835

    Laufzeit: 23 minute(s), 18 second(s)

    Infizierte Speicherprozesse: 1

    Infizierte Speichermodule: 0

    Infizierte Registrierungsschl

  11. hiya :).

    Also, did you install/uninstall any other security software around the same time that this happened?

    Nope. Just MBAM and what I posted in the other thread about avira not liking the installer. I had to cancel install, disable guard and reinstall mbam. Worked fine though.

    Uninstalling and reinstalling now. I'll use CCleaner afterwards and do another scan when reinstalled. Will take at least 30 minutes though as this is like really ancient hardware here :blink: .

  12. Hi guys,

    just did an update and made a scan with the latest database, I think it's flagging windows update files as trojans and the like:

    Malwarebytes' Anti-Malware 1.28

    Datenbank Version: 1259

    Windows 5.1.2600 Service Pack 3

    12.10.2008 14:08:16

    mbam-log-2008-10-12 (14-08-04).txt

    Scan-Methode: Quick-Scan

    Durchsuchte Objekte: 128871

    Laufzeit: 25 minute(s), 38 second(s)

    Infizierte Speicherprozesse: 1

    Infizierte Speichermodule: 0

    Infizierte Registrierungsschl

  13. hi,

    talking about cool switch - alt tab replacement. see here and here for more info.

    Malwarebytes' Anti-Malware 1.28

    Datenbank Version: 1177

    Windows 5.1.2600 Service Pack 2

    19.09.2008 22:19:52

    mbam-log-2008-09-19 (22-09-47).txt

    Scan-Methode: Quick-Scan

    Durchsuchte Objekte: 42424

    Laufzeit: 2 minute(s), 53 second(s)

    Infizierte Speicherprozesse: 0

    Infizierte Speichermodule: 0

    Infizierte Registrierungsschl
