Jump to content

SpySentinel

Experts
  • Content Count

    1,848
  • Joined

  • Last visited

Posts posted by SpySentinel

  1. We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      C:\Windows\System32\logevent.dll | C:\Windows\System32\cngaudit.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Now please try running ComboFix

  2. Sorry for the delay.

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      C:\Windows\System32\logevent.dll | C:\Windows\System32\cngaudit.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Now please try running ComboFix

  3. Hi Ian,

    Your log looks clean, Great Job :unsure:

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      CF_Cleanup.png

    Now for some cleanup..

    Please download OTC and save it to Desktop.

    • Please make sure you are connecting to the Internet
    • Double-click OTC.exe
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.

        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

    • Next press the Apply button and then the OK to exit the Internet Properties page.




      • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
      • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
      • Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
      • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

  4. Nope, it runs in the background then goes away, so you should not have noticed anything. ComboFix should work now:

    Please download ComboFix from

    Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".

    [*]During the download, rename Combofix to Combo-Fix as follows:

    CF_download_FF.gif

    CF_download_rename.gif

    [*]It is important you rename Combofix during the download, but not after.

    [*]Please do not rename Combofix to other names, but only to the one indicated.

    [*]Close any open browsers.

    [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    [*]Double click on combo-Fix.exe & follow the prompts.

    [*]When finished, it will produce a report for you.

    [*]Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

  5. Hi ians2b, My name is SpySentinel and I will be filling in while chamber is away for a while.

    Download TFC by OldTimer to your desktop

    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  6. Hi Major_Tom,

    Please delete ComboFix and:

    Please download ComboFix from

    Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".

    [*]During the download, rename Combofix to Combo-Fix as follows:

    CF_download_FF.gif

    CF_download_rename.gif

    [*]It is important you rename Combofix during the download, but not after.

    [*]Please do not rename Combofix to other names, but only to the one indicated.

    [*]Close any open browsers.

    [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    [*]Double click on combo-Fix.exe & follow the prompts.

    [*]When finished, it will produce a report for you.

    [*]Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

  7. Hi Major Tom and welcome to Malwarebytes :)

    Please go ahead and post the Win32Diag Report as well as:

    Please download ComboFix from

    Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".

    [*]During the download, rename Combofix to Combo-Fix as follows:

    CF_download_FF.gif

    CF_download_rename.gif

    [*]It is important you rename Combofix during the download, but not after.

    [*]Please do not rename Combofix to other names, but only to the one indicated.

    [*]Close any open browsers.

    [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    [*]Double click on combo-Fix.exe & follow the prompts.

    [*]When finished, it will produce a report for you.

    [*]Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

  8. Hi swat1276, welcome to Malwarebytes :)

    Please download ComboFix from

    Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".

    [*]During the download, rename Combofix to Combo-Fix as follows:

    CF_download_FF.gif

    CF_download_rename.gif

    [*]It is important you rename Combofix during the download, but not after.

    [*]Please do not rename Combofix to other names, but only to the one indicated.

    [*]Close any open browsers.

    [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    [*]Double click on combo-Fix.exe & follow the prompts.

    [*]When finished, it will produce a report for you.

    [*]Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

  9. Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running ComboFix and Malwarebytes, then post the logs here.

  10. 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::

    C:\xxxx.exe

    Driver::

    YKRLTOUV

    Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  11. Your log looks clean, Great Job <_<

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      CF_Cleanup.png

    Now for some cleanup..

    Please download OTC and save it to Desktop.

    • Please make sure you are connecting to the Internet
    • Double-click OTC.exe
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.

        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

    • Next press the Apply button and then the OK to exit the Internet Properties page.




      • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
      • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
      • Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
      • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.