Jump to content

SpySentinel

Experts
  • Content Count

    1,848
  • Joined

  • Last visited

Posts posted by SpySentinel

  1. No you did nothing wrong. This happens some times, its the program not you.

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

  2. This is a new variant of a new infection. The reason that folder was empty is because those files are empty.

    Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running Malwarebytes, then post the log here.

  3. Please try this:

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    MD "%USERPROFILE%"\desktop\malware

    xcopy C:\WINDOWS\addins\addins\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\AppPatch\Custom\Custom\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D1.tmp\ZAP2D1.tmp "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP380.tmp\ZAP380.tmp "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP490.tmp\ZAP490.tmp "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\temp\temp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\tmp\tmp "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Config\Config\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Debug\UserMode\UserMode\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Connection Wizard\Connection Wizard\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\ERDNT\ERDNT\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\ime\imejp\applets\applets\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\ime\imejp98\imejp98\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1041\1041\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1042\1042\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1054\1054\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\2052\2052\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\3076\3076\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\3com_dmi\3com_dmi\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\Adobe\update\update\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Recent\Recent\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\dhcp\dhcp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\system32\drivers\disdn\disdn\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\BATCH\BATCH\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Config\News\News\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\System\DFS\DFS\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Temp\Temp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\10\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware /c /q /r /h /y

    Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

    3. Save the file as "Upload.bat". Make sure to save it with the quotation marks.

    4. Double click Upload.bat.

    It should create a Zipped Folder on your desktop called Malware

    Right click on your desktop and Choose New .zip/compressed folder. Then call it Malware2. Drag the Malware Folder in the Malware2.zip folder.

    Then go to

    http://www.malwarebytes.org/forums/index.php?showforum=55

    and Attach the Malware folder in a new post. Please add this into your post "Files for SpySentinel"

  4. Download ComboFix from one of these locations:

    Link 1

    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Do not run ComboFix yet

    Download this program

    Drag ComboFix into Inherit.exe.

    Then wait for it to say "OK"

    • ComboFix should run now.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  5. Download TFC by OldTimer to your desktop

    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  6. Sorry for the delay.

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    MD "%USERPROFILE%"\desktop\malware.zip

    xcopy C:\WINDOWS\addins\addins\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\AppPatch\Custom\Custom\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D1.tmp\ZAP2D1.tmp "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP380.tmp\ZAP380.tmp "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP490.tmp\ZAP490.tmp "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\temp\temp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\assembly\tmp\tmp "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Config\Config\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Debug\UserMode\UserMode\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Connection Wizard\Connection Wizard\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\ERDNT\ERDNT\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\ime\imejp\applets\applets\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\ime\imejp98\imejp98\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1041\1041\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1042\1042\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\1054\1054\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\2052\2052\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\3076\3076\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\3com_dmi\3com_dmi\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\Adobe\update\update\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\config\systemprofile\Recent\Recent\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\dhcp\dhcp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\system32\drivers\disdn\disdn\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\BATCH\BATCH\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Config\News\News\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\System\DFS\DFS\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\pchealth\helpctr\Temp\Temp\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\10\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    xcopy C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup\Device\__max++>\^ "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y

    Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

    3. Save the file as "Upload.bat". Make sure to save it with the quotation marks.

    4. Double click Upload.bat.

    It should create a Zipped Folder on your desktop called Malware.zip

    Then go to

    http://www.malwarebytes.org/forums/index.php?showforum=55

    and Attach the Malware.zip folder in a new post. Please add this into your post "Files for SpySentinel"

  7. Your log looks clean, Great Job <_<

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      CF_Cleanup.png

    Now for some cleanup..

    Please download OTC and save it to Desktop.

    • Please make sure you are connecting to the Internet
    • Double-click OTC.exe
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes

    Download TFC by OldTimer to your desktop

    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.

        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

    • Next press the Apply button and then the OK to exit the Internet Properties page.




      • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
      • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
        No Firewall Onboard
        You don't seem to have a firewall program installed. Using a firewall will allow you to allow/deny access for applications that want to go online. Select one of these, or another of your choice:

      [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

      [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      [*]Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

      [*]Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

  8. A few things I forgot to ask. I was able to uninstall most of the non-working programs, but for some reason I am unable to get rid of rootrepeal. I have the icon on my desktop but when I try to trash it I get the error message

    Cannot delete RootRepeal: Access is denied.

    Make sure the disk is not full or write-protected and that the file is not currently in use.

    When I go to the control panel>add or remove programs

    I am unable to find it. Is there another way to delete it?

    Yes, we will handle removing RootRepeal once you are clean

    Also, should I uninstall any of the programs that I used, ie, combofix, etc?

    We will leave them for now, we may need them again. Once you are clean I will have you remove them.

    Download TFC by OldTimer to your desktop

    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  9. Hi Steve,

    Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    rmdir "C:\Windows\AppPatch\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}"

    Exit

    3. Save the file as "Remove.bat". Make sure to save it with the quotation marks.

    4. Double click Remove.bat.

    Step #2

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #3

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #4

    Now try running Malwarebytes, then post the log here.

  10. Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Adobe Reader 7.0

    J2SE Runtime Environment 5.0

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

    Please go to the link below to update.

    http://www.adobe.com/products/acrobat/readstep2.html

    javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Upgrading Java:

    • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

    Download TFC by OldTimer to your desktop

    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

  11. Yes, but first:

    Step #1

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #2

    Now try to run MBAM in safe mode.

  12. Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.