SpySentinel

Posts posted by SpySentinel

  1. Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running ComboFix and Malwarebytes, then post the logs here.

  2. 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Collect::
    c:\documents and settings\trader\Application Data\vimobak.com
    c:\windows\xonarif.bat
    c:\windows\system32\sulefevo.dll
    c:\windows\ukefyruma.bin
    c:\windows\yrepa.scr
    c:\documents and settings\trader\Application Data\mygurecan.exe
    c:\documents and settings\trader\Local Settings\Application Data\gyky.bin
    c:\windows\system32\anuna.com
    c:\windows\muhyxoxujy.dll
    c:\documents and settings\trader\Application Data\nubike.sys
    c:\windows\uryq.scr
    c:\documents and settings\trader\Application Data\sepaqe.scr
    c:\program files\Common Files\cywumokofi.com
    c:\program files\Common Files\ixyqywiju.pif
    c:\program files\Common Files\rabeq.dat
    c:\windows\system32\buxy.com
    c:\documents and settings\trader\Local Settings\Application Data\adec.pif
    c:\windows\kuhe.pif
    c:\windows\system32\himajil.reg
    c:\windows\system32\gibake.com
    c:\documents and settings\All Users\Application Data\jatyd.dll
    c:\windows\nyrowil.scr
    c:\windows\esamebus.pif
    c:\windows\otiwa.exe
    c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr
    c:\windows\ebac.sys
    c:\windows\urexe.pif
    c:\windows\depih.bin
    c:\documents and settings\trader\Application Data\ynyl.sys
    c:\documents and settings\trader\Application Data\MalwareRemovalBot

    Driver::
    Viewpoint Manager Service

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  3. Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running ComboFix and Malwarebytes, then post the logs here.

  4. Yes you will need to uninstall them.

    Please download Malwarebytes' Anti-Malware

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  5. Hi tallisall, Welcome to Malwarebytes :(

    Download ComboFix from one of these locations:

    Link 1

    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  6. Hi Falcon, Welcome to Malwarebytes :(

    We Need to check for Rootkits with RootRepeal

    1. Download RootRepeal from the following location and save it to your desktop.
       Rar Mirrors - Only if you know what a RAR is and can extract it.
    2. Extract RootRepeal.exe from the archive.
    3. Open rootRepealDesktopIcon.png on your desktop.
    4. Click the reportTab.png tab.
    5. Click the btnScan.png button.
    6. Check all seven boxes: checkBoxes2.png
    7. Push Ok.
    8. Check the box for your main system drive (usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

  7. Hi karen8127, Welcome to Malwarebytes :(

    We Need to check for Rootkits with RootRepeal

    1. Download RootRepeal from the following location and save it to your desktop.
       Rar Mirrors - Only if you know what a RAR is and can extract it.
    2. Extract RootRepeal.exe from the archive.
    3. Open rootRepealDesktopIcon.png on your desktop.
    4. Click the reportTab.png tab.
    5. Click the btnScan.png button.
    6. Check all seven boxes: checkBoxes2.png
    7. Push Ok.
    8. Check the box for your main system drive (usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

  8. Yes it is very nasty, and new, so we are just getting the hang of how to remove it.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  9. Hi ph3nom, Welcome to Malwarebytes :(

    We Need to check for Rootkits with RootRepeal

    1. Download RootRepeal from the following location and save it to your desktop.
       Rar Mirrors - Only if you know what a RAR is and can extract it.
    2. Extract RootRepeal.exe from the archive.
    3. Open rootRepealDesktopIcon.png on your desktop.
    4. Click the reportTab.png tab.
    5. Click the btnScan.png button.
    6. Check all seven boxes: checkBoxes2.png
    7. Push Ok.
    8. Check the box for your main system drive (usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

  10. Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    rmdir "C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}"

    Exit

    3. Save the file as "Remove.bat". Make sure to save it with the quotation marks.

    4. Double click Remove.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running ComboFix and Malwarebytes, then post the logs here.

  11. Spyware Terminator used to be rogue anti-spyware, which would pretend to be a legitimate program and then ask to be paid to remove threats that were not actually there. Now it is an OK program, or so they say. It is still uncertain whether they should be trusted. I will have a list of free alternatives you can download that are better than Spyware Terminator.

  12. Download the HostsXpert 4.3 - Hosts File Manager.

    • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.3 - Hosts File Manager
    • Run HostsXpert 4.3 - Hosts File Manager from its new home
    • Click on "File Handling".
    • Click on "Restore MS Hosts File".
    • Click OK on the Confirmation box.
    • Click on "Make Read Only?"
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  13. Step #1

    1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off

    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

    Exit

    3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

    4. Double click fixes.bat.

    Step #2

    We need to execute an Avenger2 script

    Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
      Files to move:
      c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    Step #3

    Now try running ComboFix and Malwarebytes, then post the logs here.

  14. Quick question. My malwarbytes, hijackthis and rootrepeal icons are still blanked out on my desktop. Do I need to re-download them to work or could I rename them in order to get them to run? I will not do anything yet though. I will wait for further instructions. Thank you again SpySentinel for taking the time to help me with this issue.

    Glad to hear CF could run. Yes, unfortunately this infection does that to security programs. So go ahead and re install them.

    You're welcome, glad I can help.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Collect::
    c:\documents and settings\All Users\Application Data\11057184
    c:\program files\Common Files\odeviwifu.lib
    c:\program files\Common Files\zubugif.vbs
    c:\program files\Common Files\axaxuqo.vbs
    c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  15. Glad to see it worked.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    RegNull:

    [HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  16. 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Collect::
    C:\sdlb.exe
    C:\lcbckjms.exe
    C:\djos.exe
    C:\kvhwftjn.exe

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Please download Malwarebytes' Anti-Malware

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  17. 1. Go to Start->Run and type in notepad and hit OK.

    2. Then copy and paste the content of the following codebox into Notepad:

    @echo off
    rem Create a folder named malware.zip on the desktop and copy ComboFix's quarantine (C:\QooBox) into it
    MD "%USERPROFILE%\desktop\malware.zip"
    xcopy C:\QooBox "%USERPROFILE%\desktop\malware.zip" /c /q /r /h /y
    rem Clear the system, read-only and hidden attributes on the copied files so they can be uploaded
    Attrib -s -r -h "%USERPROFILE%\desktop\malware.zip\*.*"
    Exit

    3. Save the file as "Upload.bat". Make sure to save it with the quotation marks.

    4. Double click Upload.bat.

    Then go to http://uploads.malwarebytes.org/

    Under File 1 Choose Browse and select Malware.zip that is on your desktop to upload.

    Please download Malwarebytes' Anti-Malware

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  18. I would like to see 2 more scans to make sure:

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.