SpySentinel

Experts
Posts posted by SpySentinel

  1. Hi PW100,

    Sorry for the delay.

    On running RSIT AVG sees it as a threat.

    I allowed AVG to remove it.

    Could the source be compromised?

    I can turn off AVG and run RSIT if you want me to.

    Some AVs detect the tools we use as malicious when really they are not. No worries ;)

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Adobe Acrobat 5.0

    Java

  2. Sorry for the delay.

    Although it doesn't report it, it says they are all in Comodo quarantine. I just looked in my Antivir quarantine and it has one of the Dr.Web CureIt quarantined files quarantined in Antivir. It's the TR\Crypt.ZPack one.

    Since they are in quarantine, they cannot harm your system. Avira is just detecting them from the DrWeb and Comodo quarantine. The best way to stop the popups is to delete the files in both DrWeb and Comodo quarantine.

    There are also 2 files from the System Restore area that are trojans in the Comodo quarantine. This is worrying.

    These are not worrisome because once we reset your restore points, they will be gone.

    Please let me know if you are successful at deleting the files in Comodo and DrWeb quarantine.

  3. Hi Mwright,

    You're very welcome :)

    Yes your computer is clean from malware now, and I will be happy to answer any questions you may have.

    However, is there a way that I can make a contribution to the cause?

    If you like, you can contribute to your favorite local charity since I cannot accept donations as I am employed by Malwarebytes.

    You could also take a look at Malwarebytes Anti-Malware PRO which is a one time cost for a lifetime license.

  4. You're very welcome! Glad to hear your computer is running better :)

    Your log looks clean, Great Job! :)

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image: CF_Uninstall-1.jpg]


      Now for some cleanup.
      Please download OTC and save it to Desktop.
      • Please make sure you are connecting to the Internet
      • Double-click OTC.exe
      • Click the CleanUp! button.
      • Select Yes when the "Begin cleanup Process?" prompt appears.
      • If you are prompted to Reboot during the cleanup, select Yes

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    1. Disable and Enable System Restore. - Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
      The easiest and safest way to do this is:
      • Go to Start > Programs > Accessories > System Tools and click "System Restore".
      • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
      • Then go to Start > Run and type: Cleanmgr
      • Click "OK".
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    2. I recommend you install an alternate web browser such as FireFox. FireFox is a more secure browser than Internet Explorer and it has some additional tools you can install to help secure it even more.

    3. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    4. Use a Firewall - I recommend using a firewall which will allow you to stay protected against hackers.

    *Note: Starting with Windows XP SP2, Windows comes with a built in firewall, however, I recommend you choose one of the free firewalls listed below and install it.

    5. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    6. Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

    7. Malwarebytes

  5. Hi mwright12,

    Glad to hear your system is running much better :)

    Just a few leftovers we need to take care of.

    Run OTL.exe

    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars present
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O15 - HKCU\..Trusted Domains: doccentral.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: fnismls.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: getmedianow.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: paragonrels.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: rdesk.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: rexplorer.net ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: safemls.net ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: showingtime.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: sitexdata.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: spellchecker.net ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: transactionpoint.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: trpoint.com ([]* in Trusted Sites)
      O15 - HKCU\..Trusted Domains: xmlsweb.com ([]* in Trusted Sites)
      [2011/05/31 14:31:29 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Hxitujikapakuk.dat
      [2011/03/30 11:08:11 | 000,014,634 | -HS- | C] () -- C:\Documents and Settings\XP_Pro\Local Settings\Application Data\r0t835ni0n1t18aj4n071sa4s7m
      [2011/03/30 11:08:11 | 000,014,634 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r0t835ni0n1t18aj4n071sa4s7m
      [2011/03/29 22:33:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\XP_Pro\Application Data\124tre.ini
      [2011/03/21 09:22:33 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\XP_Pro\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
      [2011/02/19 12:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [EMPTYFLASH]
      [CREATERESTOREPOINT]
      [Reboot]


    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Java

  6. You're welcome :)

    Run OTL.exe

    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
      O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
      [2011/05/02 21:12:55 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wtuyuqaza.dat
      [2011/05/02 21:12:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jjezosuwule.bin
      [2009/10/04 18:29:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
      [2010/04/22 17:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
      [2011/04/14 11:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
      [2011/04/14 11:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
      [2011/03/22 17:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG9
      [2011/04/14 11:33:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG10

      :Services
      AVGIDSDriver
      Avgtdix
      Avgrkx86
      Avgmfx86
      AVGIDSEH
      AVGIDSShim
      AVGIDSFilter
      Avgldx86

      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [EMPTYFLASH]
      [CREATERESTOREPOINT]
      [Reboot]


    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
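    The O6/O7 lines in the OTL fixes above (this post and the previous one) are Explorer AutoRun policy values, and it helps to know what each number actually means before deciding whether to reset it. The following is an added example, not part of the forum post and not code from OTL or Malwarebytes. It assumes the documented Windows meaning of the NoDriveTypeAutoRun bits (a set bit disables AutoRun for that drive type; bits above 0xFF are undefined), treats NoDriveAutoRun and NoDrives as 26-bit drive-letter masks (bit 0 = A:, bit 25 = Z:), and takes 0x95 as the documented Windows XP default. The sample values 323, 67108863, 1 and 0 are the ones in the OTL lines above.

```python
"""Decode Explorer AutoRun policy values of the kind OTL lists as O6/O7 items.

Added example; not part of the forum post and not code from OTL or Malwarebytes.
Assumptions: documented NoDriveTypeAutoRun bit meanings, 26-bit drive-letter
masks for NoDriveAutoRun / NoDrives, and 0x95 as the XP default.
"""

# NoDriveTypeAutoRun: a SET bit turns AutoRun OFF for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED_0x80",
}
XP_DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x95   # 149 decimal (assumed documented default)
ALL_DRIVE_LETTERS = (1 << 26) - 1           # 0x3FFFFFF = 67108863, the value OTL showed


def disabled_drive_types(value: int) -> list[str]:
    """Drive types for which NoDriveTypeAutoRun disables AutoRun."""
    names = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    undocumented = value & ~0xFF
    if undocumented:
        # Bits above 0xFF are not defined by Windows: report them, do not guess.
        names.append(f"UNDOCUMENTED_0x{undocumented:X}")
    return names


def enabled_drive_types(value: int) -> list[str]:
    """Drive types where NoDriveTypeAutoRun alone still permits AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def drive_letters(mask: int) -> str:
    """Expand a 26-bit per-drive-letter mask (NoDriveAutoRun, NoDrives) to letters."""
    return "".join(chr(ord("A") + i) for i in range(26) if (mask >> i) & 1)


def assess_autorun_policy(no_drive_type: int, no_drive: int,
                          honor_setting: int, no_drives: int) -> dict:
    """Summarise the four policy values together.

    honor_setting is HonorAutoRunSetting; 1 means Explorer honours the
    NoDriveTypeAutoRun / NoDriveAutoRun values (the behaviour introduced by
    Microsoft's 2009 AutoRun update). NoDrives hides drive letters from
    Explorer and does not affect AutoRun; 0 hides nothing.
    """
    return {
        "honor_setting_active": honor_setting == 1,
        "types_disabled": disabled_drive_types(no_drive_type),
        "types_still_enabled": enabled_drive_types(no_drive_type),
        "letters_blocked": drive_letters(no_drive),
        "all_letters_blocked": no_drive == ALL_DRIVE_LETTERS,
        # Removable media is blocked either by drive type or because every
        # drive letter is blocked via NoDriveAutoRun.
        "removable_media_autorun_blocked": bool(no_drive_type & 0x04)
                                           or no_drive == ALL_DRIVE_LETTERS,
        "hidden_drive_letters": drive_letters(no_drives),
        "matches_xp_default": no_drive_type == XP_DEFAULT_NO_DRIVE_TYPE_AUTORUN,
    }


if __name__ == "__main__":
    # Values taken from the OTL lines in the post above.
    report = assess_autorun_policy(no_drive_type=323, no_drive=67108863,
                                   honor_setting=1, no_drives=0)
    for key, val in report.items():
        print(f"{key:32} {val}")
```

Reading the output for the values OTL reported: 323 (0x143) is not the XP default; it disables AutoRun only for unknown, no-root-directory and RAM-disk drive types plus an undefined 0x100 bit, so by itself it would leave removable and CD-ROM AutoRun on. What actually blocks AutoRun on that machine is NoDriveAutoRun = 0x3FFFFFF, which covers every drive letter A–Z. That is why OTL flags the combination as non-standard and why the fix resets it rather than leaving a hand-tuned value behind.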

  7. From our Terms of Use:

    In addition you will not engage in any sort of spamming, whether it is comment spam (injecting a comment into a thread for the purpose of placing a link back to a website offering the same services offered here; or services totally unrelated to this website), the use of signature links deemed to be for the sole purpose of increasing web traffic to a site of interest by the member, or any combination of those two examples. This includes the Personal Message feature.

    Like Ron said, the program needs to meet with the approval of the Research Team first.

  8. You're welcome :)

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

  9. Hi mwright12,

    This infection family will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

    Unhide.exe

    Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

  10. You're welcome :)

    I can understand your frustration. Below, I posted a list of ways to help keep your computer secure in the future:

    • I recommend you install an alternate web browser such as FireFox. FireFox is a more secure browser than Internet Explorer and it has some additional tools you can install to help secure it even more.
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Use AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Please only choose one.

      Select one of these, or another of your choice. Download, install, and update definitions.

      • Use a Firewall - I recommend using a firewall which will allow you to stay protected against hackers.

      *Note: Starting with Windows XP SP2, Windows comes with a built in firewall, however, I recommend you choose one of the free firewalls listed below and install it.

      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      • Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

      • Malwarebytes

  11. You're welcome. :)

    You had a nasty TDL4 MBR rootkit.

    Launch Malwarebytes' Anti-Malware

    • Please check for updates, and if an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  12. Hi mwright12,

    You're very welcome :)

    Launch Malwarebytes' Anti-Malware

    • Please check for updates, and if an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  13. This infection family will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

    Unhide.exe

    Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

    Launch Malwarebytes' Anti-Malware

    • Check for updates, and if an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the esetOnline.png button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

      1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

      3. Check esetAcceptTerms.png
      4. Click the esetStart.png button.
      5. Accept any security warnings from your browser.
      6. Check esetScanArchives.png
      7. Push the Start button.
      8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      9. When the scan completes, push esetListThreats.png
      10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      11. Push the esetBack.png button.
      12. Push esetFinish.png

        You can refer to this animation by neomage if needed.
  14. Hi mwright12,

    The bulk of the infection has been taken care of, however there are some leftovers that need to be addressed first.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::

    c:\documents and settings\XP_Pro\Local Settings\Application Data\txu2eftu.exe

    c:\documents and settings\XP_Pro\Local Settings\Application Data\9cmk8hyz.exe

    c:\documents and settings\XP_Pro\Local Settings\Application Data\um0tnw4sr.bat

    c:\documents and settings\XP_Pro\Local Settings\Application Data\jilb6bw5.exe

    c:\documents and settings\XP_Pro\Local Settings\Application Data\tlzsmw3rr.bat

    c:\windows\Ohupevopebasus.bin

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
