
sjb007

Honorary Members
  • Posts

    117
  • Joined

  • Last visited

Everything posted by sjb007

  1. Hi there
     Great work, so far so good.
     Regarding the entry that Avira found: this was detected in System Restore and would have been flushed out at the end of the fix, so it would not have presented us with a problem.
     Regarding AVG: the main reason I wanted to make sure it was out was so that it does not interfere with ComboFix. I can see AVG is listed in the WMI reference; although it is harmless, we can remove it easily enough in these next steps.
     ---------------------------------------
     Close any open browsers.
     Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     Open Notepad and copy/paste the text in the quotebox below into it:

         Skipfix::
         SecCenter::
         AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

     Save this as CFScript.txt, in the same location as ComboFix.exe.
     Referring to the picture above, drag CFScript into ComboFix.exe.
     When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
     Apart from that all appears to be OK log-wise; how are things at your side?
  2. Some nice shots there; I'm hoping to grab some from the British SuperBikes later this year. Are the pics hosted with jalbum? The only reason I ask is that I will be looking for some software to host some photos myself pretty soon.
  3. Hi there
     Yes it does. Let's run a tool to take them out...
     Please download AVG Remover from their site: AVG - Download tools
     A direct link to the AVG Remover can be found here >> http://download.avg.com/filedir/util..._2011_1149.exe
     You may also use this tool to uninstall AVG: http://www.appremover.com/appremover/avg/AppRemover.exe
     Instructions for using this tool can be found here >> Using AppRemover — OPSWAT AppRemover
     -------------------------------
     ComboFix
     Close any open browsers.
     Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     Open Notepad and copy/paste the text in the quotebox below into it:

         File::
         c:\windows\system32\RegistryHelperLM.ocx
         c:\windows\system32\ugkcjnjiwjx.exe
         c:\windows\system32\drivers\vibduqo.sys
         c:\windows\system32\drivers\dbdfynw.sys
         Driver::
         letyf
         RegNull::
         [HKEY_USERS\S-1-5-21-530212586-264376689-721655545-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%&**]

     Save this as CFScript.txt, in the same location as ComboFix.exe.
     Referring to the picture above, drag CFScript into ComboFix.exe.
     When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
     -------------------------------
     MalwareBytes
     Please run a fresh scan with MalwareBytes. First I want you to update MBAM so we have the latest definitions on board...
     - Please open Malwarebytes Anti-Malware.
     - Now click on the Update tab.
     - Next, click on the Check for Updates button.
       If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
     - On the Scanner tab, make sure the "Perform Quick Scan" option is selected. Then click on the Scan button.
     - The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
     - The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
     - When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
     - Click OK to close the message box and continue with the removal process.
     - Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
     - Make sure that everything is checked, and click Remove Selected.
     - When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (See the note below.)
     - The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     - Copy and paste the contents of that report in your next reply and exit MBAM.
     Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     -------------------------------
     Please post back in your next reply with:
     - The log from ComboFix
     - The log from MBAM
     - An update on how things are running now
  4. Hi there
     Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.
     Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear', even if symptoms seemingly abate.
     We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     Please include the C:\ComboFix.txt in your next reply for further review.
  5. I myself would not recommend the use of auto log parsers. They are not as accurate as we would like them to be and could lure the user into thinking they are infected when they are not. For instance, I have just tested one of the parsers mentioned: all my R0 and R1 entries are showing purple, alongside every entry relating to MS Office, and the whole of my driver section shows red. Removing them would render my computer useless.
     If you have malware issues I would advise that you follow the instructions as set out here >> I'm infected - What do I do now? and post the logs in the correct forum for analysis.
  6. Hi there
     I do not see any obvious threats from your recent logs; let's run an online scan, but this time with F-Secure.
     Please perform this online scan: F-Secure Online Scanner
     The online scanner is on the bottom right of the page. Direct link: http://support.f-secure.com/enu/home/ols.shtml
     Follow the directions on the F-Secure page for proper installation.
     * You may receive an alert on the address bar at this point to install the ActiveX control.
     * Click on that alert and then click "Install ActiveX component".
     * Read the license agreement and click "Accept".
     * Click "Custom Scan" and be sure the following are checked:
       Scan whole System
       Scan all files
       Scan whole system for rootkits
       Scan whole system for spyware
       Scan inside archives
       Use advanced heuristics
     * When the scan completes, click the "I want to decide item by item" button.
     * For each item found, select "Disinfect" and click "Next".
     * When done, click the "Show Report" button, then copy and paste the entire report into your next reply.
  7. Hi there
     Sorry for any delays, but as the thread had been closed I had unsubscribed from email notifications.
     You have only posted the second part of the OTViewIt log. Please post the first part of the report (OTViewIt.Txt).
     Please also delete the version of ComboFix that you currently have. Download a fresh copy from one of the locations below, run a fresh scan and post back the resulting log.
     Link 1
     Link 2
     Link 3
     Post back with both logs.
  8. Hi there
     This next program simply collects information about your computer.
     - Download OTViewIt.exe and save it to your desktop.
     - Right-click OTViewIt.exe and select Run as Administrator.
     - Click Run Scan.
     - When it finishes, it will produce two logs. OTViewIt.txt will be maximized and Extras.txt will be minimized.
     Please post both logs in your next reply.
  9. Not a problem, only too glad to help.
     I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.
     Good luck and happy safe surfing!
  10. Hi there.
      Logs looking good still...
      Now let's try running MBAM again.
      - First fully uninstall MBAM via the Control Panel using Add/Remove Programs.
      - Download a fresh copy from Malwarebytes Anti-Malware (MBAM) and save it to your desktop; once fully downloaded, install the program and update the databases.
      - If for any reason you are unable to download the database, then download it manually from here - Malwarebytes' Anti-Malware Database
      Let me know how things go.
  11. Hi there
      Please download OTMoveIt3 by OldTimer. Save it to your desktop.
      - Double-click on OTMoveIt3.exe.
      - Using Notepad, copy the lines in the codebox below:
      - Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      - Click the red Moveit! button.
      - Copy everything in the Results window (under the green bar), and paste it in your next reply.
      - Close OTMoveIt3.
      Post back with the results.
  12. Hi
      Let's tidy up after ourselves. The following will implement some cleanup procedures as well as reset System Restore points:
      Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
          ComboFix /u
      Now that you appear to be free from malware, let's help you stay that way!
      Update Windows on a regular basis - If you do not have automatic updates enabled, then visit Microsoft's Update Page and update your computer from there.
      Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
      Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.
      Make your Internet Explorer more secure - This can be done by following these simple instructions:
      - Open Internet Explorer, click on the Tools menu and then click on Options.
      - Click once on the Security tab.
      - Click once on the Internet icon so it becomes highlighted.
      - Click once on the Custom Level button.
      - Change the Download signed ActiveX controls to Prompt.
      - Change the Download unsigned ActiveX controls to Disable.
      - Change the Initialise and script ActiveX controls not marked as safe to Disable.
      - Change the Installation of desktop items to Prompt.
      - Change the Launching programs and files in an IFRAME to Prompt.
      - Change the Navigate sub-frames across different domains to Prompt.
      - When all these settings have been made, click on the OK button.
      - If it prompts you as to whether or not you want to save the settings, press the Yes button.
      - Next press the Apply button and then OK to exit the Internet Properties page.
      Safer Browsing
      Use software such as TrendProtect or SiteHound to help you stay away from unsuspecting sites that have malicious purposes.
      Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).
      Use an alternative browser
      Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.
      Computer Maintenance
      Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.
      Scan your computer regularly for malware
      Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run for free without a licence, but the background protection will not be active.
      Secure your router
      Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.
      Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.
      I have included some security-related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.
      -> So How Did I Get Infected In First Place - By TonyKlein
      -> How to prevent Malware - By miekiemoes
      -> I'm not pulling your leg, honest - By Sandi Hardmeier
      **Kindly respond one more time and let me know if we may consider this thread resolved.
  13. Hi there Zoo
      I'm not seeing anything immediate in your logs. Regarding the error code message, I'm just looking into it now for you to find out what it represents and will get back to you in due course.
  14. Hi there
      Things are looking better. The Recovery Console option should only show for 2 seconds; if you wish to delete the Recovery Console option, then we can run through the necessary steps to do so. Reply and let me know whether you wish to keep it or not.
  15. Only too glad to help.
      Let's tidy up after ourselves. The following will implement some cleanup procedures as well as reset System Restore points:
      Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
          ComboFix /u
      Now that you appear to be free from malware, let's help you stay that way!
      Update Windows on a regular basis - If you do not have automatic updates enabled, then visit Microsoft's Update Page and update your computer from there.
      Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
      Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.
      Make your Internet Explorer more secure - This can be done by following these simple instructions:
      - Open Internet Explorer, click on the Tools menu and then click on Options.
      - Click once on the Security tab.
      - Click once on the Internet icon so it becomes highlighted.
      - Click once on the Custom Level button.
      - Change the Download signed ActiveX controls to Prompt.
      - Change the Download unsigned ActiveX controls to Disable.
      - Change the Initialise and script ActiveX controls not marked as safe to Disable.
      - Change the Installation of desktop items to Prompt.
      - Change the Launching programs and files in an IFRAME to Prompt.
      - Change the Navigate sub-frames across different domains to Prompt.
      - When all these settings have been made, click on the OK button.
      - If it prompts you as to whether or not you want to save the settings, press the Yes button.
      - Next press the Apply button and then OK to exit the Internet Properties page.
      Safer Browsing
      Use software such as TrendProtect or SiteHound to help you stay away from unsuspecting sites that have malicious purposes.
      Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).
      Use an alternative browser
      Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.
      Computer Maintenance
      Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.
      Scan your computer regularly for malware
      Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run for free without a licence, but the background protection will not be active.
      Secure your router
      Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.
      Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.
      I have included some security-related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.
      -> So How Did I Get Infected In First Place - By TonyKlein
      -> How to prevent Malware - By miekiemoes
      -> I'm not pulling your leg, honest - By Sandi Hardmeier
      Good luck and happy safe surfing.
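Posts 12 and 15 above walk through the Internet Options dialog by hand to tighten the six Internet-zone settings. As an added example (editor's code, not sjb007's and not part of the original posts), the PowerShell below audits and applies the same six settings directly in the registry, so the result can be checked on a machine rather than trusted from a screenshot. It assumes the zone-settings layout Microsoft documents for Internet Explorer: the per-user Internet zone lives under HKCU:\...\Internet Settings\Zones\3, the six actions are the DWORD value names 1001, 1004, 1201, 1800, 1804 and 1607, and the data 0, 1 and 3 mean Enable, Prompt and Disable. Machine-wide or Group Policy settings under HKLM can override what it writes, so a non-compliant re-audit after running it points at policy rather than at the script.

```powershell
# Added example (not from the original post): audit and apply the Internet-zone
# hardening that posts 12 and 15 describe via the Internet Options dialog.
# Assumptions (documented IE layout, not taken from the post): zone 3 = Internet
# zone under HKCU, and DWORD data 0 = Enable, 1 = Prompt, 3 = Disable.
# Run as the user whose profile is being hardened; use -WhatIf to preview.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action codes used by the zone settings.
$Enable  = 0
$Prompt  = 1
$Disable = 3

# The six settings from the post, keyed by their registry value name.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = $Prompt  }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = $Disable }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked as safe'; Want = $Disable }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = $Prompt  }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = $Prompt  }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = $Prompt  }
}

function Get-ZoneAction {
    # Returns the current DWORD for one setting, or $null when the value is
    # absent (IE then falls back to its built-in default for the zone).
    param([string]$ValueName)
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-InternetZone {
    # Emits one object per setting: current value, wanted value, and compliance.
    foreach ($key in $Recommended.Keys) {
        $current = Get-ZoneAction $key
        [pscustomobject]@{
            Value     = $key
            Setting   = $Recommended[$key].Name
            Current   = $current
            Wanted    = $Recommended[$key].Want
            Compliant = ($current -eq $Recommended[$key].Want)
        }
    }
}

function Set-InternetZone {
    # Writes only the settings that differ from the recommendation.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($row in (Test-InternetZone | Where-Object { -not $_.Compliant })) {
        $target = "$($row.Setting) ($($row.Value))"
        if ($PSCmdlet.ShouldProcess($target, "set to $($row.Wanted)")) {
            Set-ItemProperty -Path $ZonePath -Name $row.Value -Value $row.Wanted -Type DWord
        }
    }
}

# Audit, fix what differs, then audit again so the change is verified in place.
Test-InternetZone | Format-Table -AutoSize
Set-InternetZone
Test-InternetZone | Format-Table -AutoSize
```

Running the audit first, then the fix, then the audit again is the point of the script: the second table is the evidence that the browser is actually configured as the post recommends, and any row still marked non-compliant after Set-InternetZone means something outside the user hive (policy, or a locked-down zone) is overriding it.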
  16. Hi there
      Please download OTMoveIt3 by OldTimer. Save it to your desktop.
      - Double-click on OTMoveIt3.exe.
      - Using Notepad, copy the lines in the codebox below:
      - Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      - Click the red Moveit! button.
      - Copy everything in the Results window (under the green bar), and paste it in your next reply.
      - Close OTMoveIt3.
      Post back the results and let me know how things are running now.
  17. Hi there
      From what I see your system is clear. What was initially found with Antivir was in System Restore and has now been deleted by Antivir. Just a remnant in Task Scheduler to clear out...
      Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

          @echo off
          REM Remove any log left over from an earlier run
          if exist "%temp%\log.txt" del "%temp%\log.txt"

          REM Delete the leftover scheduled task; anything that survives is written to the log
          for %%g in (
          "c:\windows\Tasks\uhbjlxmv.job"
          ) do (
          del /a/f/q %%g >nul 2>&1
          if exist %%g echo.%%~g>>"%temp%\log.txt"
          )

          REM Remove the backup folders left behind by VundoFix and ComboFix (Qoobox)
          for %%g in (
          "%systemdrive%\VundoFix Backups"
          %systemdrive%\Qoobox
          ) do (
          rd /s/q %%g >nul 2>&1
          if exist %%g echo.%%~g>>"%temp%\log.txt"
          )

          REM Show the log of anything that could not be removed, otherwise report success
          if exist "%temp%\log.txt" (
          start notepad "%temp%\log.txt"
          ) else echo.Deleted Successfully !!

          REM Wait 7 seconds so the message can be read (nircmd.exe must be on the PATH), then delete this script
          nircmd wait 7000
          del %0

      Save this as fix.bat. Choose "Save type as - All Files". It should look like this:
      Double click on fix.bat & allow it to run.
      Post back to tell me what it says. How are things running, any problems to report?
  18. Hi there
      Let's have a look at a fresh set of logs just to make sure that the malware has not returned.
      Delete the version of ComboFix that you currently have on your desktop and download the latest version. As before, re-name it prior to saving; call it Combo-Fix.exe.
      Download ComboFix from any of the links below, and save it to your desktop.
      Link 1
      Link 2
      Link 3
      Run the tool and post me the log.
      Please rescan with GMER
      - Locate and double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
      - If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
      - Click the image to enlarge it.
      - In the right panel, you will see several boxes that have been checked. Uncheck the following...
        Sections
        IAT/EAT
        Drives/Partition other than Systemdrive (typically C:\)
        Show All (don't miss this one)
      - Then click the Scan button & wait for it to finish.
      - Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      - Save it where you can easily find it, such as your desktop, and add this to your next post as an attachment.
      **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  19. Hi there
      Let's re-try GMER...
      Delete the version you already have on your computer.
      Download GMER Rootkit Scanner from here or here. You must rename it before saving it. Save it to your desktop. Save it under the name of ARK.
      Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of GMER.
      Extract the contents of the zipped file to the desktop.
      - Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
      - If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
      - Click the image to enlarge it.
      - In the right panel, you will see several boxes that have been checked. Uncheck the following...
        Sections
        IAT/EAT
        Drives/Partition other than Systemdrive (typically C:\)
        Show All (don't miss this one)
      - Then click the Scan button & wait for it to finish.
      - Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      - Save it where you can easily find it, such as your desktop, and add this to your next post as an attachment.
      **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  20. Hi there
      Go to the Start menu, select Run, and in the command box type in notepad.
      Next, copy/paste the text in the code box below into it:
      - Save this to your desktop as CFScript.txt.
      - Drag the CFScript.txt over onto ComboFix.exe and release. ComboFix will then execute the script and produce a fresh log.
      Next......
      Download and scan with CCleaner Slim
      1. Double click the file and install CCleaner.
      2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
      3. Then select the items you wish to clean up.
         In the Windows tab:
         Clean all entries in the "Internet Explorer" section.
         Clean all the entries in the "Windows Explorer" section.
         Clean all entries in the "System" section.
         Clean all entries in the "Advanced" section.
         Clean any others that you choose.
         In the Applications tab:
         Clean all in the Firefox/Mozilla section if you use it.
         Clean all in the Opera section if you use it.
         Clean Sun Java in the Internet section.
         Clean any others that you choose.
      4. Click the "Run Cleaner" button.
      5. A pop-up box will appear advising that this process will permanently delete files from your system.
      6. Click "OK" and it will scan and clean your system.
      7. Click "Exit" when done.
      Next......
      Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.
      - Click Accept when prompted to download and install the program files and database of malware definitions.
      - Click Run at the Security prompt.
      - The program will then begin downloading and installing and will also update the database. Please be patient, as this can take several minutes.
      - Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      - Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      - Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
      - Click View scan report at the bottom.
      - Click the Save Report As... button.
      - Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
      This animation will guide you through the process:
      **Note** To optimize scanning time and produce a more sensible report for review:
      - Close any open programs.
      - Turn off the real-time scanner of any existing antivirus program while performing the online scan.
      - You may disconnect from the internet once you begin the scan.
      Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
      Post back in your next reply with the log from ComboFix and the Kaspersky results.
  21. Hi Havenw
      Good work with the scans. In this next part I'm going to ask for a couple more deep scans, which will again produce reports for you to post.
      Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
      ** Ensure you install the Recovery Console.
      Also ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      Please include the C:\ComboFix.txt in your next reply for further review.
      ----------------------------
      Once done....
      ----------------------------
      Download GMER Rootkit Scanner from here or here. Extract the contents of the zipped file to the desktop.
      - Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
      - If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
      - Click the image to enlarge it.
      - In the right panel, you will see several boxes that have been checked. Uncheck the following...
        Sections
        IAT/EAT
        Drives/Partition other than Systemdrive (typically C:\)
        Show All (don't miss this one)
      - Then click the Scan button & wait for it to finish.
      - Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      - Save it where you can easily find it, such as your desktop, and post it back in your next reply.
      **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
      Post back with both logs in your next reply.
  22. Hi there
      Please note - During this fix we will be entering into Safe Mode. Please print out these instructions, as your internet connection will not be available to you during this period. You may also copy and paste the fix into a text file and save it in an easily accessible location for reference.
      - Download SDFix by AndyManchesta and save it to your desktop. Alternate download.
      - Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows directory, typically C:\SDFix).
      - Reboot your computer in SAFE MODE. To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.
      - Open the SDFix folder and double click RunThis.bat to start the script.
      - Type Y to begin the cleanup process.
      - It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot. Press any key and it will restart the PC.
      - When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
      - Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
      - Finally, copy and paste the contents of the results file in your next reply.
      Now let's try scanning with MBAM once again...
      Please update and generate a fresh MBAM log for me.
      - Start Malwarebytes Anti-Malware.
      - Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
      - When the update is complete, select the Scanner tab.
      - Select Perform quick scan, then click Scan.
      - When the scan is complete, click OK, then Show Results to view the results.
      - Be sure that everything is checked, and click Remove Selected.
      - When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
        If you accidentally close it, the log file is saved here and will be named like this:
        C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
      Post the MBAM log back along with a fresh HJT log, and the log from SDFix.
  23. Not a problem, only too glad to lend a hand.
      I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.
      Good luck and happy safe surfing!
  24. Not a problem, only too glad to lend a hand.
      I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.
      Good luck and happy safe surfing!
  25. Hi there
      ATF is a handy tool to keep to clear out unwanted garbage from your system; it is up to you whether you keep it or not.
      Regarding OTMoveIt3 - open the program and click on the CleanUp! button, then reboot your computer when requested. That should take care of the remainder of the things that are left.