
Maurice Naggar

Everything posted by Maurice Naggar

  1. Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. Go to Control Panel and Add-or-Remove programs. Look for it and click the line for it. Select Change/Remove to de-install it. OK & Exit out of Control Panel.

     I see that you are clear of your original issues. You are good to go after this. If you have a problem with these steps, or something does not quite work here, do let me know. The following few steps will remove tools we used, followed by advice on staying safer.

     We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk. Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.

     Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe Please double-click OTL.exe to run it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

     Delete the SYSCLEAN downloads and the C:\DCE folder. Delete RootRepeal.exe and the RootRepeal download (if still present). Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. ERUNT you should keep and make use of on some regular basis to make backups of the registry.

     You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before {under hidden files & folders, to not show hidden or system files -and- to "hide protected operating system files"}.

     Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. Check in at Windows Update and install any Critical Updates offered. Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525 Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

     On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done: Kaspersky Webscan Online Virus Scanner, ESET Online Scanner, Panda ActiveScan, Trend Micro Housecall, F-Secure Online Scanner. Read Tony Klein's article How Did I Get Infected In The First Place. Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe! Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html We are finished here. Best regards.
  2. Hello Mike, Have MBAM place them in quarantine. If after a few days/a week, there are no complaints from your everyday applications, you can return later to MBAM and have them deleted permanently.
  3. Good to hear that MBAM found nothing. We are done here and I'll close this topic. I'll have to test my system on the weekend to see about the ATF Cleaner download and if I get the same message. You can accomplish most of the same functions as ATF Cleaner by running Disk Cleanup off your Start menu > All Programs > Accessories > System Tools. Cheers
  4. Then let me add, if you have other people that use this system, advise all not to do web surfing or anything online until after we determine that the malware is taken care of.
  5. It's spam. What filters do you mean / what do you use?
  6. If you have another pc you can use, and a known-clean flash-USB-drive (or maybe you can burn a CD).... use another system to download MBAM, put it on the removable media, take it and copy onto the Desktop of the problem pc and proceed forth with MBAM. Tell me if you used Internet Explorer or maybe Firefox to download MBAM the last few times. Q: Is earthlink your internet service provider? I, at this time, can't be sure as to the email issue. But I tend to think (at this moment anyhow) that it is spam coming in to your email account from an outside spammer.
  7. Delete the MBAM download that you have now. IF MBAM was previously successfully installed, then, get this utility and then run it, and then after that logoff and restart the system.

     Please do a new download & save Malwarebytes Anti-Malware to your DESKTOP from http://www.besttechie.net/tools/mbam-setup.exe or http://malwarebytes.gt500.org/mbam.jsp Do NOT run the program straight off from your browser while downloading. Save to your desktop. Next, Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish. If an update is found, it will download and install the latest version.

     Once the program has loaded, select Perform Quick Scan, then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply.

     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  8. Start your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab. Make sure all option lines have a checkmark. Next, Click the Update tab. Press the "Check for Updates" button. When done, click the Scanner tab. Do a Quick Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

     Reply with a copy of the MBAM scan log and tell me: How is the system? What is the status as far as the email issue?
  9. The security check log (done way earlier) showed this to have: avast! Antivirus and Norton 360. I should have mentioned something, but had overlooked it. My bad. If you are de-installing Norton360, then make sure that avast (a good AV) is functional and updating. Avast is good. Though I personally tend towards Avira AntiVir or Eset NOD32. If the system has no third-party firewall, consider getting TallEmu's Online Armor. HTH Since the issues are resolved, I'm closing this thread. The advice and procedures used here are only for this pc. Do not use the procedures on another system.
  10. This is closed due to lack of response. If you are the original poster and still have the same issues, and need this re-opened.... send me a PM. The advice and procedures used here are only for this pc. Do not use them on any other system.
  11. I highly suggest you de-install LimeWire and any other filesharing peer-to-peer program. Downloading from such apps very very often leads to malware infections. The result from Combofix is very encouraging. The rootkit is past history. We need to check your system thru MBAM and then a virus check.

      Start your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab. Make sure all option lines have a checkmark. Next, Click the Update tab. Press the "Check for Updates" button. When done, click the Scanner tab. Do a Quick Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

      = Please download and SAVE Trend Micro Sysclean Package on your computer. NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning. Trend Micro Damage Cleanup Engine. Make sure you read this document to understand how to use the program: Trend Micro Sysclean Package README 1st. Basically there are 3 parts that need to be downloaded from these links: Sysclean Package, Virus Pattern Files, Spyware Pattern Files. Create a brand new folder to copy these files to. As an example: C:\DCE Then open each of the zipped archive files and copy their contents to C:\DCE Copy the file sysclean.com to the new folder C:\DCE as well. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At the command-prompt window, type in the following to start Sysclean and press ENTER and follow the on-screen instructions. After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

      How To Use Compressed (Zipped) Folders in Windows XP. Compress and uncompress files (zip files) in Vista.

      Next, start HijackThis. Do a Scan and save log. Reply with a copy of the latest MBAM scan log, the Sysclean log and the new HJT log and tell me, How is your system now?
  12. The advice and procedures used here were only for this system and not to be followed on any other. If you are a casual viewer and have similar issues, follow forum procedure and start your own topic.
  13. Hello lilhokie, We were very nearly finished a couple of days ago as far as malware removal. But I see some items that need deleting. Do not run or start any other programs while these utilities and tools are in use! Close any of your open programs while you run these tools. This step will force a restart after it finishes, so do not be alarmed.

      Right-click on OTL.exe and choose Run As Administrator to run it. Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

          :files
          C:\Windows Antivirus Pro.lnk
          C:\Windows Antivirus Pro
          D:\$RECYCLE.BIN
          C:\$RECYCLE.BIN
          C:\Combo-Fix.exe
          C:\Qoobox
          C:\Combofix
          C:\Combofix.txt
          C:\RootRepeal
          :Commands
          [purity]
          [emptytemp]
          [reboot]

      Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste. Close any browser(s) windows that may be open. Using your mouse, click on the red-lettered button Run Fix. Once you see a message box "Fix complete! Click OK to open the fix log.", click the OK button. The log will open in Notepad (your default text editor). Save the log. Then close Notepad. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. I do not need to see the log.

      = You said Answer: Delete the SYSCLEAN downloads and the C:\DCE folder. ATF Cleaner is a handy tool & you should keep & use it, for example, to delete temporary files and to free up space. ERUNT you should keep on this system, and use on a regular basis to back up the registry.

      Final cleanups and final removal of tools. Right-click OTL.exe and then select "Run as administrator" to start it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

      Delete the SYSCLEAN downloads and the C:\DCE folder. Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP http://bertk.mvps.org/html/diskcleanupv.html

      You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before {under hidden files & folders, to not show hidden or system files -and- to "hide protected operating system files"}.

      Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. Check in at Windows Update and install any Critical Updates offered. Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled. Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc. Get and apply Vista Service Pack 2. See this article for tips: Vista SP2 FAQ.

      On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done: Kaspersky Webscan Online Virus Scanner, ESET Online Scanner, Panda ActiveScan, Trend Micro Housecall, F-Secure Online Scanner. Read Tony Klein's article How Did I Get Infected In The First Place. Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe! Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html We are finished here. Best regards.

      The advice and procedures used here are only for this particular system. Do not use these steps on any other system. This thread is now closed.
  14. Final parting comments: Get & use the MVP Hosts file (links in prior reply) that will help to keep this system away from known bad websites. Stay totally away from "download sites" of unknown repute. If you do not have any anti-malware program on this system, and you have not purchased MBAM, then consider doing so. It will provide some added layer of protection. Blue723, I wish you well and stay safe. The procedures used here were only for this system. If you are a casual viewer and have a similar problem, do NOT use these procedures, but create a New topic with your specifics. This thread is closed.
  15. I see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know. Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. {One can always download it if needed in future.} Go to Control Panel and Add-or-Remove programs. Look for it and click the line for it. Select Change/Remove to de-install it. De-install Eset online scan. OK & Exit out of Control Panel.

      The following few steps will remove tools we used, followed by advice on staying safer. We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk. Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.

      Please double-click OTL.exe to run it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

      Delete the Rootrepeal download and Rootrepeal.exe. Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before {under hidden files & folders, to not show hidden or system files -and- to "hide protected operating system files"}.

      Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. Check in at Windows Update and install any Critical Updates offered. Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525 Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

      On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done: Kaspersky Webscan Online Virus Scanner, ESET Online Scanner, Panda ActiveScan, Trend Micro Housecall, F-Secure Online Scanner. Read Tony Klein's article How Did I Get Infected In The First Place. Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe! Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html We are finished here. Best regards.
  16. Advise me what you mean by "Did you start Internet Explorer? Did IE reach the Kaspersky site?" or not? Let's try this scan instead:

      Using Internet Explorer browser only, go to ESET Online Scanner website: Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator. Accept the Terms of Use and press Start button; Approve the install of the required ActiveX Control, then follow on-screen instructions; Enable (check) the Remove found threats option, and run the scan. After the scan completes, the Details tab in the Results window will display what was found and removed. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Look at contents of this file using Notepad or Wordpad. The Frequently Asked Questions for ESET Online Scanner can be viewed here http://www.eset.com/onlinescan/cac4.php?page=faq

      From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result. It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And promptly re-enable it when finished.) If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

      Reply with a copy of the Eset scan log.
  17. I see that you are clear of your rootkit & malware infections. If you have a problem with these steps, or something does not quite work here, do let me know. The following few steps will remove tools we used, followed by advice on staying safer. Use Control Panel's Add-or-Remove Programs to de-install Kaspersky online scan.

      We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk. Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.

      Please double-click OTL.exe to run it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

      Delete the Rootrepeal downloads and rootrepeal.exe. Delete the SYSCLEAN downloads and the C:\DCE folder. Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before {under hidden files & folders, to not show hidden or system files -and- to "hide protected operating system files"}.

      Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. Check in at Windows Update and install any Critical Updates offered. Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525 Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

      On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done: Kaspersky Webscan Online Virus Scanner, ESET Online Scanner, Panda ActiveScan, Trend Micro Housecall, F-Secure Online Scanner. Read Tony Klein's article How Did I Get Infected In The First Place. Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe! Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html We are finished here. Best regards.
  18. Hello, please go forward & run the following: You will want to print out or copy these instructions to Notepad for offline reference! If you are a casual viewer, do NOT try this on your system! If you are not snodes and have a similar problem, do NOT post here; start your own topic. Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here. If you have questions, please ask before you do something on your own. But it is important that you get going on these following steps.

      = Close any of your open programs while you run these tools. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have a prior copy of Combofix, delete it now! Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop. Link 1 Link 2 Link 3 * IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop.

      Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At the command-prompt window, type in the following to begin Combofix and press Enter key. A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

      A caution - Do not run Combofix more than once without asking me first. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work. A file will be created at => C:\Combofix.txt. Note: Do not mouseclick combofix's window nor run any program while Combofix is running. That may cause it to stall.

      = RE-Enable your AntiVirus and AntiSpyware applications.
  19. I see that you are clear of your rootkit infection issues. If you have a problem with these steps, or something does not quite work here, do let me know. The following few steps will remove tools we used, followed by advice on staying safer.

      We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk. Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.

      Please double-click OTL.exe to run it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

      Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before {under hidden files & folders, to not show hidden or system files -and- to "hide protected operating system files"}.

      Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. Check in at Windows Update and install any Critical Updates offered. Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525 Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  20. Hello blue723, You can relax and breathe much easier. The rootkit SKYNETnoentmrr is gone. We need to do several follow-ups to deal with other issues. Your logs showed some peer-to-peer filesharing apps, like Limewire & Bittorrent. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware. "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology." Please de-install Limewire & Bittorrent and any other such app.

      You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! If you are a casual viewer, do NOT try this on your system! If you are not blue723 and have a similar problem, do NOT post here; start your own topic. Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here. If you have questions, please ask before you do something on your own. But it is important that you get going on these following steps.

      = Close any of your open programs while you run these tools. Place your USB flash drives in-place so that some of these programs will be able to find them. I'm going to have you get and run two utilities. The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices. Download and Install Microsoft's TweakUI: http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI. Expand the My Computer branch, then the AutoPlay branch, and then select Drives. Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters. Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection. http://download.bleepingcomputer.com/sUBs/...Disinfector.exe There is no GUI interface or log file produced.

      = Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

          :files
          c:\windows\system32\drivers\.sys
          C:\recycler
          D:\recycler
          e:\recycler
          f:\recycler
          g:\recycler
          h:\recycler
          :Commands
          [purity]
          [emptytemp]
          [reboot]

      Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste. Close any browser(s) windows that may be open. Using your mouse, click on the red-lettered button Run Fix. Once you see a message box "Fix complete! Click OK to open the fix log.", click the OK button. The log will open in Notepad (your default text editor). Save the log. Post a copy of that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

      = Start your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab. Make sure all option lines have a checkmark. Next, Click the Update tab. Press the "Check for Updates" button. At this time of posting, the current definitions are # 2651 or later. The latest program version is 1.40. When done, click the Scanner tab. Do a Quick Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

      = See this topic in the AumHa Security forum and get the latest Java run-time http://aumha.net/viewtopic.php?f=26&t=41698 De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

      = Scan the system with the Kaspersky Online Scanner http://www.kaspersky.com/virusscanner Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished. During this run, make sure your browser does not block popup windows. Have patience while some screens populate.
      1) Click the Kaspersky Online Scanner button. You'll see a popup window.
      2) Accept the agreement
      3) Accept the installation of the required ActiveX object (XP SP2-SP3 will show this in the Information Bar)
      4) For XP SP2-SP3, click the Install button when prompted
      5) The necessary files will be downloaded and installed. Please have plenty of patience.
      6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
      7) Click the My Computer line
      8) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares
      9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply. (To see an animated tutorial-how-to on the scan, see >>this link<<)
      Re-enable your antivirus program after Kaspersky has finished.
Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired. Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine. Kaspersky is a report only and does not remove files. Post back with copies of the OTL MovedFiles log the latest MBAM scan log Kaspersky.txt report. How is your system now ?
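The two AutoRun measures in post 20 (turn off AutoPlay per drive type, then reserve the Autorun.inf name on removable media so a dropped autorun file cannot take its place) can also be applied from a script. The block below is an added example written for this page; it is not TweakUI, not sUBs' Flash Drive Disinfector, and not code from the thread. It assumes a Windows box with PowerShell, run from an elevated prompt, and it only hardens: nothing on the drive is deleted without first being copied aside.

```powershell
# Added example: AutoRun hardening for fixed and removable drives.
# Not the thread's code and not Flash Drive Disinfector; assumes an elevated PowerShell session.

function Disable-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed:
    # 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, 0x40 RAM disk, 0x80 unknown.
    # 0xDF = everything except CD/DVD, matching the TweakUI step above; use 0xFF to cover optical too.
    param([int]$Mask = 0xDF)
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value $Mask -Type DWord
    # Note: on XP the non-optical bits are only honoured once Microsoft update KB967715 is installed.
    return (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
}

function Protect-DriveAutorun {
    # Reserve "<drive>\Autorun.inf" as a read-only, hidden, system DIRECTORY.
    # Malware drops Autorun.inf as a FILE; Windows will not create a file over an
    # existing directory of the same name, so the drop fails.
    param([Parameter(Mandatory=$true)][string]$DriveRoot)   # e.g. 'F:'
    $target = Join-Path $DriveRoot 'Autorun.inf'
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # An existing Autorun.inf file on a removable drive is worth keeping for review
        # (constructed save location; it is moved, not destroyed).
        $keep = Join-Path $env:TEMP ("autorun_" + $DriveRoot.TrimEnd(':') + ".inf.txt")
        Move-Item -LiteralPath $target -Destination $keep -Force
    }
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -Path $target -ItemType Directory | Out-Null
    }
    $dir = Get-Item -LiteralPath $target -Force
    $dir.Attributes = [System.IO.FileAttributes]::ReadOnly -bor `
                      [System.IO.FileAttributes]::Hidden   -bor `
                      [System.IO.FileAttributes]::System   -bor `
                      [System.IO.FileAttributes]::Directory
    return $dir.FullName
}

# DriveType 2 = removable, 3 = local fixed disk (Win32_LogicalDisk).
$mask = Disable-AutoRunPolicy
Write-Host ("NoDriveTypeAutoRun now 0x{0:X2}" -f $mask)
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3') {
    Write-Host ("Protected " + (Protect-DriveAutorun -DriveRoot $disk.DeviceID))
}
```

The policy value is written under HKLM so it applies to every account on the machine; the directory trick only blocks the common "drop Autorun.inf and wait for insertion" pattern and is no substitute for the policy, which is why the script does both.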
  21. Look over the log. If the summary sections have 0 items tagged, like this: then I won't need it. I'll check back here late tonight and get back with you. Please be patient meantime.
  22. After we close this case, then go get newest Spybot (if you'll be using it on a regular basis). But then be sure to NOT make use of Tea Timer, unless you are fully aware of what it does. And if you purchased MBAM, my personal opinion is that you don't then need Spybot. No, do not turn off your ZoneAlarm firewall. HTH / YW
  23. Yes, correct. As to Flashdrive disinfector and your antivirus, it is squawking about it, but it is a false positive, if you will. Temp disable your AV. Then run the Flash drive disinfector. Last, re-enable your AV. Then continue with all other steps I outlined. Then get me a copy of the Combofix log.
  24. Very good. The Eset scan only found an item already in quarantine. This is good to go after these next steps.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are two options in the window to clear the cache - Leave BOTH Checked:
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window.
Click OK to leave the Java Control Panel.
To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml
When all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.

=

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.
Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs). {In Classic view, double click Program and features}. Look for it and click the line for it. Select Change/Remove to de-install it.
Un-install Eset online scan.
OK & Exit out of Control Panel.

I see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( combofix.exe ), put that name in the RUN box stated just below. The "/u" in the command line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. In the command box that opens, type or copy/paste combofix /u and then press ENTER key.

Right-click OTL.exe and then select "Run as administrator" to start it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Delete RootRepeal and any of its leftovers.
Delete Gmer and any of its leftovers.
Delete the SYSCLEAN downloads and the C:\DCE folder.
Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP http://bertk.mvps.org/html/diskcleanupv.html
You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files" }

Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
Check in at Windows Update and install any Critical Updates offered.
Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
Make certain that Automatic Updates is enabled.
Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites.
Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
Get and apply Vista Service Pack 2. See this article for tips: Vista SP2 FAQ

On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan
Trend Micro Housecall
F-Secure Online Scanner

Read Tony Klein's article How Did I Get Infected In The First Place
Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are finished here. Best regards.
  25. You've done well. That is good information from the Gmer log and you recovered well. I want to follow up with a bit more cleaning for this rootkit.

RIGHT-click on avenger.exe and select Run As Administrator to run The Avenger. Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\Windows\system32\drivers\SKYNETpfnobsxb.sys
C:\Windows\system32\SKYNETriwdkeye.dll
C:\Windows\system32\SKYNETitmhrfex.dat
C:\Windows\system32\SKYNETvpjedeqn.dll
C:\Windows\system32\SKYNETxpoiqjup.dat
C:\Windows\system32\SKYNETwsp.dll
C:\Windows\System32\drivers\a285ucso.sys

Drivers to delete:
SKYNETstglbkdq
a285ucso

In the avenger window, click the Paste Script from Clipboard icon button.
:!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
Click the Execute button. You will be asked Are you sure you want to execute the current script?. Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Next, a new run of Gmer
========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================
RIGHT-click gmer.exe and select Run As Administrator. The program will begin to run.
**Caution** These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity. Click OK.
GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work.
GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop.

=

Reply with copy of C:\Avenger.txt and the Gmer.txt
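The Avenger script in post 25 names the rootkit's kernel drivers by service name (the SKYNET* entries plus a random-looking a285ucso). For an analyst who wants a first, report-only look at what a box has registered before reaching for Avenger or GMER, the block below is an added example written for this page, not code from the thread or from either tool. It assumes a Vista/7-era Windows host with PowerShell in an elevated session; the SKYNET prefix is the only pattern taken from the thread, and the CSV path is a constructed location.

```powershell
# Added example: report-only review of registered kernel drivers.
# Not the thread's code; assumes an elevated PowerShell session. Nothing is deleted or stopped.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName is sometimes in kernel form; normalise it so Test-Path can see it.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                           # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                    # expand \SystemRoot
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\system32\')     # bare relative path
    return $p
}

function Get-SuspectDriver {
    # Flags a driver when its service name matches the pattern seen in this thread, or when
    # the image file it points at cannot be seen from user mode (deleted, or hidden by a rootkit).
    param([string]$NamePattern = '^SKYNET')
    foreach ($drv in Get-WmiObject Win32_SystemDriver) {
        $reasons = @()
        if ($drv.Name -match $NamePattern) {
            $reasons += ('service name matches ' + $NamePattern)
        }
        $path = Resolve-DriverPath $drv.PathName
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file not visible from user mode'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Name      = $drv.Name
                Path      = $path
                State     = $drv.State
                StartMode = $drv.StartMode
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

$found = @(Get-SuspectDriver)
if ($found.Count -eq 0) {
    Write-Host 'No driver matched the pattern or pointed at a missing file.'
} else {
    $found | Format-Table Name, State, StartMode, Reason, Path -AutoSize
    # Constructed output location for attaching to a forum reply.
    $found | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\driver_review.csv') -NoTypeInformation
}
```

An empty report proves nothing: a kernel-mode rootkit of this family hides its own service key and files from exactly the user-mode enumeration WMI performs, which is why the thread still relies on GMER's scan and Avenger's boot-time deletion. The value of the script is in the positive case, where a named match or a dangling image path gives you something concrete to quote back alongside the GMER log.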