Raid

Honorary Members

Posts: 1,551

Everything posted by Raid

  1. I may have been a bit hasty; another moderator so kindly *grin* reminded me that security descriptors do control some security aspects of the web... Windows Update, https... etc. So whoops! for my slightly misinformed post.
  2. No. This particular bug would only affect you if your computer was part of a LAN in a configuration that required it to authenticate itself to others. It has nothing to do with antivirus, or security otherwise.
  3. Depending on the rootkit in question, it's entirely possible for it to hide... Yes. Cat and mouse game, if you will. If you would like to start a fresh thread in the HijackThis log forum, one of the helpers can hopefully get this resolved for you.
  4. That's fine with me, cmoney. And no, Nero is a good application. Unless you don't use it, there's no reason to remove it. I will look forward to this, this weekend then.
  5. Ahh, I'm sorry, man. But he's essentially undone everything we've managed to scrape off of the machine. If you have personal data or something, I'd be glad to help you archive it away from the infested machine. If you can get them to leave it be, we'll go through this again... But if you don't think they will comply, then it's a waste of our time to continue. Sadly, as long as they remain infected, the problems will get worse and I suspect the computer will soon become unusable.
  6. Good grief... Who is using this computer while we are trying to clean it up? Please ask them to stop doing so! And you didn't tell me if you had Nero installed or not... Hmm... Okay, boot the computer into safe mode, start HijackThis, check the following and fix them. Next, I want you to reboot the computer normally and run MBAM, update it and please scan again. After doing so, I require fresh HijackThis and MBAM logs. Be sure you reboot if MBAM asks you to do so.
  7. Okay, judging by the logs, Sysclean had trouble doing everything. I'd like for you to reboot into safe mode and run it from there. Then allow the machine to reboot normally, run MBAM, update it, and scan your machine; allow MBAM to remove anything it finds, and reboot normally again. Post a fresh HijackThis log and Sysclean logs afterwards.
  8. Oi..... I will need a bit of time to process all of that information. However, sadly I can see that you have become more infected now than you were, once again.... Is somebody using this computer while we are trying to clean it, or? Also, do you have Nero installed?
  9. Okay, I want you to click and remove the following items with HijackThis. After selecting them for removal with HijackThis, reboot your PC normally. Next I'd like you to load GMER, hit the scan button and provide the entire logfile here, please. I am going to examine this executable in closer detail. I haven't learned much from the executable itself. Although something is still present on your PC, most likely... So, we're going to try something different to kill this off for you. First, I want you to go here and download Sysclean: http://www.trendmicro.com/download/dcs.asp You will need to download two additional files, one for viruses and the other for spyware. Instructions for which ones to download are found here: http://www.trendmicro.com/ftp/products/tsc/readme.txt After doing all of this, please post back your results, including the logfile that will be left behind by Sysclean.
  10. Hi guys, got this from Usenet; passing the information along. I had Malwarebytes' Anti-Malware installed on my Win2000 Pro SP4 PC. While looking at it I noticed that on the second tab (from the top left with the program open) it had a button for 'Test Protection' or similar. It also had two more buttons that said Register and Purchase, I believe. I decided to click on the 'Test Protection' button and immediately the PC rebooted. I tried several times to reboot into W2k (I have a dual boot 98SE-2kPro system), but just after the MS music would start playing for the Desktop (not showing yet), it would again reboot. I tried several times and that was as far as it would get. I booted into 2k Safe Mode and ran Anti-Malware in quick scan mode and it found nothing. I then rebooted into Normal mode and it still would get almost to the Desktop and then reboot. I even tried to revert to the 'last successful config' or similar and it still wouldn't work. I finally went into Safe Mode and uninstalled the Anti-Malware program and then rebooted into Normal mode and it booted fine. Any idea why this would happen and why Anti-Malware would have a button like that which could cause such a problem? Thanks, Buffalo PS: At least there should have been a warning or something to make users aware that 'clicking that button' may result in your PC becoming inoperable if you haven't purchased and registered the required module. I am very leery of trying that program again as it has had several false alarms. I will probably just stick with SAS (paid), but someday I may try Anti-Malware again. I am always experimenting with something or another.
  11. Let's head to the Other Tools tab. There you will see an icon for File Assassin. Click Run Tool, then select that offending file and reboot as requested. Then scan again and post a fresh HJT log as well as a fresh MBAM log. Please be sure you update to the latest defs before scanning.
  12. Hi there, welcome to the forums. Please let us know how you do regarding that annoying program.
  13. Hi there, please zip the offending files as FPcheck1.zip and upload it to uploads.malwarebytes.org. We'll get this fixed!
  14. Strange, MBAM is still detecting things and reporting that you aren't taking any action. Please! Allow MBAM to remove anything it finds, and reboot your PC into normal mode. Repeat this until MBAM finds nothing else. Ok?
  15. Hi Kay. Your logfile appears to be clean. That error message is normal if you're running it from Windows Vista.
  16. I don't quite understand why you aren't following my instructions. Okay.. One last try at this... 1. Make sure your PC is in normal mode. 2. Start MBAM, update it. 3. Select Quick Scan. 4. Remove selected items (this is extremely important!). 5. Reboot your PC normally (your computer absolutely must get to the 'Windows is shutting down' screen; it has got to be able to save current settings). 6. Scan your PC again with MBAM, post this log as well as a fresh log from HijackThis.
  17. MBAM has to be able to scan, and properly restart your machine. Please try this again, and after rebooting, post a fresh MBAM log. We can't do much to clean up with HijackThis until various files are killed. Hence the need for a successful shutdown and restart. Feel free to check for an updated database beforehand.
  18. Hi Cmoney.. The files are trojan.onlinegames components, except for two which are legitimate... I need you to update MBAM via its update button, perform a quick scan, allow it to remove items, and reboot into normal mode after running the program. Open MBAM again, scan again and post that log file, along with a fresh HijackThis log AFTER running MBAM twice, please.
  19. Give me a bit of time to process these, and I'll go from there with guidance. For the DLLs that are too big to attach here, please zip them as cmoneysamples.zip and upload it here: uploads.malwarebytes.org
  20. Hmm, you still have some possible trojans present. Have you installed additional software since we started? Please don't install programs unless I ask you to.... I need you to upload the following files: C:\WINDOWS\System32\dllcache\qxchost.exe C:\WINDOWS\System32\comuidsg.dll C:\WINDOWS\System32\lweurqhx.dll C:\WINDOWS\system32\NMBgMonitor.exe C:\WINDOWS\system32\msCMTSrvc.exe I assume you can open Task Manager now?
  21. You must allow the machine to start in normal mode when MBAM wants to perform a restart. You did not do this with your HijackThis log. Please go ahead, select remove and reboot your computer normally. I will require new logs from MBAM and HJT in normal mode.
  22. I've been analyzing supposed "codecs" which seem to create the a.exe I've seen mentioned here. It puts a little balloon window up telling me I need some antivirus, I have a security problem... (*grin*) If I do this, Firefox takes me to a website that insists I run the setupblah exe file... Anyhow, it's spreading via codec downloads a lot lately.
  23. Excellent. Go ahead and allow MBAM to remove the selected items to quarantine and let's see how your computer does. After rebooting, post a fresh HijackThis log and MBAM log, please.