
CWB
Honorary Members
Posts: 2,404

Everything posted by CWB

  1. hey gammo , i had to take care of some things . i rebooted the machine and dragged the notepad file into the combofix icon on the desktop . it ran but the notepad file did not "disappear" as one would normally expect it to do ... ok ? i was not prompted for anything but the system did a reboot on its own (while i was getting a cup of coffee --- it figures ---) . after rebooting i clicked on my Admin account . when my desktop opened the log-on music was stuttering , the screen was dim and then it went BSOD (full page of crap) for two seconds then rebooted ... the dos screen gave me the "normal" options ... i selected "restart windows normally" ... the logon screen came up (eventually) , i logged in and all looks ok ... except i cannot find the log file on the C drive or inside the combofix program folder (maybe i missed it) . where to from here ? ps ... maybe i should quit drinking coffee ?
  2. i tried ... i am working between my main comp and the laptop that is infected . i created the notepad file and transferred it to the infected machine . after dragging/dropping the notepad file into the combofix icon a window pops up : "illegal operation attempted on a registry entry marked for deletion" also ... if i attempt to open the notepad program itself the same message pops up . if i try to open the notepad file , the same message .
  3. sorry about that ... i posted/attached the new log before i realized that you had replied asking me not to .
  4. update : i was not sure if you wanted me to run combo fix again ... i ran it again and allowed it to access the internet ... it updated to a new version . all was running well . a message popped up saying that "PEV.CFXXE has stopped running" ... is this ok ? new combofix log attached .
  5. hello gammo , i was able to run TDSSK . it stopped "defogger" . i shut down the resident shield in AVG . i attempted to run "combo fix" ... it stopped during loading and a message popped up saying some files could not be created . the machine choked . i restarted the machine and the avg resident shield was disabled . i ran combofix again ... it did load ... but ... the firewall pinged me about "combofix-download.cfxxe" wanting to access the internet ... i ignored it . while i was typing this , combofix kicked in and ran ... without asking for the "recovery console" . it completed its operations , restarted the machine and is generating a log report and also displayed "do not run any programs until combofix has finished" . it has now been 15 minutes and the blue "console window" is still displaying the last message and a firewall message has popped up : "PEV.CFXXE" is trying to access the internet . of course , i am ignoring it (blocked) . i have not attached any log files as i do not know if they would be valid at this point . what's next ? larry ps ... i noticed that the programs i have placed on the desktop (tdss , defogger , dds , etc .) have a four colored "security shield" icon on them . is this ok ? pps ... combofix just finished generating the log file .
  6. hello , yet *another* friend's laptop ... a little background : three bogus "anti" programs were installed . two copies of "avg" (they were old and/or of dubious integrity/origin) . a couple of known malware programs were installed (ie : sweet IM) . these were removed with "revo uninstaller pro" along with the old copies/installs of "avg" . the rest of the above were removed to the best of my abilities with MB , a fresh install (safe mode) of avg IS and spybot SD . each program found some items and removed them . symptoms of remaining infection(s) are : firefox : selective browser redirect/hijack ... certain google (integrated search box) searches produce redirected addresses clearly visible at the bottom of the browser ... the same happens if the google page is brought up manually . some surfing is normal . IE : the integrated search box produces an "IE has to be shut down ..." when clicked on . when restarted it asks to add search providers (almost like a fresh install sequence) , none can be added . some surfing is normal . i have run the requested "i'm infected ..." programs and defogger is still "open/running" (as per instructions) and did not prompt for a reboot . many thanks in advance .
larry

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4505

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

8/30/2010 8:42:10 AM
mbam-log-2010-08-30 (08-42-10).txt

Scan type: Quick scan
Objects scanned: 142721
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 8:48:53.63 on Mon 08/30/2010
Internet Explorer: 8.0.6001.18882
Microsoft
  7. the slow comp link is a good read . i see many comps that have a lot of icons down in the tray and stuff running/listed in task manager ... people are their own worst enemy sometimes . :D thanks for all your help and it has been a pleasure working with you . take care and if i don't see you in the future i'll see you in the pasture . CWB
  8. thanks for the links ... i will be sending them to several individuals . i tried running the combofix uninstaller both ways ... three times each ... no go . i shut the machine down and restarted ... then i ran ComboFix /uninstall ... it worked . :) i think i might know why the machine is a bit slow at the windows logon page . i have avira set to load at the start and then (as i understand it) look at the files as/before they are loaded ... this will slow things down a bit . the machine is a bit short on ram as well ... more ram and a decent video card should help the horse to pull the wagon . what is next ?
  9. good morning/afternoon/evening , again , thank you for all your help with this problem . interesting articles (again) . yes , i absolutely agree (and for the benefit of and fair warnings to those reading this thread) that the average "end user" should not be playing around in the registry and so-forth . step by step instructions of/for manually deleting specific entries when instructed by a competent individual or set of instructions are another matter . i am by no means an "expert" and the registry is a place i go to with a large amount of caution . by "end user" i mean (for lack of better terms and trying to be as nice as i can) 98% of the people using windows . no slams against anyone , just the truth . hey , just because you can drive a car does not mean that you know how to overhaul the engine . /end of clarification back to it ... i tried running the ComboFix /uninstall . it would not run . it asks for an "alpha numeric entry" . could this be from the renaming of the file ? defogger was loaded to the desktop and run ... seems to be ok . ps ... do you know of a listing/site of bogus/fake mal/scum/viriware (etc) that i could show to my friends in order to educate them (better known as : scare the daylights out of 'em) ? :)
  10. so far no ugly monsters have reared their heads . all looks well . i have cleaned out some old junk and registry entries (little reg cleaner and Ccleaner) and brought windows up to date ... no red flags . i did notice that the windows start up/log on page is sometimes slow to respond and sometimes it is fast ... weird .
  11. scanned and rebooted . i noticed "1 hidden file" ?
  12. after enabling avira it shows that the automatic updates were/are disabled ... originally this was enabled . is this from the clean out procedures perhaps ? checking IE and FF google search results using terms that were redirected before ... ok . i can even access windows updates . checking IE and FF direct address entry ... addresses are no longer redirected . windows updates is communicating ... it is asking to install a new active x for the upgraded version of updates ... normal . things look ok ... however ... that is only an assumption .
  13. finished ... rather quickly ... no glitches .
  14. pykyl.com = 0/40 usesiboh._dl = 0/40 myfuj.reg = 0/41 ps ... there is no problem with removing any files/programs/etc that are not needed .
  15. the article about viewpoint was interesting ... foistware = ransomware = hostageware . :) i used revo uninstaller pro ... very complete in "cleanup" . the MB run did not prompt me for anything .
  16. borislav , i had to reboot the machine for it to work . i am sending the fresh dds logs as you requested ... defogger is/was not running . CWB
  17. hey boris , defogger is still "running" , sitting there . after running gmer , saving the logs and closing the program ... the machine will not find my flash drive (used to transfer the logs (etc) to/from the infected machine) . the comp is doing as it did before ... showing an hourglass when i attempted to open/transfer the log files ... choked . what now ?
  18. hi borislav , i do have a question about "defogger" that i mentioned ... it does not produce a call for a reboot ... is this ok ? if it is ok then i am at a point to run the rest of the sequence and post more logs . thanks CWB
  19. hello and thanks for the help ahead of time , a little background information : the comp i am trying to get rid of the nasties on/in had two other people (at least !) happen to it , the trail is long (sigh) . there were a few known (to myself) scum/mal/foist and other bald-faced bogus "anti" programs , as well as old legitimate anti programs , located in/on three accounts . some of these items were uninstalled or otherwise removed by various means . one account has been eradicated and i created an account ; "mine" to work from/through , this was done just to get the machine hitting on four cylinders . :) . a/my previous post about this is here (not an actual work in progress , just a query) : http://forums.malwarebytes.org/index.php?s...mp;#entry273942 a major symptom is a redirect of FF and IE when using the results from the embedded google search bar . directly entering an address such as "dslreports.com" takes me to the site with no problems . the windows update and other "windows" searches (directly or by google result) produces the redirect . here is a small results sample for reference : tazinga.com asklots.com alltheservices.com productsontv.com freecollegefinancing.com linkbuzzers.com (this one had a bunch of bounce-throughs) crossforclosure.com the machine will not boot into the safe mode , a blue screen blurb about "uninstalling any new drives , searching for viri (duhhh) , etc" comes up after (?) the minimal software/driver set is loaded (i do not know if this runs to completion) . i performed the first two items in the procedure listed elsewhere here (with no problem in running them) and after running "defogger" i pressed "ok" but was not prompted to reboot the machine (i waited for 30 minutes) and the machine ran very slowly (virtually choked) . at this point i did a hard restart on the machine and performed the initial sequence from the top again .
currently the defogger disable/re-enable box is on the screen showing the "disable" button in bold . in each case , no error log was generated . i do have a couple of previous logs from other runs that i can post if need be . these are the latest logs to this point (until more is known about the issue with defogger) :

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4245

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2010 5:44:28 AM
mbam-log-2010-06-27 (05-44-28).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 196147
Time elapsed: 56 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------

Avira AntiVir Personal
Report file date: Sunday, June 27, 2010 05:57

Scanning for 2270810 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : mine
Computer name : D1ZFW6B1

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 18:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 00:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:09:00
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 21:09:06
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 21:09:07
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 21:09:07
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 21:09:07
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 21:09:07
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 21:09:07
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 21:09:07
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 21:09:08
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 21:09:09
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 21:09:09
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 21:09:10
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 21:09:11
VBASE018.VDF : 7.10.8.164 2048 Bytes 6/23/2010 21:09:11
VBASE019.VDF : 7.10.8.165 2048 Bytes 6/23/2010 21:09:11
VBASE020.VDF : 7.10.8.166 2048 Bytes 6/23/2010 21:09:12
VBASE021.VDF : 7.10.8.167 2048 Bytes 6/23/2010 21:09:12
VBASE022.VDF : 7.10.8.168 2048 Bytes 6/23/2010 21:09:12
VBASE023.VDF : 7.10.8.169 2048 Bytes 6/23/2010 21:09:12
VBASE024.VDF : 7.10.8.170 2048 Bytes 6/23/2010 21:09:12
VBASE025.VDF : 7.10.8.171 2048 Bytes 6/23/2010 21:09:12
VBASE026.VDF : 7.10.8.172 2048 Bytes 6/23/2010 21:09:13
VBASE027.VDF : 7.10.8.173 2048 Bytes 6/23/2010 21:09:13
VBASE028.VDF : 7.10.8.174 2048 Bytes 6/23/2010 21:09:13
VBASE029.VDF : 7.10.8.175 2048 Bytes 6/23/2010 21:09:13
VBASE030.VDF : 7.10.8.176 2048 Bytes 6/23/2010 21:09:13
VBASE031.VDF : 7.10.8.190 129024 Bytes 6/25/2010 21:09:14
Engineversion : 8.2.4.2
AEVDF.DLL : 8.1.2.0 106868 Bytes 6/25/2010 21:09:25
AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 6/25/2010 21:09:24
AESCN.DLL : 8.1.6.1 127347 Bytes 6/25/2010 21:09:23
AESBX.DLL : 8.1.3.1 254324 Bytes 6/25/2010 21:09:25
AERDL.DLL : 8.1.4.6 541043 Bytes 6/25/2010 21:09:23
AEPACK.DLL : 8.2.2.5 430453 Bytes 6/25/2010 21:09:22
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/25/2010 21:09:21
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 6/25/2010 21:09:20
AEHELP.DLL : 8.1.11.6 242038 Bytes 6/25/2010 21:09:17
AEGEN.DLL : 8.1.3.12 377204 Bytes 6/25/2010 21:09:16
AEEMU.DLL : 8.1.2.0 393588 Bytes 6/25/2010 21:09:16
AECORE.DLL : 8.1.15.3 192886 Bytes 6/25/2010 21:09:15
AEBB.DLL : 8.1.1.0 53618 Bytes 6/25/2010 21:09:15
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 18:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 18:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 18:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 20:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, June 27, 2010 05:57

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'avscan.exe' - '66' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avcenter.exe' - '101' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'dlcdcoms.exe' - '24' Module(s) have been scanned
Scan process 'ctfmon.exe' - '27' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '30' Module(s) have been scanned
Scan process 'igfxpers.exe' - '23' Module(s) have been scanned
Scan process 'hkcmd.exe' - '22' Module(s) have been scanned
Scan process 'ehmsas.exe' - '21' Module(s) have been scanned
Scan process 'ehtray.exe' - '39' Module(s) have been scanned
Scan process 'Explorer.EXE' - '96' Module(s) have been scanned
Scan process 'wscntfy.exe' - '18' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'ehSched.exe' - '50' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '45' Module(s) have been scanned
Scan process 'DLCDserv.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '172' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '54' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '76' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '410' files ).

Starting the file scan:
Begin scan in 'C:\'
Begin scan in 'D:\' <Backup>

End of the scan: Sunday, June 27, 2010 06:38
Used time: 41:07 Minute(s)

The scan has been done completely.

7074 Scanned directories
182208 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
182208 Files not concerned
3392 Archives were scanned
0 Warnings
0 Notes
490068 Objects were scanned with rootkit scan
1 Hidden objects were found

again , many thanks in advance . CWB
  20. thanks for the howdy . i only run one full time resident anti-viri program . the others (anti-mal/scum/crapware) are/were run as adjuncts . i'll get after posting in the correct section asap . thanks again , CWB
  21. hello , i recently took on a comp that a few "others" happened to . the owners and *who ever* installed bogusware ... the list was fair sized and included 3 copies of anti-mal/viri programs and god-knows what else . i installed/ran malwarebytes , changing the file extensions as was suggested in the self help . this cleaned out a bunch of crap . two other legit anti-mal/viri programs were run and cleared out some stuff ... subsequent re-scans of all come up ok . i was/am still getting redirects in both IE and FF ... a look with hijackthis showed about 24 of those bogus random lettered entries ... i deleted those and a couple of other items and they have not returned . yeah , i should have saved a list of them ... still , the redirects persist but it seems to only happen through a google search (i have only tried the google search bar) and then selecting a result , typing in a url takes me to several sites with no problems . in IE , a partial list of the places i wind up at (some after four bounces/redirects) : tazinga.com asklots.com alltheservices.com productsontvdirect.com freecollegefinancing.com linkbuzzers.com (one of those in a string of bounce throughs) crossforclosure.com FF produces similar results . i am hoping that someone will recognize the symptoms and perhaps there is a fix already in place , before going the full route .