defogger disable log

Defogger ran fine, I guess. After it finished, no restart was asked for. Went to the disable/re-enable box again.

defogger_disable by jpshortstuff (28.11.09.2)

Log created at 20:32 on 11/01/2010 (HP_Administrator)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Hi,

Can you run Malwarebytes now? If so, please post the Malwarebytes log in your next reply.

Still unable to run it...even the random name generated one. I get a 70(3,0) error. Waiting for the Microsoft Level II call back. This forum seems a bit beyond my ability and this bug is pretty tough. May have to do a system recovery.

  • Staff

Hi,

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: mbamrandom.jpg

Double-click on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (randomly named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with the above instructions, let me know.

I'm trying to put this information in the correct place. My system is clean again. I had tried a random named Malwarebytes and it still wouldn't run. The IT guys at my office recommended "combo fix" then to run Malwarebytes. The combo fix did the trick, though as it was loading pop-ups kept showing up saying the file was infected and wouldn't run. Well it did and seems to have fixed the issues. Next I ran the quick Malwarebytes scan and lastly the full Malwarebytes scan.

I've attached four logs: the malware just prior to infection, then the combo fix log, then the short malware log and lastly the full malware log scan. Malware removed more things it seems after the combo fix.

Oh yeah and I purchased the Malwarebytes product, it now runs all the time.

I'm not sure of the relationship between Malwarebytes, Combo fix and also the superantispyware (my IT guys also recommended it) but I notice all are available at the combofix.org website.

Thanks for your help.

Combo_Fix_log.txt

mbam_log_2010_01_06__05_31_20_.txt

mbam_log_2010_01_14__21_10_56_.txt

mbam_log_2010_01_15__01_04_42_.txt

  • Staff

Hi,

If malwarebytes was able to run, then it would have taken care of this all as well. Good you purchased malwarebytes now, it will now protect you against these malicious installers as well and block them before they can get executed.

Btw, the developer of Combofix also works for mbam :)

Anyway, I see Malwarebytes took out the leftovers that were still present in the combofix log:

Files Infected:

C:\WINDOWS\system32\kawenola.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\vamodimu.dll (Trojan.Vundo.H) -> No action taken.

We still have to delete some orphaned registry leftovers, but we can use Combofix for that...

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Driver::
wjdpjyyr

NetSvc::
rbgipjrm

Reglock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
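
Added example, not part of the original thread and not Malwarebytes' own tooling: a small Python parser for the `object (detection) -> action` lines quoted in the post above, which lists the entries whose recorded action is "No action taken" so they can be re-checked against a later scan log. The third sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread; the third entry
# (path, detection name and action text) is made up for illustration.
SAMPLE_LOG = r"""Files Infected:
C:\WINDOWS\system32\kawenola.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vamodimu.dll (Trojan.Vundo.H) -> No action taken.
C:\EXAMPLE\placeholder.dll (Example.Detection) -> Example action.
"""

# <object> (<detection name>) -> <action>.
# The object part is lazy so paths that contain parentheses still parse.
ENTRY_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z][A-Za-z /]+):\s*$")

def parse_detections(text):
    """Return one dict per detection line: section, object, detection, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the forum paste has blank lines between entries
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append({"section": section,
                            "object": entry.group("obj"),
                            "detection": entry.group("name"),
                            "action": entry.group("action")})
    return entries

def unresolved(entries):
    """Entries the log records as detected but not acted on."""
    return [e for e in entries if e["action"].lower() == "no action taken"]

def summarize(entries):
    """Map detection name -> {'total': n, 'unresolved': m}."""
    stats = defaultdict(lambda: {"total": 0, "unresolved": 0})
    for e in entries:
        stats[e["detection"]]["total"] += 1
    for e in unresolved(entries):
        stats[e["detection"]]["unresolved"] += 1
    return dict(stats)
```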

Done......during the process I noticed it said it could not find a /system32/combofix file of some type. Anyway it seems to have run ok. I'm attaching the combofix.txt.

So do you think I'm clean? What are the orphaned registry leftovers?

Thanks again

ComboFix.txt

  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Okay...I did that. I guess it uninstalled combofix. Why did I want to do that? I kind of thought I was cleaned up and ok. Although one of the "symptoms" was I was unable to go to a restore point while I was infected. I've not looked into that. If I run combofix again in the future should I use the one I dropped the CFScript into?

Thanks

  • Staff

Hi,

Combofix is a tool that cannot be used without supervision, so that's why I asked you to uninstall it.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :)

WOW!!...Thanks so much, I'll do all of that and thanks again!!
