nobbie Posted June 6, 2010 ID:263114 Share Posted June 6, 2010 Can anyone tell me how to delete these files plsMalwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4172Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 8.0.6001.1870207/06/2010 00:01:04mbam-log-2010-06-07 (00-01-04).txtScan type: Quick scanObjects scanned: 129066Time elapsed: 7 minute(s), 59 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 10Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVFLTIP (Rogue.UnVirex) -> No action taken.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DrvFltIp (Rogue.UnVirex) -> No action taken.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
nobbie Posted June 7, 2010 Author ID:263272 Share Posted June 7, 2010 Hi i'm looking for any help pls as im unable to use my pc as it wont let me access the internet but when i scan it comes up with about 11 backdoor.bot virses Link to post Share on other sites More sharing options...
Blade81 Posted June 7, 2010 ID:263604 Share Posted June 7, 2010 Hi,Let MBAM delete its findings.Download DDS and save it to your desktop from here or here or here.Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt Attach.txt[*]Save both reports to your desktop. Post them back to your topic.Download GMER here by clicking download exe -button and then saving it your desktop:Double-click .exe that you downloadedClick rootkit-tab, uncheck files option and then click scan.Don't check Show All box while scanning in progress!When scanning is ready, click Copy.This copies log to clipboardPost log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Link to post Share on other sites More sharing options...
nobbie Posted June 8, 2010 Author ID:263926 Share Posted June 8, 2010 Here.....Attach.txtDDS.txt Link to post Share on other sites More sharing options...
nobbie Posted June 8, 2010 Author ID:263934 Share Posted June 8, 2010 And here thank you ....rsp0zj71.zip Link to post Share on other sites More sharing options...
Blade81 Posted June 8, 2010 ID:263972 Share Posted June 8, 2010 Hi,Seems that you attached zipped GMER program instead of posting its log. Please post the log. Link to post Share on other sites More sharing options...
nobbie Posted June 8, 2010 Author ID:264057 Share Posted June 8, 2010 Hope this is rightscan2.txt Link to post Share on other sites More sharing options...
nobbie Posted June 8, 2010 Author ID:264065 Share Posted June 8, 2010 latest scanmbam_log_2010_06_08__17_31_36_.txt Link to post Share on other sites More sharing options...
Blade81 Posted June 8, 2010 ID:264081 Share Posted June 8, 2010 Hi,Yes, that's correct one. Thank you.Please visit this webpage for download links, and instructions for running ComboFix tool:http://www.bleepingcomputer.com/combofix/how-to-use-combofixPlease ensure you read this guide carefully first.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, linkRemember to re-enable them afterwards.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:C:\ComboFix.txtNew dds log.A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use. Link to post Share on other sites More sharing options...
nobbie Posted June 8, 2010 Author ID:264182 Share Posted June 8, 2010 Hiscan2.txtDDS2.txtlog.txt Link to post Share on other sites More sharing options...
Blade81 Posted June 9, 2010 ID:264422 Share Posted June 9, 2010 Hi,Are you aware of Spysure keylogger presence? Link to post Share on other sites More sharing options...
nobbie Posted June 9, 2010 Author ID:264448 Share Posted June 9, 2010 Yes i am was used to catch someone cheating Link to post Share on other sites More sharing options...
Blade81 Posted June 9, 2010 ID:264632 Share Posted June 9, 2010 MBAM likely alarmed some parts of that program. If it's ok I can provide instructions for removing Spysure. If not then I don't see anything else there. Link to post Share on other sites More sharing options...
nobbie Posted June 9, 2010 Author ID:264737 Share Posted June 9, 2010 Please do i did try to unistall it but it would not let me... Link to post Share on other sites More sharing options...
Blade81 Posted June 10, 2010 ID:264993 Share Posted June 10, 2010 Hi again,Open notepad and copy/paste the text in the quotebox below into it:DirLook::c:\windows\system32\folderDriver::ashprotspyserviceDrvFltIpFile::c:\windows\system32\DrvFltIp.sysc:\windows\system32\ashprot.sysFolder::c:\documents and settings\All Users\Application Data\spysureSave this asCFScriptA word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exeThen post the resultant log.Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...Updating Java:Download the latest version of Java Runtime Environment (JRE) 6 Update 20.Click theDownload button to the right.Select Windows on platform combobox and check the box that says:Accept License Agreement. Click continue.The page will refresh.Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.Check any item with Java Runtime Environment (JRE or J2SE) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.Download ATF (Atribune Temp File) Cleaner Link to post Share on other sites More sharing options...
nobbie Posted June 10, 2010 Author ID:265363 Share Posted June 10, 2010 Hicombofix1.txt Link to post Share on other sites More sharing options...
nobbie Posted June 10, 2010 Author ID:265397 Share Posted June 10, 2010 hiAttach3.txtDDS3.txtkasp.txt Link to post Share on other sites More sharing options...
Blade81 Posted June 11, 2010 ID:265561 Share Posted June 11, 2010 Hi,Open notepad and copy/paste the text in the quotebox below into it:Folder::c:\windows\system32\folderSave this asCFScriptA word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exeThen post the resultant log.How's the system running now? Link to post Share on other sites More sharing options...
nobbie Posted June 11, 2010 Author ID:265706 Share Posted June 11, 2010 yes it does seem to run faster ....log3.txt Link to post Share on other sites More sharing options...
Blade81 Posted June 11, 2010 ID:265803 Share Posted June 11, 2010 Good. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.THESE STEPS ARE VERY IMPORTANTLet's reset system restoreReset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.1. Turn off System Restore.On the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK.2. Reboot.3. Turn ON System Restore.On the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.NOTE: only do this ONCE,NOT on a regular basisNow lets uninstall ComboFix:Click START then RUNNow copy-paste Combofix /uninstall in the runbox and click OKPlease download OTC and save it to desktop.Double-click OTC.exe.Click the CleanUp! button.Select Yes when the Begin cleanup Process? prompt appears.If you are prompted to Reboot during the cleanup, select Yes.The tool will delete itself once it finishes, if not delete it by yourself.Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.UPDATING WINDOWS AND INTERNET EXPLORERIMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.Make your Internet Explorer more secureThis can be done by following these simple instructions:From within Internet Explorer click on the Tools menu and then click on Options.Click once on the Security tabClick once on the Internet icon so it becomes highlighted.Click once on the Custom Level button.Change the Download signed ActiveX controls to PromptChange the Download unsigned ActiveX controls to DisableChange the Initialize and script ActiveX controls not marked as safe to DisableChange the Installation of desktop items to PromptChange the Launching programs and files in an IFRAME to PromptChange the Navigate sub-frames across different domains to PromptWhen all these settings have been made, click on the OK button.If it prompts you as to whether or not you want to save the settings, press the Yes button.Next press the Apply button and then the OK to exit the Internet Properties page.The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.hosts file:Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok[*]Run Secunia vulnerability check here and fix its findings.Just a final reminder for you. I am trying to stress these two points.UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.Make sure all of your security programs are up to date.Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.Once again, please post and tell me how things are going with your system... problems etc.Have a great day,Blade Link to post Share on other sites More sharing options...
nobbie Posted June 12, 2010 Author ID:266136 Share Posted June 12, 2010 Hi blade many thanks for your help did a scan and nothing showed up many thanks again.RdgsAnthony Link to post Share on other sites More sharing options...
Blade81 Posted June 12, 2010 ID:266140 Share Posted June 12, 2010 You're welcome Link to post Share on other sites More sharing options...
Recommended Posts