 |  |  |  |  |  |  |  |
Trojan Problem
Thread Solved |
•
•
Join Date: Aug 2003
Posts: 9,759
Reputation: 
Solved Threads: 511
the virus alert by the date and be removed in control panel under ,Regional and language setting ,in there go to customize and time and you will see it there just choose one of the other time settings
Fallen Heroes Song ,
http://www.youtube.com/watch?v=-RfXBB0BRHY
Going with the Flow ,but the water is low and the rocks are big
http://www.youtube.com/watch?v=-RfXBB0BRHY
Going with the Flow ,but the water is low and the rocks are big
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Main problem, caper, is to get any exes to run. Most sys ones do, but not sfc.exe, and not so far any tool exes I have suggested. It's fun.... may be a simple blacklist at work, but it is not started via the methods that hijackthis lists.
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
Last edited by gerbil; Oct 4th, 2008 at 10:24 am.
Deep, deep in the woods, but walking about.
•
•
Join Date: Nov 2007
Posts: 64
Reputation:
Solved Threads: 7
Junior Poster in Training
use this software to get rid of restrictive policies
Dial-A-Fix
it will get rid of the block task manager and most other restrictive policies
Dial-A-Fix
it will get rid of the block task manager and most other restrictive policies
Last edited by comlor; Oct 6th, 2008 at 3:49 am.
**Please be detailed in your questions. Let us know what you have tried, the exact details of your problem**
**Try to help yourself 1st. You will get more respect from posters if you attempt to help yourself before posting questions**
**Try to help yourself 1st. You will get more respect from posters if you attempt to help yourself before posting questions**
•
•
Join Date: Oct 2007
Posts: 52
Reputation:
Solved Threads: 0
Junior Poster in Training
I will try that when I get out of work this evening. Thanks for the help guys.
•
•
Join Date: Oct 2007
Posts: 52
Reputation:
Solved Threads: 0
Junior Poster in Training
Great news. I renamed combofix and its working. So currently I am running combofix. Should I run any of the other files too when it finishes?
I have attatched the log file.
I have attatched the log file.
Last edited by weasel7711; Oct 7th, 2008 at 8:26 am.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Ah, nice, weasel.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.
Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.
Killall::
File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
Last edited by gerbil; Oct 7th, 2008 at 9:42 am.
Deep, deep in the woods, but walking about.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:
The new CFScript.txt:
Killall::
File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00 Deep, deep in the woods, but walking about.
•
•
Join Date: Oct 2007
Posts: 52
Reputation:
Solved Threads: 0
Junior Poster in Training
OK it seems like everything is working great now. After I ran combofix and SDFix the taskmanager was enabled and explorer stopped committing suicide repeatedly.
I ran MBAM twice. First time I ran it it found a bunch of malware, so I have attatched the logs from before i cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
I ran MBAM twice. First time I ran it it found a bunch of malware, so I have attatched the logs from before i cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Weasel, could you post the combofix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.
And the SDFix log; it's saved into the SDFix folder as Report.txt.
Last edited by gerbil; Oct 7th, 2008 at 11:38 pm.
Deep, deep in the woods, but walking about.
 |
Similar Threads
- Trojan Problem - Hijackthis log posted (Viruses, Spyware and other Nasties)
- Probable Trojan Problem (Viruses, Spyware and other Nasties)
- Possible trojan problem: Hijack this log (Viruses, Spyware and other Nasties)
- wdm.dll backdoor.trojan (Viruses, Spyware and other Nasties)
- Trojan Problem (Viruses, Spyware and other Nasties)
Other Threads in the Windows NT / 2000 / XP Forum
- Previous Thread: Strange File in Win XP
- Next Thread: Reading guide line
| Thread Tools | Search this Thread |
Latest Windows NT / 2000 / XP Posts
- Today's Posts
- Unanswered Threads
Related Forum Features
Tag cloud for Windows NT / 2000 / XP
.net 3.5 3daccelertion 64bit 2007 2010 a.exe activedirectory address alaris android apache application appstore arm automatically black blue boot bsod canonical chinese codeplex combofix computerfreezes cursor deployment desktop desktops domain downloads drive eartlink error explorer fax firefox fonts format framework freeze gadgets home install intel internet laptop latitude linux mac markshuttleworth microsoft mobile monitor netbooks nvidia open opensource operatingsystems options osinstallationproblem palm partition patch port printer program proxy raid rds reformat remotedesktop remotedesktopconnection repair replacingraiddrive retrieve screen server. sharepoint simplifiedchinese sitetositevpn slowperformance sp1 studios ubuntu unreadable update upgrade videodrivers virtual virus volume vpn vulnerability window windows windows7 windowsxp xp xpde
