 |  |  |  |  |  |  |  |
Trojan Problem
Thread Solved |
•
•
Join Date: Aug 2003
Posts: 9,639
Reputation: 
Solved Threads: 500
the virus alert by the date and be removed in control panel under ,Regional and language setting ,in there go to customize and time and you will see it there just choose one of the other time settings
Linux boot cd http://www.knopper.net/knoppix/index-en.html
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Main problem, caper, is to get any exes to run. Most sys ones do, but not sfc.exe, and not so far any tool exes I have suggested. It's fun.... may be a simple blacklist at work, but it is not started via the methods that hijackthis lists.
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
Last edited by gerbil; Oct 4th, 2008 at 10:24 am.
Deep, deep in the woods, but walking about.
•
•
Join Date: Nov 2007
Posts: 64
Reputation:
Solved Threads: 7
Junior Poster in Training
use this software to get rid of restrictive policies
Dial-A-Fix
it will get rid of the block task manager and most other restrictive policies
Dial-A-Fix
it will get rid of the block task manager and most other restrictive policies
Last edited by comlor; Oct 6th, 2008 at 3:49 am.
**Please be detailed in your questions. Let us know what you have tried, the exact details of your problem**
**Try to help yourself 1st. You will get more respect from posters if you attempt to help yourself before posting questions**
**Try to help yourself 1st. You will get more respect from posters if you attempt to help yourself before posting questions**
Great news. I renamed combofix and its working. So currently I am running combofix. Should I run any of the other files too when it finishes?
I have attatched the log file.
I have attatched the log file.
Last edited by weasel7711; Oct 7th, 2008 at 8:26 am.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Ah, nice, weasel.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.
Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.
Killall::
File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
Last edited by gerbil; Oct 7th, 2008 at 9:42 am.
Deep, deep in the woods, but walking about.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:
The new CFScript.txt:
Killall::
File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00 Deep, deep in the woods, but walking about.
OK it seems like everything is working great now. After I ran combofix and SDFix the taskmanager was enabled and explorer stopped committing suicide repeatedly.
I ran MBAM twice. First time I ran it it found a bunch of malware, so I have attatched the logs from before i cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
I ran MBAM twice. First time I ran it it found a bunch of malware, so I have attatched the logs from before i cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Weasel, could you post the combofix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.
And the SDFix log; it's saved into the SDFix folder as Report.txt.
Last edited by gerbil; Oct 7th, 2008 at 11:38 pm.
Deep, deep in the woods, but walking about.
 |
Similar Threads
- Trojan Problem - Hijackthis log posted (Viruses, Spyware and other Nasties)
- Probable Trojan Problem (Viruses, Spyware and other Nasties)
- Possible trojan problem: Hijack this log (Viruses, Spyware and other Nasties)
- wdm.dll backdoor.trojan (Viruses, Spyware and other Nasties)
- Trojan Problem (Viruses, Spyware and other Nasties)
Other Threads in the Windows NT / 2000 / XP Forum
- Previous Thread: Strange File in Win XP
- Next Thread: Reading guide line
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Windows NT / 2000 / XP Posts
- Today's Posts
- Unanswered Threads
.net 64bit 2007 2010 a.exe activedirectory address android apache appstore automatically black blue bsod bulletin canonical chinese chkdsk codeplex combofix cursor deployment deployments desktop dns drive dual eartlink error explorer fax features fontmanagers format framework freeze hardware home internet interoperability laptop laptops lcd linux login mac markshuttleworth memory microsoft monitor motionle1600 netbooks novell nvidia open opensource operatingsystems options oracle osinstallationproblem osx palm partition printer program proxy reformat remotedesktop repair replacingraiddrive retail retrieve screen security sharepoint simplifiedchinese sitetositevpn slowperformance sp3 spyware studios technology ubuntu uninstall update upgrade videodrivers videogames virus vista visual vpn win win32/heur windows windows7 windowsxp windowsxpnotstartingup. xp xpde
