Page 4 of this multi-page discussion thread
Oct 4th, 2008

Re: Trojan Problem

The virus alert by the date can be removed in Control Panel under Regional and Language Settings: in there go to Customize, then Time, and you will see it there; just choose one of the other time settings.
-- caperjack
Oct 4th, 2008

Re: Trojan Problem

Main problem, caper, is to get any exes to run. Most sys ones do, but not sfc.exe, and not so far any tool exes I have suggested. It's fun.... may be a simple blacklist at work, but it is not started via the methods that hijackthis lists.
Weasel, combofix: rename the desktop icon to MyCF55.exe, then double-click it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so and delete itself; then download a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
Last edited by gerbil; Oct 4th, 2008 at 10:24 am.
-- gerbil
Oct 6th, 2008

Re: Trojan Problem

Use this software to get rid of restrictive policies:

Dial-A-Fix

It will get rid of the Task Manager block and most other restrictive policies.
Last edited by comlor; Oct 6th, 2008 at 3:49 am.
-- comlor
Oct 6th, 2008

Re: Trojan Problem

I will try that when I get out of work this evening. Thanks for the help, guys.
-- weasel7711
Oct 7th, 2008

Re: Trojan Problem

Great news. I renamed combofix and it's working, so currently I am running combofix. Should I run any of the other files too when it finishes?

I have attached the log file.
Attached file: ComboFix.txt (10.3 KB)
Last edited by weasel7711; Oct 7th, 2008 at 8:26 am.
-- weasel7711
Oct 7th, 2008

Re: Trojan Problem

Ah, nice, weasel.
Again, please disconnect from the web and turn off your antivirus, antispyware and firewall for the duration of this scan.
Copy the text in the box to Notepad [Format / Word Wrap unchecked] and save it as CFScript.txt to where you saved Combofix, that is, to your desktop.
Killall::

File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00

Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
Last edited by gerbil; Oct 7th, 2008 at 9:42 am.
-- gerbil
Oct 7th, 2008

Re: Trojan Problem

Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The Vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his system, and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:
Killall::

File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
-- gerbil
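The registry locations gerbil's script touches (Browser Helper Object CLSIDs, a ShellExecuteHooks entry, a Winlogon Notify package, and the LSA "Authentication Packages" value, where hex(7):6d,73,76,31,5f,30,00,00 is the ASCII bytes of "msv1_0" plus the double NUL that ends a REG_MULTI_SZ list, i.e. the stock MSV1_0 package written back) and the policy values comlor's Dial-A-Fix suggestion clears are the places worth checking before and after a cleanup like this one. The following read-only PowerShell audit is an added example written for this page; it is not part of the thread and is not ComboFix or Dial-A-Fix code. What it treats as "expected" (only msv1_0 in Authentication Packages, an existing Authenticode-signed DLL behind each hook) is an assumption for illustration, not an allowlist from the thread.

```powershell
# Added example (not from the thread): read-only audit of the persistence points
# and lockout policies discussed above. Run as an administrator; it changes nothing.
# Assumption for illustration: a clean box has only 'msv1_0' in
# LSA\Authentication Packages and every hook CLSID resolves to an existing,
# Authenticode-signed DLL. Anything else is reported for a closer look.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A COM in-proc server's DLL is the (default) value of CLSID\{...}\InprocServer32.
    $srv = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -Path $srv) { return (Get-ItemProperty -Path $srv).'(default)' }
    return $null
}

function Get-DllStatus {
    param([string]$Path)
    if (-not $Path) { return 'no InprocServer32 entry' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return "$Path (file missing)" }
    $status = (Get-AuthenticodeSignature -FilePath $expanded).Status
    return "$Path (signature: $status)"
}

$findings = @()

# 1. Policies that malware sets to lock the user out of Task Manager and regedit.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path -Path $pol) {
        $p = Get-ItemProperty -Path $pol
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { $findings += "POLICY  $pol\$name = 1" }
        }
    }
}

# 2. Browser Helper Objects (one subkey per CLSID) and ShellExecuteHooks
#    (one value per CLSID); both load their DLL into explorer.exe / iexplore.exe.
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -Path $bho) {
    foreach ($k in Get-ChildItem -Path $bho) {
        $findings += "BHO     $($k.PSChildName) -> $(Get-DllStatus (Resolve-ClsidDll $k.PSChildName))"
    }
}
$seh = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path -Path $seh) {
    foreach ($prop in (Get-ItemProperty -Path $seh).PSObject.Properties) {
        if ($prop.Name -like '{*}') {
            $findings += "SEHOOK  $($prop.Name) -> $(Get-DllStatus (Resolve-ClsidDll $prop.Name))"
        }
    }
}

# 3. Winlogon Notify packages: each subkey's DLLName is loaded by winlogon.exe.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -Path $notify) {
    foreach ($k in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $k.PSPath).DLLName
        $findings += "NOTIFY  $($k.PSChildName) -> $(Get-DllStatus $dll)"
    }
}

# 4. LSA Authentication Packages: a REG_MULTI_SZ loaded into lsass.exe. The stock
#    value is the single string 'msv1_0'; an extra entry here is a DLL that will
#    run inside LSASS at every boot (assumed baseline, see note above).
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa'
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($pkg -ne 'msv1_0') { $findings += "LSA     Authentication Packages contains '$pkg'" }
}

if ($findings.Count -eq 0) { 'Nothing unexpected at the audited locations.' } else { $findings }
```

The listing is deliberately not a cleaner: it prints every hook it finds, with the resolved DLL and its signature status, so the operator can compare the output against a script like the one above before and after running it, rather than trusting a tool's verdict blindly.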
Oct 7th, 2008

Re: Trojan Problem

OK, it seems like everything is working great now. After I ran combofix and SDFix the Task Manager was enabled and explorer stopped committing suicide repeatedly.

I ran MBAM twice. The first time I ran it, it found a bunch of malware, so I have attached the logs from before I cleaned and after I cleaned, and then the third log from when I ran it a second time once I restarted.
Attached files:
mbam-log-2008-10-07 (21-05-01).txt (3.1 KB)
mbam-log-2008-10-07 (21-05-24).txt (3.5 KB)
mbam-log-2008-10-07 (21-56-27).txt (845 Bytes)
-- weasel7711
Oct 7th, 2008

Re: Trojan Problem

Weasel, could you post the combofix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.
Last edited by gerbil; Oct 7th, 2008 at 11:38 pm.
-- gerbil
Oct 8th, 2008

Re: Trojan Problem

NP
Attached file: log.txt (27.8 KB)
-- weasel7711

This thread is solved

© 2011 DaniWeb® LLC