gerbil 216 Industrious Poster

Looks okay, except that I do not know this one:
O4 - HKLM\..\Run: [Recorder.exe] [INSTALLDIR]Recorder.exe
...check the file's properties if you don't know it.

gerbil 216 Industrious Poster

Hello, pjf, this should restore your desktop icon functions.

Copy these downloads into the pc. They fit on a floppy.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.

gerbil 216 Industrious Poster

Hello, nd..
I see in this SMF log [an option 1 scan pass] -Scan done at 8:46:25.52, Fri 11/02/2007
...these entries:
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\bxsbang.dll FOUND !
C:\WINDOWS\movctrlswd.dll FOUND !
C:\WINDOWS\ocgrep.dll FOUND !

-but I don't see a log from option 2 [a cleaning pass] which would have deleted them.
SMF is a tool which should not be run multiple times - if set to clean and it finds no infection it breaks your desktop.
I think that last SMF log you posted could be the result of your setting some spyware guard with one of your tools which sets entries in your hosts file to block bad sites... in this case thousands of them. SMF could not handle it.
-anyway the log is incomplete.
Please remove that spyware hosts file guard and run SMF option 1 again and post the log, only that log.

gerbil 216 Industrious Poster

"LOL - the Mercedes forums are full of stuff about those two parts!"
Oh Boy!! that tickles me!! hehe....
Moby Dick. You read that to stay awake. Oh dear...

gerbil 216 Industrious Poster

Fair enough..... it is used a lot for hidden page content.... don't you know, it's mostly advertising.

gerbil 216 Industrious Poster

Hiya, caperjack.... yeah, they can be a pest, I will admit, especially if you're using the copy function. Amazing how often the selection you want ends on one of those critters.
I use FF also, look under tools, options, content tab, javascript check box [not java...], but you knew where it was, didn't you?... too late, I posted already.
Newspapers are a conspiracy to get us interested in stuff that normally would not bother us - this is a big world, they try desperately to make it like it's all just down the road a bit. I just cannot get involved in a bus falling off a cliff in Nicaragua....
Books? there is another world in books....

gerbil 216 Industrious Poster

There is always a way. Or two....
1] don't mouse-over them - they are pretty obvious to see. Usually.
2] because they use javascript, disable that in your browser. But you might miss it.
That is about it. Try not to use your pointer as a reading aid, books n newspapers don't have em.... if the mouse-over is very brief they should not respond.

gerbil 216 Industrious Poster

Did you miss this one or did it come back?:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
Fix it also; post that SMF log too....

gerbil 216 Industrious Poster

You can do all this in safe mode:
Run Smitfraudfix option2.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
O2 - BHO: MSVPS System - {64DE95E5-0A25-4DD9-A472-97BC1D419101} - C:\WINDOWS\movctrlswd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {2106BEDE-F5E8-4DE8-A081-A7E5EAD1529B} - (no file)

Good. Delete this file [SMF should have done it already..]:
C:\WINDOWS\movctrlswd.dll
Next delete the MyWay files/folder in Program Files.

Post that log, and a fresh hijackthis log from normal mode.
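A small triage script for HijackThis lines of the kind fixed in this thread, as an added example that is not from the original posts: it parses R0/O2/O3/O4/O15/O20 entries, pulls out the CLSID and file path, and flags the orphaned "(no file)"/"(file missing)" entries and the autorun patterns the thread treats as suspect. The sample log and the flagging rules are constructed for the example; a flag means "look at this", not "malware".

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample built from HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
O2 - BHO: MSVPS System - {64DE95E5-0A25-4DD9-A472-97BC1D419101} - C:\WINDOWS\movctrlswd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {2106BEDE-F5E8-4DE8-A081-A7E5EAD1529B} - (no file)
O4 - HKLM\..\Run: [580eaae6] rundll32.exe "C:\WINDOWS\system32\vdwrcaiu.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [wlnlogon] C:\WINDOWS\System.exe
O15 - Trusted Zone: *.doginhispen.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

# "O2 - rest of line": the section code, then the entry body
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r"[A-Za-z]:\\[^\"',]+\.dll", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    clsid: str = ""
    path: str = ""
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Entry:
    """Split one HijackThis line into section code, body, CLSID and path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    e = Entry(m["code"], m["body"])
    c = CLSID_RE.search(e.body)
    if c:
        e.clsid = c.group(0).upper()
    # O2/O3 entries end with " - <path>" (or "(no file)"); O4 carries a command
    if e.code in ("O2", "O3"):
        e.path = e.body.rsplit(" - ", 1)[-1]
    r = RUN_RE.match(e.body) if e.code == "O4" else None
    if r:
        e.path = r["cmd"]
    return e


def triage(e: Entry) -> Entry:
    """Attach review reasons; constructed heuristics, not a verdict."""
    body = e.body
    if "(no file)" in body or "(file missing)" in body:
        e.reasons.append("orphaned: registry entry points at a file that no longer exists")
    if e.code == "O4":
        r = RUN_RE.match(body)
        if r and "rundll32" in r["cmd"].lower() and DLL_RE.search(r["cmd"]):
            e.reasons.append("autorun loads a DLL through rundll32.exe")
        if r and "Policies\\Explorer\\Run" in r["key"]:
            e.reasons.append("autorun set through the Policies\\Explorer\\Run key")
    if e.code == "O15":
        e.reasons.append("domain added to the IE Trusted Zone")
    if e.code == "O20" and "Winlogon Notify" in body:
        e.reasons.append("Winlogon Notify package: loaded at every logon")
    return e


def review_log(text: str) -> List[Entry]:
    return [triage(parse_entry(line)) for line in text.splitlines() if line.strip()]


def flagged(text: str) -> List[Entry]:
    return [e for e in review_log(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.code, e.path or e.body, "->", "; ".join(e.reasons))
```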

gerbil 216 Industrious Poster

Hello again, lofti. It all looks good now; just tidy up by fixing these two entries with hijackthis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

This is very important though [as pointed out by HBK...]:
==Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.3 is current....
Do that and you should be free to roam safely again.
Cheers, g.

gerbil 216 Industrious Poster

I do like the look of that run, Lofti. Could I have a fresh hijackthis log to check and to tidy things up with, please?

gerbil 216 Industrious Poster

G'day, Lofti,
a couple of your Folder Options settings have been changed: in an Explorer window go Tools, Folder Options, View and
-select Show hidden files and folders,
-uncheck Hide extensions for known file types,
Apply n OK.
Good. Now rename C:\WINDOWS\SYSTEM32\windrv.sbak.sys to windrv.sys -it appears safe.
That Combofix log does not look right, and I see why - all my fault, a spelling [syntax, really] error in that text file I gave you. Delete it [it has a time stamp added now].
Here is the corrected one, save it as CFScript.txt alongside Combofix as before and drag it onto it:
If Combofix does not run correctly and produce a log you will need to dl a fresh copy.
__________________________________________________________
File::
C:\WINDOWS\SYSTEM32\onhubpoy.dll
C:\WINDOWS\SYSTEM32\pkdbuhby.dll
C:\WINDOWS\SYSTEM32\mfifmgfc.dll
C:\WINDOWS\SYSTEM32\gtnkrroc.dll
C:\WINDOWS\SYSTEM32\rgpkrjxi.dll
C:\WINDOWS\SYSTEM32\hddfkcbv.dll
C:\WINDOWS\SYSTEM32\orgwjmte.dll
C:\WINDOWS\SYSTEM32\pmnnopn.dll
C:\WINDOWS\browser.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"580eaae6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkdbuhby]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

My apologies.....

gerbil 216 Industrious Poster

Hi, lofti [k, that's the last play on your name, I promise], you have a tough pest there, and a part of it changes its name whenever your sys is restarted so if you have turned off your machine since you last posted some of this may not work, but we can rerun later.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -ie a folder or your desktop.
__________________________________________________________
Files::
C:\WINDOWS\SYSTEM32\onhubpoy.dll
C:\WINDOWS\SYSTEM32\pkdbuhby.dll
C:\WINDOWS\SYSTEM32\mfifmgfc.dll
C:\WINDOWS\SYSTEM32\gtnkrroc.dll
C:\WINDOWS\SYSTEM32\rgpkrjxi.dll
C:\WINDOWS\SYSTEM32\hddfkcbv.dll
C:\WINDOWS\SYSTEM32\orgwjmte.dll
C:\WINDOWS\SYSTEM32\pmnnopn.dll
C:\WINDOWS\browser.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"580eaae6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkdbuhby]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icons if on your desktop, or the filenames if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

Please browse to :
C:\WINDOWS\SYSTEM32\windrv.sys -rename it to windrv.sbak.
Go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination.
All done? Post the combofix log with a fresh hijackthis scan log plus the virus scan result.

gerbil 216 Industrious Poster

Mmm.. that is nice, ablrider.
Unfortunately, lofti's malware is protected and tougher. I'll work on it tonight, loft, in about 5hrs or so.

gerbil 216 Industrious Poster

Lo, lofti..
....you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
May I ask, had you already fixed some entries in your hijackthis log? I ask because some things I was expecting to see in the tools' logs are not there....?
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
==Please start hijackthis, -select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [580eaae6] rundll32.exe "C:\WINDOWS\system32\vdwrcaiu.dll",b
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\ondsrngo.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O20 - AppInit_DLLs: 22.dll

Good.
Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\vdwrcaiu.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
C:\WINDOWS\SYSTEM32\ondsrngo.exe
C:\WINDOWS\SYSTEM32\22.dll

>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
=Okay, …

gerbil 216 Industrious Poster

Hello, lofti...
as Suspishio pointed out your sys is loaded, he has identified the culprits, more are hidden. I understand your trepidation - we can automate the removals if you wish....
Open a windows explorer folder, > tools > folder options > view, and
-press Show hidden files and folders
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

It appears that you have …

gerbil 216 Industrious Poster

D'you see that? D'you see that?!! It actually went through! Wheee...!
But it popped up a new bak folder, albeit an empty one so let's delete that one and hope it finds no more:
Option 3 again, with this lonely entry to paste in:

C:\PROGRA~1\IBM\MYHELP~1\PLUGINS\BAK

And finally for neatness sake you can fix this entry with hijackthis:

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

And that should almost do it, sreddy.... this time post only the notepad produced by FindAwf, please.

gerbil 216 Industrious Poster

Whoops!! Use this set, NOT the previous one, sreddy, that one is bound to fail....
Sigh.

C:\Program Files\C4ebreg\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\VideoraiPodConverter\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\ATI Technologies\ATI.ACE\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\IBM\Personal Communications\bak
C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\ThinkPad\ConnectUtilities\bak
C:\Program Files\ThinkPad\Utilities\bak
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak
C:\Program Files\Common Files\Lenovo\Scheduler\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\IBM\SQLLIB\BIN\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak

gerbil 216 Industrious Poster

Hi, sreddy, that log is clean, so was the AVG scan.. [do you actually own IBM?.. cos you've got all their software there.. :)]
Ok, give option 3 one more shot with this set of folders to delete; if it fails then sorry, but it will come down to manual deletion. Automating it for you with a script would probably take just as long for me to write as for you to do them by hand...

C:\Program Files\C4ebreg\bak\c4ebreg.exe
C:\Program Files\C4ebreg\bak\isamtray.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\VideoraiPodConverter\bak\VideoraiPodConverter.exe
C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Google\Google Talk\bak\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Talk\bak\googletalk.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\IBM\Personal Communications\bak\tpam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe
C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\IBM\SQLLIB\BIN\bak\db2systray.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\delayStart.exe

Good luck.

gerbil 216 Industrious Poster

A damsel in distress.... okay.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and …

gerbil 216 Industrious Poster

Thank you for that, sreddy. Some of the google etc files have no bak files but are represented in the AWF scan. There may be something interfering with the cleanup. Run ATF cleaner again [instructions given again] and then use AVG AS - it will clean any AWF files it finds.
Please fix this entry with hijackthis:

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file with a fresh hijackthis scan log please..

gerbil 216 Industrious Poster

Hello, sreddy, it appears that FindAWF is having problems.
It looks like you uninstalled the Google tools etc, and iTunes, but after the trojan had copied out some files...? To simplify the copying of the backed up files it would be good if you were to delete files and folders which you have uninstalled or deleted since the trojan copied them out of their normal directories. So...
Did you uninstall all of Google toolbar, Video Player, Google Talk?
Did you uninstall iTunes, Quicktime?
[what I am trying to say is that it appears that some trojan bak directories are for files that no longer exist, which is not a problem, but means that we could simplify the process. Of course all those bak files in the last list I gave could be deleted manually, it would be tedious though.]

gerbil 216 Industrious Poster

sreddy, that last option 3 run barely worked; only a couple of folders were deleted. Could you try it again with this list please?

"C:\Program Files\C4ebreg\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\iTunes\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\VideoraiPodConverter\bak"
"C:\Program Files\Analog Devices\Core\bak"
"C:\Program Files\ATI Technologies\ATI.ACE\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\IBM\Personal Communications\bak"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\Utilities\bak"
"C:\WINDOWS\ime\IMJP8_1\bak"
"C:\WINDOWS\system32\dla\bak"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\IBM\SQLLIB\BIN\bak"
"C:\Program Files\Java\jre1.6.0_02\bin\bak"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak"
"C:\WINDOWS\system32\IME\TINTLGNT\bak"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak"

gerbil 216 Industrious Poster

It seemed to copy all the files back. Now this:
-option 3: start the program again, select to remove bak folders, into the text file that opens paste all the text between the lines:
_____________________________________________________________

"C:\sdwork\bak"
"C:\sdwork\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\iTunes\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\VideoraiPodConverter\bak"
"C:\WINDOWS\system32\bak"
"C:\Program Files\Analog Devices\Core\bak"
"C:\Program Files\ATI Technologies\ATI.ACE\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\IBM\Personal Communications\bak"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\Utilities\bak"
"C:\WINDOWS\ime\IMJP8_1\bak"
"C:\WINDOWS\system32\dla\bak"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\IBM\SQLLIB\BIN\bak"
"C:\Program Files\Java\jre1.6.0_02\bin\bak"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak"
"C:\WINDOWS\system32\IME\TINTLGNT\bak"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\"
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.

gerbil 216 Industrious Poster

FindAWF -option 2:dclick the .exe to start the program, select to restore files, into the text file that opens paste in all the text between the lines:
_____________________________________________________________
"C:\sdwork\bak\issimsvc.exe"
"C:\sdwork\bak\w32main2.exe"
"C:\Program Files\C4ebreg\bak\c4ebreg.exe"
"C:\Program Files\C4ebreg\bak\isamtray.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\VideoraiPodConverter\bak\VideoraiPodConverter.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\IBM\Personal Communications\bak\tpam.exe"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe"
"C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe"
"C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\IBM\SQLLIB\BIN\bak\db2systray.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\delayStart.exe"
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.
=Please uninstall via CP all old versions of Java.

gerbil 216 Industrious Poster

Please use hijackthis to fix this entry:

O15 - Trusted Zone: *.doginhispen.com

You have a trojan downloader that has replaced many of your system files with infected copies, so next...
==Please dl this file from http://noahdfear.geekstogo.com/FindAWF.exe
-dclick the .exe to start the program, type 1 and enter to start the process. Please post the contents of the notepad that opens.
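An audit of the bak-folder pattern described in this post and in the FindAWF posts above (originals moved into a bak subfolder, a replacement left in their place), as an added example that is not from the original posts or from FindAWF: it walks a tree, pairs every file in a bak folder with the same-named file one level up, and reports by SHA-256 whether the live copy differs, matches, or is gone. The directory tree is constructed in a temp folder using a few names from the lists above; the script only reports, it never deletes or restores.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BakReport:
    backup: str                    # file inside the bak folder
    live: str                      # where the original is expected to be
    live_exists: bool
    same_content: Optional[bool]   # None when there is no live file


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_bak_folders(root: str) -> List[BakReport]:
    """Find every 'bak' folder under root and compare each file in it with the
    same-named file in the parent folder, the place the original was moved from."""
    reports = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            exists = os.path.isfile(live)
            same = (sha256_of(backup) == sha256_of(live)) if exists else None
            reports.append(BakReport(backup, live, exists, same))
    return reports


def build_sample_tree(root: str) -> None:
    """Constructed sample mirroring three folders from the FindAWF lists above."""
    cases = {
        # bak copy differs from the live file: the live one was replaced
        os.path.join("Program Files", "QuickTime"): ("QTTask.exe", b"ORIGINAL", b"REPLACED"),
        # live file already restored: identical content
        os.path.join("Program Files", "Synaptics", "SynTP"): ("SynTPEnh.exe", b"ORIGINAL", b"ORIGINAL"),
        # program uninstalled since: only the bak copy remains
        os.path.join("Program Files", "Google", "Google Talk"): ("googletalk.exe", b"ORIGINAL", None),
    }
    for rel, (name, bak_bytes, live_bytes) in cases.items():
        folder = os.path.join(root, rel)
        os.makedirs(os.path.join(folder, "bak"), exist_ok=True)
        with open(os.path.join(folder, "bak", name), "wb") as f:
            f.write(bak_bytes)
        if live_bytes is not None:
            with open(os.path.join(folder, name), "wb") as f:
                f.write(live_bytes)


def summarize(reports: List[BakReport]) -> Dict[str, List[str]]:
    """Group the findings the way a cleanup would act on them."""
    return {
        "replaced": [r.live for r in reports if r.same_content is False],
        "restored": [r.live for r in reports if r.same_content is True],
        "orphan_bak": [r.backup for r in reports if not r.live_exists],
    }


def run_sample() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(audit_bak_folders(root))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(kind, paths)
```

A live copy that differs from its bak twin may also be a legitimate update, so treat "replaced" as a list to verify (for instance with the Jotti scan used elsewhere in this thread), not as a delete list.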

gerbil 216 Industrious Poster

Hello, Sreddy, if you still need help could you start off with this, please?
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And post a fresh hijackthis scan log also...

gerbil 216 Industrious Poster

G'day, lion.. I don't use IE7, I use IE6 only when forced to.... but folder options is part of Windows Explorer so if you do not have malware issues this reg file should fix that issue for you:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

__________________________________________________________

gerbil 216 Industrious Poster

Sorry, Aze, I let this one get by me first time round; fix it with hijackthis and then browse to and delete the file [a file of that name is, or should be, a video codec, and has no place as a BHO!]:
O2 - BHO: (no name) - {F6541F87-3C59-4858-999D-0778C26FE6E3} - C:\WINDOWS\system32\DivX.dll
Start hijackthis, select Scan Only, place a checkmark against that entry, and then press Fix Checked.
Say how things are afterward.
Actually, before you delete it it would be nice if you would have it scanned - fix the O2 entry then go to this web page http://virusscan.jotti.org/, either click browse and submit the file for examination or paste the pathname below into the window on that webpage..
C:\WINDOWS\system32\DivX.dll -and when it has been scanned delete it!!
Post the result.

gerbil 216 Industrious Poster

Hey, following the advice, feeding back and trusting is thanks enough.
Cheers.
"damn near" ??!! :) -if you wanna be more certain then this is a good scan, slow, but thorough. Run ccleaner first so we don't get to see the sites you visit..
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here if it shows up any problems [not cookies].

gerbil 216 Industrious Poster

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the …

gerbil 216 Industrious Poster

Great stuff... combofix removed those tough vundo files.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j7261231]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]

__________________________________________________________


That's just a tidy-up. Things look good in those logs but could I see the log from the smitfraudfix run2 please [for my own satisfaction].
You could just post that and tap the Solved button if your sys feels fine.

gerbil 216 Industrious Poster

Nice! Tap the solved button, please?

gerbil 216 Industrious Poster

You should be fine then, jonaske. I imagine your other sweeps got the system.exe file but left the reg entry - that would explain combofix missing it. Sometimes it is associated with rootkits.
Cheers.

gerbil 216 Industrious Poster

Not quite.. I was sure ComboFix would remove this one, but no, it did not pick it up. I am puzzled by that... So...
Fix this entry with hijackthis:

O4 - HKCU\..\Policies\Explorer\Run: [wlnlogon] C:\WINDOWS\System.exe

Browse to and delete the file:
C:\WINDOWS\System.exe

If it won't die use this deleter:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

If the file deletes and that entry is not present on a fresh hijackthis log you should be clean. Say then how your sys is, whether it freezes or not. And thanks for the feedback on the Matrix .cab file entry.
Actually, would you run this rootkit scan... and post any positive results. Do not use your computer while it scans.

==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.

gerbil 216 Industrious Poster

I am adding this section now to save you time because of lag in post/reply.
If that Vundofix refinement works after the Combofix run some of this may be redundant, but perform the whole lot anyway:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {31657B86-01E9-43C8-A0C5-F02BE201455c} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: (no name) - {9E7FA759-B446-4E57-AF42-A97A948B6CB3} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {9F0AD5E8-002F-4666-8F74-B5457C89FDD0} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {A8CE4D48-E68D-4FE4-89FE-300731C77148} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: (no name) - {C3415EC8-E19C-4147-A819-604490CEF483} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {E5D48306-2B38-4D8C-B74C-8C4F420E02F2} - C:\WINDOWS\system32\henclvoc.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gewhpgsa.dll",sitypnow
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\henclvoc.dll
C:\WINDOWS\system32\nxmjexch.dll
C:\WINDOWS\system32\ljjkheb.dll
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\gewhpgsa.dll

>In killbox, go File menu, …

gerbil 216 Industrious Poster

Cool. Now run the clean option with smitfraudfix:-
- Check that a Restore point has been made.
- Restart your computer in Safe Mode.
- Start Smitfraudfix as before and select #2 - Clean [type 2 and Enter].
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Restart in normal Windows and post here the text file which will appear on your screen, along with a new HT log.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file].

Let's force the issue with those undeletable files. This is to check for any hidden support files:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick …

gerbil 216 Industrious Poster

Hi, I am sure you will be glad to know that one of your bits of malware is a backdoor worm.
For a start go to CP, add/remove pgms and uninstall AskBar Search Assistant.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar …

gerbil 216 Industrious Poster

Jamlpr, please delete C:\vundofix.txt and run vundofix again!! until all files have been deleted. It may take a couple more passes. When all files that it detects have been deleted then you are finished with vundofix.

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
In the meantime fix these two with hijackthis, we'll get to all the others later.

O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

Post vundofix, smitfraud log and a fresh hijackthis scan log also.

gerbil 216 Industrious Poster

Hi, jamlpr, that link is up - I suspect your hosts file may be blocking you, some malware make undesirable entries...
There are tools to fix it, try this:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click Restore MS Hosts File button.
Some security applications, possibly also various malware, will lock your Hosts file [as a protection]. If HostsXpert is unable to restore your file check for applications which may have incidentally locked it. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools,Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[ but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window.

attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

-and then of course you can edit it manually [you may have to run the above command first]
A sample hosts file [mine]:-

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should …
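
Added example, not from the thread: a Python check for the hosts file problem described above. It parses the file the way Windows does (`#` comments ignored, several names per line, first matching name wins), reports every mapping other than localhost, separating names sunk to loopback or 0.0.0.0 (blocked) from names sent to some other address (redirected), and answers the question in the post directly: what address a given download host would resolve to. The sample file, the addresses in it and the short vendor-domain list are constructed for the demo, not taken from a real machine.

```python
import ipaddress

# Roughly what "Restore MS Hosts File" leaves behind (assumption: a single
# loopback line; the stock file also carries Microsoft's comment block).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative list of vendor/update domains that hijacked hosts files often
# sink to loopback so the victim cannot fetch updates or removal tools.
SECURITY_SITES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                  "mcafee.com", "kaspersky.com", "bleepingcomputer.com")

# Constructed sample of a tampered file (addresses and the bank name are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com  download.microsoft.com
127.0.0.1       siri.urz.free.fr
0.0.0.0         ads.example.net
10.0.0.5        www.mybank.example
not-an-address  whatever.example
"""


def parse_hosts(text):
    """Yield (lineno, ip_or_None, names) for each non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            yield lineno, None, parts          # garbage line, report it whole
            continue
        yield lineno, ip, parts[1:]


def audit_hosts(text):
    """Return (lineno, verdict, hostname) for every mapping that is not plain localhost."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "unparsable address", " ".join(names)))
            continue
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked (sunk to " + str(ip) + ")"
                if any(lname == s or lname.endswith("." + s) for s in SECURITY_SITES):
                    verdict = "security/update site blocked"
                findings.append((lineno, verdict, name))
            else:
                findings.append((lineno, "redirected to " + str(ip), name))
    return findings


def hosts_lookup(text, hostname):
    """Address the hosts file would hand back for hostname (first match wins), or None."""
    target = hostname.lower()
    for _, ip, names in parse_hosts(text):
        if ip is not None and target in (n.lower() for n in names):
            return str(ip)
    return None


if __name__ == "__main__":
    for lineno, verdict, name in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-32s %s" % (lineno, name, verdict))
    print("siri.urz.free.fr ->", hosts_lookup(SAMPLE_HOSTS, "siri.urz.free.fr"))
```

To check a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into a string (after the attrib command above, if the file was locked) and hand it to `audit_hosts()`. Loopback entries for ad servers are a common deliberate blocklist; loopback entries for update or security vendor sites, or anything pointing at a non-loopback address, are the ones to remove.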

gerbil 216 Industrious Poster

You say you've hit it with AV... but what about AS? The log is LOADED, and you have two resident AV services - that is not good, one is all you can run. Remove one now. You have a redirector, vundo, bunch of trojan/spywares...
Help? Okay...
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,
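
Added example, not from the thread: a Python script that reads HijackThis lines like the fix lists in the posts above and does the sorting a helper does by hand. It flags entries that point at missing files (fix the entry, nothing to delete), O20/O21/O22 load points, Run entries that start a DLL via rundll32, services living in Temp, hard-coded O17 DNS servers, random-looking DLL names, and the same DLL hooked from more than one load point; it then derives the Killbox path list from the flagged entries whose files still exist, the way the Killbox block above was derived from the O2/O4/O20 lines. The sample log is constructed (mostly entries quoted in the posts, plus a made-up Adobe BHO and SoundMan line as benign controls), and the random-name test is a heuristic that needs eyeballing, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format. Most lines are entries quoted
# in the posts above; the Adobe BHO and SoundMan lines are made-up benign
# entries so the triage has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C3415EC8-E19C-4147-A819-604490CEF483} - C:\WINDOWS\system32\ssqrr.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gewhpgsa.dll",sitypnow
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
"""

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# A Windows path ending in .dll/.exe/.sys; spaces are allowed, commas and
# quotes end it (HijackThis puts rundll32 targets in quotes).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]+?\.(?:dll|exe|sys)\b', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(filename):
    """Heuristic for generated Vundo-style names (henclvoc, nxmjexch): letters
    only and a run of four or more consonants. Needs a human eyeball: it misses
    some (iplaipl) and can hit the odd legitimate name."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not stem.isalpha():
        return False
    run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        if run >= 4:
            return True
    return False


def triage(log_text):
    """Parse HijackThis lines into dicts carrying a list of reasons to fix each
    one; an empty list means the entry looked ordinary."""
    entries = []
    by_file = defaultdict(set)      # lower-cased path -> sections that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        paths = PATH_RE.findall(body)
        missing = "(no file)" in body or "(file missing)" in body
        reasons = []
        if missing:
            reasons.append("points at a file that is not on disk: fix the entry, nothing to delete")
        if section in ("O20", "O21", "O22"):
            reasons.append(section + " load point (Winlogon Notify / SSODL / SharedTaskScheduler) is Vundo territory")
        if section == "O4" and "rundll32" in body.lower() and paths:
            reasons.append("Run entry starts a DLL through rundll32")
        if section == "O17":
            reasons.append("hard-coded DNS server; if it is not your ISP's, set the adapter back to automatic")
        if section == "O23" and any("\\temp\\" in p.lower() for p in paths):
            reasons.append("service binary sits in a Temp folder")
        for p in paths:
            base = p.rsplit("\\", 1)[-1]
            if looks_random(base):
                reasons.append("random-looking file name " + base)
            by_file[p.lower()].add(section)
        entries.append({"section": section, "line": line, "paths": paths,
                        "missing": missing, "reasons": reasons})
    # Second pass: one DLL hooked from several load points (BHO plus Winlogon
    # Notify is the classic Vundo pair) is a strong signal on its own.
    for e in entries:
        for p in e["paths"]:
            if len(by_file[p.lower()]) > 1:
                e["reasons"].append("same file hooked from " + ", ".join(sorted(by_file[p.lower()])))
    return entries


def killbox_list(entries):
    """Paths to hand to Killbox: files of flagged entries that still exist, deduplicated."""
    seen = {}
    for e in entries:
        if e["reasons"] and not e["missing"]:
            for p in e["paths"]:
                seen.setdefault(p.lower(), p)
    return list(seen.values())


def report(log_text):
    entries = triage(log_text)
    out = []
    for e in entries:
        if e["reasons"]:
            out.append("FIX  " + e["line"])
            out.extend("       - " + r for r in e["reasons"])
    out.append("Killbox paths:")
    out.extend("  " + p for p in killbox_list(entries))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is to see the report for the sample, or pass the text of a real hijackthis.log to `report()`. The rules err on the side of flagging; anything on the Killbox list still deserves a look at the file's properties before it is deleted.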

gerbil 216 Industrious Poster

Hello, Aneesah, looks like we got there!! You are looking clean to go.
Please keep in mind that you were infected by a backdoor trojan that may have allowed someone access to your computer.. whether they did or not is unknown.. I suggest you change passwords, esp if you use inet banking... email also....
One last thing to complete the job - Empty your recycle bin please.
Because you are clean now is the time to get SP2... it's a big dl [get the IT professional file from M$ and install yourself, don't follow the update auto installation path]. Or borrow a CD from a friend of the same type as your installation but which has SP2 on it .. eg OEM, or full retail version.
You must do it, cos without it you are a sitting duck. When you have it, or even now, get Spywareblaster... it's free. Delete combofix, vundofix, keep AVG AS... CCleaner.
Cheers.

gerbil 216 Industrious Poster

I'm only posting here cos Crunchie oughta be in bed asleep atm...
Give VundoFix a chance.. if it freezes restart it, try a few times, checking to see if you get a report. If it reports files and is unable to delete any, rerun it until it does.
And if you must do another AV scan, don't get AVG AV cos you already have a resident AV service - they will conflict. Instead may I suggest Panda Online Scan?
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here. I'm backing out now before the master returns...

gerbil 216 Industrious Poster

Oh dear...
Please delete the directory C:\qoobox and its contents.
Inside AVG AS remove all quarantined objects.
Let's stop these two services and remove them using same procedure as before:
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific services CHXPRTU and PJ - in each case rclick them, select properties. Write down the exact Service Names. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now.... and repeat for the other service name.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]

__________________________________________________________

Start Killbox [note the different pathname loading method this time for multiple filenames],
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\wksvr.exe
C:\WINDOWS\system32\ypmgewoo.dll

gerbil 216 Industrious Poster

Congratulations, Aneesah, you have a rootkit: c:\WINDOWS\system32\drivers\runtime2.sys, but we can fix that now we know it is there.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

; root keys must be written out in full in a .reg file; regedit does not accept the HKLM short form
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv"=-
__________________________________________________________

==Fix these two with hijackthis:

O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Paste this pathname into the textbox Full Path of File to Delete:

C:\WINDOWS\SYSTEM32\iplaipl.dll

Select "Delete on reboot", "Unregister dll before deleting", click the "all files" button.
Click the red and white X button, click Yes …
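
Added example, not from the thread: a Python parser for the fixkey.reg files used in this thread. It lists what an import will actually do (which keys are deleted by `[-KEY]`, which values are removed by `"name"=-`) and checks the two things that make an import quietly do nothing: the header line, and the root key names. regedit.exe only accepts the long root names (HKEY_LOCAL_MACHINE and so on) inside a .reg file; the HKLM/HKCU short forms that reg.exe takes on the command line are not applied. The sample .reg text is constructed from the fixes quoted above, with one short root name left in on purpose so the check has something to catch.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# Short root names work for reg.exe on the command line, not in a .reg file.
ABBREV = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
          "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
          "HKCC": "HKEY_CURRENT_CONFIG"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
ROOT_RE = re.compile(r"^(\[-?)(HKLM|HKCU|HKCR|HKU|HKCC)(?=[\\\]])",
                     re.IGNORECASE | re.MULTILINE)

# Constructed sample modelled on the fixkey.reg files in the posts above; the
# first key uses the short root name deliberately.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKLM\SYSTEM\CurrentControlSet\Services\runtime2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"""


def parse_reg(text):
    """Return (actions, problems). Actions are tuples: ("delete_key", key),
    ("open_key", key), ("delete_value", key, name), ("set_value", key, name, data)."""
    actions, problems = [], []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append("line 1: header must be exactly '" + HEADER + "'")
    current = None                       # key that following value lines apply to
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            delete = key.startswith("-")
            if delete:
                key = key[1:]
            root = key.split("\\", 1)[0].upper()
            if root in ABBREV:
                problems.append("line %d: root %s must be spelled %s; regedit will not apply the section"
                                % (n, root, ABBREV[root]))
            elif root not in HIVES:
                problems.append("line %d: unknown root key %s" % (n, root))
            current = None if delete else key
            actions.append(("delete_key", key) if delete else ("open_key", key))
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append("line %d: cannot parse: %s" % (n, line))
            continue
        if current is None:
            problems.append("line %d: value line with no open key above it" % n)
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2).strip()
        if data == "-":
            actions.append(("delete_value", current, name))
        else:
            actions.append(("set_value", current, name, data))
    return actions, problems


def expand_roots(text):
    """Rewrite short root names in key lines to the full form regedit requires."""
    return ROOT_RE.sub(lambda m: m.group(1) + ABBREV[m.group(2).upper()], text)


if __name__ == "__main__":
    acts, probs = parse_reg(SAMPLE_REG)
    for a in acts:
        print(a)
    for p in probs:
        print("PROBLEM:", p)
    print("--- after expand_roots:", parse_reg(expand_roots(SAMPLE_REG))[1] or "no problems")
```

Save the fixed text from `expand_roots()` back as the .reg file before double-clicking it. The parser is deliberately strict about the header because a file saved from Notepad as `fixkey.reg.txt` or with the header mistyped is the other common way a fix silently fails.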

gerbil 216 Industrious Poster

Oh dear...
pately, please do not post in another's thread, you risk getting little or no attention, and it is just plain confusing at times.

Algis, sorry about that earlier post "I must see those vundofix and combofix logs!! Please!" - things do, of course, go mostly at the pace you decide normally, it was that intervening log of pately's that threw me - suddenly I was seeing a different computer.... anyway my impatient-sounding post was because of that and me doing other work.
I shall remind you of this later; now is not the time to update your Java, but please do now go into CP > add/remove pgms and remove all the oldest versions of Java, keeping only the latest [which is out of date!].

I note that Vundofix failed to run correctly... Combofix detected and cleaned some vundo files. Please delete C:\vundofix.txt and your copy of vundofix.exe.
Combofix also struggled. I just tested it on my pc - it took less than 3 minutes to complete, but my sys is clean.... Please delete combofix.txt and combofix.exe.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip -unzip it to your desktop.
You must be in an Administrator-privileged account to run this procedure...
Okay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe

gerbil 216 Industrious Poster

I must see those vundofix and combofix logs!! Please!

gerbil 216 Industrious Poster

Errrk!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Hello, Aneesah.. :)
..you must have been waiting. You can see from the AVG log that you had both a backdoor trojan and another trojan, plus a rootkit agent - they have been placed in quarantine. Delete all those quarantined entries in AVG AS.
Some more work:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not …

gerbil 216 Industrious Poster

Imran, you should run a good AntiSpyware to fix those things; try this, clean and then scan:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
==delete your copy of hijackthis and follow these instructions for a new copy and proper installation:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and …