gerbil 216 Industrious Poster

I bet heaps that Crunchie is going to ask for that comboFix log... it's in C:\.

gerbil 216 Industrious Poster

I'm hoping so.
Cheers.

gerbil 216 Industrious Poster

It is probably the log that some installer makes and refers to when installing software, also may be used by an uninstaller. If you are concerned about malware run a scan.

gerbil 216 Industrious Poster

Well, that is interesting behaviour, not at all what I expected.
This is the file that concerned me.. it is a virus capable of spawning 100s of other files: C:\WINDOWS\system32\fokubino.dll
It was initiated by these keys:
O4 - HKUS\S-1-5-19\..\Run: [luwahejeso] Rundll32.exe "C:\WINDOWS\system32\fokubino.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [luwahejeso] Rundll32.exe "C:\WINDOWS\system32\fokubino.dll",s (User 'NETWORK SERVICE')
MBAM would not touch them; I expected to see them listed in the Combofix report, but no. And they are gone from your last HJT log.
All appears good with the logs now; i note that FF is working for you, how about IE?
If that file, fokubino.dll is inside the Combofix quarantine at C:Qoobox would you please go to this web page http://virusscan.jotti.org/, click browse and submit it for examination [instructions are on the page].
Post any positive result.
Then, go Start, Run..
combofix /u
Diablo II. Dated, but I still love that game. It's the scenery [or some of it], the concepts. I don't think any other game has come close. The writers really researched mid-eastern history and mythology.

gerbil 216 Industrious Poster

Ok, we shall try this, MBAM is blind to them for some reason.
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply, with a fresh hijackthis log.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

And so give administrator privileges to any malware that would be interested in possessing them.

gerbil 216 Industrious Poster

Bit of infection still in there, so for a start:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the icon and ...
Finally, another HJT log plus your comments.

gerbil 216 Industrious Poster

Well, simplest way is to rclick your IE icon, go Properties, Shortcut, Advanced. You will work it out from there.

gerbil 216 Industrious Poster

Do i agree that it is a painfully long process...? Yep, getting your sys setup back how you like it certainly is.
So first, I would try system file checker... you know, Run..
sfc /scannow
And then I would "reinstall" IE...
Rclick Windows\inf\IE.inf, choose Install, point it to the i386 folder on the installation disk.
Then i might consider a recovery. Might.

gerbil 216 Industrious Poster

:)
I did mean the firewall, not utorrent.
Which, I guess, means KIS itself. you are going to need the cleaning tool to do it properly.

gerbil 216 Industrious Poster

Dead is easy. But if you want to get it going.. and are not too fussed about what is on it, and have some form of boot disk available like Recovery Console... or can borrow an XP disk.... just use it to copy these files from Windows\repair to system32\config [you can do them one at a time, checking if the sys functions upon restart after each copy]. It is just wise to rename the original system32\config files first.
security system sam software default.
These files were the state of your registry when last you did a Repair or Installation of the OS. So using them should get things going, but later software installations etc will not be recognised, although data files will be intact.
This, if saved as a batch file to your desktop, will do it all:

rem Back up the current registry hives, then replace them with the
rem copies saved in Windows\repair by the last Repair/Installation.
cd c:\
cd %windir%
md tmp
copy system32\config\default tmp\default.bak
copy system32\config\sam tmp\sam.bak
copy system32\config\security tmp\security.bak
copy system32\config\software tmp\software.bak
copy system32\config\system tmp\system.bak

rem "del" is the command understood by both cmd.exe and the Recovery Console
del system32\config\default
del system32\config\sam
del system32\config\security
del system32\config\software
del system32\config\system

copy repair\default system32\config\default
copy repair\sam system32\config\sam
copy repair\security system32\config\security
copy repair\software system32\config\software
copy repair\system system32\config\system

gerbil 216 Industrious Poster

Plastered, that does look like a firewall problem. But shutting it down likely will not fix it- you must uninstall/reinstall it.

gerbil 216 Industrious Poster

Most usually external, hails. And you do not say what connection you have from your modem, or whether your modem is internal.. ie a card. But if so, it would have a socket on it protruding to rear. So. Some modems use USB, or Ethernet cables, some offer both. If yours is USB, just plug it to any USB port. Ethernet is just like a slightly larger phone connector.
Grounding yourself means occasionally touching the bare metalwork of the tower.

gerbil 216 Industrious Poster

Hello, pete, I tend to agree with Kraai. In OE go Tools, Accounts, lclick the old account if it is there and Remove it. Then get email details from your new ISP [I'm thinking POP3 and SMTP URLs, whether authentication is necessary...], click Add button and use those details to create a new account. And that should pull emails from your ISP email account.

gerbil 216 Industrious Poster

"safe mode just gives me a black screen and safe mode in each corner of monitor" ...that sounds like Safe mode, alright, but without Explorer running, cos you should see maybe a few of your icons there, plus the Start button. So at the blinking prompt, type:
explorer.exe -and press enter.
When you have an av service installed browsers go through it into the net... the av serves as a browser proxy, and a firewall would show that the av service was actually accessing the net, not the browser. Sounds like Vipre did not correctly uninstall.
Have a look at what the pink angelcake wrote:
http://getsatisfaction.com/sunbeltsoftware/topics/cannot_uninstall_vipre
Gawd.
Read the whole thread... the orange angelcake gives this piece of software to automate the procedure:
http://www.sunbeltsoftware.com/ihs/cs&vclean.exe

gerbil 216 Industrious Poster

Josh... services.exe... go into system32 and rename any services.exe you find there, say to servicesA.exe and so on. The real services.exe will be replaced in a few seconds by Windows File Protection System from a copy in cache. You will only be able to delete the renamed ones after a restart. There should be none in c:\Windows\
services.exe should be run by the System, not by a User...?!
But first, get hold of MBAM, and run it after renaming those files.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file:

gerbil 216 Industrious Poster

Okay. It does look like a few keys in registry are not being cleaned, and Windows Security is picking up on them. More worrying is the inability to run anti-malware scans, loss of restore points. Let's try a couple in safe mode as an initial check:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the …

gerbil 216 Industrious Poster

You possibly have some sort of proprietary file system software in there, or something like U3 which permits you to run special sware from your thumbdrive. The U3 host files, for example, are hidden, but can be removed if not wanted, freeing up the space they take. You should find the correct tool to do this at the website of the sware installed.
And again, it might just be the file system software without which your thumbdrive becomes a nice addition to your rubbish bin.
But maybe I am way off-beam with all this.

gerbil 216 Industrious Poster

Good-oh. You might try running the correct removal tool from this site, and then attempt to reinstall KIS.
http://support.kaspersky.com/faq/?qid=208279463
Good luck. And please come back if that does not solve your problem.

gerbil 216 Industrious Poster

Is that a program? It looks like a webpage to me... and even if it uses ActiveX it won't appear in installed pgms list. But you may make shortcuts to such pages on your desktop... just check that in desktop properties you have not set the sys to regularly clean little-used shortcuts [it will run every 60 days].

gerbil 216 Industrious Poster

Roz, do you have an antivirus service installed [just the one...]?
I assume that BIOS runs at normal speed [say, 10 secs to where it commences Windows loading]?
And then windows takes forever loading? Try to start in Safe mode; watch the drivers scrolling by on the black screen - should be too fast to read. Do you reach the final Safe mode screen in just a minute or so?
You might try disconnecting any USB devices, your modem/router also, and then try a restart.

gerbil 216 Industrious Poster

..or perhaps you installed the AV into an infected system, or perhaps you have become infected with some malware which your AV does not detect.
Tell which AV you uninstalled.

gerbil 216 Industrious Poster

You're very welcome, Claire.
Cheers.

gerbil 216 Industrious Poster

Which AV. Some, eg, Norton, AVG, require a special uninstaller tool to be run. The slowness is most likely due to a confused AV installation - all file activity, traffic is monitored by the AV.

gerbil 216 Industrious Poster

My fingers... I write with a pen and there is absolutely NO confusion with their and there. I type, and it's a 50-50 chance it gets set down correctly. How can that be? Does typing use a different part of the brain, or what? Course, some of my fingers are speed freaks an hit he keys outa turn, and that doesn't help.
AVG fights to the end.. yep.
Most AV's [all?] interactively scan files as they are opened for use, so you will get a notice, and the file will be frozen until you reply. Avast works like that. I don't do regular scanning at all now.
Windows FW for XP only checks incoming streams... basically if something was not requested then it is ignored, not even acknowledged. If it wants to get out, no interference from the FW, and that is a big weakspot. Vista's FW is different, but it appears to not learn, so it is a pest. Comodo will learn if you use it correctly. And it can wee people off in half an hour... you gotta appreciate what it is doing for you, learn about it and accept that you must use it as a tool.
Good luck wiv it.

gerbil 216 Industrious Poster

Look. I can spell. Perfectly. It's just my fingers that get confused. I dunno how that works.

gerbil 216 Industrious Poster

"I downloaded Avast last night and ran that too,"... if it was the antivirus service, I do hope you uninstalled AVG8 first. Please do not try to run more than one AV service; non-installing scanners are okay to combine... eg online scans. Or your sys will be unpredictably cranky.
I used AVG8 for a while, decided there must be better out there and switched to Avast. things seem better, but I cannot quantify that.
Most trojans like to call out, otherwise there is not much point to them [most are written as income earning exercises, paid by advertising, ppl being fooled into paying for rubbish sware] and a good firewall will trap that behaviour. Comodo [you can install only the firewall by choice, not the whole AV/AS/FW package] but it is a very busy thing, drives some folks nuts with its checking/querying - you gotta LIKE being asked things... Kerio... maybe ZoneAlarm.. maybe. Comodo is THE best.
If a virus lifts a finger, your AV should warn you. It aint, so it's not.
Be cool.

gerbil 216 Industrious Poster

That is okay, claire. Vacfix.exe is a part of Smitfraudfix, which I think you have? You can delete it [SMF] when you have finished with it.
I don't have a very high opinion of Adaware right now...
Where did Spybot find the Win 32 cryptor trace, and what file name was it, please?

gerbil 216 Industrious Poster

Interesting behaviour by AVG.... let's clear your System Restore Points [that is where it is hiding, but it cannot do anything unless you use an infected restore point..]
System Restore Points Clearance:
== you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
Now see if AVG finds any more of them.
You may remove those two UAC...log files from spybot's quarantine.

gerbil 216 Industrious Poster

Hello, Claire, I take it that Gmer successfully killed that driver, C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys?
These files seem to have been missed, pretty harmless on their own, but you may as well clean up. Delete them manually. Are there any other system32\UAC*.* files?

C:\WINDOWS\system32\UACmuoeronpqfuaikt.dat
C:\WINDOWS\system32\UACuvogtblhqghkhtt.log
C:\WINDOWS\system32\UACghcwpnnatbjtxvv.log
C:\WINDOWS\system32\UACpxwwsboyebokuvf.log
mm.. I see that a couple of them were caught by Spybot.
Now clean with this feller... it's neat to keep:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
And off you go.
Cheers.

gerbil 216 Industrious Poster

You still have a hefty vundo infection there, JR.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Finally, a fresh hijackthis scan log, please.

gerbil 216 Industrious Poster

Re the iexplore.exe permissions, you wrote "i think it was under System Tools - Process Explorer". Sorry? Process Explorer is a pgm from Winternals [sysinternals]. I really need to know the registry key you took the permissions from.
Was it this one - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]? All I know about permissions is that you navigate to the particular key in registry [run regedit.exe], rclick it, choose Permissions, and uncheck any Deny boxes [Deny overrides Allow].
Hope that helps.

gerbil 216 Industrious Poster

Hello, Claire... gee, but days off go quickly....
Who needs inlaws, really? They come around, drink all your beer, get crisps crumbs under the sofa cushions.... and the blokes are even worse.
Right, we must kill the driver of that rootkit; this is it: C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
In Normal Mode, start Gmer; after the preliminary scan reject the full scan. Select the Rootkit/Malware tab and uncheck all but Services.
Scan and then highlight that driver C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
Rclick and choose Delete Service, agree.
Reboot and rerun Gmer as above, delete any other services [ie, .sys files] identified as a rootkit. Reboot.
Good. Now Update and run MBAM -it should be able to identify and clean the unprotected malware files now:
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Hello, claire.
Yep, as i suspected there was a rootkit involved in preventing MBAM and hijackthis from running. It will be simple enough to fix. But first, the GMER log also shows its source... you must get rid of the crack/keygen shown in the log before I can help you further. I don't like to be a boor, but it is site policy -we cannot be seen to be assisting people to circumvent copyright/ownership of software.
So do that.. come back clean and i can help. Anyway, with the source of the rootkit still active and present on your sys it would just reinfect you.
And I'm on a couple of days off atm.
By the way, I imagine the iexplore.exe you see running and restarting all the time is actually the real and uncorrupted M$ version of Internet Explorer [that is its .exe], it is just that the malware files hidden by the rootkit are using it to go out onto the web. So give it back its permissions.

gerbil 216 Industrious Poster

Hello, Claire... go into Safe Mode, kill the iexplore.exe if it is running, rename MBAM.exe to MAMBO.exe, see if it will run as that. Rename hijackthis.exe also, try to run it.
If you cannot run those, then perhaps a check for rootkits is called for...
Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom righthand corner ).
-dclick Gmer.exe to start it; uncheck Sections, IAT/EAT, use remaining default settings [ensure your system drive (C: ?) is the only drive checked] just click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-click on the Copy button - this will copy the results to the clipboard. Open Notepad and paste into it.
The result - please zip it and post as an attachment via Go Advanced.

gerbil 216 Industrious Poster

"I have already removed the older version of Norton using the Windows "Add or Remove Programs""
-use the Norton removal tool specific to that old installation. They publish it for a reason.

gerbil 216 Industrious Poster

Mmm.. works okay for me. Just did a test loading of a zip file..

gerbil 216 Industrious Poster

Get the Norton removal tool from their tech website for your old norton AV service. You may find you need to reinstall the new version.

gerbil 216 Industrious Poster

Xp will recognise up to 4GB, 3GB in practice; 64 Xp 128GB... Here:
http://msdn.microsoft.com/en-us/library/aa366778.aspx#physical_memory_limits_windows_xp

gerbil 216 Industrious Poster

"It seems that demiweb does not allow zip Upload files"
Go Advanced, Manage Attachments, browse to your .zip file.

gerbil 216 Industrious Poster

Sounds handy for rebuilding a file sys in a replacement computer, etc, Jupiter. Just network the two and go for it.

gerbil 216 Industrious Poster

"ps. we can't install any software on our pc's." Oh? Then can you write something yourself? I don't mean with a pencil and paper... Anyway, it may be laborious, but if you can't install sware then maybe you could investigate the - tree - cmd.
Yeah... and if you think that will do then use Properties in the cmd window to... oh, heck, rclick the top blue? border of the cmd window. There you will find in Properties many options to alter the display of the cmd window to suit. And then you can screenshoot the thing, or use the Edit option to select and copy which gives you an editable listing. Go crazy.

gerbil 216 Industrious Poster

Ah, sorry, Coolin.. sometimes I take things for granted. Yes, it is indeed the tool you needed.

gerbil 216 Industrious Poster

"So I need a 'snapshot' of all file access from when I click the 'Update' icon in AVG up to 3 or 4 seconds later when the denied access message comes up. I can't seem to get this type of 'snapshot' in Process monitor" You are kidding... or else you do not know how to use the tool. ProcMon will, if you so wish, log everything that happens from & to whenever you wish, including from as the kernel loads. And you can split out the file accesses with one click.

gerbil 216 Industrious Poster

Process Monitor.

gerbil 216 Industrious Poster

Good-oh, glad you are clean. But believe me on the RECYCLER/Recycle Bin thing... they are parts of the whole. You could have deleted those S-...com files manually from RECYCLERs, and run CCleaner to clear the temp files. And it appears that I have told you how to hide files and make em undeletable by normal methods. The end of that secret.

gerbil 216 Industrious Poster

The Recycle Bin is a composite of all RECYCLERs, and shows all the deleted files' names. But only if they are in those S- folders. You will not see any file that you dragged into a RECYCLER, you must look in that RECYCLER. Try it... drag in a text file, and then browse to it and open it with Word, or Open Office....

gerbil 216 Industrious Poster

S-0-0-75-100020897-100014327-100022846-4120.com
.COM??!! Yep, you found a pest, there should be no .com on the end of that S- folder name. :)
Trust me, the Recycle Bin shows as RECYCLER in explorer partitions, one per partition [and if your sys is set to show it, Recycle Bin at the bottom of your folder view tree].
RECYCLERs contain maybe more than one S- folder, and the folder names are just S- numbers, but should NOT contain any VISIBLE files. So open all your RECYCLERs and delete any folders that you can [you cannot delete the one from the current day], but you can empty it. Rid your sys of those S-....com folders. Update and retry MBAM.
Nice work.
When you do a normal deletion the file is left on disk where it was and renamed, its position on disk marked as available; the new coded name plus old name are put into a RECYCLER folder; windows can then find it to restore it. But you cannot see it in that RECYCLER, normal third party software cannot either. eg photoshop, or a music player.... However the RECYCLER is just another folder, albeit a bit special. Nothing to stop you dragging files into it, and you can see those. And it is a place that can be used by malware for just that reason. Cos funnily enough, emptying the bin will not remove files you dragged into it, and looking in the Recycle Bin will not show …
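An added example, not code from any of the posts above: an offline hunt for the three artefacts gerbil describes in this thread, stray services.exe copies outside system32 (the services.exe post), system32\UAC*.* leftovers (the UAC cleanup post), and "S-" entries in RECYCLER that are not plain SID-named folders (the RECYCLER posts). It takes a drive root so it can be pointed at a mounted image; the drive layout and the legitimate SID folder name are assumptions, and the sample tree is constructed here from the names quoted in the posts.

```python
import re
import tempfile
from pathlib import Path

# A genuine per-user recycler folder is named exactly like a SID, nothing more.
SID_DIR = re.compile(r"^S-\d+-\d+-\d+(?:-\d+)*$")
RECYCLER_LOOSE_OK = {"desktop.ini"}  # the only loose file expected in RECYCLER


def stray_services_exe(root):
    """services.exe copies anywhere under WINDOWS except WINDOWS\\system32."""
    system32 = root / "WINDOWS" / "system32"
    return sorted(p.relative_to(root).as_posix()
                  for p in (root / "WINDOWS").rglob("services.exe")
                  if p.parent != system32)


def uac_leftovers(root):
    """Names matching the system32\\UAC*.* pattern from the cleanup post."""
    return sorted(p.name for p in (root / "WINDOWS" / "system32").glob("UAC*.*"))


def recycler_anomalies(root):
    """Entries in RECYCLER that are neither a SID-named folder nor desktop.ini."""
    out = []
    recycler = root / "RECYCLER"
    if not recycler.is_dir():
        return out
    for entry in recycler.iterdir():
        if entry.is_dir() and SID_DIR.match(entry.name):
            continue  # ordinary per-user bin
        if entry.name.lower() in RECYCLER_LOOSE_OK:
            continue
        out.append(("dir" if entry.is_dir() else "file", entry.name))
    return sorted(out)


def hunt(root):
    root = Path(root)
    return {"services_exe": stray_services_exe(root),
            "uac_files": uac_leftovers(root),
            "recycler": recycler_anomalies(root)}


def build_sample_tree(base):
    """Constructed drive mimicking the infected layouts quoted in the posts."""
    base = Path(base)
    sys32 = base / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "services.exe").write_bytes(b"real")
    (base / "WINDOWS" / "services.exe").write_bytes(b"rogue")  # should not exist
    (sys32 / "UACmuoeronpqfuaikt.dat").write_bytes(b"")
    (sys32 / "UACuvogtblhqghkhtt.log").write_bytes(b"")
    # assumed SID for the legitimate per-user bin
    (base / "RECYCLER" / "S-1-5-21-1004336348-1177238915-682003330-1004").mkdir(parents=True)
    (base / "RECYCLER" / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # the pest from the thread: an S- name with a .com extension, and it is a file
    (base / "RECYCLER" / "S-0-0-75-100020897-100014327-100022846-4120.com").write_bytes(b"MZ")
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return the hunt findings."""
    with tempfile.TemporaryDirectory() as d:
        return hunt(build_sample_tree(d))


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(category, items)
```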

gerbil 216 Industrious Poster

The recycle bin is a strange place, and emptying it does not always work. Ask Bill Gates. It [they] may show in explorer as having 0 bytes, and in properties as anything up to many MBs... even after you just emptied the bin, or used tools to do it. Unhide Protected opSys files, open Recycle Bin, delete any S-1-.... folders. The RECYCLERs [each one] should come down to about 85 bytes if you check properties.
And if I am on the wrong track still, let me know?