bamajim

Volunteer Security Advisor
  • Content Count: 339
Everything posted by bamajim

  1. indy666
     The CFScript file didn't work. Did you save the CFScript file to your Desktop and drag it into Combofix? Please double check the name it was saved as, and check to make sure the items were copied and pasted into Notepad.
     2. Are you familiar with that program ProtectService?
  2. indy666
     2 Things:
     1. Open NotePad (not wordpad). Copy and paste the following into Notepad:
     File::
     C:\WINDOWS\fmark2.dat
     C:\WINDOWS\f49f4daa.dat
     Registry::
     [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07b2fbbc-a8ff-11d9-bd06-000ce581fb3b}]
     [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9db6d614-708e-11d9-bc5a-f037e038276d}]
     Save the File as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
     Using the Image as a reference, drag CFScript into ComboFix.exe
     You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post.
     Then post the contents of the C:\ComboFix.txt log in your reply.
     2. You have a suspicious program and file I would like to look at. Please go HERE. Put Your Name, and LavaSoft HJT forum, and in the file to submit box, click Browse. Locate the file C:\Program Files\ProtectService\ProtectService.exe. In the comments tell them that I asked you to upload the file. Then Select Send File.
  3. guskusy
     You may now remove/delete/uninstall the tools we used to clean your PC.
     Now that your log is clean there are some final notes:
     Let's create a clean System Restore point; the instructions are here.
     Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
     Updating Java:
     Download the latest version of Java Runtime Environment (JRE) 6.u7.
     Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
     Click the "Download" button to the right.
     Check the box that says: "Accept License Agreement". The page will refresh.
     Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
     Close any programs you may have running - especially your web browser.
     Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
     Check any item with Java Runtime Environment (JRE or J2SE) in the name.
     Click the Remove or Change/Remove button.
     Repeat as many times as necessary to remove each Java version.
     Reboot your computer once all Java components are removed.
     Then from your desktop double-click on jre-6u7-windowsi586-p.exe to install the newest version.
     Update your Anti Virus Software
     Use and maintain a Firewall
     Visit Microsoft's Windows Update Site Frequently for critical updates
     Backup your Important Documents and Files on a regular basis to a disc or a USB key, not your hard drive
     You may want to read this article "So how did I get infected in the first place" by Tony Klein
     surf safe
  4. indy666
     Please download Combofix and save to your desktop:
     Note: It is important that it is saved directly to your desktop
     Close any open browsers.
     Double click on combofix.exe and follow the prompts.
     When it's finished it will produce a log. Post the contents of the C:\ComboFix.txt into your next reply.
     Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.
  5. quskusy
     It is possible, some of these infections can damage legit files. Once we are finished you may want to address that issue with Firefox support Here.
     One more check
     Please perform an Ewido Online Malware Scan
     When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
     Click on Start Scan.
     After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
     If any infections are found (after you save the logfile), click on Remove Infections.
  6. indy666
     1. We are going to use Killbox again
     1) Double Click Killbox.exe to run it
     2) Select "Delete on Reboot", and then select "All files".
     3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
     c:\windows\kenny16.exe
     C:\WINDOWS\system32\846888\846888.dll
     C:\WINDOWS\system32\846888
     4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
     5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
     2. Until you decide on the purchase of an Anti Virus program, let's download and use this one. It's free.
     Go HERE and download and install AVG8 (Free version). Update it, and do a full system scan. Allow it to fix whatever it finds.
     Once Done; Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log.
  7. indy666
     We have a few new things to deal with here. Do you still have Killbox that we used earlier? What are you using for a resident Anti Virus program?
  8. indy666
     You may now remove/delete/uninstall the tools we used to clean your PC.
     Now that your log is clean there are some final notes:
     Let's create a clean System Restore point; the instructions are here.
     Update your Anti Virus Software
     Use and maintain a Firewall
     Visit Microsoft's Windows Update Site Frequently for critical updates
     Backup your Important Documents and Files on a regular basis to a disc or a USB key, not your hard drive
     You may want to read this article "So how did I get infected in the first place" by Tony Klein
     surf safe
  9. indy666
     How's your PC running now? One more check and I think we are there.
     Please perform an Ewido Online Malware Scan
     When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
     Click on Start Scan.
     After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
     If any infections are found (after you save the logfile), click on Remove Infections.
  10. indy666
     1. Rerun Killbox
     At the main window Select Tools ->> Delete Temp Files
     At the next window uncheck XP Prefetch. Leave the other boxes checked.
     Select "Delete Selected Temp Files". Allow the tool to run.
     When it is finished (You will know that it is finished because the checks will disappear from the location boxes) Select "Exit". Then Select "Exit" again to close Killbox.
     2. Reset the desktop components
     Click Start ->> Control Panel ->> Display. Another window will open. Under the Desktop tab Select Customize Desktop. Another window will open. Under the Web tab delete everything in the Web pages box except "My current Home Page". Then Select O.k. ->> Then Apply ->> Then O.K.
     3. Rerun Hijackthis (scan only) and place checks beside the following entries
     O21 - SSODL: fGjlXx - {34A88298-9E02-2832-6050-50B063EA441E} - C:\WINDOWS\system32\ycjkg.dll (file missing)
     Close all other open windows except Hijackthis and Select "Fix checked"
     Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
  11. indy666
     We have a stubborn file there.
     1. Please download the Killbox.
     1) Save it to the desktop
     2) Rt Click ->> Extract all ->> Extract it to your Desktop
     3) Double Click Killbox.exe to run it
     4) Select "Delete on Reboot", and then select "All files".
     5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
     C:\WINDOWS\system32\ycjkg.dll
     6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
     7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
     2. Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
  12. guskusky
     You are welcome.
     1. Rerun Hijackthis (scan only) and place checks beside the following entries
     R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
     O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhda.exe] C:\WINDOWS\system32\kdhda.exe
     O4 - HKCU\..\Run: [braviax] "C:\WINDOWS\system32\braviax.exe"
     O20 - AppInit_DLLs: karina.dat
     Close all other open windows except Hijackthis and Select "Fix checked"
     Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
  13. indy666
     Again, with AdWatch disabled
     1. Please download HostsXpert 4.0 - Hosts File Manager and Save it to your Desktop
     Rt Click Hoster.zip ->> Extract all ->> Extract it to your Desktop (or your C:\ drive)
     Open The Hoster folder ->> Double Click HostsXpert.exe
     When the program Opens Click The "Restore MS Hosts File" button in the left pane. Then select "Restore Original Hosts" when prompted.
     Close the Hoster program when complete
     Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
     2. Rerun Hijackthis (scan only) and place checks beside the following entries
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.srhqnvxmtgzzbwmqbnycax.biz/CL/s...nHhvFiaZ6Yv.asp
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
     O1 - Hosts: xJþ ˆþ
     O1 - Hosts: þ 
     O1 - Hosts: à I0ˆ>000˜0˜0 0 0¨0¨0°0°0¸0¸0À0À0È0 È0Ð0Ð0Ø0Ø0à 0à 0è0è0ð0ð0ø0ø0 ˆ000˜0˜0 0 0¨0¨0°0°0¸0¸0À0À0È0 È0Ð0Ð0Ø0Ø0à 0à 0è0è0ð0ð0ø0ø0
     O1 - Hosts: 0˜0˜0 0 0¨0¨0°0°0¸0¸0À0À0È0È0Ð0 Ð0Ø0Ø0à 0à 0è0è0ð0ð0ø0ø0
     O2 - BHO: QXK Olive - {067E8B3C-B42B-401C-AC59-6A5E1C119E4D} - C:\WINDOWS\twmxbsqrotm.dll (file missing)
     O2 - BHO: (no name) - {1EC87554-ADF2-5994-8301-EA860759C8E7} - C:\PROGRA~1\GREY2C~1\gpl enc.exe (file missing)
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O3 - Toolbar: SuperBar - {DD9ED457-6D9E-4084-B6EE-F7C56EB06F23} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
     O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
     O3 - Toolbar: rafbsvnx - {55393806-FF55-4D17-A1A5-4549B8ECFCB1} - C:\WINDOWS\rafbsvnx.dll (file missing)
     O4 - HKLM\..\Run: [seekCdromTwoLong] C:\Documents and Settings\All Users.WINDOWS\Application Data\Bend camp seek cdrom\build show.exe
     O4 - HKLM\..\Run: [WindowsXP Module] C:\WINDOWS\DirectX3D.exe
     O4 - HKLM\..\Policies\Explorer\Run: [systemManager] C:\WINDOWS\system32\settecalphadisc.exe
     O21 - SSODL: fGjlXx - {34A88298-9E02-2832-6050-50B063EA441E} - C:\WINDOWS\system32\ycjkg.dll
     Close all other open windows except Hijackthis and Select "Fix checked"
     Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
  14. jerojero
     We have a hidden loader. The file appears under a different name every time you reboot, which is why you cannot find it.
     Please download Combofix and save to your desktop:
     Note: It is important that it is saved directly to your desktop
     Close any open browsers.
     Double click on combofix.exe and follow the prompts.
     When it's finished it will produce a log. Post the contents of the C:\ComboFix.txt into your next reply.
     Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.
  15. core112
     Your log is clean. To answer your question about how you got infected, it could have been by a number of things, some of which are mentioned in the article at the bottom of my notes. The Infection you had is known as Vundo. Once it gets in it multiplies at a fast rate and it can be difficult to remove. Did you have UAC disabled?
     You may now remove/delete/uninstall the tools we used to clean your PC. Be sure to re-enable any protection tools that we disabled during the cleaning process.
     Now that your log is clean there are some final notes:
     Let's create a clean System Restore point
     To create a Clean System Restore Point in Vista
     Click Start (the Vista icon) ->> All Programs ->> Accessories ->> System Tools ->> System Restore
     The System restore Window will open. Select Open System Protection
     Another window will open. Highlight the C:\ Drive in the window, then Select Create.
     Yet another window will open. Type in today's date 05262008 (or whatever you would like to remind you of this Restore Point) in the Create a restore point window. Then Select Create.
     Windows will then create a restore point. Once done you will receive notification that a System Restore point has been Created.
     Close all the open windows and you are done.
     Update your Anti Virus Software
     Use and maintain a Firewall
     Visit Microsoft's Windows Update Site Frequently for critical updates
     Backup your Important Documents and Files on a regular basis to a disc or a USB key, not your hard drive
     You may want to read this article "So how did I get infected in the first place" by Tony Klein
     surf safe
  16. core112
     Excellent. Good work so far. Avenger did take them out even though we had no log to work with. Let's take one more look to be sure there is nothing lurking.
     Please perform an Ewido Online Malware Scan
     When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
     Click on Start Scan.
     After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
     If any infections are found (after you save the logfile), click on Remove Infections.
  17. core112
     You are welcome. We are going to have to do the bulk of this manually since there are few tools to work on your version (64 bit) of Vista. Rerun TempFix again, and post a fresh TempFix log so I can see how many files are left. When we finish, in closing I will give you some prevention suggestions.
  18. core112
     That didn't go as planned. Your log shows you are running a 32-bit version of Vista but some of the folders are shared indicating a 64-bit version. Which one is your main OS?
     Again with adwatch disabled
     We are going to have to do some of this manually, so please be patient, it will take a few runs to remove it all.
     Using Windows Explorer: Rt Click the Start Button (The Vista Icon) ->> Explore, and you will see the "tree" of file folders in the left side of the window. Click on the ">" next to any folder name to expand its contents.
     Locate and Delete the following files
     C:\Windows\SysWow64\cbXNHApm.dll
     C:\Windows\SysWow64\awtsQGxW.dll
     C:\Windows\SysWow64\hjqwkdha.dll
     Note Also: The file names in Vista are arranged in columns in the folders, so the file names will appear in one column and the file extension will be listed under the file type column. Example: cbXNHApm will appear in the name column and .dll will appear in the type column.
     Close Windows Explorer
     2. Rerun Hijackthis (scan only) and place checks beside the following entries
     O2 - BHO: (no name) - {08BED96E-5A7D-42E7-9049-D2FB4978BEBC} - C:\Windows\SysWow64\cbXNHApm.dll
     O2 - BHO: (no name) - {09E723B8-A334-41BA-B25F-0C4AE71747CE} - C:\Windows\SysWow64\awtsQGxW.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: (no name) - {7F4B9F07-ED0D-4860-ADAD-529B79E788B0} - (no file)
     O2 - BHO: (no name) - {FD5BD703-86C0-4F3C-89AB-E82B3C7E6051} - C:\Windows\SysWow64\hjqwkdha.dll
     Close all other open windows except Hijackthis and Select "Fix checked"
     Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
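A small triage parser for HijackThis log lines of the kind quoted in posts 10, 12, 13 and 18 above. This is an added example, not code from the original posts or from HijackThis itself; the sample lines are constructed to mirror the quoted entries, and the "Example Helper" BHO with its all-zero CLSID is made up as a benign contrast. It flags the patterns those posts act on: entries whose file is gone, BHOs/toolbars registered with no display name, hosts-file lines that are not "address hostname", and anything loaded through AppInit_DLLs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample HijackThis log lines (modelled on the posts above; the
# "Example Helper" entry and its CLSID are invented, not real software).
SAMPLE_LOG = [
    "R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: xJ\xfe \x88\xfe",  # binary junk, as in the corrupted hosts file of post 13
    "O2 - BHO: (no name) - {08BED96E-5A7D-42E7-9049-D2FB4978BEBC} - C:\\Windows\\SysWow64\\cbXNHApm.dll",
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll",
    "O3 - Toolbar: SuperBar - {DD9ED457-6D9E-4084-B6EE-F7C56EB06F23} - C:\\Program Files\\SuperBar\\SuperBar.Dll (file missing)",
    'O4 - HKCU\\..\\Run: [braviax] "C:\\WINDOWS\\system32\\braviax.exe"',
    "O20 - AppInit_DLLs: karina.dat",
    "O21 - SSODL: fGjlXx - {34A88298-9E02-2832-6050-50B063EA441E} - C:\\WINDOWS\\system32\\ycjkg.dll (file missing)",
]

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:dll|exe|dat|ini)\b", re.IGNORECASE)
# A sane hosts line is "IPv4-or-::1 hostname [hostname ...]"; anything else is suspect.
HOSTS_RE = re.compile(r"^(?:(?:\d{1,3}\.){3}\d{1,3}|::1)\s+[\w.-]+(?:\s+[\w.-]+)*$")


@dataclass
class Entry:
    code: str                      # HJT section code, e.g. "O2"
    section: str                   # e.g. "BHO", "Hosts", "HKCU\..\Run"
    detail: str                    # everything after the section label
    raw: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def triage(e: Entry) -> List[str]:
    """Heuristic flags; each one is a reason a helper would look twice at the line."""
    flags = []
    if "(file missing)" in e.detail or e.detail.endswith("(no file)"):
        flags.append("orphan")           # registration left behind after the file went away
    if e.detail.startswith("(no name)"):
        flags.append("unnamed")          # COM object with no display name is unusual for real software
    if e.section == "Hosts" and not HOSTS_RE.match(e.detail):
        flags.append("hosts-malformed")  # not "address hostname": garbage or tampering
    if e.section == "AppInit_DLLs" and e.detail.strip():
        flags.append("appinit-dll")      # loaded into every user32 process; always review
    return flags


def parse_entry(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, _, detail = m.group("body").partition(": ")
    e = Entry(code=m.group("code"), section=section, detail=detail, raw=line.strip())
    c, p = CLSID_RE.search(detail), PATH_RE.search(detail)
    e.clsid = c.group(0) if c else None
    e.path = p.group(0) if p else None
    e.flags = triage(e)
    return e


def parse_log(lines) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def fix_list(entries: List[Entry]) -> List[str]:
    """The lines a helper would ask the user to tick in HijackThis 'scan only' mode."""
    return [e.raw for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.code:<4} {','.join(e.flags) or '-':<24} {e.raw[:72]}")
```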
  19. guskusky
     You are most welcome. Rerun Hijackthis and post a fresh Hijackthis log.
  20. guskusy
     Please download Malwarebytes' Anti-Malware from Here or Here
     Double Click mbam-setup.exe to install the application.
     Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
     If an update is found, it will download and install the latest version.
     Once the program has loaded, select "Perform Quick Scan", then click Scan.
     The scan may take some time to finish, so please be patient.
     When the scan is complete, click OK, then Show Results to view the results.
     Make sure that everything is checked, and click Remove Selected.
     When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
     The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
     Copy&Paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  21. indy666 Better. Now see if MBAM will run and post the results please.
  22. Core112
     You got a pretty good dose there. Again making sure Adwatch is disabled:
     1. Please download The Avenger by Swandog46 to your Desktop.
     Click on Avenger.zip to open the file
     Extract avenger.exe to your desktop (How to extract (decompress) zipped or compressed files, help in the link here: )
     2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):
     Files to delete:
     C:\Windows\System32\6f10fa7c-.txt C:\Windows\System32\awtrOGAt.dll C:\Windows\System32\awtsQGxW.dll C:\Windows\System32\awtsRjhf.dll C:\Windows\System32\awtsTLFw.dll C:\Windows\System32\awttrRlK.dll C:\Windows\System32\BKjkknpo.ini C:\Windows\System32\BKjkknpo.ini2 C:\Windows\System32\BLmoWvut.ini C:\Windows\System32\BLmoWvut.ini2 C:\Windows\System32\BLVuCJjl.ini C:\Windows\System32\bYoolkJy.dll C:\Windows\System32\byXNfDWQ.dll C:\Windows\System32\byXRlMfD.dll C:\Windows\System32\cbXNHApm.dll C:\Windows\System32\cbXPiFvU.dll C:\Windows\System32\cbXPiFyv.dll C:\Windows\System32\cbXQjHBS.dll C:\Windows\System32\cbXRiFxw.dll C:\Windows\System32\cbXRJYoO.dll C:\Windows\System32\ddcbAtUm.dll C:\Windows\System32\ddcBstSI.dll C:\Windows\System32\ddcCSJyA.dll C:\Windows\System32\ddcYpppp.dll C:\Windows\System32\efcBusqn.dll C:\Windows\System32\efcCsqpM.dll C:\Windows\System32\efCvwWnl.dll C:\Windows\System32\fccaAqol.dll C:\Windows\System32\fccYpMfc.dll C:\Windows\System32\geBqPJCu.dll C:\Windows\System32\geBqRjge.dll C:\Windows\System32\geBSlkJA.dll C:\Windows\System32\hgGAPiij.dll C:\Windows\System32\hgGxVmLE.dll C:\Windows\System32\hgGywTlI.dll C:\Windows\System32\hjqwkdha.dll C:\Windows\System32\IlTwyGgh.ini C:\Windows\System32\IlTwyGgh.ini2 C:\Windows\System32\jkkHASkK.dll C:\Windows\System32\jkkHAttR.dll C:\Windows\System32\jkkIXnnN.dll C:\Windows\System32\khfCrQKE.dll C:\Windows\System32\khfFVLDv.dll C:\Windows\System32\khfFVMeE.dll C:\Windows\System32\khfGvstR.dll C:\Windows\System32\KlRrttwa.ini C:\Windows\System32\ljJASmlM.dll 
C:\Windows\System32\ljJCuVLB.dll C:\Windows\System32\ljJCvVOh.dll C:\Windows\System32\ljJDSIyV.dll C:\Windows\System32\mlJArsqQ.dll C:\Windows\System32\mlJCRljJ.dll C:\Windows\System32\mlJDsRjI.dll C:\Windows\System32\MpqsCcfe.ini C:\Windows\System32\nnnliFWP.dll C:\Windows\System32\nnnnKcBu.dll C:\Windows\System32\opNfdEWM.dll C:\Windows\System32\opnkkjKB.dll C:\Windows\System32\opnNFWqQ.dll C:\Windows\System32\opnnnnOI.dll C:\Windows\System32\pmnljHyY.dll C:\Windows\System32\pmnmJdBs.dll C:\Windows\System32\ppppYcdd.ini C:\Windows\System32\ppppYcdd.ini2 C:\Windows\System32\QqsrAJlm.ini C:\Windows\System32\QqsrAJlm.ini2 C:\Windows\System32\QWDfNXyb.ini C:\Windows\System32\QWDfNXyb.ini2 C:\Windows\System32\qYxbLRqr.ini C:\Windows\System32\qYxbLRqr.ini2 C:\Windows\System32\rqRiHbYq.dll C:\Windows\System32\rqRkkjhe.dll C:\Windows\System32\rqRLbxYq.dll C:\Windows\System32\RttAHkkj.ini C:\Windows\System32\RttAHkkj.ini2 C:\Windows\System32\ssqnoLDW.dll C:\Windows\System32\ssqOEWMf.dll C:\Windows\System32\ssqRKecb.dll C:\Windows\System32\SYIjkUtv.ini C:\Windows\System32\SYIjkUtv.ini2 C:\Windows\System32\tuvSMcay.dll C:\Windows\System32\tuvTjigg.dll C:\Windows\System32\tuvTnKbX.dll C:\Windows\System32\tuvTnNFV.dll C:\Windows\System32\tuvWomLB.dll C:\Windows\System32\uBcKnnnn.ini C:\Windows\System32\uBcKnnnn.ini2 C:\Windows\System32\uCJPqBeg.ini C:\Windows\System32\uCJPqBeg.ini2 C:\Windows\System32\uRlKeefc.dll C:\Windows\System32\urqOHBrp.dll C:\Windows\System32\urqRiFwx.dll C:\Windows\System32\vDLVFfhk.ini C:\Windows\System32\vDLVFfhk.ini2 C:\Windows\System32\VFNnTvut.ini C:\Windows\System32\VFNnTvut.ini2 C:\Windows\System32\vtUkjIYS.dll C:\Windows\System32\vtUkKdef.dll C:\Windows\System32\vtUoLCSL.dll C:\Windows\System32\wuwebv.dll C:\Windows\System32\wvUkJdEt.dll C:\Windows\System32\WxGQstwa.ini C:\Windows\System32\WxGQstwa.ini2 C:\Windows\System32\xxyAtSiH.dll C:\Windows\System32\xxyawwur.dll C:\Windows\System32\xxywTKAQ.dll C:\Windows\System32\yAtsRKdD.dll 
C:\Windows\System32\yayaYspP.dll C:\Windows\System32\yayvTnkK.dll C:\Windows\System32\yv12vfw.dll C:\Windows\System32\YyHjlnmp.ini C:\Windows\SysWow64\cbXNHApm.dll C:\Windows\SysWow64\awtsQGxW.dll C:\Windows\SysWow64\hjqwkdha.dll
     Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     3. Now, start The Avenger program by clicking on its icon on your desktop.
     Select Load Script
     Select Paste from Clipboard
     The information should now appear in the Open window
     Select Execute
     Answer Yes When prompted "Are you sure you want to execute the current script?"
     4. The Avenger will automatically do the following:
     It will Restart your computer. On reboot, it will briefly open a black command window on your desktop, this is normal.
     After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
     The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
     5. Please copy/paste the content of c:\avenger.txt into your reply
  23. Core112
     Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
     To disable AdWatch: Look to see if there is the Ad-Watch icon in the system tray. If so, right click on it and choose *settings* and then under the *General Settings* Tab, turn off (red x) the option for "load Ad-Watch at Startup". Next go to the *Status* tab in the left menu of Ad-Watch. Turn OFF (red x) the Regshield. Close that window when done then right-click the Ad-Watch icon once more from the system tray and choose *Close Ad-Watch*.
     1. Go HERE and download TempFix. Save it to your Desktop (but do not run it yet)
     2. Reboot into Safe Mode
     This can be done by Restarting your PC, and after it starts, but before you see the Windows Splash screen, begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices). Use your arrow keys and select Safe Mode and then Enter.
     3. Rt Click TempFix.zip ->> Extract all ->> And extract it to your Desktop
     Additional help on extracting zip files can be found HERE
     Open the TempFix Folder. Rt Click TempFix.vbe ->> Select Open, then Open to confirm.
     As the program runs, it will appear that nothing is happening. When the program is finished it will produce a log for you: C:\TempFix.txt
     Copy and paste the contents of that log in your reply.
     Note: if your root drive is something other than C:\ then the log will default to your designated root drive
     4. Then reboot your PC into Normal Windows Mode ->> Rerun Hijackthis and post a fresh Hijackthis log, as well as the C:\TempFix.txt log.