sari

Members
  • Content Count

    105
  • Joined

  • Last visited

Posts posted by sari


  1. Chrissie,

    That looks good. Just a little clean up, and you should be ready to go.

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      CF_Cleanup.png

    You can also delete the smitfraudfix program we installed at the beginning.

    Now lets Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

    Turn OFF System Restore.

    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.

    Restart your computer.

    Turn ON System Restore.

    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.

    System Restore will now be active again.

    Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

    Automatic Updates for Windows

    • Click Start.
    • Select Settings and then Control Panel.
    • Select Automatic Updates.
    • Click Automatic (recommended)
    • Choose a day and a time when you know the computer will be on and connected to the internet.
    • Click Apply then OK.

    In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 7). Once downloaded, install it and then Reboot your computer.

    It is most important that you also uninstall older versions of Java.

    • Click Start, Control Panel, Add/Remove Programs.
    • Delete all Java updates except Java 6 Update 7

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

    1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    5. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    6. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    sari


  2. Chrissie,

    That looks better - I'm going to have you run an online virus scanner just as a final check.

    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases

    [*]Click on My Computer under Scan.

    [*]Once the scan is complete, it will display the results. Click on View Scan Report.

    [*]You will see a list of infected items there. Click on Save Report As....

    [*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

    [*]Please post this log in your next reply.

    Upgrading Java:

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.(Vista users, right cklick on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")


  3. Chrissie,

    It looks like those runs cleaned up a lot of the issues.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll

    Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    genadmui

    Please note any other programs that you dont recognize in that list in your next response

    Please delete these folders using Windows Explorer(if present):

    C:\Program Files\gehndkd

    After that, Reboot.

    Please post a new hijackthis log.


  4. Chrissie,

    First, I want to verify that what you're dragging looks like this:

    RC1-4.gif.

    Second, let's delete your version of Combofix and download a newer one.

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1

    Link 2

    Link 3

    **Note: It is important that it is saved directly to your desktop**

    Once it's saved, drag the recovery console to it again, and report back here.

    Thanks,

    sari


  5. Chrissie,

    I would really like for the recovery console to be installed. While I don't anticipate that we'll need it, there are still a number of infected files present. Would you please try dragging the recovery console file over to Combofix again? If you're asked to accept any EULAs by Microsoft, please accept them - it's a just a license agreement for the recovery console software. Once you've completed that, re-run combofix and post the log.

    Thanks,

    sari


  6. Chrissie,

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt

    New HijackThis log.

    sari


  7. Chrissie,

    Hi, and welcome to Besttechie.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    sari


  8. cirobest,

    Welcome to Besttechie. I apologize for the wait - I hope you're still checking. You have something called Lop, and I can help you with it.

    Disable your Avast anti-virus; you'll re-enable it after the scan

    Download Lop S&D < here

    Double-click Lop S&D.exe

    Choose the language, then choose Option 1 (Search)

    Wait till the end of the scan

    Post the log which is created: (%SystemDrive%\lopR.txt)

    sari


  9. samuel3838,

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.

    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Thanks,

    sari


  10. Panda08,

    You had an infection called Wareout, that redirects your browser to other sites and generally interferes with how your PC runs. Most viruses, spyware, etc., interfere with the performance of the PC, so I'm not surprised yours was running much faster after that - it was the primary infection on your PC.

    I'd like you to follow some directions to install what's called the Recovery Console. This isn't to clear up anything you have; it's more of a safety measure. We're seeing more cases of nasty viruses that can prevent PCs from booting up, and having this installed could help you out in the future.

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System.

    Download the file & save it as it's originally named, next to ComboFix.exe.

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.

    Once that's done, we'll clean up the tools we used and you can go on your way, malware-free!

    sari


  11. Panda08,

    1. Please open Notepad

    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Registry::

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bae4c772-d259-11dc-a4eb-001636010070}]

    [-HKEY_CLASSES_ROOT\CLSID\{bae4c772-d259-11dc-a4eb-001636010070}]

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

    • Combofix.txt
    • A new HijackThis log.

    Let me know how things are running.

    sari


  12. Panda08,

    It appears that you've been infected with a flash drive virus - these get into your computer by USB devices such as thumb drives. We have a little tool to run for that one.

    • 1 - Flash Drive Disinfector
      Download Flash_Disinfector.exe by sUBs from
    >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    Now, to be sure that there's nothing else hiding, please do the following:

    Download ComboFix from Here or Here

    or Here

    to your Desktop.

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

    Post the results from the combofix log.

    sari


  13. Panda08,

    That looks better. There are no visible signs of infection, but I'd like to have you run an online virus scan.

    Please do an online scan with Kaspersky WebScanner

    Click on Accept

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT

    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:

      • Extended (if available otherwise Standard)

      • Scan Options:

      • Scan Archives
        Scan Mail Bases

      [*]Click OK

      [*]Now under select a target to scan:

      • Select My Computer

      [*]This will program will start and scan your system.

      [*]The scan will take a while so be patient and let it run.

      [*]Once the scan is complete it will display if your system has been infected.

      • Now click on the Save as Text button:

      [*]Save the file to your desktop.

      [*]Copy and paste that information in your next post.

    Thanks,

    sari


  14. Panda08,

    You definitely still have some signs of infection in your log.

    Please download FixWareout from here:

    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

    The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

    Thanks,

    sari


  15. samuel3838,

    I'm going to help answer some of your questions here.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) <--------- why?? ******

    That line was part of Live Messenger. Did you uninstall it? If you did, then the file is no longer present on your PC, but the registry entry remains. This isn't malicious - it's just leftovers.

    I could offer more assistance for the filenames that look odd, but you'd have to re-enable them in msconfig so that I can see them - they don't show up in your hijackthis log if they're disabled from startup.

    What kind of popups are you getting?

    sari


  16. Marco,

    My turn to apologize for the delay - last week's holiday really put me behind.

    It's possible that since your anti-virus had expired, it wasn't up-to-date with definitions, and downloading a new one gave you more current protection. You definitely had some nasty files that the last round with combofix should have also cleared up.

    How is everything still running? No more popups or anything?

    sari


  17. Marco,

    That was helpful in finding some information. I have a different fix for you to run now.

    Open a new Notepad file, then "Copy/Paste" the text in the Codebox below into it (including the URL up top):

    http://www.besttechie.net/forums/index.php?showtopic=12807

    Collect::
    C:\WINDOWS\system32\tyekjvcbnm.exe

    Suspect::
    C:\WINDOWS\bnetunin.exe
    C:\WINDOWS\diabswun.exe

    File::
    C:\WINDOWS\system32\vcmon.exe

    Folder::
    C:\Program Files\Video Add-on

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rsy32"=-
    "NapsterShell"=-

    Driver::
    Windows Security Manager

    Save this as CFScript.txt on your Desktop.

    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    ComboFix will run.

    Additonally, ComboFix will generate the following files on your Desktop :

    • A zipped file on your desktop called Submit [Date Time].zip
    • And another file named - CF-Submit.htm

    ComboFix may need to reboot to finish its work. Let it.

    When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

    Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

    Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window :

    • Click the "Browse" button and locate the Submit [Date Time].zip file on your Desktop.
    • Click on the file to Select it.
    • Submit the file by clicking "OK"

    Once the file has been submitted, you may DELETE both files on your Desktop.

    Post the following reports/logs into your next reply:

    - Combofix.txt

    - A new HijackThis log

    Thanks,

    sari


  18. Marco,

    I've had a couple of experts look at this, and we're a little confused as to why it won't run, especially since it did before. I'm going to have you run a different program to see if it cleans anything up and shows us some additional information.

    Download ComboFix from Here to your Desktop.

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

    Thanks,

    sari


  19. Marco,

    I have a couple of things for you to do.

    Please download Navilog1 by IL-MAFIOSO:

    http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

    * Extract its contents to the desktop.

    * Double click on navilog1.exe to install it on your computer.

    * When the installation is complete, the tool will start automatically.

    * If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.

    * Press E for English from the language Menu.

    * Type 1 in the next Menu to select Search and press Enter.

    * Wait for the Scan to finish (It may take a reasonable amount of time)

    * Press any key as requested .

    * A new document will be produced: fixnavi.txt.

    * Please copy/paste the contents of this report in your next reply.

    The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Now, it may be that the Activescan deleted part of your Combofix. Please download it again, then follow the directions below:

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Please include the fixnavi.txt, the sdfix log, the smitfraudfix log, and a new hijackthis log in your reply.

    thanks,

    sari