sari

Members
  • Content Count

    105
  • Joined

  • Last visited

Everything posted by sari

  1. damian, Your log is clean now - how are things running? You'll have no sanity left after your twins are born! Congratulations on that! sari
  2. I'm going to ask the author of the program - I haven't seen this before.
  3. Marco, I just re-read my instructions and realized they're outdated. Smitfraudfix is an executable file - you should just be able to doubleclick on the icon to run it. Then you get a message about joedanger not being involved with the program, and are asked to press any key to continue. Is that what happens? What do you mean by your computer gets blocked? sari
  4. damian, Sorry about that. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing) O2 - BHO: (no name) - {D5F55E01-73FA-4DED-905A-96C1FCF615A1} - C:\WINDOWS\System32\pjdg.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing) Now close all windows other than HiJackThis, then click Fix Checked. I have 2 teenage girls (and no sanity left). sari
  5. damian, I'm sure there are people that would say I'm no angel! My kids, especially. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. HJT Entries go here Now close all windows other than HiJackThis, then click Fix Checked. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Please post a new hijackthis log and let me know how things are running. sari
  6. marco, You had a new variant of smitfraud that the tool didn't get. I notified the developer and he updated it last night. I'd like you to delete your current version of smitfraudfix. Please download SmitfraudFix (by S!Ri) to your Desktop. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Thanks, sari
  7. damian, That cleaned up a lot of nasty files. May I please see a new hijackthis log? Thanks, sari
  8. damian, Download ComboFix from Here or Here to your Desktop. Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall Thanks, sari
  9. damian, Hello, and welcome to Besttechie.net. Your log tells me that Spybot has been trying to delete files on reboot, but either you haven't rebooted or it's not been able to do so. I believe you also have a vundo infection. Please do the following for me: Go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, right click on it, and rename it to hjt.exe. Please scan again and post the new hijackthis log for me. Thanks, sari
  10. Marco, Hi, and welcome to Besttechie.net. You have a few problems in your log, so let's get you cleaned up. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work. Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send If it wants to install an ActiveX component allow it Select either Home User or Company Click the big Scan Now button It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. Please post the rapport.txt, the Activescan report, and a new hijackthis log in your reply. Thanks, sari
  11. Kohu, Your log is clean now. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well. SpywareBlaster - Great prevention tool to keep nasties from installing on your system. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. [ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows. To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. Thanks, sari
  12. happyheart, I'm sorry for the late reply. I've been busy this week. Your log is clean. I'm not sure about the Yahoo issue. I've done some research on that and haven't found anything at all about that issue. Is it still happening? My concern is that Spywarebot deleted some important files, and it may be necessary to repair your Windows installation.
  13. Kohu, The AVG scan seems to have taken care of your problems - there are only a few minor cleanup items in your log now. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode. Please delete these files using Windows Explorer(if present): C:\WINDOWS\ALCXMNTR.EXE After that, Reboot. Please post a new hijackthis log and let me know how things are running. Thanks, sari
  14. Ramesh, Hello, and welcome to Besttechie. I'm going to have you run a program called vundofix, which is written specifically to remove vundo. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Thanks, sari
  15. happyheart, Hello, and welcome to Besttechie. You do indeed still have infections, so I'm going to help you clean up. For the record, Spywarebot is not an application I would recommend - there are better ones out there, and Spywarebot is considered by many to be a rogue application, because it plays on the name of Spybot Search and Destroy. Please go to Uploadmalware to upload a suspicious file for analysis. Enter your username from this forum Copy and paste the link to this thread Browse for this filename: C:\WINDOWS\System32\vssrprxy.exe In the comments, please mention that I asked you to upload this file Click on Send File Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O4 - HKLM\..\Run: [yfdhyyrbwck] C:\WINDOWS\System32\aqoidi.exe O4 - HKLM\..\Run: [XfkLnlP4] C:\documents and settings\victoria summers\local settings\temp\XfkLnlP4.exe O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM\..\Run: [GzK] C:\documents and settings\victoria summers\local settings\temp\GzK.exe O4 - HKLM\..\Run: [AutoLoader7F7r1RIgZdaZ] "C:\WINDOWS\System32\vssrprxy.exe" /HideUninstall /PC="AM.WILD" O4 - HKLM\..\Run: [9a8954b8680d] C:\WINDOWS\System32\AC3API42.exe O4 - HKLM\..\Run: [7soX3FV] vssrprxy.exe O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Wryu.exe O4 - HKCU\..\Run: [MB77RPZqe] stcrsfr.exe O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Show Hidden Files * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. * Under the Hidden files and folders heading select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. Please remove these entries from Add/Remove Programs in the Control Panel(if present): Weboffer Spywarebot Please note any other programs that you dont recognize in that list in your next response Please delete these folders using Windows Explorer(if present): C:\Program Files\SpywareBot C:\Program Files\Web Offer Please delete these files using Windows Explorer(if present): C:\WINDOWS\System32\aqoidi.exe C:\documents and settings\victoria summers\local settings\temp\XfkLnlP4.exe C:\documents and settings\victoria summers\local settings\temp\GzK.exe C:\WINDOWS\System32\vssrprxy.exe C:\WINDOWS\System32\AC3API42.exe C:\WINDOWS\System32\Wryu.exe stcrsfr.exe <--- You'll have to search for this file, but it may be in either c:\windows or c:\windows\system32 Hide Hidden Files * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. * Under the Hidden files and folders heading select Do Not Show hidden files and folders. * Check the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. After that, Reboot. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. 1. Download ComboFix.exe using either of these links: * bleepingcomputer.com * techsupportforum.com 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Thanks, sari
  16. hs_gram, Yes, please - I promise there's nothing malicious here, but because they're executable files, they sometimes get flagged. sari
  17. hs_gram, Hi, and welcome to Besttechie. I'm going to help you clean up your PC. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Thanks, sari
  18. Kohu, Hi, and welcome to Besttechie. You do indeed have a few different infections in your log. Let's get you cleaned up, and then I suggest you ban your brother from your computer. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files. On the main screen select the icon "Update" then select the "Update now" link.Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. [*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. [*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine". [*]Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a new hijackthis log. Please post the contents of C:\vundofix.txt, the AVG Anti-Spyware report, and a new HiJackThis log. Thanks, sari
  19. elearct, I'm sorry - since you had run the program, I assumed you would still have it on your desktop. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. From that point, you can follow the rest of the directions in my first post. sari
  20. elearct, Hello, and welcome to the Besttechie forums. You are indeed infected, so let's get you cleaned up. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work. Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send If it wants to install an ActiveX component allow it Select either Home User or Company Click the big Scan Now button It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. Please post the contents of rapport.txt, the Activescan report, and a new hijackthis log in your next post. Thanks, sari
  21. tman70, You can just delete the programs I had you download. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file) Now close all windows other than HiJackThis, then click Fix Checked. That's just a leftover, but no point in leaving it in there. I'm glad everything is good now - it's not fun thinking your PC is compromised like that. I'm glad I could be of assistance. sari
  22. sari

    Happy Birthday Jeff!

    Happy Birthday, Jeff!
  23. tman, Sure. I want to clear all the network equipment of any existing IP addresses.
  24. tman70, What we're going to do is reset your network information, especially your DNS servers. The following line appears to be redirecting you: O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74 If I look up that address, it appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address. This is what I'd like you to do. You may want to print these instructions, as I'm going to have you go offline for part of the fix. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74 Now close all windows other than HiJackThis, then click Fix Checked. I'm going to want you to shut off your router and your PCs for a while - at least an hour. Before you do, however, I need you to do the following on each PC: Go to Start > Run and type cmd. Type ipconfig /flushdns and hit enter. Shut off your PCs. When you turn them back on, repeat the above command. Then type: ipconfig /renew That will get new network addresses for you. I know your PC is ok, but I'd rather clear them both and your router to be on the safe side. After you've done that, please post a new hijackthis log and let me know if you can access Paypal properly on your son's machine. Also, could you ask your son what files, if any, he deleted? I'd be curious to know if there was something he could pinpoint that might have been the source of this. If you have any questions about my instructions, please ask before you follow them. Thanks, sari
  25. tman, Several questions for you. 1) Is this computer networked, and do you have a router 2) Is Comcast your ISP? I have some things for you to try - I'm putting them together in a response right now. However, there is a suspicious IP address that might be the source of your issue. sari