Sponsored By

tj416

Members
  • Content count

    49
  • Joined

  • Last visited

About tj416

  • Rank
    Full Member
  • Birthday 04/16/91

Contact Methods

  • Website URL
    http://www.spywaretimes.com/
  • ICQ
    0
  1. Hi DocAlucard, Thanks for submitting the files! Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  2. Hi DocAlucard, CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES Please go here: The Spy Killer Forum Click on "New Topic" Put your name, e-mail address, and this as the title: "Trojan-Downloader.Win32.Delf.pa files" Put a link to this topic in the description box. Then next to the file box, at the bottom, click the browse button, then navigate to this file:C:\WINNT\g11046554.dll [*]Click Open. [*]Repeat the above two steps for these files too: C:\WINNT\SYSTEM32\pmnmnno.dll C:\WINNT\SYSTEM32\windpk32.dll C:\WINNT\system32\admparsek.dll C:\WINNT\system32\compstuic.dll [*]Click Post. Thank you!
  3. Hi lolocaust, Sorry for the delayed reply, I seemed to have missed this topic. Please post a fresh HijackThis log and I will have a look at it ASAP.
  4. Thanks everybody!! I had a great day
  5. Hi lolocaust, I'd like to see a fresh HijackThis log because a lot could have changed since my last post. Legacy 6.0 looks Ok to me. Is there any paticular reason that you think it is dangerous?
  6. Hi lolocaust, CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES Please go here: The Spy Killer Forum Click on "New Topic" Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\rcnoke\csrss.exe" Put a link to this Besttechie topic in the description box. Then next to the file box, at the bottom, click the browse button, then navigate to this file:C:\WINDOWS\system32\rcnoke\csrss.exe (If you can't find the file, skip this step and proceed to the next step) [*]Click Open. [*]Click Post. Then, download and run CWShredder: Download CWShredder. Save CWShredder.exe to a convenient location. Double-click on CWShredder.exe. Click "Fix ->" and click "OK" at the prompt. CWShredder will scan and clean your system of CWS files. Click "Next->" and then "Exit". Then, please download Brute Force Uninstaller. Unzip it to it’s own folder (c:\BFU) RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU). Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe In the scriptline to execute field copy and paste c:\bfu\p2pnetwork.bfu Press execute and let it do it’s job. Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Then, go to Add/Remove Programs and uninstall (if present): IST Service Then please run HijackThis, click Scan, and check the following: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe O15 - Trusted Zone: *.coolwebsearch.com Close all open windows and click Fix Checked. Then, reboot in Safe mode. To reboot in Safe mode: Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. Then, delete this file: C:\WINDOWS\system32\454f66a6.exe Then, delete these folders (if present): C:\Program Files\ISTsvc C:\WINDOWS\system32\rcnoke Then, clean out temporary files: Start | Run | type cleanmgr | OK Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Click "OK" to remove them. Click "Yes" to confirm the deletion. Then, reboot (in the normal mode). Then, please go HERE to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Then, open Hijackthis, click "Open the Misc Tools section" Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections (complete). Then click "Generate StartupList log" Click "Yes" to the box that pops-up. Then copy and paste the notepad text that appears to this topic and also post your ActiveScan report and also a fresh HijackThis log in this thread.
  7. Hi lolocaust, Please post a fresh HijackThis log.
  8. Hi lolocaust, Let us try this again.... Please download MsnVirRem (Either zip or self extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem DO NOT RUN ANYTHING IN IT YET Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. In the new MsnVirRem folder, that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up, Let it run until it disappears. It will take time to scan your machine. After it disappears, reboot back into normal mode, and post a fresh HijackThis Log.
  9. Hi lolocaust, Post a HijackThis log.
  10. Hi lolocaust, Please download MsnVirRem (Either zip or self extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem DO NOT RUN ANYTHING IN IT YET Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. In the new MsnVirRem folder, that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up, Let it run until it disappears. It will take time to scan your machine. After it disappears, reboot back into normal mode, and post a fresh HijackThis Log and contents of C:\vundofix.txt in this thread using the "Add Reply" button.
  11. Hi lolocaust, Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  12. Hi ampshock, Don't forget to re-hide all files and folders. To re-hide all files and folders: Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading deselect "Show hidden files and folders". Check the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. To prevent re-infection in the future: I suggest you download Spyware Blaster to prevent the installation of Spyware in the first place. IE-Spyad puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all and I suggest you download it. Another excellent program I recommend is SpywareGuard. It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. I recommend that you read a thead titled So how do I get infected in the first place? by Tony Klein which informs you on how to tighten the security of your PC. Take care, TJ
  13. Hi ampshock, Your log looks clean. How is everything running?
  14. Hi ampshock, You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Go to Add/Remove Programs and uninstall (if present): winsupdater winupdates ISTsvc DNS Then, open HijackThis, run a scan and check these items: O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll O4 - HKLM\..\Run: [] winlog.exe O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto O4 - HKLM\..\Run: [aXRcE] C:\WINDOWS\xwwebhfa.exe O4 - HKLM\..\Run: [KmeOkbvF5] C:\WINDOWS\sudfpt.exe O4 - HKLM\..\Run: [KmeOkbvùõš/‚²‘ÆßfÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe O4 - HKLM\..\Run: [ó# ë"h'þ9ÓœW3rÅ°WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto O4 - HKLM\..\RunServices: [] winlog.exe O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked. Then, reboot in Safe mode. To reboot in Safe mode: Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. You will need to configure Windows XP to show all files and folders. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Then, delete these files: C:\Program Files\Common Files\mc-58-12-0000140.exe C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe C:\Program Files\Common Files\Windows\services32.exe C:\Program Files\Common Files\services.exe C:\WINDOWS\xwwebhfa.exe C:\WINDOWS\sudfpt.exe Then, search for this file and delete it: winlog.exe Thesn, delete these folders: C:\Program Files\winsupdater C:\Program Files\winupdates C:\Program Files\ISTsvc C:\Program Files\DNS Then, clean out temporary files: Start | Run | type cleanmgr | OK Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Click "OK" to remove them. Click "Yes" to confirm the deletion. Then, reboot (in the normal mode) and post a fresh log in this thread.
  15. Hi ampshock, Since HijackThis does not scan the entire system and only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you run a full system scan tool like an online virus scan, Ad-aware SE and Spybot S&D. I would like to START with those steps and finish the cleanup of strays or undetected items with HJT. I have provided instructions on how to run scans with a Online virus scanner, Ad-aware SE and Spybot S&D in this post. 1) Run one of these Online virus scanners: Housecall Panda RAV Anti-virus Online eTrust Anti-virus Scanner 2) Download, install, update and run a scan with Spybot S&D: Download and Install Spybot S&D, accepting the Default Settings. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it. Close ALL windows except Spybot S&D Click the button to ‘Search for Updates’ and then download and install all available Updates. Next click the button ‘Check for Problems’ When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window. Make certain there is a check mark beside all of the RED entries ONLY. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries. REBOOT to complete the scan and clear memory. 3) Download, install, update, configure and run a scan with Ad-aware SE: Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan. Close ALL windows except Ad-Aware SE. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window: In the ‘General’ window make sure the following are selected in green: Under Safety:Automatically save log-file Automatically quarantine objects prior to removal Safe Mode (always request confirmation) [*]Under Definitions: Prompt to update outdated definitions - set the number of days [*]Click on the ‘Scanning’ button on the left and select in green : Under Driver, Folders & Files:Scan Within Archives [*]Under Select drives & folders to scan: choose all hard drives [*]Under Memory & Registry: all green Scan Active Processes Scan Registry Deep Scan Registry Scan my IE favorites for banned URL’s Scan my Hosts file [*]Click on the ‘Advanced’ button on the left and select in green: Under Shell Integration:Move deleted files to recycle bin [*]Under Logfile Detail Level: (all green) include addtional object information DESELECT - include negligible objects information include environment information [*]Under Alternate Data Streams: Don't log streams smaller than 0 bytes Don't log ADS with the following names: CA_INOCULATEIT [*]Click the ‘Tweak’ button and select in green: Under ‘Scanning Engine’:Unload recognized processes during scanning Scan registry for all users instead of current user only [*]Under ‘Cleaning Engine’: Let Windows remove files in use at next reboot [*]Under Log Files: Include basic Ad-aware SE settings in logfile Include additional Ad-aware SE settings in logfile Please do not check: Include Module list in logfile [*]Click on ‘Proceed’ to save the settings. [*]Click ‘Start’ [*]Choose 'Perform Full System Scan' [*]DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. [*]Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. [*]If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window [*]Save the log file when it asks and then click ‘Finish’ [*]REBOOT to complete the removal of what Ad-Aware SE found. 4) Prepare in your reply: A fresh HijackThis log.