Nirvana

Trusted Malware Techs
  • Content Count

    162
  • Joined

  • Last visited

About Nirvana

  • Rank
    Member
  • Birthday 11/01/1963

Profile Information

  • Location
    Milton Keynes, U.K.

Previous Fields

  • System Specifications:
    AMD Athlon, 1467MHz Memory 512MB RAM Video NVIDIA RIVA TNT2 Model 64/Model 64 Pro Internet MSIE 6.0 Windows XP SP2 Bulldogadsl 2.2 Mbps

Posts

  1. Since this issue appears to be resolved, this topic will be closed.
  2. You're all clean now. We're gonna purge System Restore now to get rid of those remaining in System Volume Information.
     1. On the Desktop, right-click My Computer.
     2. Click Properties.
     3. Click the System Restore tab.
     4. Check Turn off System Restore.
     5. Click Apply, and then click OK.
     6. Restart the computer.
     7. Follow steps 1 to 3 again, then uncheck Turn off System Restore.
     When you are sure you are clean, create a restore point. To create a restore point: Single-click Start and point to All Programs. Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.
     You should also read Tony Klein's article on "How I got Infected in the First Place": http://castlecops.com/postlite7736-.html
  3. Ok, please reboot your computer in Safe Mode by doing the following:
     1) Restart your computer.
     2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
     3) Instead of Windows loading as normal, a menu should appear.
     4) Select the first option, to run Windows in Safe Mode.
     For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
     Next, navigate to and delete the following:
     C:\!KillBox\ <-------- Delete the contents of this folder.
     C:\Documents and Settings\Peter.PETERS-COMPUTER\.housecall\Quarantine\ <-------- Delete the contents of this folder.
     C:\Documents and Settings\Peter.PETERS-COMPUTER\Desktop\My Folder\Cleanups\Protectors\backups\ <-------- Delete the contents of this folder.
     C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\gjhz.exe <-------- Delete this file.
     C:\Program Files\wmplayer\p.zip <-------- Delete this file.
     C:\Program Files\Jalmp\uninstall.exe <-------- Delete this file.
     C:\Program Files\Network\network.exe <-------- Delete this file.
     C:\WINDOWS\$NtServicePackUninstall$\telnet.exe <-------- Delete this file.
     C:\WINDOWS\Downloaded Program Files\popcaploader.dll <-------- Delete this file.
     C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56T0311NetInstaller.exe <-------- Delete this file.
     C:\WINDOWS\Downloaded Program Files\UWFX5_0001_NI530211NetInstaller.exe <-------- Delete this file.
     Same again for all of the following:
     C:\WINDOWS\emruqfbA.exe
     C:\WINDOWS\hh32SPorms.exe
     C:\WINDOWS\inst_adperform.exe
     C:\WINDOWS\ms030734576.exe
     C:\WINDOWS\ms646464.exe
     C:\WINDOWS\NDNuninstall6_38.exe
     C:\WINDOWS\NDNuninstall7_22.exe
     C:\WINDOWS\nsw.log:xgcnko:$DATA
     C:\WINDOWS\nts-32orhh.exe
     C:\WINDOWS\offun.exe
     C:\WINDOWS\pf78.exe/data0002
     C:\WINDOWS\pf78.exe/data0003
     C:\WINDOWS\pf78.exe/data0006
     C:\WINDOWS\pf78.exe/data0007
     C:\WINDOWS\pf78.exe
     C:\WINDOWS\pms111x.exe
     C:\WINDOWS\River Sumida.bmp:brcry:
     C:\WINDOWS\setuperr.log:ddxewo:
     C:\WINDOWS\SPhhhh.exe
     C:\WINDOWS\SPPE6464hh.exe
     C:\WINDOWS\SYSTEM32\awtsp.dll
     C:\WINDOWS\SYSTEM32\bkauk.dat
     C:\WINDOWS\SYSTEM32\btxmvmrq.dll
     C:\WINDOWS\SYSTEM32\ddsvdjc.exe
     C:\WINDOWS\SYSTEM32\episgovq.dll
     C:\WINDOWS\SYSTEM32\isjqmhvu.dll
     C:\WINDOWS\SYSTEM32\jgddolvi.dll
     C:\WINDOWS\SYSTEM32\lacginib.dll
     C:\WINDOWS\SYSTEM32\msSP.exe
     C:\WINDOWS\SYSTEM32\pnopnia.dll
     C:\WINDOWS\SYSTEM32\pre2.exe
     C:\WINDOWS\SYSTEM32\rciacp.exe
     C:\WINDOWS\SYSTEM32\rjpabanu.dll
     C:\WINDOWS\SYSTEM32\rwemw.dll
     C:\WINDOWS\SYSTEM32\ssjfmjhn.dll
     C:\WINDOWS\SYSTEM32\synt.exe
     C:\WINDOWS\SYSTEM32\titno.exe
     C:\WINDOWS\SYSTEM32\vhdytrxj.dll
     C:\WINDOWS\SYSTEM32\wtqyqeud.dll
     C:\WINDOWS\SYSTEM32\xytrubee.dll
     C:\WINDOWS\telnet.exe
     C:\WINDOWS\unin101.exe
     C:\WINDOWS\uni_eh.exe
     C:\WINDOWS\winsysban8.exe
     If you have problems deleting any of the files listed, use Killbox as before. When you're done, reboot into normal mode and scan again with Kaspersky and HijackThis and give us two new logs and an update on the machine's behaviour.
  4. Fix this line again:
     O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
     See if this file is still present: C:\WINDOWS\system32\rciacp.exe If it is, then delete it. Is that folder still gone? If so, can you try to run Kaspersky again and see if you can post the log. If you still can't, then e-mail it to me at kangaroopooATgmail.com. Post another logfile and let us know what problems remain; if you're still getting popups, what is their nature?
  5. Download and run Ad-Aware. For best results follow the tutorial. Reboot your machine afterwards. See if that folder will stay deleted now and post another HijackThis log.
  6. Oops! Try here: http://www.ccleaner.com/ccdownload.asp
  7. Fix this one again using HijackThis:
     O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
     Next, download, unzip and launch the KillBox: http://www.downloads.subratam.org/KillBox.zip
     Select "Delete on Reboot". Copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C:
     C:\WINDOWS\wgtaojnA.exe
     C:\Program Files\outlook\outlook.exe
     C:\Program Files\Common Files\fmoq\fmoqm.exe
     C:\WINDOWS\system32\rciacp.exe
     C:\WINDOWS\system32\loader.exe
     Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.
     Download CCleaner from here. Once installed, run CCleaner then tick the following:
     Next: click Options, click the Advanced tab. Uncheck "Only delete files older than 48 hrs", click OK. Then click Run Cleaner (bottom right); when it finishes scanning, click Exit. N.B. Run CCleaner on all user accounts on the PC. Then scan with Kaspersky again and see if you can paste the log; if not, you can attach it to your post, look for the 'file attachments' box below your reply box.
  8. Restart HijackThis and put checks next to the following, close all browser windows (including this one), then click on 'Fix Checked':
     R3 - Default URLSearchHook is missing
     O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
     O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
     O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames9.exe
     O4 - HKLM\..\Run: [] p2pnetworking.exe
     O4 - HKLM\..\Run: [wgtaojnA] C:\WINDOWS\wgtaojnA.exe
     O4 - HKLM\..\Run: [loader.exeSetup.exeR] C:\WINDOWS\system32\loader.exeSetup.exeR
     O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
     O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
     O4 - HKLM\..\RunServices: [winlog] winlog.exe
     O4 - HKLM\..\RunServices: [] p2pnetworking.exe
     O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
     O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
     O4 - HKCU\..\Run: [fmoq] C:\PROGRA~1\COMMON~1\fmoq\fmoqm.exe
     Set Windows to show hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. You should reverse these settings when we have you cleaned up.
     Next, please reboot your computer in Safe Mode by doing the following:
     1) Restart your computer.
     2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
     3) Instead of Windows loading as normal, a menu should appear.
     4) Select the first option, to run Windows in Safe Mode.
     For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
     Navigate to and delete the following files:
     C:\windows\winsysban9.exe <-------- Delete this file.
     C:\WINDOWS\wgtaojnA.exe <-------- Delete this file.
     C:\Program Files\wmplayer\wmplayer.exe <-------- Delete this file.
     C:\Program Files\outlook\outlook.exe <-------- Delete this file.
     C:\Program Files\Common Files\VCClient\VCClient.exe <-------- Delete this file.
     C:\Program Files\Common Files\VCClient\VCMain.exe <-------- Delete this file.
     C:\Program Files\Common Files\fmoq\fmoqm.exe <-------- Delete this file.
     C:\WINDOWS\system32\p2pnetworking.exe <-------- Delete this file.
     C:\WINDOWS\system32\rciacp.exe <-------- Delete this file.
     C:\WINDOWS\system32\loader.exe <-------- Delete this file.
     C:\WINDOWS\system32\Setup.exe <-------- Delete this file.
     Use Start | Search to find and delete winlog.exe
     Boot back into normal mode.
     Please do an online scan with Kaspersky WebScanner. Click on Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT. Now click on Scan Settings. In the scan settings make sure that the following are selected: Scan using the following Anti-Virus database: Extended (if available, otherwise Standard). Scan Options: Scan Archives, Scan Mail Bases. Click OK. Now under select a target to scan: Select My Computer. This program will start and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button. Save the file to your desktop. Copy and paste that information in your next post along with a new HijackThis log.
  9. O.K. We've gotten rid of one nasty, let's tackle the others: Please download VirtumundoBeGone from here: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe Save it to your Desktop. Close all running programs (including your Internet Browser). Double-click VirtumundoBeGone.exe on the desktop. Follow the directions as indicated. Please note that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens. When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply along with a new HijackThis log.
  10. Hi Peter. Please download Look2Me-Destroyer.exe by Atribune to your desktop. Close all windows before continuing. Double-click Look2Me-Destroyer.exe to run it. Put a check next to Run this program as a task. You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal. Once it's done scanning, click the Remove L2M button. You will receive a Done Scanning message, click OK. When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK. Your computer will then shutdown. Turn your computer back on. Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. If you receive a message from your firewall about this program accessing the internet please allow it. If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
  11. Because when you fix, you learn... No?
  12. You're welcome. It's a good idea to flush your System Restore after ridding yourself of malware:
      1. On the Desktop, right-click My Computer.
      2. Click Properties.
      3. Click the System Restore tab.
      4. Check Turn off System Restore.
      5. Click Apply, and then click OK.
      6. Restart the computer.
      7. Follow steps 1 to 3 again, then uncheck Turn off System Restore.
      When you are sure you are clean, create a restore point. To create a restore point: Single-click Start and point to All Programs. Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.
      To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster, SpywareGuard and IE/Spyad. SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts. More info and download is available at:
      SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
      SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
      IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free. More info and download is available at:
      IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
      Click here to make sure that you have the latest patches for Windows. Click here to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks.
      You may also want to read Tony Klein's article on "How I got Infected in the First Place": http://forums.net-integration.net/index.php?showtopic=3051
  13. Cali, everything looks fine to me. If you're not having any issues you're good to go. If you are having issues, please specify....
  14. Does ZoneAlarm give you a warning that those files are trying to get access to the internet? What exactly is ZoneAlarm telling you? Is Ad-Aware finding anything?
  15. These files need to be deleted:
      C:\windows\ahadp.exe
      C:\windows\system32\angelex.exe
      C:\windows\system32\ap9n4qmo.exe
      wmiprvs.exe <-------- Check the spelling on this one; wmiprvse.exe (with an 'e' on the end) is valid.
      Then scan with Ad-Aware again and have it fix anything it finds. Are you still having issues?
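The O4 entries fixed in post 8 and the wmiprvs.exe versus wmiprvse.exe spelling check in post 15 are the same judgement applied by hand: does this autorun point where a real program would live, and is its name what it claims to be. The Python below is an added example of that triage over HijackThis O4 lines; it is not code from Nirvana's posts, from HijackThis or from any tool named on the page. The sample log is constructed from entries quoted in post 8 plus one lookalike of the post 15 kind, and the KNOWN_BINARIES table of expected install locations, the edit-distance threshold of 2 and the "bare file name" heuristic are my assumptions. It only flags entries for a person to look at; it does not decide that anything is malware.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not a real log): O4 lines modelled on the entries
# quoted in post 8, one lookalike of the kind flagged in post 15, and one
# clean-looking control entry on the last line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [fmoq] C:\PROGRA~1\COMMON~1\fmoq\fmoqm.exe
O4 - HKLM\..\Run: [wmi] C:\WINDOWS\system32\wmiprvs.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
"""

# Assumed table (mine, not from the page): where a handful of well-known
# Windows XP binaries legitimately live. A file with one of these names in any
# other directory, or a name one or two edits away from one of them, is the
# kind of entry the posts above keep sending people to delete.
KNOWN_BINARIES = {
    "wmiprvse.exe": r"c:\windows\system32\wbem",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "wmplayer.exe": r"c:\program files\windows media player",
}

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass
class Finding:
    line: str
    name: str
    image: str
    reasons: list[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Return the executable part of a command line.

    HijackThis prints paths with spaces unquoted, so the first '.exe' ends
    the path; anything after it is treated as arguments."""
    cmd = cmd.replace('"', "").strip()
    m = re.match(r"(?i)^(.*?\.exe)(?:\s+.*)?$", cmd)
    return m.group(1) if m else cmd.split()[0]


def analyze_o4(log_text: str) -> list[Finding]:
    """Triage hints for O4 entries; every hit still needs an analyst's eyes."""
    findings = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        norm = image_path(m["cmd"]).replace("/", "\\").lower()
        directory, _, image = norm.rpartition("\\")
        f = Finding(raw.strip(), m["name"], image)
        if not m["name"]:
            f.reasons.append("empty value name")
        if not directory:
            f.reasons.append("bare file name, resolved through the PATH search order")
        if image in KNOWN_BINARIES:
            if directory != KNOWN_BINARIES[image]:
                f.reasons.append(f"{image} outside {KNOWN_BINARIES[image]}")
        else:
            for legit in KNOWN_BINARIES:
                if 1 <= edit_distance(image, legit) <= 2:
                    f.reasons.append(f"lookalike of {legit}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f"[{f.name or '(no name)'}] {f.image}: {'; '.join(f.reasons)}")
```

On the sample it flags four of the seven lines: wmplayer.exe living outside the Windows Media Player directory, the nameless p2pnetworking.exe entry, winlog.exe (a bare name two edits from winlogon.exe) and wmiprvs.exe (one edit from wmiprvse.exe). The rciacp.exe and fmoqm.exe entries that the posts also remove pass every heuristic here, which is the caveat: a random eight-letter name in system32 looks like nothing in particular, and that is exactly why the posts ask for a fresh scan and log after each round rather than trusting a list.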