essexboy

Trusted Malware Techs
  • Content Count: 752

Everything posted by essexboy

  1. Now the best part of the day ----- Your log now appears clean :thumbsup:
     You may now delete Combofix and AVZ.
     Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:
     1. Select Start > All Programs > Accessories > System Tools > System Restore.
     2. On the dialogue box that appears select Create a Restore Point.
     3. Click NEXT.
     4. Enter a name, e.g. Clean.
     5. Click CREATE.
  2. That looked good. I will now run Combofix to ensure that I missed nothing.
     Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
     Please, never rename Combofix unless instructed.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus
  3. Here we go, let's see what this does.
     AVZ FIX
     Double click on AVZ.exe
     Click File > Custom scripts
     Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end):
       begin
       SetAVZGuardStatus(True);
       SearchRootkit(true, true);
       DeleteService('RPCHED');
       StopService('RPCHED');
       QuarantineFile('C:\Program Files\Intel\Intell.exe','');
       QuarantineFile('C:\Program Files\Intel\Intell.DLL','');
       QuarantineFile('c:\program files\intel\intell.exe','');
       DeleteFile('c:\program files\intel\intell.exe');
       DeleteFile('C:\Program Files\Inte
  4. Hi, this seems to be a particularly hard bunny to get rid of, so I would need initially to use AVZ to find some of the elements. Unfortunately you will not be able to upload the reports here and you will have to mail them to me. I will send my e-mail in a PM.
     We will now do a deep search of your processes and files.
     Download avz4.zip from here
     Unzip it to your desktop to a folder named avz4
     Double click on AVZ.exe to run it.
     Run an update by clicking the Auto Update button on the Right of the Log window:
     Click Start to begin the update
     Note: If you receive an error message, c
  5. Yep, sure has - it is hard at the moment to find tools that will work in all areas of Vista that I would like.
     Now the best part of the day ----- Your log now appears clean :thumbsup:
     Double click Winpfind once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that Winpfind wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.
     Manually uninstall MBAM
  6. So if I understand right, any time you Google search you get an alert for malware?
     Please download Malwarebytes' Anti-Malware from Here or Here
     Double-click mbam-setup.exe to install the application.
     Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
     If an update is found, it will download and install the latest version.
     Once the program has loaded, select "Perform Quick Scan", then click Scan.
     The scan may take some time to finish, so please be patient.
     When the scan is complete, click OK, then Show Resul
  7. My apologies, I forgot that you can not add attachments on this forum. But the main areas I was after are covered with what I have so far - and still there is nothing evident, which is a concern, as I can see all your drivers and dates, plus the services, and there is nothing untoward. If there was any of the malware I expected, Combofix should have found it. So I will now need you to do an online scan.
     Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
     Double-click the drweb-cureit.exe file and Allow to run the express scan
     This wil
  8. This is spooky, still nothing evident, so I will run a malware tool then do a real deep search.
     Download ComboFix from Here or Here to your Desktop.
     Double click combofix.exe and follow the prompts.
     When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
     Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     THEN
     Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
     Close ALL OTHER PROGRAMS.
     Open the WinPFind35u f
  9. Hi there, whatever it is (I think I know) is trying to hide from me.
     With Vista all programmes that I ask you to run MUST be run by right-clicking the icon and selecting Run as Administrator.
     Please download Deckard's System Scanner (DSS) and save it to your Desktop.
     Close all other windows before proceeding.
     Double-click on dss.exe and follow the prompts.
     When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
  10. Go for Windows XP and do not select the destructive option (you have to make a determined effort to do that though).
  11. Looks like we cross-posted here. The USB enclosure will work with any ATA/PATA drive in any machine that has a USB port. Your eMachines recovery disc would probably not work due to driver issues. Try the F10 thing first and then think about the recovery discs next. Remember not to do a destructive recovery or you will lose all your photos etc.
  12. Hi Kristina, it looks like you can order a set of recovery discs from Compaq online: http://h10025.www1.hp.com/ewfrf/wc/documen...ocname=bph07143
      Also there is a recovery partition on the disc (possibly); this page shows how it is done: http://h10025.www1.hp.com/ewfrf/wc/documen...145#bph07145_cp
      You will need the standard recovery to preserve your files. These options would probably negate the need to remove the hard drive. Have a read and let me know what you think.
  13. You will need a 3.5 if it is a desktop and it is a PATA/ATA drive - basically they are the same. If you have access to an XP disc you could use that with her licence number to do a repair install.
      They are called enclosures in the US: http://www.compusa.com/applications/Search...p;sku=M501-1182 - this is similar to the one I have.
      Do you have a model number for the Compaq? I might be able to see how it is removed.
  14. You need to take the drive out of her computer and put it in another one as a slave, or an easier solution is to use a USB caddy. Here is a link for one to give you an idea. Prices stated are UK, but it is about $2 to £1: http://www.morecomputers.com/extra.asp?pn=USB-HD3.5
  15. Do you have the XP CD disc? As we could then do an in-place repair. To slave the drive would mean removing it from the case and either placing the drive in a new computer or putting it in a USB caddy.
  16. Can you access safe mode? Can you use Last Known Good? Can you use System Restore? What stage did you get to in the fix when it started rebooting? System Restore will have preserved all start data up to and including the last restore point. Photos and data will still be on disc.
  17. Hi there, let me see if I can help.
      Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
      O4 - HKLM\..\Run: [ecedb8df] rundll32.exe "C:\WINDOWS\system32\cqntmauu.dll",b
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
      O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.0.cab
      Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
      NEXT
      Please download the OTMove
  18. OK, it looks like AWF could not repair those two files.
      Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
      Both of those files are related to onboard graphics extra controls and are not essential.
      SAS files found were already quarantined.
      So what can I say but ....................... Now the best part of the day
  19. Final bit for this one.
      Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\Program Files\Messenger\bak
      C:\Program Files\QuickTime\bak
      C:\WINDOWS\SYSTEM32\bak
      C:\WINDOWS\SYSTEM32\bak
      C:\WINDOWS\SYSTEM32\dla\bak
      C:\Program Files\Common Files\Dell\EUSW\bak
      Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to
  20. One more after this as it is a tad tricky to remove.
      Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\Program Files\Messenger\bak\msmsgs.exe
      C:\Program Files\QuickTime\bak\qttask.exe
      C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
      C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
      C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
      C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe
      Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You wi
  21. I have this thread set to notify, so when you reply I get an e-mail.
      You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.
      Download FindAWF.exe from here or here, and save it to your desktop.
      Double-click on the FindAWF.exe file to run it. It will open a command prom
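The post above describes the pattern FindAWF looks for: the legitimate executable is copied into a sibling folder named "bak" and the trojan's file is dropped at the original path. The script below is an added example of that detection and restore logic; it is not FindAWF and not essexboy's code. It assumes exactly that layout, hashes the pair to tell a displaced original from a harmless identical copy, and runs against a constructed sample tree (no real binaries) whose paths echo the ones quoted in posts 19 and 20.

```python
"""Added example (not FindAWF, not essexboy's code): find files displaced into
'bak' folders as post 21 describes, then restore the backups over the
replacements.

Assumption: the malware copies the legitimate file into a sibling directory
named 'bak' and drops its own file at the original path. The sample tree is
constructed for this demo only.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root: Path) -> List[Dict]:
    """Walk root; for every file inside a directory named 'bak', pair it with
    the sibling path it was moved from. 'differs' is True when the file now at
    the original path is not the backed-up one (the replacement the post
    describes), False when they are identical, None when nothing is there."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            backup = d / name
            original = d.parent / name
            differs: Optional[bool] = None
            if original.is_file():
                differs = sha256_of(backup) != sha256_of(original)
            findings.append({
                "backup": backup,
                "original": original,
                "original_exists": original.is_file(),
                "differs": differs,
            })
    return findings


def restore_from_bak(findings: List[Dict], dry_run: bool = True) -> List[Path]:
    """Copy each backup over the replacement (or back into place if the original
    is gone). Identical pairs are skipped. dry_run=True only reports what would
    be restored, mirroring FindAWF's scan-then-act flow."""
    restored = []
    for f in findings:
        if f["differs"] is False:
            continue  # user-made backup of an unchanged file: leave alone
        if not dry_run:
            shutil.copy2(f["backup"], f["original"])
        restored.append(f["original"])
    return restored


def build_sample_tree() -> Path:
    """Constructed sample layout for the demo (not files from any real machine)."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    qt = root / "Program Files" / "QuickTime"
    s32 = root / "WINDOWS" / "SYSTEM32"
    docs = root / "Documents"
    for d in (qt / "bak", s32 / "bak", docs / "bak"):
        d.mkdir(parents=True)
    # displaced originals, with the replacement now sitting at the original path
    (qt / "bak" / "qttask.exe").write_bytes(b"MZ legitimate qttask (constructed)")
    (qt / "qttask.exe").write_bytes(b"MZ replacement (constructed)")
    (s32 / "bak" / "hkcmd.exe").write_bytes(b"MZ legitimate hkcmd (constructed)")
    (s32 / "hkcmd.exe").write_bytes(b"MZ replacement (constructed)")
    # backup whose replacement has already been deleted by a cleaner
    (s32 / "bak" / "igfxtray.exe").write_bytes(b"MZ legitimate igfxtray (constructed)")
    # benign 'bak' folder holding an identical copy: must not be touched
    (docs / "bak" / "notes.txt").write_bytes(b"same content")
    (docs / "notes.txt").write_bytes(b"same content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = find_bak_pairs(root)
    for f in found:
        print(f"{f['backup'].relative_to(root)}: original_exists={f['original_exists']} differs={f['differs']}")
    print("would restore:", [str(p.relative_to(root)) for p in restore_from_bak(found)])
    shutil.rmtree(root)
```

The hash comparison is what separates the three cases the post's workflow has to handle: a replaced file (restore), a backup whose replacement has already been removed (restore), and a plain user backup of an unchanged file (skip). On a real machine you would run the scan as an administrator and review the dry-run list before restoring, as the FindAWF menu has the user do.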
  22. OK, nothing visible there so ......
      Download ComboFix from Here or Here to your Desktop.
      Double click combofix.exe and follow the prompts.
      When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
      Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  23. I will stop it from starting (possibly) but I will probably need to find the driver that is running it first.
      Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
      O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\YENLUO~1\LOCALS~1\Temp\winvsnet.exe"
      Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
      THEN
      Please download Deckard's System Scanner (DSS) and save it to your Desktop.
      Close all other windows before proceeding.
      Double-click on dss.exe and follow the prompts.
      When it has finis
  24. No, if it is not there, it is not there. I thought I had taken it out with Winpfind. You are good to go if you are now problem free.
  25. ASP account is part of the .Net framework and no, I have no idea why it does it, as I have one on my system.
      Winpfind does throw a hissy fit sometimes - it does the job and forgets to shut down, although so far only noticed on Vista and about one in twenty goes.
      Just one final line to remove and you should be good to go.
      Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
      O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - (no file)
      Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
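Posts 17, 23 and 25 above each tell the user which HijackThis lines to tick: an O4 Run-key entry with a random-looking value name that loads a DLL through rundll32, two O16 ActiveX downloads, an O4 entry launching from a Temp folder, and an O2 BHO whose DLL is missing. The script below is an added example, not HijackThis and not essexboy's code: it parses those three entry types and applies triage rules of the kind a helper uses when reading the log. The sample log is constructed from the entries quoted in those posts; the rules, and the trusted-host list used for O16 entries, are this example's own assumptions, not anything HijackThis itself implements.

```python
"""Added example (not HijackThis, not essexboy's code): parse O2/O4/O16 log
entries and flag the ones a helper would tick. The triage rules and
TRUSTED_DPF_HOSTS are assumptions made for this example."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# O4: autorun entry           "O4 - <hive>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2: Browser Helper Object   "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# O16: Downloaded Program Files (ActiveX)  "O16 - DPF: {CLSID} (<name>) - <url>"
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Assumption for the demo: ActiveX downloads from these domains are not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Constructed sample log, built from the entries quoted in posts 17, 23 and 25.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ecedb8df] rundll32.exe "C:\WINDOWS\system32\cqntmauu.dll",b',
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab",
    r"O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.0.cab",
    r'O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\YENLUO~1\LOCALS~1\Temp\winvsnet.exe"',
    r"O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - (no file)",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",  # benign graphics tray
    "Running processes:",  # section header, not an entry: parser must skip it
]


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for an O2/O4/O16 entry, None for any other log line."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {"type": "O4", "raw": line, **m.groupdict()}
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "raw": line, **m.groupdict()}
    m = O16_RE.match(line)
    if m:
        d = m.groupdict()
        d["host"] = urlparse(d["url"]).hostname or ""
        return {"type": "O16", "raw": line, **d}
    return None


def triage(entry: Dict) -> List[str]:
    """Heuristic reasons an entry deserves ticking (this example's own rules)."""
    reasons = []
    t = entry["type"]
    if t == "O2" and entry["file"].strip().lower() == "(no file)":
        reasons.append("BHO is registered but its DLL is missing (orphaned entry)")
    elif t == "O4":
        cmd = entry["cmd"]
        if re.search(r"\\temp\\", cmd, re.IGNORECASE):
            reasons.append("autorun launches from a Temp directory")
        if re.fullmatch(r"[0-9a-f]{8,}", entry["name"], re.IGNORECASE):
            via = " via rundll32" if re.match(r"rundll32(\.exe)?\b", cmd, re.IGNORECASE) else ""
            reasons.append(f"run-key value name looks randomly generated{via}")
    elif t == "O16":
        host = entry["host"]
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX control downloaded from untrusted host {host}")
    return reasons


def triage_log(lines: List[str]) -> List[Dict]:
    """Parse every recognised entry in a log and attach its triage reasons."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            entry["reasons"] = triage(entry)
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print("FLAG" if e["reasons"] else "ok  ", e["raw"])
        for r in e["reasons"]:
            print("      -", r)
```

Run against the sample, the five entries the posts had the user tick come back flagged and the igfxtray line does not, which matches post 18's remark that the graphics-tray entries are merely non-essential rather than malicious. The rules are deliberately narrow; a real triage pass would also check the referenced file's signature and hash rather than relying on the log line alone.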