Everything posted by FZWG

  1. On Kaspersky AntiVirus, you can remove the program. It is not a good idea to run two AntiVirus programs, anyway. On AdAware, it is probably best to uninstall the program, and then re-install it. Sality damage to the program is hard to determine, and it may not do its job correctly. HijackThis, you can remove.

    The NetWatch program should also be available for XP. Your best bet for Network questions and help is the Networking forum: http://forums.pcpitstop.com/index.php?showforum=8

    That is probably the case. W98 does not have the services which show up as O23 in a HijackThis log. Malware also uses services to infect a computer.

    For your printer problem, go to the following forum for help: http://forums.pcpitstop.com/index.php?showforum=3

    Also, I do not respond to PMs. If you have a problem, post it in the appropriate forum instead.
  2. Sality spreads through Network shares, and infected files. So, if you have shared resources on a Network, beware. I am not certain about the exact source of Sality, but it is associated with certain URLs, and contacts certain domains. The fact that you run a system which is not kept updated leaves you out in the open like a magnet looking for metal shavings!!
  3. The HijackThis log appears clean, and the other reports do not show indications of Sality. Clean out the Restore Points, though. AdAware showed some malware in them also:

    Go to Start > Run, in the Open area type in (or copy): control sysdm.cpl,,4
    Press: Enter
    Check the box: Turn off System Restore on all drives
    Click: Apply > OK
    Now, turn on System Restore by removing the check on: Turn off System Restore on all drives
    Click: OK

    ====

    You can connect the computer back to its cable or telephone line, however, you must do the following:

    1. Install an AntiVirus program. If McAfee was your previous AV program, you need to re-install it. Some of its files were affected, and it may not work properly. If you wish to use some other AV program, there are free ones:
    Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php
    avast! 4 Home: http://www.avast.com/eng/avast_4_home.html
    AntiVir Personal Edition: http://www.free-av.com/

    2. Install a software Firewall. It provides the ability to restrict malevolent outgoing traffic from your computer. Some good free choices are:
    ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za
    Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm
    OutPost: http://www.agnitum.com/products/outpostfree/download.php

    ====

    3. Now, head for the Microsoft Windows Updates website: http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us
    Even using an Antivirus and a Firewall does not prevent malware from getting through. Have your system scanned, and download/install all Critical Updates on offer.

    ====

    Next, what you need to deal with is damage recovery. Panda disinfected all sorts of files, but after the exe's are disinfected, some programs may no longer work properly. You will need to reinstall them.

    ====

    Good luck, wirosari!!
  4. Since you are using names of different regions of Indonesia (Menteng, Wirosari), are you the same person? There is no need to hide. It serves no purpose... As far as the information goes, take your time, and post the data as you are able to. I have a Doctor's appointment tomorrow morning, so cannot stay up late this evening. Also, probably will not be able to reply to whatever is posted until sometime in the afternoon. FZ
  5. How are things in Jakarta? Monday morning. If the computer was on during the weekend, the malware may have returned. Even if it was off, do the following:

    1. Before you start the computer, unplug the cable or telephone line from the back of the computer. You do not want it connected to anything that gives an avenue to the Internet. Sality downloads information from a set of preconfigured URLs, and that is how it plants and executes all those files in:
    C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe

    2. Start in Safe Mode, run the previously updated Kaspersky Anti-Virus 6.0, perform a full system scan, and disinfect every file it finds. If it produces a report, please provide it in your reply.

    3. Now, restart the computer normally, but do not connect the cable or telephone line!!

    4. Check system.ini once again to make sure nothing has changed. Provide its contents in your reply.

    5. Go to the Desktop, and double click aalst.bat to make sure the values you removed from the following Registry key are still gone:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    To make sure, do a manual check also.

    6. To remove any files (C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe), you can use the batch file in Post #10 (clean.bat should still be on the Desktop), and then manually check they are gone, or just remove them manually.

    7. Then, to see if a new Sality random.sys file was created (earlier in the game it looked like: C:\WINDOWS\System32\drivers\rgoqmn.sys), please do the following:
    Go to Start > Run, and copy/paste the following in the Open area: C:\Windows\System32\drivers
    Up in the Menu bar, click View > Details
    Then in the right hand pane, double click Date Modified to arrange files by date from 2007 and down.
    Please provide the names of the .sys files created since January 2007. There should only be a few.

    8. The random.sys also installed a system service with the service name and display name of: NdisFileServices32
    Please go to Start > Run, copy/paste the following, one at a time, and click OK after each:
    sc stop NdisFileServices32
    sc delete NdisFileServices32

    9. Run HijackThis and Scan.

    10. Also provide a StartupList as instructed in Post #12

    Provide the following:
    The Kaspersky Anti-Virus 6.0 report
    The contents of the system.ini file
    The contents of the aalst.bat (Registry key)
    The names of any .sys files created since January 2007
    A new HijackThis log
    A new StartupList

    Do not plug the cable or telephone line back to the computer!!!! Hopefully, you will have access to another computer. Connect with it, and provide the information requested.
  6. If you turn off the computer and turn it back on, go to Safe Mode (no networking). It appears that Sality does not like Safe Mode. Maybe that is why it disables the Safe Mode Registry keys. (I'm just guessing! )

    ====

    Do the following for now. I do not think we are dealing with a Rootkit, so do not run that type of program as previously instructed.

    I believe these entries:
    C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe
    are the ones that show under the following Registry key to bypass the Windows Firewall:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    Please open Notepad (Start > Run, type in: notepad)
    Copy and paste all the information below to it.

    regedit /e aalst.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    aalst.txt

    Go to File (upper menu bar), and select: Save as
    In the Save as prompt:
    Save in: use drop arrow to select Desktop
    File Name: aalst.bat
    Save as type: All Files
    Exit Notepad
    Go to the Desktop, and double click aalst.bat
    It generates a text file called aalst.txt. Copy the contents of aalst.txt to your reply.

    ====

    Since the system.ini file still has the bogus entries, and a 'Disinfection failed' notice appears next to several of the online scanner entries, we can assume Sality prevails. What we eventually need to do is:

    1. Restart the computer in Safe Mode with Networking, and download Kaspersky Anti-Virus 6.0
    This is not the online scanner!! http://www.kaspersky.com/trials?chapter=146481750
    Make sure you update the program. When done, reboot to just Safe Mode (No networking!! We do not want Sality to have a connection available!).

    2. Edit the system.ini file to get rid of:
    [MCIDRV_VER]
    DEVICEN1=95215658363
    __h=18
    __dr=12
    [iDslow]
    IDVer32666=988281
    IDMCI32=23846878ABA233
    [iDslow32]
    MDCDID32=991140

    3. Backup the Registry:
    Go to Start > Run, and type: Regedit
    On the left side, click and highlight My Computer
    Go to the File menu (at the top)
    Select: Export
    Save in: Desktop
    File Name: BackUp
    Save As Type: leave as Registration Files
    Click: Save
    Then go to File > Exit
    (This saves a backup copy of the Registry.)

    4. Remove the bogus values under the Registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    The bogus values will show as the following, and there will be several of them:
    C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe
    The win*.exe files may have changed.

    5. In addition, the bogus files, like the one below, need removal with Killbox, or, Avenger with a ‘Files to Delete’ script.
    C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

    6. Disable your current AntiVirus program since it may not be compatible with Kaspersky Anti-Virus 6.0.

    7. In Safe Mode, let Kaspersky perform a full system scan and disinfect every infected exe file it finds!

    ====

    I get the impression that you are very computer knowledgeable, so, if you think you can do the above, press on. Since we appear to have a significant time difference, based on the times when you post, you can be working while I am sleeping, since that is what I plan to do very shortly (2:00AM here). If you do not want to proceed, sometime in the daylight morning hours I’ll prepare more detailed instructions for you with the information you provide from the aalst batch file.

    One last word. You are dealing with a bomb of a virus. I am doing this in good faith, but in a worst case scenario, trying to get rid of this infection may result in the loss of significant code in the system. I do not know if this will be the case, but there is risk involved, and it is up to you to decide what to do.
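The aalst.bat step in the post above exports the Windows Firewall exception list to a text file so the bogus win*.exe entries can be spotted by eye. As an added example, not code from FZWG's posts, the Python below reads a `regedit /e` export of that key and flags every enabled exception whose executable lives under a Temp directory, which is exactly the shape of the entries quoted in the post. The sample export is constructed: windmelju.exe is the path quoted in the post, winqbxzk.exe is a made-up second entry of the same win*.exe shape, and the two benign entries are invented for contrast.

```python
"""Audit a `regedit /e` export of the XP Windows Firewall exception list.
Added example for the forum post above; not code from the page's author."""
import re

# Constructed sample in the format regedit /e writes. windmelju.exe is the
# path quoted in the post; winqbxzk.exe is a made-up second entry of the
# same win*.exe shape; the two benign entries are invented for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\TresnaTan\\Local Settings\\Temp\\windmelju.exe"="C:\\Documents and Settings\\TresnaTan\\Local Settings\\Temp\\windmelju.exe:*:Enabled:windmelju"
"C:\\Documents and Settings\\TresnaTan\\Local Settings\\Temp\\winqbxzk.exe"="C:\\Documents and Settings\\TresnaTan\\Local Settings\\Temp\\winqbxzk.exe:*:Enabled:winqbxzk"
'''.encode("utf-16")  # regedit exports are UTF-16 with a byte-order mark

# A firewall exception for something under a Temp directory is suspect:
# installed software does not register exceptions for executables there.
TEMP_MARKERS = ("\\temp\\", "%temp%")

VALUE_LINE = re.compile(r'^"(.+)"="(.+)"$')


def unescape_reg_string(s):
    """regedit escapes backslashes and double quotes with a backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_authorized_apps(export_bytes):
    """Return one dict per exception; value data is path:scope:mode:name."""
    entries = []
    for line in export_bytes.decode("utf-16").splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        key, data = (unescape_reg_string(g) for g in m.groups())
        parts = data.rsplit(":", 3)  # rsplit because the path contains 'C:'
        if len(parts) != 4:
            continue
        path, scope, mode, name = parts
        entries.append({"key": key, "path": path, "scope": scope,
                        "mode": mode, "name": name})
    return entries


def audit_export(export_bytes):
    """Enabled exceptions an analyst should look at, each with its reasons."""
    findings = []
    for e in parse_authorized_apps(export_bytes):
        reasons = []
        if any(marker in e["path"].lower() for marker in TEMP_MARKERS):
            reasons.append("executable lives in a Temp directory")
        if e["key"].lower() != e["path"].lower():
            reasons.append("value name differs from the path in its data")
        if reasons and e["mode"].lower() == "enabled":
            findings.append({"path": e["path"], "name": e["name"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Run against a real aalst.txt by replacing SAMPLE_EXPORT with the file's bytes; the Temp-directory check is the one that catches the entries described in the post, and the name/path mismatch check is a second cheap heuristic for hand-planted values.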
  7. I am assuming you only posted part of the report, but that is OK. You are dealing with the Sality virus, which can infect legit executables in your system. The damage it causes is extensive: http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=52797

    Legit and necessary executables cannot be deleted like malware files. The executables need to be disinfected. However, it may happen that after the exe's are disinfected, some programs may no longer work. If you wish to do a format and install a clean Operating System and the programs you use, it is a good idea.

    However, you can also press on and run another online scan with Kaspersky, and provide its results. It has a good track record for this infection, and may pick up anything left over. The log produced should not be as large. The following is a link to several online scanners, including Kaspersky: http://dir.yahoo.com/Computers_and_Interne...Virus_Scanners/

    Also, please provide the contents of system.ini once again. Need to know if the disinfection had any effect on it.
  8. Well, here is a sign of Sality:
    [MCIDRV_VER]
    DEVICEN1=95215658363
    Then, there is Troj/Spmbot-B:
    [iDslow]
    IDVer32666=988281
    And whatever these are, maybe the same Spmbot-B:
    IDMCI32=23846878ABA233
    [iDslow32]
    MDCDID32=991140
    Editing system.ini is an option, but if the infection is active, there may be serious results...

    ====

    If this ’thing’ is residing in memory, it may have the capability to disable any virus or spyware protection. So let’s go with online-scanners. However, boot to Safe Mode with Networking to download and use the scans:
    Panda ActiveScan: http://www.pandasoftware.com/products/ActiveScan.htm
    BitDefender Online Scanner: http://www.bitdefender.com/
    Please post the results for both online scans.

    ====

    Also download Clean.zip to the Desktop: http://www.malekal.com/download/clean.zip
    Right click and Extract
    In the Clean folder created, click on clean.cmd
    When the command window (black screen) opens, select Option 1, and press: Enter
    Allow the scan to complete, press any key, and post the contents of the Clean text in your reply.

    ====

    Next, download RustBFix by ejvindh: http://www.uploads.ejvindh.net/rustbfix.exe
    Save it to the Desktop.
    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you are asked to reboot the computer. The reboot will probably take a while, and perhaps 2 reboots are needed, but this happens automatically. After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt
    Please post both log files in your reply.

    ====

    Also, download AVG Anti Rootkit and save it to the Desktop.
    Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
    Click "I Agree" to agree to the EULA.
    By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
    Click "Next" to begin the installation then click "Install".
    It will then ask you to reboot now to finish the installation. Click "Finish" and your computer will reboot.
    After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on the Desktop.
    Click on the "Perform in-depth search" button to begin the scan. The scan will take a while so be patient and let it complete.
    When the scan is finished, click the "Save result to file" button. Save the scan results to the Desktop, and provide the AVG_AntiRootkit results in your reply.

    ====

    One last item, can you install a software Firewall? Some good free choices are:
    ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za
    Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm
    OutPost: http://www.agnitum.com/products/outpostfree/download.php

    In summary, need the following in your reply:
    The Panda ActiveScan results
    The BitDefender results
    The contents of the Clean report
    The RustBFix Avenger.txt and a Pelog.txt
    The AVG_AntiRootkit results
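The posts above identify three system.ini sections ([MCIDRV_VER], [iDslow], [iDslow32]) as infection markers and have the user edit them out by hand. As an added example, not code from FZWG's posts, the Python below does the same check against a baseline: it parses a system.ini, reports every section that is not one of the standard XP sections, and can strip the flagged sections while leaving the rest of the file untouched. The baseline set and the stock entries in the sample file are assumptions about a default XP install; the indicator sections and values are copied from the posts.

```python
"""Baseline check for system.ini sections, as an added example for the
forum posts above; not code from the page's author."""

# Sections present in a stock Windows XP system.ini (assumed baseline).
STANDARD_SECTIONS = {"386enh", "drivers", "mci", "driver32"}

# Constructed sample: assumed stock XP content followed by the exact
# sections and values the posts identify as Sality / Spmbot-B indicators.
SAMPLE_SYSTEM_INI = """; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[MCIDRV_VER]
DEVICEN1=95215658363
__h=18
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140
"""


def parse_ini(text):
    """Return {section: [raw 'key=value' lines]}. system.ini is not strict
    INI (odd keys, empty sections), so a minimal hand parser is used."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def unexpected_sections(text, baseline=STANDARD_SECTIONS):
    """Sections outside the baseline, with their values, for review."""
    return {name: values for name, values in parse_ini(text).items()
            if name.lower() not in baseline}


def remove_sections(text, names):
    """Return the file with the named sections (header and body) removed;
    everything else, including comment lines, is kept as it was."""
    drop = {n.lower() for n in names}
    kept, skipping = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            skipping = line[1:-1].lower() in drop
        if not skipping:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, values in unexpected_sections(SAMPLE_SYSTEM_INI).items():
        print(f"[{name}]", *values, sep="\n  ")
```

The baseline comparison is the general form of the manual inspection in the posts: anything not in the known-good set is shown with its values, and the analyst decides what to strip rather than the script guessing at specific marker names.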
  9. Did not see what I was looking for... This infection may have an entry that hides in system.ini
    Please go to Start > Run, and type: System.ini
    Click: OK
    The System.ini file text is displayed. Please provide its contents in your reply.
    Also, need the results of SDFix.
  10. Looks as if this infection has an entry that hides, so, please do the following:
    Open HijackThis
    Click on Open Misc Tools Section
    Make sure that both boxes beside "Generate StartupList Log" are checked:
    --List all minor sections (Full)
    --List Empty Sections (Complete)
    Click: Generate StartupList Log
    Click Yes at the prompt.
    A text file opens. Please provide the entire contents of the StartupList.

    ====

    Also, please post another AdAware report.

    ====

    Also, download SDFix and save it to the Desktop.
    Right click the SDFix.zip folder
    Select: Extract All to extract it to its own folder on the Desktop.

    ~~~~

    Start the computer in Safe Mode:
    -When the machine first starts again, tap the F8 key before Windows starts
    -You are presented with a Windows XP Advanced Options menu.
    -Select the option for Safe Mode using the arrow keys.
    -Press Enter to boot into Safe Mode.

    ~~~~

    Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.
    The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
    Press any key to restart the PC.
    When the PC restarts the SDFix will run again and complete the removal process. It then displays Finished.
    Press any key to end the script and load the Desktop icons.
    Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

    ~~~~

    Please provide the StartupList, another AdAware report, and the contents of the SDFix Report.txt.
  11. Let's get rid of what is in this Temp folder:
    C:\Documents and Settings\TresnaTan\Local Settings\Temp

    Please launch Notepad, (Start > Run, type in: notepad)
    Copy/paste the text below to it:

    rem del does not accept a wildcard inside a directory path, so each profile folder is visited in turn
    del %windir%\temp\*.* /f
    for /d %%u in ("C:\Documents and Settings\*") do del "%%u\Local Settings\Temp\*.*" /f

    In Notepad, go to File (upper menu bar), and select: Save as
    In the Save as prompt:
    Save in: Desktop
    File Name: clean.bat
    Save as Type: All files
    Click: Save
    Exit out of Notepad.
    Next, on the Desktop, double click on clean.bat

    ====

    To remove the bogus driver and file:

    1. Please download The Avenger by Swandog46 to your Desktop.
    Click on Avenger.zip to open the file
    Extract avenger.exe to the Desktop

    2. Copy the text below by highlighting it and pressing (Ctrl+C):

    Files to Delete
    C:\WINDOWS\system32\wmdrtc32.dll

    Drivers to delete
    rgoqmn.sys

    3. Now, start The Avenger program by clicking on its icon on the Desktop.
    Under "Script file to execute" choose "Input Script Manually".
    Now click on the Magnifying Glass icon which opens a new window titled "View/edit script"
    Paste the text copied into this window by pressing (Ctrl+V).
    Click Done
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger automatically does the following: It restarts the computer, and in cases where the code to execute contains Drivers to Unload, the Avenger actually restarts the system twice. On reboot, it briefly opens a black command window on the Desktop, and this is normal. After the restart, it creates and opens a log file with the results of Avenger’s actions. This log file is located at C:\avenger.txt
    The Avenger also backs up all the files, etc., it deletes, and zips them and moves the zip archives to C:\avenger\backup.zip

    Please provide the content of C:\avenger.txt in your reply along with a new HJT log.
  12. Which files is it detecting??? Please run the AdAware program again, and post its Full System Scan results. Also, you are still in the hole...you have not installed SP1. If you do not, we are just doing this routine for exercise. You will be infected again, and again, and again, and again, and again, and again......
  13. HaxFix did its thing. Next, post the SuperAntiSpyware log, and a new HijackThis log when you can. By the way, you have some serious infections on that system as a result of not keeping Windows updated!! The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently. Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx Reboot after applying the update.
  14. Please download HaxFix.exe
    Save it to the Desktop.
    Double click on haxfix.exe to install.
    Check: "Create a desktop icon"
    Click: "Next"
    When the installation is completed, make sure "Launch HaxFix" is checked.
    Click "Finish"
    A red "DOS window" opens with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    Select option 2, Run auto fix, by typing 2 and then pressing Enter
    Haxfix starts scanning the computer, and performs a reboot
    When finished, a logfile opens: haxlog.txt
    Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)

    ====

    Next, download SuperAntiSpyware Home Edition Free Version: http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
    Install the program
    Run SuperAntiSpyware and click: Check for updates
    Once the update is finished, on the main screen, click: Scan your computer
    Check: Perform Complete Scan
    Click Next to start the scan.
    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Click Finish
    It is possible that the program asks to reboot in order to delete some files.
    Obtain the SuperAntiSpyware log as follows:
    Click: Preferences
    Click the Statistics/Logs tab
    Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    ====

    Please post the contents of C:\haxfix.txt, the SuperAntiSpyware log, and a new HijackThis log.
  15. We need to find out if there is also a Rootkit involved.
    Please download GMER.zip (450kB) to the Desktop: http://gmer.net/files.php
    Right click the zipped file and select: Extract all
    Follow the Extraction Wizard prompts
    Start the program by double clicking: GMER.exe
    If a security warning appears, allow the program to run
    If GMER detects rootkit activity, you are prompted to scan immediately
    Click Yes to begin the scan
    If you are not prompted to Scan: In the Rootkit tab, make sure all the boxes on the right of the screen are checked, except for "Show All"
    Then, click the Scan button.
    Once the scan is done, click: Copy.

    ====

    Please provide the contents of the GMER report in your reply.
  16. See if the following works: Go to Start > Control Panel Double-click User Accounts The accounts listed near the bottom specify whether the account is Limited Access or Computer Administrator. Is Computer Administrator assigned to the account that you log in with?
  17. (in topic: HJT log)

    Have a great Springtime!!
  18. (in topic: HJT log)

    turbodog,
    The HijackThis log appears clean. Use the computer for a day or two, and if you are not having malware problems, you are good to go!
    Take a good look at the following suggestions to remain malware free:
    Tony Klein’s article 'How Did I Get Infected In The First Place' http://forums.spywareinfo.com/index.php?showtopic=60955
    Thank you for your patience, and performing the procedures requested. If you have any questions or comments, post back. Otherwise...
    Good luck, turbodog!!
  19. (in topic: HJT log)

    Please download VirtumundoBeGone: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
    * Save it to the Desktop
    * Close all running programs (including your Internet Browser)
    * Double-click VirtumundoBeGone.exe on the Desktop
    * Follow the directions as indicated
    This program may generate a "BLUE SCREEN OF DEATH". Do not be concerned. Just reboot if your system "jams".
    The VirtumundoBeGone log VBG.txt is found on the Desktop.

    ====

    Looks as if you downloaded AVG Anti-Spyware: http://www.ewido.net/en/download/
    Locate the icon on the Desktop and double-click it to launch the program.
    Now, update the definition files:
    On the main screen select Update, and then select the Update Now link.
    Next, select the Start Update button (The update starts and a progress bar shows the updates installed.)
    Once the update completes select: Scanner (the top of the screen)
    Select the Settings tab
    Once in the Settings screen click on: Recommended actions
    Select: Quarantine
    Under: Reports, select: Automatically generate report after every scan
    Un-Select: Only if threats were found
    Close AVG AS for now.

    ====

    Run HijackThis, Scan
    Check box for:
    O2 - BHO: (no name) - {0e915e9d-0be8-426d-bc52-b2970fe81895} - C:\WINNT\system32\logelp.dll
    O20 - Winlogon Notify: logelp - C:\WINNT\SYSTEM32\logelp.dll
    Select: Fix checked

    ====

    Reboot to Safe Mode:
    -Restart your computer.
    -When the machine first starts again, tap the F8 key before Windows starts
    -You are presented with a Windows XP Advanced Options menu.
    -Select the option for Safe Mode using the arrow keys.
    -Press Enter to boot into Safe Mode.

    ====

    Search for and remove the following file:
    C:\WINNT\system32\logelp.dll

    ====

    Go to Start > Control Panel > Internet Options
    In the General tab, Temporary Internet Files, click: Delete Files
    When prompted, check: Delete all offline content
    You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
    Click OK
    Then, go to Start > Run and enter: cleanmgr
    Select the drive to clean: C:\
    Check the following boxes and then press OK to remove:
    Temporary Files
    Temporary Internet Files
    RecycleBin
    Agree to the prompt to perform the action...

    ====

    Still in Safe Mode, launch AVG AS once again
    Select: Scanner (at the top)
    Select the Scan tab
    Click on: Complete System Scan
    AVG AS begins the scanning process, and it may take a while. Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!
    Once the scan is complete, AVG AS lists any infections found. It also automatically sets the recommended action.
    Click: Apply all actions
    AVG AS will then display: All actions have been applied
    Next select: Reports (at the top)
    Select: Save report as (lower left of the screen)
    Save the report to a text file in a location where you can find it!
    Close AVG AS.

    ====

    Restart the computer.

    ====

    Please post the VirtumundoBeGone log VBG.txt results in your reply, the AVG AS report, and a new HijackThis log.
  20. (in topic: HJT log)

    Please run HijackThis, Scan
    Check box for:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: (no name) - {0e915e9d-0be8-426d-bc52-b2970fe81895} - C:\WINNT\system32\logelp.dll
    O4 - HKLM\..\Run: [soundService] rundll32.exe "C:\WINNT\hgddcb.dll",setvm
    Do you know what this is:
    O4 - Startup: Keysel2.lnk = C:\desktop\dppsetc\Keysel2.exe
    If not, check box for it also.
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: logelp - C:\WINNT\SYSTEM32\logelp.dll
    Select: Fix checked

    ====

    Restart the computer

    ====

    Please download SmitfraudFix (by S!Ri) to the Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract the files to the Desktop
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Only select option #1 - Search by typing 1 and press Enter
    This program scans large amounts of files on your computer, so please be patient while it works.
    When it is done, a log named rapport.txt is created, listing infected files (if present).

    ====

    Also download FindAWF: http://noahdfear.geekstogo.com/FindAWF.exe
    Save the file to the Desktop
    Double-click: FindAWF.exe
    If a Security Alert shows, allow the program to run.
    When done, a text file awf.txt is produced.

    ====

    Please post the contents of the SmitFraudFix rapport.txt, the awf.txt, and a new HijackThis log.
  21. (in topic: HJT log)

    turbodog,
    The version of HijackThis you are running is Beta, a product that is normally in its final stages of testing. Often, a Beta version of a product may contain minor bugs, so let’s work with final version 1.99.1 instead.
    Use Control Panel > Add/Remove Programs to remove HijackThis v2. Then, do a search and also delete any Folders or Files the program created.
    Next, install HijackThis v1.99.1: http://downloads.malwareremoval.com/HJTsetup.exe
    It installs to its own folder (C:\Program Files\HijackThis), makes an entry in the Start Menu, and also provides a Desktop shortcut:
    Click on the link
    Select: Save
    Save the program to the Desktop
    Double click HJTsetup.exe
    Follow the prompts
    Next, when HijackThis opens, select: Do a system scan and save a log file.
    When the scan is finished, please provide the contents of the HijackThis log in your reply, and I will be glad to assist you.
  22. Sometimes the best solution is to format and reinstall Windows. You will have the reassurance that the system is clean after you do. Take a good look at the following suggestions to remain malware free: Tony Klein’s article 'How Did I Get Infected In The First Place' http://forums.spywareinfo.com/index.php?showtopic=60955 Good luck, Fesselaj!!
  23. How is it going here? Any luck?
  24. Let’s go back to basics and delete bad services manually:
    Go to Start > Run, type in cmd
    Click: OK
    The MSDOS window is displayed.
    At the prompt type the following (including the quotes) and press Enter after each line:
    SC Stop "MicrosoftIE Updater21"
    SC Delete "Microsoft IEUpdater21"
    SC Stop MsUpdate6
    SC Delete MsUpdate6
    Exit

    Next, run HijackThis and remove files on reboot one by one:
    In HiJackThis, go to Config > Misc Tools > Delete a file on reboot
    In the Enter file to delete on reboot window, navigate to each of the files that follow
    Then, click: Open
    After you click Open, HiJackThis asks you if you want to restart the computer
    Click: Yes

    Files to delete on reboot:
    C:\WINDOWS\ddbxxw.dll
    C:\WINDOWS\system32\lsasss.exe <- Note the spelling: three 's'
    C:\WINDOWS\SYSTEM32\mfcelp.dll
    C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    C:\Documents and Settings\Andrew Fessel\ie_updater.exe
    C:\WINDOWS\System32\msnetax.dll

    ====

    Restart the computer

    ====

    Now, try to download ComboFix.

    ====

    If the Internet connection is lost, Reset the Internet Protocol (TCP/IP).
    Go to Start > Run, type cmd
    Click: OK
    At the prompt type the following and press Enter after each line:
    netsh int ip reset C:\Resetlog.txt
    netsh winsock reset catalog
    Exit
    Restart the computer.

    Warning: Programs that access or monitor the Internet such as Antivirus, Firewall or proxy clients may be negatively affected when you run the netsh winsock reset command. If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality.
  25. There is a RootKit involved! A RootKit is (in very basic terms) software intended to hide running processes, files or system data. It may modify parts of the operating system or install itself as a driver.

    Please download RustBFix by ejvindh: http://www.uploads.ejvindh.net/rustbfix.exe
    Save it to the Desktop.
    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you are asked to reboot the computer. The reboot will probably take a while, and perhaps 2 reboots are needed, but this happens automatically. After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt
    Please post both log files in your reply.

    Aaflac will be back with you later.