pskelley

Trusted Malware Techs
  • Content Count: 1,759
Everything posted by pskelley

  1. Thanks for posting the feedback, some good information: Some good information for you: http://users.telenet.be/bluepatchy/miekiem...owcomputer.html http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx Here is some great information from experts in this field that will help you stay clean and safe online. http://users.telenet.be/bluepatchy/miekiem...prevention.html http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://
  2. Good job installing RC that may come in very handy in an emergency, a little Microsoft information: http://support.microsoft.com/kb/314058 http://support.microsoft.com/kb/307654 Remove combofix from your computer like this: Click START then RUN Now type or copy Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there. Clean those infected System Restore files like this: Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Cl
  3. Thanks for returning your information and the feedback, MBAM found some rogue junk but mostly infected System Restore files which are protected and will be cleaned shortly. Since all seems to be running as it should, this is the next bridge we must cross. I am sure you saw this: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! http://www.bleepingcomputer.com/combofix/how-to-use-combofix Review that information to understand Recovery Console. Installation is optional but if you do not have the CDs needed, as is explained, it can be installed before we remove combof
  4. Did you post a new HJT log after you ran SDFix? C:\Program Files\vzajrb <<< do you know what this program is? If not, remove it. Open notepad and copy/paste the text in the codebox below into it: File:: C:\WINDOWS\system32\gzqfevot.exe Folder:: C:\Documents and Settings\All Users\Application Data\zkpepqxy C:\Program Files\vzajrb Save this as CFScript Referring to the picture above, drag CFScript into ComboFix.exe. This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a
  5. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "Add REPLY" button, not the Quote or New Topic buttons. I think you are infected and I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. A word of warning: Neither I nor sUBs are responsible for
  6. Topic is resolved and closed. Thanks...pskelley http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  7. No response since 5:13am Mon Jul 7 2008 closing the topic as resolved. Thanks
  8. Thanks for returning your information and the feedback. I will request that you do not quote my instructions, I know what I said and you can scroll back to the original if you need to read them or print them. I rarely deal with anyone who has a paid version of AVG, and never with one that is showing two versions of the program in the same HJT log so I will have to take your word that you know what you are doing and if you do not, refer you to Grisoft for instructions. Please update to the newest version located here: http://www.safer-networking.org/en/spybotsd15/index.html Update the
  9. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "Add REPLY" button, not the Quote or New Topic buttons. Help me out here, you said this: My question is, I run the free version of AVG 8, I know little about the licensed version. I am wondering how you are running both: AVG7 and AVG8 at the same time. If you do not know, contact Grisoft tech support for an answer. Since you pay for your version tech support is available. This is almost always ca
  10. Hi Traci, this is a hard one to call but I believe we have cleaned junk, but if you read the information I posted at the start, reformat is the only way to be 100% positive with a backdoor trojan. http://netsecurity.about.com/od/frequently...faq_rootkit.htm http://www.google.com/search?hl=en&q=w...G=Google+Search http://www.google.com/search?hl=en&q=R...amp;btnG=Search As you can see we are not talking about reinstalling the Operating System, hackers can hide their junk anywhere so the hard drive has to be wiped clean to be 100% sure. http://spyware-free.us/tutorials/reformat/
  11. Please do not quote my instructions, it is a waste of space and not necessary. If you wish to see what I said, scroll back to it. Your HJT log looks to be clean of malware; here are a couple of things I see. 1) Optional removal > O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE See this > http://www.castlecops.com/startuplist-5306.html 2) C:\Program Files\Java\jre1.6.0_05\ <<< check Java for an update, see this: http://forums.spybot.info/showpost.php?p=1...amp;postcount=2 I would like to see you update and run Windows Defender and AVG 8, if all is well then you are goo
  12. Please don't do it now, wait until we are finished. Let's please finish with our work, you can print this and do it once we know you are clean of malware, which should be very close now. SuperAntiSpyware file version 3.9.0.1008 file size 5.64 MB SAS is a valid program, and a good one. It is used a lot in malware removal because of the free trial. I am not seeing it in the uninstall list, so that might just be an icon, right click and delete it. I also do not see it in the HJT log anywhere. Uninstall list, and I see some challenges for you. I am after malware and security issu
  13. Potentially unwanted program RemAdm-procLaunch!171 Location C:\327882R2FWJFW\PSexec.cfexe This is called a PUP and I have a feeling it is part of combofix, see the cfexe. sUBs tool is close to a miracle with all it does and since we are uninstalling, I think this will go with it. Let's wait and see. IE6...You can check here: http://support.microsoft.com/ I am under the impression that if you use it or not, you should update to the newest version. Hackers exploit old versions of programs to infect you and things are especially dangerous at websites just now: http://www.google.com/
  14. Oops I missed the HJT log...sorry OK Traci, let me know if you get more information. I asked this: and I asked this: Please communicate when I request it. Let's move on until we get more information. Here is what I would like you to do now. MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) <<< could you tell me the reason you are still running Internet Explorer 6? 1) Remove C:\SDFix from your computer 2) Remove combofix from your computer like this: Click START then RUN Now type or copy Combofix /u in the runbox and click OK. Note the space betwee
  15. I need to know exactly what McAfee is showing you. Are you using a popup blocker? We have moved a load of malware off your computer. Post a new HJT log along with that information. Thanks
  16. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "Add REPLY" button, not the Quote or New Topic buttons. We will try this first and see what happens. Follow the directions carefully and in the numbered order. http://www.castlecops.com/clsid-37438.html <<< see this, I'll remove this, if you want to take that chance, leave it. 1) How to make files and folders visible: Click Start > Open My Computer. Select the Tools menu and click
  17. This was the one I was worried about in the combofix log: 2008-06-30 00:04 . 2008-06-30 00:04 86,144 --a------ C:\WINDOWS\system32\drivers\bthusbb.sys That's the rootkit!! MBAM removed it on Reboot: Files Infected: C:\WINDOWS\system32\drivers\bthusbb.sys (Rootkit.Agent) -> Delete on reboot. I needed this information from you? And did not get it... Your HJT log is clean and it looks like the tools did their job. This is next before we remove the tools we used. I am sure you saw this: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! http://www.bleepin
  18. Thanks for returning your information, let's clean and run one more scan and see where we are. Run Clean Manager http://spyware-free.us/tutorials/cleanmgr/ I think MBAM will remove the item and driver combofix is having trouble with: C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete Download Malwarebytes' Anti-Malware to your Desktop http://www.besttechie.net/tools/mbam-setup.exe * Double-click mbam-setup.exe and follow the prompts to install the program. * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Ant
  19. Thanks for returning your information, read and follow all directions carefully. A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. Remove any old copies of combofix before you proceed. Thanks to sUBs and anyone else who helped with this fix. It is important that it is saved directly to your Desktop Download ComboFix from Here to your Desktop Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post
  20. Hi Traci, I am not familiar with wireless, having never used it. I will have to assume if the computers were all on the same network it is very possible they are infected but I can't be positive of that. You could ask your questions here: http://forums.pcpitstop.com/index.php?showforum=3 Where other users who have wireless could tell you. If you intend to clean the infected computer, isolate it from the rest of the network and then you can take it online long enough to download the tools you need to use. You may be able to do what you are suggesting, keep in mind some tools are l
  21. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "Add REPLY" button, not the Quote or New Topic buttons. Your friend did not do you any favors: http://www.castlecops.com/tk54500-XTTBPos00.html http://forums.spybot.info/showthread.php?t=7344 You understand if you are accessing the internet in safe mode, you have absolutely no security running? I need to see the HJT log in normal mode, this is not going to be easy, but I am willing to try as long
  22. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "Add REPLY" button, not the Quote or New Topic buttons. I hate to be the bearer of bad news, but you have backdoor trojans on this computer as well as a Vundo infection. See these: http://www.prevx.com/filenames/X1141133265...TUYSZV.EXE.html http://www.greatis.com/appdata/d/r/rwwnw64d.exe.htm I believe, for your security, you need this information: A Backdoor is a software program that gives an atta
  23. Welcome to PCPitStop, please be aware that All advice given is taken at your own risk. Sorry for the wait, the logs are many, and the volunteers are few. When you reply, please use the "NEW REPLY" button, not the Quote or New Topic buttons. Looks like you are saying it's fixed, and you no longer have a problem. If that's the case, that's great. If you should still need help, post a HJT log in NORMAL mode and provide more information about your issue. Thanks
  24. Looks good, if you are having no malware issues, you are good to go. Great job with the complex instructions. I notice only Symantec leftovers: C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE http://basconotw.mvps.org/SymRem.htm Safe surfing Some good information for you: http://users.telenet.be/bluepatchy/miekiem...owcomputer.html http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx Here is some great information from experts in this field that will help you stay clean
  25. Thanks for the feedback, MBAM takes generally 30 to 60 minutes. Enjoy your weekend Phil