Jump to content


Trusted Malware Techs
  • Content Count

  • Joined

  • Last visited

Everything posted by sUBs

  1. The above statement is a bit incorrect. Spyware is an even bigger menace. Unlike virii, which are mainly created by pranksters, spyware is driven by monetary gains. The scumbags responsible for this are well organized & financed/backed by big bucks. Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)Go to Start → Run → type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILESFrom Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tabClick once on the Internet icon so it becomes highlighted. Select Custom Level .Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html Microsoft Windows Update → http://www.windowsupdate.comVisit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROYDownload and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html AD-AWAREDownload and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html SPYWAREBLASTERSpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html IE-SPYADIE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows. http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: http://www.winpatrol.com/features.html To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved.
  2. Please show me a fresh Hijackthis log so that I may verify that you're clean.
  3. Try this.. Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot... In the popup box that appears, copy/paste in: C:/WINDOWS/System32/fixmfs.dll Click the Open button. Click YES when prompted to restart your computer.
  4. The file should be located in this folder - C:\Program Files\浩方对战平台 Are you still experiencing browser redirection to yin123.com?
  5. Sorry about that. I made an error with that script. By naming it CNSMin.zip I had it self delete itself. Please download this amended copy - It includes the files found by Ewido & Kaspersky. Like before, it shoul dbe run friom s/mode. These other files require manual deletions. The ?? are probaly Chinese writing: C:\WINDOWS\system32\explore.exe_????? F:\server back up\sinokingcomcn\DA«"IŽ¬_¬D.zip C:\Program Files\??????\y4h060717.exe
  6. C:\WINDOWS\ebaylink.exe - I cannot determine if this file is legit Please submit the file to this site → http://www.bleepingcomputer.com/submit-malware.php?channel=4 Please include a link to this topic in the message. ========== This is an entry from the combofix log. It's supposed to be a folder but strangely named with a single dot (.).Please take a look inside it & tell me what's inside ========== Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1 Download the file I have attached to this post - We shall be using it in Safe Mode Download Ewido Anti-Malware → http://www.ewido.net/en/download/ Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files.On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. If you are having problems with the updater, you can use this link to manually update Ewidohttp://download.ewido.net/ewido-signatures-full-current.exe Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet. 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools → Folder Options → View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\WINDOWS\system32\adsimg01.dll C:\WINDOWS\system32\upswnzd11.exe * * * * * * Open up CNSMin.zip & doubleclick the file within. It shall produce a log for us. * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Click Exit on the Main menu to close the program. * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner & select the Scan tab Click Complete System Scan to begin scanning. If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. ** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at http://www.kaspersky.com/service?chapter=161739400 Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database:Extended Scan Options:Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Online Scan Log from CNSMin.bat Ewido Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
  7. Hello I'm sUBs. I shall try to help you rid the machine of this Chinese adware. First off, I shall require you to generate an uninstall list Launch HijackThis & go to Config > Misc Tools - Open Uninstall Manager Click the Save List button & post the the resultant log here. Please highlight any entries that looks suspicious to you Note: There may be some entries in Chinese. If you read Chinese, kindly translate them ======= 1. Download this file using either of these links http://download.bleepingcomputer.com/sUBs/combofix.exe http://www.techsupportforum.com/sectools/combofix.exe 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Create New...