Dan

Posts posted by Dan

  1. Hi,

    • Please go HERE to run Housecall.
    • Note: you must use Internet Explorer, other browsers will not work.
    • Under "Scan your PC", please click Scan now. It's free!
    • Select your location and click the Go button.
    • Click the red magnifying glass button.
    • Select Complete Scan.
    • Please be patient while Housecall downloads.
    • Please allow the ActiveX Control and when prompted click install
    • Put a check next to My Computer
    • Leave the following checked:
      • Scan for Spyware
      • Check security vulnerabilities
    • Click the Next button.
    • It will download the latest scan engine and pattern files.
    • When the definitions have been downloaded, the scan will start.
    • After it's done scanning it will take you to the summary page.
    • Click the Next button.
    • Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
    • Click the Next button to move onto the recovery (final) portion of the scan.
    • After everything has been removed, please click the show button on everything.
    • Highlight all of the text and press CTRL + C to copy the text.
    • Please post the contents into your next reply.

    Danny :thumbsup:

  2. Go to Start > Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the below services:

    Remote Packet Capture Protocol v.0 (experimental)

    When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

    Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service". A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

    rpcapd

    Click OK.

    It should pull up information about the service, then ask if you want to reboot. Click YES.

    Post a new HiJackThis log after it reboots and let me know if you received any error messages.

  3. Hi,

    This log is clean :). It seems like you don't have an anti-virus or firewall. Please look at these tools that will protect your computer:

    • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Danny :thumbsup:

    Hi,

    Please download HijackThis from http://www.besttechie.net/tools/HijackThis.exe

    After downloading, you have to place it into a permanent folder such as "C:\HJT". To do this:

    * Navigate to your C:\ drive.

    * Right click inside of the C:\ drive

    * A menu with the choice "New" will pop up

    * Hover over "New" and select "Folder" from the sub-menu that pops up.

    * Rename the Folder HijackThis

    * Drag HijackThis into the new folder.

    Next, open HijackThis, and click the "Scan" button. Most of what HijackThis lists will be harmless or even essential, DO NOT delete or modify anything yet!

    Now click the 'Save Log' button.

    Post the contents of that log as a new topic in the Malware Removal Forum

    One of the Staff will review your log and help you out.

    dk :)

  4. Hey Dave,

    My mind hasn't "processed" all of the info yet, but from the last bmp, it looks like it might not work. I'll ask my teacher, but I don't think that it will be able to work. I think I need to have the brick stick up on a string through it.

    Attached is what I think I need. If I could, should I get it to wrap around your idea?

    JDoors, I don't wanna cheat :( I NEED a good grade on this, but thanks,

    Danny :thumbsup:


  5. Ok, Try this:

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

    • Click the Free Trial link under "SpySweeper" to download the program.
    • Install it.
    • Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log.

    Danny :thumbsup:

  6. Hi,

    We have a few things left to do.

    Open HijackThis, click the Scan button, and check the following item:

    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ksdhu.dll (file missing)

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Close all windows except HijackThis, and click the "Fix Checked" button.

    Reboot and post a new log.

    Danny :thumbsup:

  7. Hi,

    Open HijackThis, click the "Scan" button, and check the following items:

    O4 - HKLM\..\Run: [Kub121D] C:\documents and settings\owner\local settings\temp\Kub121D.exe

    O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

    O4 - HKLM\..\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\System32\ZQInContextactx1.exe

    O4 - HKLM\..\Run: [sys03418770551] C:\WINDOWS\sys03418770551.exe

    O4 - HKLM\..\Run: [ms04187705514] C:\WINDOWS\ms04187705514.exe

    O4 - HKCU\..\Run: [redx.exe] C:\Documents and Settings\Owner\Application Data\System Restore\redx.exe

    O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\System32\mc-110-12-0000122.exe

    O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\System32\fran-super.exe

    O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\System32\ventbb.exe

    O4 - HKCU\..\Run: [VB1.exe] C:\Documents and Settings\Owner\Application Data\System Restore\VB1.exe

    O4 - HKCU\..\Run: [setup75.exe] C:\WINDOWS\System32\Setup75.exe

    O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\System32\ZQInContextactx1.exe

    Close all windows except HijackThis and click the "Fix Checked" button.

    Locate the following files/folders and delete them:

    C:\WINDOWS\System32\ZQInContextactx1.exe << This file

    C:\WINDOWS\System32\Setup75.exe << This file

    C:\Documents and Settings\Owner\Application Data\System Restore << This folder

    C:\WINDOWS\System32\ventbb.exe << This file

    C:\WINDOWS\System32\fran-super.exe << This file

    C:\WINDOWS\System32\mc-110-12-0000122.exe << This file

    C:\WINDOWS\ms04187705514.exe << This file

    C:\WINDOWS\sys03418770551.exe << This file

    C:\WINDOWS\System32\ZQInContextactx1.exe << This file

    C:\WINDOWS\bxxs5.dll << This file

    C:\PROGRA~1\Media Access << This folder

    C:\WINDOWS\System32\IEHost.exe << This file

    C:\documents and settings\owner\local settings\temp\Kub121D.exe << This file

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

    • Click the Free Trial link under "SpySweeper" to download the program.
    • Install it.
    • Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log.

    Danny :thumbsup:
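
A cross-check for the two lists in the post above, as an added example that is not part of the original post: it parses HijackThis O4 autorun lines, extracts the file each one launches, and reports which delete-list path (file or parent folder) covers it. The function names, the textual 8.3 short-name match (a heuristic; the filesystem holds the real mapping) and the final `[example]` line are assumptions made here.

```python
import re

# Subset of the O4 lines and delete-list paths quoted in the post above.
FLAGGED = [
    r"O4 - HKLM\..\Run: [Kub121D] C:\documents and settings\owner\local settings\temp\Kub121D.exe",
    r"O4 - HKLM\..\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe",
    r"O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun",
    r"O4 - HKCU\..\Run: [redx.exe] C:\Documents and Settings\Owner\Application Data\System Restore\redx.exe",
    # Constructed line (not from the post): an entry with no matching delete path.
    r"O4 - HKCU\..\Run: [example] C:\WINDOWS\example-not-listed.exe",
]
DELETE_LIST = [
    r"C:\documents and settings\owner\local settings\temp\Kub121D.exe",
    r"C:\PROGRA~1\Media Access",
    r"C:\WINDOWS\bxxs5.dll",
    r"C:\Documents and Settings\Owner\Application Data\System Restore",
]

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# First drive-rooted .exe/.dll in the command; skips a leading RunDLL32.EXE
# and stops before the ",DllRun" export suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]+?\.(?:exe|dll)', re.IGNORECASE)
# 8.3 short directory name such as MEDIAA~1
SHORT_RE = re.compile(r"^(.{1,6})~\d$")


def target_path(cmd):
    """Return the file an autorun command line actually loads, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def same_component(a, b):
    """Case-insensitive compare of one path component, tolerating 8.3 names.

    Heuristic: MEDIAA~1 matches any long name whose space-stripped form
    starts with MEDIAA. Confirm on the host (dir /x) before relying on it.
    """
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_ in ((a, b), (b, a)):
        m = SHORT_RE.match(short)
        if m and long_.replace(" ", "").startswith(m.group(1)):
            return True
    return False


def covered_by(path, entry):
    """True if entry is the file itself or one of its parent folders."""
    p, e = path.split("\\"), entry.split("\\")
    return len(e) <= len(p) and all(same_component(x, y) for x, y in zip(e, p))


def cross_check(flagged, delete_list):
    """Map each O4 value name to (target file, covering delete path or None)."""
    report = {}
    for line in flagged:
        m = O4_RE.match(line)
        if not m:
            continue
        _hive, _key, name, cmd = m.groups()
        path = target_path(cmd)
        hit = next((d for d in delete_list if path and covered_by(path, d)), None)
        report[name] = (path, hit)
    return report


if __name__ == "__main__":
    for name, (path, hit) in cross_check(FLAGGED, DELETE_LIST).items():
        print(f"{name:14} {path}  ->  {hit or 'NOT IN DELETE LIST'}")
```

An entry reported as not covered still has its autorun value removed by "Fix Checked", but the file it pointed to stays on disk until it is deleted or handled by another tool.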

  8. Well, the other one didn't go so well. It landed on its side and went kaput! Oh well... For this one:

    Materials:

    • Corrugated Cardboard Strips, no longer than 6", no wider than 1"
    • Any Adhesive - NO TAPE

    Goal: To build a structure to support a brick :surrender:

    Restrictions:

    1. Cannot glue strips together vertically
    2. Device must be 16" minimum
    3. Max Weight: 150 g.
    4. Need Paperwork - 5 different ideas, with 5 different descriptions

    So, if you guys could help me, that'd be great!

    Also, I have a thread at G2G: http://www.geekstogo.com/forum/index.php?showtopic=78054

    Danny :thumbsup:

  9. Hi,

    Before we begin:

    I recommend that you uninstall Morpheus. This P2P program is considered to have spyware in the older versions, and would be better replaced by a different one.

    Check here for more info.

    Next, open HijackThis, click the "Scan" button, and check the following items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsh7.dll

    O4 - HKLM\..\Run: [Kub121D] C:\documents and settings\owner\local settings\temp\Kub121D.exe

    O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

    O4 - HKLM\..\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

    O4 - HKLM\..\Run: [sys02141877055] C:\WINDOWS\sys02141877055.exe

    O4 - HKLM\..\Run: [ms05877055141] C:\WINDOWS\ms05877055141.exe

    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\System32\ZQInContextactx1.exe

    O4 - HKLM\..\Run: [ms04187705514] C:\WINDOWS\ms04187705514.exe

    O4 - HKLM\..\Run: [ms06770551418] C:\WINDOWS\ms06770551418.exe

    O4 - HKLM\..\Run: [win3208055141877] C:\WINDOWS\win3208055141877.exe

    O4 - HKLM\..\Run: [win3207705514187] C:\WINDOWS\win3207705514187.exe

    O4 - HKLM\..\Run: [sys01514187705] C:\WINDOWS\sys01514187705.exe

    O4 - HKLM\..\Run: [sys09551418770] C:\WINDOWS\sys09551418770.exe

    O4 - HKCU\..\Run: [redx.exe] C:\Documents and Settings\Owner\Application Data\System Restore\redx.exe

    O4 - HKCU\..\Run: [zqactx1.exe] C:\Documents and Settings\Owner\Application Data\System Restore\zqactx1.exe

    O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\System32\mc-110-12-0000122.exe

    O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\System32\fran-super.exe

    O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\System32\ventbb.exe

    O4 - HKCU\..\Run: [VB1.exe] C:\Documents and Settings\Owner\Application Data\System Restore\VB1.exe

    O4 - HKCU\..\Run: [setup75.exe] C:\WINDOWS\System32\Setup75.exe

    O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\System32\ZQInContextactx1.exe

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c106.cab

    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0008.exe

    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

    O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab

    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://mrsupergames.aavalue.com/toolbars/msg/msg-toolbar.cab

    O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\ksdhu.dll (file missing)

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Close all windows except HijackThis and click the "Fix Checked" button.

    Next, please enable viewing of hidden files as follows:

    1) Go to My Computer, and click on the "Tools" menu

    2) Click "Folder options"

    3) Select the "View" tab

    4) Make sure "Show hidden files and folders" is selected

    5) Make sure "Hide extensions for known file types" is unchecked

    6) Make sure "Hide protected operating system files (recommended)" is unchecked

    Locate the following files/folders and delete them:

    C:\WINDOWS\System32\Setup75.exe << This file

    C:\Documents and Settings\Owner\Application Data\System Restore << This folder

    C:\WINDOWS\System32\ventbb.exe << This file

    C:\WINDOWS\System32\fran-super.exe << This file

    C:\WINDOWS\System32\mc-110-12-0000122.exe << This file

    C:\WINDOWS\sys09551418770.exe << This file

    C:\WINDOWS\sys01514187705.exe << This file

    C:\WINDOWS\win3207705514187.exe << This file

    C:\WINDOWS\win3208055141877.exe << This file

    C:\WINDOWS\ms06770551418.exe << This file

    C:\WINDOWS\ms04187705514.exe << This file

    C:\WINDOWS\System32\ZQInContextactx1.exe << This file

    C:\WINDOWS\ms05877055141.exe << This file

    C:\WINDOWS\sys02141877055.exe << This file

    C:\WINDOWS\bxxs5.dll << This file

    C:\PROGRA~1\MEDIAA~1 << This folder

    C:\WINDOWS\System32\IEHost.exe << This file

    C:\documents and settings\owner\local settings\temp\Kub121D.exe << This file

    Please download AproposFix from here:

    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:

    1) Restart your computer

    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3) Instead of Windows loading as normal, a menu should appear

    4) Select the first option, to run Windows in Safe Mode.

    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

    Danny :thumbsup:

  10. Hi,

    Yes, it would be safe to remove Weatherbug. Some consider it spyware, and it is optional to remove.

    ---------------

    We have a couple of last steps to perform and then you're all set.

    First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
    • CHECK the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Next, let's clean your restore points and set a new one:

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    1. Turn off System Restore.

    On the Desktop, right-click My Computer.

    Click Properties.

    Click the System Restore tab.

    Check Turn off System Restore.

    Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.

    Click Properties.

    Click the System Restore tab.

    UN-Check Turn off System Restore.

    Click Apply, and then click OK.

    System Restore will now be active again.

    Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

    • SpywareBlaster to help prevent spyware from installing in the first place.
    • SpywareGuard to catch and block spyware before it can execute.
    • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

    You should also have a good firewall. Here are 3 free ones available for personal use:

    and a good antivirus (these are also free for personal use):

    It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

    To keep your operating system up to date visit

    monthly. And to keep your system clean run these free malware scanners

    weekly, and be aware of what emails you open and websites you visit.

    To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

    Have a safe and happy computing day!

    Danny :thumbsup:

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.

  11. Please print these instructions out for use in Safe Mode.

    First, please go to Start --> Control Panel --> Add Remove Programs. Uninstall ISTSVC.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
      VundoFix V2.15 by Atri
      By using VundoFix you agree that you are doing so at your own risk
      Press enter to continue....
    • At this point press enter one time.
    • Next you will see:
      Please Type in the filepath as instructed by the forum staff
      and then press enter:
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\system32\byxut.dll

    • Press Enter to continue with the fix.
    • Next you will see:
      Please type in the second filepath as instructed by the forum
      staff then press enter:
    • At this point please type the following file path (make sure to enter it exactly as below!):
      • C:\WINDOWS\system32\tuxyb.*
    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
      • O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byxut.dll
      • O4 - HKLM\..\Run: [ó# K"h'þ9Óœ÷3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jwbgsipl.exe
      • O20 - Winlogon Notify: byxut - C:\WINDOWS\system32\byxut.dll
    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    • Once your machine reboots please continue with the instructions below.

    Download and install CleanUp!

    Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

    Set the program up as follows:

    Click "Options..."

    Move the arrow down to "Custom CleanUp!"

    Put a check next to the following (Make sure nothing else is checked!):

    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users

    Click OK

    Press the CleanUp! button to start the program.

    It may ask you to reboot at the end, click NO.

    Next, please enable viewing of hidden files as follows:

    1) Go to My Computer, and click on the "Tools" menu

    2) Click "Folder options"

    3) Select the "View" tab

    4) Make sure "Show hidden files and folders" is selected

    5) Make sure "Hide extensions for known file types" is unchecked

    6) Make sure "Hide protected operating system files (recommended)" is unchecked

    Locate the following file and delete it:

    C:\WINDOWS\jwbgsipl.exe

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.