jwbirdsong

Trusted Helpers
  • Content Count

    262

Posts posted by jwbirdsong

  1. Download SDFix and save it to your desktop.

    Double click SDFix.exe and it will extract the files to C:\SDFix

    Please then reboot your computer in Safe Mode (without Networking) by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back here along with a Combofix log..(below)

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    ++++++++++++++++++++++++++++++++++++++++++++

    Translated with Babel Fish. You should click the link in the English post. Hope this helps someone

    Download SDFix and save it to your desktop. Double click SDFix.exe and it will extract the files to C:\SDFix

    Then please reboot your computer in Safe Mode (without Networking) by doing the following:

    * Restart your computer

    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    * Instead of Windows loading as normal, the Advanced Options Menu should appear;

    * Select the option to run Windows in Safe Mode, then press Enter.

    * Choose your usual account.

    * Open the C:\SDFix folder and double click RunThis.bat to start the script.

    * Type Y to begin the cleanup process.

    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.

    * Press any key and it will restart the PC.

    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).

    * Finally paste the contents of the Report.txt back here along with a Combofix log..(below)

    Download Combofix to your desktop. Doubleclick combofix.exe and follow the prompts. Don't click on the window while the fix is running, because that will cause your system to hang. When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply.

  2. I had already deleted the following but I know that there are others.

    Yep..

    ReRun HijackThis and put a check next to the following

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe

    Close all windows and click Fix Checked

    reboot

    Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  3. Download Dr.Web CureIt to the desktop:

    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.

    Post the Cureit log please and a HijackThis log

  4. You've still got a/some old Java version on there

    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    ... but other than that looks real good.

    Make sure to look for and uninstall all the OLD Java versions as they ARE a security risk

    Time for some housekeeping

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    The above procedure will:

    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:_OtMoveIt folder, if present

    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    By deleting the backups and resetting the System Restore we've taken care of all the items found in the Kaspersky scan.

    Make SURE to read How Did I Get Infected in the First Place??

  5. Look like we have everything. How is the machine running now?

    You NEED to update your Java/JRE.

    Go to your Control Panel>Add/Remove and uninstall ALL Java/JRE programs.

    Reboot then go HERE and D/L and install the latest version (JRE6 update 3)

    Guide found HERE

    Post a final(?) HijackThis log and any comments or concerns about how the computer is running.

  6. I KNOW I posted this yesterday....not sure why didn't show up..

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    Click "I accept"

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)

      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    *Note

    If you have Internet Explorer 7 installed:

    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.

    Page will reload and you should be able to carry on scan.

    If the KAV log has your email all over it -- please attach it rather than copy/paste.

  7. Download SDFix and save it to your desktop.

    Double click SDFix.exe and it will extract the files to C:\SDFix

    Please then reboot your computer in Safe Mode (without Networking) by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back here along with a Combofix log..(below)

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

  8. Sorry i was having connection trouble yesterday.

    Looking lots better

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    Click "I accept"

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)

      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    *Note

    If you have Internet Explorer 7 installed:

    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.

    Page will reload and you should be able to carry on scan.

    If the KAV log has your email all over it -- please attach it rather than copy/paste.

  9. Please print out or copy to Notepad for reading this as you may be in safemode or can not have IE open during most fixes.

    Please download FixWareout from HERE and save it to your desktop.

    DO NOT run it yet

    Open HijackThis by clicking ScanOnly.

    place a check next to the following.

    O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll

    O3 - Toolbar: °Ù¶È³¬¼¶ËÑ°Ô - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CE36F25-35D4-404A-8641-FAE654ED3133}: NameServer = 85.255.114.36,85.255.112.95

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C104927-7EC4-4967-B287-A5B57F15FD67}: NameServer = 85.255.114.36,85.255.112.95

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A493CB15-4ED2-4704-8AB7-030A5F16B2F7}: NameServer = 85.255.114.36,85.255.112.95

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5449A2-4516-4A2E-B4A3-AFA9ABD2C579}: NameServer = 85.255.114.36,85.255.112.95

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7D41A93-253D-48C0-B3B6-3D8773AB3679}: NameServer = 85.255.114.36,85.255.112.95

    Make sure ALL other windows/programs are closed and click Fix Checked.

    Do NOT reboot yet

    NOW run the fixwareout on your desktop. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

    • The fix will begin, follow the prompts.
    • You will be asked to reboot your computer, please do so.
    • Your system may take longer than usual to load. This is normal.
    • Once the desktop loads post the text that will open C:\fixwareout\report.txt Save it to your desktop for now....

    I will need in your next reply.

    Download ComboFix to your desktop

    Double click combofix.exe & follow the prompts.

    When finished, it shall produce a log for you. Post that log in your next reply

    Note:

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    After rebooting (Combofix will automatically boot )post the C:\fixwareout\report.txt and the Combofix log.

  10. Well the logs look pretty good. As you see in the Kaspersky log the only thing coming up is MyWebSearch stuff.

    It's considered an optional fix but it looks like you no longer use it.

    I suggest going to ControlPanel>Add/Remove and uninstalling anything with MyWay. Then delete the entire C:\Program Files\MyWebSearch folder. May need to reboot 1st.

    You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

    NOTE the RED entries need to be removed.....the BLUE are all optional and NOT needed at startup. Unchecking them will help system performance. You can manually start any one of them as needed.

    O2 - BHO: (no name) - {fd52bc30-fb90-4b8f-bcae-77b3906e9600} - C:\WINDOWS\system32\fonnth.dll (file

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <-------- You can leave this IF you set it and know what it does.

    O20 - Winlogon Notify: fonnth - fonnth.dll (file missing)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Compaq_Owner\Desktop\Picasa2\PicasaMediaDetector.exe

    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <<----- REALLY should uncheck this one. BIG resource hog

    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE<<----- REALLY should uncheck this one. BIG resource hog

    Close ALL other open windows and programs and click Fix checked

    Reboot and post a final(?) HijackThis log. Also tell how the computer is behaving.

  11. Sorry I should have noticed that you were using Avast...The panda detection is a known False Positive..not sure why they won't fix it.

    I can assure you the Panda download is completely safe to do. But if you are uncomfortable with it please do the Kaspersky scan below.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT

    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    When done post the Kaspersky log and a fresh HijackThis log.

  12. Did AVAST give you the file location for the Decompression Bombs?? BTW they are just what they sound like: files that, when you unzip/decompress them, copy a LARGE amount of junk to your system. Not necessarily malicious but no fun nonetheless.

    Download and scan with SUPERAntiSpyware Free for Home Users

    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log and the SuperAntiSpyware log

  13. Copy the following to Notepad (make sure your 1st line is REGEDIT4) and save it to your desktop as "fix.reg"...when naming the file make sure to use quotes just as I did.

    REGEDIT4

    [-HKEY_CLASSES_ROOT\CLSID\{02B010E6-F55E-18F9-AFDC-5F03CBD884E6}]
    [-HKEY_CLASSES_ROOT\CLSID\{07B26288-C681-0065-E065-8201DD28A761}]
    [-HKEY_CLASSES_ROOT\CLSID\{30E404C8-9E52-6BCC-07B7-75B62569A989}]
    [-HKEY_CLASSES_ROOT\CLSID\{3675715F-7D53-0434-2B54-B10B3458B832}]
    [-HKEY_CLASSES_ROOT\CLSID\{37D770DC-7684-506E-506F-B70AAFEB6F95}]
    [-HKEY_CLASSES_ROOT\CLSID\{3B54F794-786F-0118-4FF7-2319A73AE336}]
    [-HKEY_CLASSES_ROOT\CLSID\{42B4125A-8456-E674-1EAB-F008B3833B7C}]
    [-HKEY_CLASSES_ROOT\CLSID\{44E34F5D-DD47-7872-AC46-520661BABE29}]
    [-HKEY_CLASSES_ROOT\CLSID\{48014569-86A0-09D2-B74C-68DFC89AB093}]
    [-HKEY_CLASSES_ROOT\CLSID\{5367AF43-53A3-260E-9D79-0CDB4035A008}]
    [-HKEY_CLASSES_ROOT\CLSID\{5F4C15AC-0058-5C3E-822D-742B4125A084}]
    [-HKEY_CLASSES_ROOT\CLSID\{61BA9713-4C7D-321C-7CDA-2D19B793429D}]
    [-HKEY_CLASSES_ROOT\CLSID\{7060FA14-0E29-B33B-569A-AC425430C19B}]
    [-HKEY_CLASSES_ROOT\CLSID\{77E75C18-2847-DA08-D856-8452824004C7}]
    [-HKEY_CLASSES_ROOT\CLSID\{7CDBEDA5-3DCB-A735-5055-0A014758ED6B}]
    [-HKEY_CLASSES_ROOT\CLSID\{7DD85366-D791-988B-E591-E8766F46FA72}]
    [-HKEY_CLASSES_ROOT\CLSID\{7E35BA92-B311-70A1-8E0E-EE430F0CC372}]
    [-HKEY_CLASSES_ROOT\CLSID\{822904F6-6515-F4CA-FCA6-3DD79347C0E0}]
    [-HKEY_CLASSES_ROOT\CLSID\{847C1672-FB03-7621-DD34-036D3E8460FD}]
    [-HKEY_CLASSES_ROOT\CLSID\{8A211D0F-A737-38A0-EA0A-D2480CDBEF01}]
    [-HKEY_CLASSES_ROOT\CLSID\{9D6A4232-5595-7E6F-2779-C942DCAB8455}]
    [-HKEY_CLASSES_ROOT\CLSID\{A66DF143-F487-E2C9-232E-3D99CC47A72F}]
    [-HKEY_CLASSES_ROOT\CLSID\{B756513C-B2A5-1805-60FF-E40570DBC936}]
    [-HKEY_CLASSES_ROOT\CLSID\{BCC63C42-67AA-A5DB-877D-963D27AD9AFA}]
    [-HKEY_CLASSES_ROOT\CLSID\{BE39619D-2F5C-5C5D-24AA-44CE33AF3E2B}]
    [-HKEY_CLASSES_ROOT\CLSID\{E66F4233-2A70-2CDE-18E8-550B593208D5}]
    [-HKEY_CLASSES_ROOT\CLSID\{F322A8AF-EF0E-13F8-1E57-1BF7314624F9}]
    [-HKEY_CLASSES_ROOT\CLSID\{F82406AA-AA26-0FEF-2943-600622AB7AB5}]
    [-HKEY_CLASSES_ROOT\CLSID\{FD4A74BF-5712-24E2-4DA7-6711D4FD291B}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    If saved correctly it should have an icon like this reg.jpg

    Go to the desktop and right-click on fix.reg, then choose Merge. You will be asked "Are you sure you wish to merge...??" Answer yes.

    Reboot and post a new HijackThis log

  14. Please Download NoLop to your desktop from one of the links below...

    Link 1

    Link 2

    Link 3

    • First close any other programs you have running as this will require a reboot
    • Double click NoLop.exe to run it
    • Now click the button labelled "Search and Destroy"
      <<your computer will now be scanned for infected files>>
    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the "REBOOT" Button.
    • A Message should popup from NoLop. If not, double click the program again and it will finish

    Please Post the contents of C:\NoLop.log along with a fresh HijackThis log

  15. I'm with you, not real partial to the bottom one.

    I REALLY like the contrasting letter size of the 1st.

    I also think I like the 'sun' of the 1st one the best.

    If you could have the 1st sun with the bits (0' and 1's) of the 2nd sun I think you would have a real winner with it.

    Let us know your final decision.

  16. This is a non-English OS, correct???

    Well we can get rid of these entries if they won't go w/ HJT.

    So just for my sake, so I can see it for my self plz do the following

    You NEED to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6} - (no file)

    O2 - BHO: (no name) - {07B26288-C681-0065-E065-8201DD28A761} - (no file)

    O2 - BHO: (no name) - {30E404C8-9E52-6BCC-07B7-75B62569A989} - (no file)

    O2 - BHO: (no name) - {3675715F-7D53-0434-2B54-B10B3458B832} - (no file)

    O2 - BHO: (no name) - {37D770DC-7684-506E-506F-B70AAFEB6F95} - (no file)

    O2 - BHO: (no name) - {3B54F794-786F-0118-4FF7-2319A73AE336} - (no file)

    O2 - BHO: (no name) - {42B4125A-8456-E674-1EAB-F008B3833B7C} - (no file)

    O2 - BHO: (no name) - {44E34F5D-DD47-7872-AC46-520661BABE29} - (no file)

    O2 - BHO: (no name) - {48014569-86A0-09D2-B74C-68DFC89AB093} - (no file)

    O2 - BHO: (no name) - {5367AF43-53A3-260E-9D79-0CDB4035A008} - (no file)

    O2 - BHO: (no name) - {5F4C15AC-0058-5C3E-822D-742B4125A084} - (no file)

    O2 - BHO: (no name) - {61BA9713-4C7D-321C-7CDA-2D19B793429D} - (no file)

    O2 - BHO: (no name) - {7060FA14-0E29-B33B-569A-AC425430C19B} - (no file)

    O2 - BHO: (no name) - {77E75C18-2847-DA08-D856-8452824004C7} - (no file)

    O2 - BHO: (no name) - {7CDBEDA5-3DCB-A735-5055-0A014758ED6B} - (no file)

    O2 - BHO: (no name) - {7DD85366-D791-988B-E591-E8766F46FA72} - (no file)

    O2 - BHO: (no name) - {7E35BA92-B311-70A1-8E0E-EE430F0CC372} - (no file)

    O2 - BHO: (no name) - {822904F6-6515-F4CA-FCA6-3DD79347C0E0} - (no file)

    O2 - BHO: (no name) - {847C1672-FB03-7621-DD34-036D3E8460FD} - (no file)

    O2 - BHO: (no name) - {8A211D0F-A737-38A0-EA0A-D2480CDBEF01} - (no file)

    O2 - BHO: (no name) - {9D6A4232-5595-7E6F-2779-C942DCAB8455} - (no file)

    O2 - BHO: (no name) - {A66DF143-F487-E2C9-232E-3D99CC47A72F} - (no file)

    O2 - BHO: (no name) - {B756513C-B2A5-1805-60FF-E40570DBC936} - (no file)

    O2 - BHO: (no name) - {BCC63C42-67AA-A5DB-877D-963D27AD9AFA} - (no file)

    O2 - BHO: (no name) - {BE39619D-2F5C-5C5D-24AA-44CE33AF3E2B} - (no file)

    O2 - BHO: (no name) - {E66F4233-2A70-2CDE-18E8-550B593208D5} - (no file)

    O2 - BHO: (no name) - {F322A8AF-EF0E-13F8-1E57-1BF7314624F9} - (no file)

    O2 - BHO: (no name) - {F82406AA-AA26-0FEF-2943-600622AB7AB5} - (no file)

    O2 - BHO: (no name) - {FD4A74BF-5712-24E2-4DA7-6711D4FD291B} - (no file)

    Close ALL other open windows and programs and click Fix checked.

    Reboot and post the following:

    Download

    Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.

    2. Double-click on dss.exe to run it, and follow the prompts.

    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized

    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply
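Added example, not part of the original posts and not HijackThis code: a small triage script for the three kinds of HijackThis entries these posts ask the user to fix (an F2 Shell value with something after Explorer.exe, O2/O20 entries whose file is gone, and O17 NameServer overrides). The sample entries are copied from posts on this page; the finding labels and the `expected_resolvers` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# "<section code> - <body>", e.g. "O17 - HKLM\...: NameServer = a,b"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O17_RE = re.compile(
    r"^(?P<key>.+?): (?P<value>NameServer|Domain|SearchList)\s*=\s*(?P<data>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.*)$", re.I)
MISSING_RE = re.compile(r"\((no file|file missing)\)\s*$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Entries copied from the posts on this page (not a complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CE36F25-35D4-404A-8641-FAE654ED3133}: NameServer = 85.255.114.36,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C104927-7EC4-4967-B287-A5B57F15FD67}: NameServer = 85.255.114.36,85.255.112.95
O20 - Winlogon Notify: fonnth - fonnth.dll (file missing)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"""


def parse_entry(line):
    """Return (code, body) for a HijackThis entry line, or None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(log_text, expected_resolvers=()):
    """Return a list of (label, detail) findings for a reviewer.

    expected_resolvers: DNS servers the analyst knows are legitimate for
    this network (hypothetical parameter; empty means report every override).
    """
    findings = []
    resolvers = defaultdict(list)  # resolver tuple -> interface GUIDs
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        code, body = parsed
        if code == "F2":
            # Anything after the first token of Shell= also starts at logon.
            m = SHELL_RE.match(body)
            if m:
                parts = m.group("shell").split(None, 1)
                if len(parts) > 1:
                    findings.append(("shell-extra", parts[1]))
        elif code in ("O2", "O20") and MISSING_RE.search(body):
            # Registry entry still present, file already gone.
            m = BHO_RE.match(body)
            findings.append(("orphaned", m.group("clsid") if m else body))
        elif code == "O17":
            m = O17_RE.match(body)
            if m and m.group("value") == "NameServer":
                servers = tuple(
                    s for s in re.split(r"[,\s]+", m.group("data")) if s)
                iface = GUID_RE.search(m.group("key"))
                resolvers[servers].append(
                    iface.group(0) if iface else m.group("key"))
    # One finding per distinct resolver set, with how many interfaces use it.
    for servers, ifaces in resolvers.items():
        unexpected = tuple(s for s in servers if s not in expected_resolvers)
        if unexpected:
            findings.append(("dns-override", (unexpected, len(ifaces))))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(label, detail)
```

The same resolver pair showing up on every interface GUID, as in the O17 lines above, is the pattern the script groups into a single finding.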

  17. Well looks like you have FAT drives right?

    Then you need a command like the following in your /etc/fstab

    /dev/hdb1 /media/fat_files vfat iocharset=utf8,umask=000 0 0

    Get correct info (/dev/hdb1 etc) from sudo fdisk -l.

    GREAT info on fstab can be found HERE

    Mounting info found HERE

  18. Apologies.....

    My error started in my representation of properties.

    what I have in other post is NOT 555..it's 666.....or (111 in UMASK) and as I was writing I just wrote what permission I had...

    - r-x r-x r-x IS 555 and read and execute....

    Sorry for confusion. It was early and I hadn't had coffee yet I guess.

  19. It's just the way of setting permissions on the FS you are mounting if you don't want to use the defaults.

    But keep in mind that UMASK doesn't use the same permissions as the system permissions. As a matter of fact it is the exact opposite (inverse to be precise)

    Let's use - rw- rw- rw- as an example == which means (in order) User, Groups and World (everyone else) have read/write access. This would also be written as 555. Doing the math (keeping in mind MAXIMUM is 777) for UMASK then those same permissions would be 222.

    OR to set all permissions (777) in UMASK use 000.

    Confused now?? LOL
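Added example, not part of the original posts: how the `umask` mount option in the vfat fstab line posted earlier on this page turns into the permissions every file and directory on that mount will show, and which settings leave the mount world-writable. The `default_umask` fallback, the `uid=1000` value and the tighter fstab line are assumptions of this example.

```python
import stat

# The fstab line from the post on this page.
PAGE_LINE = "/dev/hdb1 /media/fat_files vfat iocharset=utf8,umask=000 0 0"
# A tighter variant (constructed for this example; uid=1000 is an assumption).
TIGHTER_LINE = ("/dev/hdb1 /media/fat_files vfat "
                "iocharset=utf8,uid=1000,fmask=0133,dmask=0022 0 0")


def parse_fstab_line(line):
    """Split an fstab line into its fields; mount options become a dict."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected: device mountpoint fstype options [dump pass]")
    options = {}
    for item in fields[3].split(","):
        key, _, value = item.partition("=")
        options[key] = value
    return {"device": fields[0], "mountpoint": fields[1],
            "fstype": fields[2], "options": options}


def vfat_effective_modes(options, default_umask=0o022):
    """Return (file_mode, dir_mode) for a vfat mount.

    FAT stores no Unix permissions, so the kernel presents 0777 with the
    mask bits cleared. fmask/dmask override umask for files/directories.
    default_umask stands in for the mounting process's umask (assumption).
    """
    umask = int(options["umask"], 8) if "umask" in options else default_umask
    fmask = int(options["fmask"], 8) if "fmask" in options else umask
    dmask = int(options["dmask"], 8) if "dmask" in options else umask
    return 0o777 & ~fmask, 0o777 & ~dmask


def describe(line):
    """Summarise the permissions a vfat fstab line produces."""
    entry = parse_fstab_line(line)
    if entry["fstype"] not in ("vfat", "msdos"):
        raise ValueError("mask options here are specific to FAT mounts")
    fmode, dmode = vfat_effective_modes(entry["options"])
    notes = []
    if (fmode | dmode) & 0o002:
        notes.append("world-writable")
    if fmode & 0o111:
        notes.append("files-executable")
    return {
        "files": stat.filemode(stat.S_IFREG | fmode),
        "dirs": stat.filemode(stat.S_IFDIR | dmode),
        "file_octal": format(fmode, "03o"),
        "notes": notes,
    }


if __name__ == "__main__":
    for line in (PAGE_LINE, TIGHTER_LINE):
        print(line)
        print("  ", describe(line))
```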

  20. Open Notepad and copy/paste the text in the quotebox below into it:

    File::

    C:\Documents and Settings\Ana Pittell\Start Menu\Programs\Startup\svchost.exe

    C:\WINDOWS\system32\yjaseyfj.exe

    C:\WINDOWS\system32\swinoodt.exe

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\xxx.exe

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\findfast.exe

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\spoolsv.dll

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\errprotec.exe

    FileLook::

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\sysdoctor.exe

    C:\DOCUME~1\ANAPIT~1\APPLIC~1\protector.exe

    Submit::

    C:\WINDOWS\system32\lxglxebd.dll

    C:\WINDOWS\system32\yjaseyfj.exe

    C:\WINDOWS\system32\yvsactgp.exe

    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACFBFE1C-226C-4B6D-B097-779C319DF912}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACFBFE1C-226C-4B6D-B097-779C319DF912}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "s75Q33W"=-

    "svhost"=-

    "findfast"=-

    "LaserJet"=-

    "svchost"=-

    "SystemOptimizer"=-

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Tbsa"=-

    "findfast"=-

    "LaserJet"=-

    "svchost"=-

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bdva]

    Save this as CFScript.txt

    Then drag/drop the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip

    Please submit this file to:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    Please include a link to this topic in the message.