
Nirvana

Trusted Malware Techs
  • Content Count: 162

Everything posted by Nirvana

  1. Nirvana

    Millions and Millions of Popups!!!

    Since this issue appears to be resolved, this topic will be closed.
  2. Nirvana

    Millions and Millions of Popups!!!

    You're all clean now. We're gonna purge System Restore now to get rid of those remaining in System Volume Information.
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check Turn off System Restore.
    5. Click Apply, and then click OK.
    6. Restart the computer.
    7. Follow steps 1 to 3 again, then uncheck Turn off System Restore tab.
    When you are sure you are clean create a restore point. To create a restore point:
    Single-click Start and point to All Programs. Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
    You should also read Tony Klein's article on "How I got Infected in the First Place": http://castlecops.com/postlite7736-.html
  3. Nirvana

    Millions and Millions of Popups!!!

    Ok, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.
    For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
    Next, navigate to and delete the following:
    C:\!KillBox\ <-------- Delete the contents of this folder.
    C:\Documents and Settings\Peter.PETERS-COMPUTER\.housecall\Quarantine\ <-------- Delete the contents of this folder.
    C:\Documents and Settings\Peter.PETERS-COMPUTER\Desktop\My Folder\Cleanups\Protectors\backups\ <-------- Delete the contents of this folder.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\gjhz.exe <-------- Delete this file.
    C:\Program Files\wmplayer\p.zip <-------- Delete this file.
    C:\Program Files\Jalmp\uninstall.exe <-------- Delete this file.
    C:\Program Files\Network\network.exe <-------- Delete this file.
    C:\WINDOWS\$NtServicePackUninstall$\telnet.exe <-------- Delete this file.
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll <-------- Delete this file.
    C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56T0311NetInstaller.exe <-------- Delete this file.
    C:\WINDOWS\Downloaded Program Files\UWFX5_0001_NI530211NetInstaller.exe <-------- Delete this file.
    Same again for all of the following:
    C:\WINDOWS\emruqfbA.exe
    C:\WINDOWS\hh32SPorms.exe
    C:\WINDOWS\inst_adperform.exe
    C:\WINDOWS\ms030734576.exe
    C:\WINDOWS\ms646464.exe
    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\NDNuninstall7_22.exe
    C:\WINDOWS\nsw.log:xgcnko:$DATA
    C:\WINDOWS\nts-32orhh.exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\pf78.exe/data0002
    C:\WINDOWS\pf78.exe/data0003
    C:\WINDOWS\pf78.exe/data0006
    C:\WINDOWS\pf78.exe/data0007
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\pms111x.exe
    C:\WINDOWS\River Sumida.bmp:brcry:
    C:\WINDOWS\setuperr.log:ddxewo:
    C:\WINDOWS\SPhhhh.exe
    C:\WINDOWS\SPPE6464hh.exe
    C:\WINDOWS\SYSTEM32\awtsp.dll
    C:\WINDOWS\SYSTEM32\bkauk.dat
    C:\WINDOWS\SYSTEM32\btxmvmrq.dll
    C:\WINDOWS\SYSTEM32\ddsvdjc.exe
    C:\WINDOWS\SYSTEM32\episgovq.dll
    C:\WINDOWS\SYSTEM32\isjqmhvu.dll
    C:\WINDOWS\SYSTEM32\jgddolvi.dll
    C:\WINDOWS\SYSTEM32\lacginib.dll
    C:\WINDOWS\SYSTEM32\msSP.exe
    C:\WINDOWS\SYSTEM32\pnopnia.dll
    C:\WINDOWS\SYSTEM32\pre2.exe
    C:\WINDOWS\SYSTEM32\rciacp.exe
    C:\WINDOWS\SYSTEM32\rjpabanu.dll
    C:\WINDOWS\SYSTEM32\rwemw.dll
    C:\WINDOWS\SYSTEM32\ssjfmjhn.dll
    C:\WINDOWS\SYSTEM32\synt.exe
    C:\WINDOWS\SYSTEM32\titno.exe
    C:\WINDOWS\SYSTEM32\vhdytrxj.dll
    C:\WINDOWS\SYSTEM32\wtqyqeud.dll
    C:\WINDOWS\SYSTEM32\xytrubee.dll
    C:\WINDOWS\telnet.exe
    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uni_eh.exe
    C:\WINDOWS\winsysban8.exe
    If you have problems deleting any of the files listed, use Killbox as before. When you're done, reboot into normal mode and scan again with Kaspersky and HijackThis and give us two new logs and an update on the machine's behaviour.
  4. Nirvana

    Millions and Millions of Popups!!!

    Fix this line again:
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
    See if this file is still present: C:\WINDOWS\system32\rciacp.exe
    If it is then delete it.
    Is that folder still gone? If so can you try to run Kaspersky again and see if you can post the log. If you still can't then e-mail it to me at kangaroopooATgmail.com (AT=@).
    Post another logfile and let us know what problems remain; if you're still getting popups, what is their nature?
  5. Nirvana

    Millions and Millions of Popups!!!

    Download and run Ad-Aware. For best results follow the tutorial. Reboot your machine afterwards. See if that folder will stay deleted now and post another HijackThis log.
  6. Nirvana

    Millions and Millions of Popups!!!

    Oops! Try here: http://www.ccleaner.com/ccdownload.asp
  7. Nirvana

    Millions and Millions of Popups!!!

    Fix this one again using HijackThis:
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
    Next, download, unzip and launch the KillBox: http://www.downloads.subratam.org/KillBox.zip
    Select "Delete on Reboot".
    Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
    C:\WINDOWS\wgtaojnA.exe
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\Common Files\fmoq\fmoqm.exe
    C:\WINDOWS\system32\rciacp.exe
    C:\WINDOWS\system32\loader.exe
    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.
    Download: CCleaner from here
    Once installed, run CCleaner then tick the following:
    Next: click Options, click the Advanced tab. Uncheck: "Only delete files older than 48 hrs", click Ok. Then click Run Cleaner (bottom right) then, when it finishes scanning click Exit.
    N.B. Run CCleaner on all user accounts on the p.c.
    Then scan with Kaspersky again and see if you can paste the log, if not you can attach it to your post, look for the 'file attachments' box below your reply box.
  8. Nirvana

    Millions and Millions of Popups!!!

    Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
    O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames9.exe
    O4 - HKLM\..\Run: [] p2pnetworking.exe
    O4 - HKLM\..\Run: [wgtaojnA] C:\WINDOWS\wgtaojnA.exe
    O4 - HKLM\..\Run: [loader.exeSetup.exeR] C:\WINDOWS\system32\loader.exeSetup.exeR
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [] p2pnetworking.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [fmoq] C:\PROGRA~1\COMMON~1\fmoq\fmoqm.exe
    Set Windows to show hidden files:
    Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
    You should reverse these settings when we have you cleaned up.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.
    For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
    Navigate to and delete the following files:
    C:\windows\winsysban9.exe <-------- Delete this file.
    C:\WINDOWS\wgtaojnA.exe <-------- Delete this file.
    C:\Program Files\wmplayer\wmplayer.exe <-------- Delete this file.
    C:\Program Files\outlook\outlook.exe <-------- Delete this file.
    C:\Program Files\Common Files\VCClient\VCClient.exe <-------- Delete this file.
    C:\Program Files\Common Files\VCClient\VCMain.exe <-------- Delete this file.
    C:\Program Files\Common Files\fmoq\fmoqm.exe <-------- Delete this file.
    C:\WINDOWS\system32\p2pnetworking.exe <-------- Delete this file.
    C:\WINDOWS\system32\rciacp.exe <-------- Delete this file.
    C:\WINDOWS\system32\loader.exe <-------- Delete this file.
    C:\WINDOWS\system32\Setup.exe <-------- Delete this file.
    Use Start | Search to find and delete winlog.exe
    Boot back into normal mode.
    Please do an online scan with Kaspersky WebScanner
    Click on Kaspersky Online Scanner
    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    The program will launch and then begin downloading the latest definition files:
    Once the files have been downloaded click on NEXT
    Now click on Scan Settings
    In the scan settings make sure that the following are selected:
    Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    Scan Options: Scan Archives, Scan Mail Bases
    Click OK
    Now under select a target to scan: Select My Computer
    This program will start and scan your system. The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button:
    Save the file to your desktop.
    Copy and paste that information in your next post along with a new HijackThis log.
  9. Nirvana

    Millions and Millions of Popups!!!

    O.K. We've gotten rid of one nasty, let's tackle the others:
    Please download VirtumundoBeGone from here: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
    Save it to your Desktop.
    Close all running programs (including your Internet Browser).
    Double-click VirtumundoBeGone.exe on the desktop.
    Follow the directions as indicated.
    Please note that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
    When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply along with a new HijackThis log.
  10. Nirvana

    Millions and Millions of Popups!!!

    Hi Peter.
    Please download Look2Me-Destroyer.exe by Atribune to your desktop.
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown. Turn your computer back on.
    Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.
    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
  11. Nirvana

    Please Help Me!

    Because when you fix, you learn... No?
  12. Nirvana

    [Solved]Newxp Pro User Hjt Log

    You're welcome. It's a good idea to Flush your System Restore after ridding yourself of malware:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check Turn off System Restore.
    5. Click Apply, and then click OK.
    6. Restart the computer.
    7. Follow steps 1 to 3 again, then uncheck Turn off System Restore tab.
    When you are sure you are clean create a restore point. To create a restore point:
    Single-click Start and point to All Programs. Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
    To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
    SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts. More info and download are available at:
    SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
    IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free. More info and download are available at:
    IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
    Click here to make sure that you have the latest patches for Windows. Click here to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks.
    You may also want to read Tony Klein's article on "How I got Infected in the First Place": http://forums.net-integration.net/index.php?showtopic=3051
  13. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Cali, everything looks fine to me. If you're not having any issues you're good to go. If you are having issues, please specify....
  14. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Does ZoneAlarm give you a warning that those files are trying to get access to the internet? What exactly is ZoneAlarm telling you? Is Ad-Aware finding anything?
  15. Nirvana

    [Solved]Newxp Pro User Hjt Log

    These files need to be deleted:
    C:\windows\ahadp.exe
    C:\windows\system32\angelex.exe
    C:\windows\system32\ap9n4qmo.exe
    wmiprvs.exe <-------- Check the spelling on this one; wmiprvse.exe (with an 'e' on the end) is valid.
    Then scan with Ad-Aware again and have it fix anything it finds. Are you still having issues?
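The point made above about wmiprvs.exe versus wmiprvse.exe is a general one: a malicious file frequently takes a name one character away from a legitimate system process, so a check that compares process names against a known list by edit distance, and also verifies the directory the file runs from, is a useful first filter before deciding what to delete. The script below is an added example and is not code from this thread; its allowlist of system processes and their expected directories is constructed for illustration and is not exhaustive.

```python
"""Spot process names that are one typo away from a real Windows system binary.

Added example, not code from the thread. The allowlist below is constructed
for illustration (a handful of Windows XP system processes) and is not
exhaustive; directories are compared case-insensitively.
"""
import ntpath

# Constructed allowlist: process name -> directory it is expected to run from.
KNOWN_SYSTEM_PROCESSES = {
    "wmiprvse.exe": r"c:\windows\system32\wbem",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
LOOKALIKE_DISTANCE = 2  # edits allowed before a name stops looking like a typo of a known one


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(full_path):
    """Return (verdict, detail) for one process image path.

    verdict is one of 'ok', 'wrong-location', 'lookalike' or 'unknown'.
    """
    directory, name = ntpath.split(full_path)
    name, directory = name.lower(), directory.lower().rstrip("\\")
    expected = KNOWN_SYSTEM_PROCESSES.get(name)
    if expected is not None:
        # Exact name match: the directory still has to be the right one.
        if directory == expected:
            return "ok", name
        return "wrong-location", f"{name} expected in {expected}, seen in {directory}"
    # No exact match: is it a near miss of a well-known name?
    nearest = min(KNOWN_SYSTEM_PROCESSES, key=lambda k: levenshtein(name, k))
    if levenshtein(name, nearest) <= LOOKALIKE_DISTANCE:
        return "lookalike", f"{name} resembles {nearest}"
    return "unknown", name


def review(paths):
    """Classify every path; anything that is not 'ok' deserves a closer look."""
    return [(p, *classify(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample of image paths, mixing the thread's wmiprvs.exe with
    # a correct wmiprvse.exe and a svchost.exe running from the wrong folder.
    for row in review([
        r"C:\WINDOWS\system32\wbem\wmiprvse.exe",
        r"C:\WINDOWS\system32\wmiprvs.exe",
        r"C:\WINDOWS\svchost.exe",
        r"C:\windows\system32\angelex.exe",
    ]):
        print(row)
```

Feed it the image paths of the running processes (Task Manager on XP shows only names, so a tool that reports the full path is needed). A name reported as `unknown` is not cleared by this check; it only means the name is not imitating a system process, and the file still has to be identified on its own merits.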
  16. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Please download ServiceFilter.zip. This will reveal potential unauthorized running services in your system. Extract it to a new folder on your desktop. Double-click ServiceFilter.vbs. This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
  17. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Looks good, how's it running?
  18. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Download 16bit_fix.exe by from the link Here. When it is downloaded, double-click it to run it. It reinstalls the missing or corrupt XP system files command.com, autoexec.nt and config.nt which cause the error. Then post another HijackThis log (with nothing in the ignore list) and let us know of any issues you are still having.
  19. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Cali, your log looks fine. Are you still having problems?
  20. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Absolutely, although your log looks very short, can you post one after a reboot into normal mode please?
  21. Nirvana

    [Solved]Newxp Pro User Hjt Log

    Hello Cali,
    Please temporarily disable Spybot's Teatimer function by following the advice here: http://russelltexas.com/malware/teatimer.htm. This is because it may interfere with any changes we need to make. You can re-enable it when we're sure your log is clean.
    Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later.
    Download and install: CCleaner from here. Once again, don't run it yet.
    Make sure you have Set Windows to show Hidden Files & Folders.
    You may want to print out the rest of these steps to refer to as you go as we'll be working offline.
    Reboot into safe mode and follow these steps:
    Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
    O4 - HKLM\..\Run: [Microsoft Security] winService.exe
    O4 - HKLM\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe
    O4 - HKLM\..\Run: [regmgr32nt] msbin32.exe
    O4 - HKLM\..\Run: [uF5f3ni] dgstetab.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\RunServices: [Microsoft Security] winService.exe
    O4 - HKLM\..\RunServices: [NTFSS MICROSOFT SYSTEM] filees.exe
    O4 - HKLM\..\RunServices: [regmgr32nt] msbin32.exe
    O4 - HKCU\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe
    O4 - HKCU\..\Run: [regmgr32nt] msbin32.exe
    O4 - HKCU\..\RunServices: [regmgr32nt] msbin32.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
    Now navigate to and delete the following if present:
    C:\WINDOWS\System32\winService.exe <-------- Delete this file.
    C:\WINDOWS\System32\filees.exe <-------- Delete this file.
    C:\WINDOWS\System32\msbin32.exe <-------- Delete this file.
    C:\WINDOWS\System32\dgstetab.exe <-------- Delete this file.
    C:\WINDOWS\System32\gah95on6.exe <-------- Delete this file.
    C:\WINDOWS\zeta.exe <-------- Delete this file.
    Run CCleaner then tick the following:
    Then click Run Cleaner (bottom right) then, when it finishes scanning click Exit.
    Now click on Start | Run and type in: %temp% then click OK. Delete everything in that folder.
    Run CWShredder. Click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
    Now run Ad-Aware. Let it fix anything it finds.
    Reboot as normal then post a fresh HijackThis log and let us know how things are running.
  22. Nirvana

    Please Help Me!

    darkeyes, by all means post a HijackThis log, see here: http://pcpitstop.ibforums.com/index.php?showtopic=36065
  23. Nirvana

    New Computer - Similar Problems

    Download, unzip and launch the KillBox: http://www.downloads.subratam.org/KillBox.zip
    Once launched, in the box where it says Full Path of File to Delete copy and paste this in there:
    C:\WINDOWS\System32\wkkkrw.exe
    Select the "Delete on Reboot"
    When it asks if you would like to Reboot now, press the NO button.
    Run Killbox program again. In the field labeled "Full Path of File to Delete" enter the following files and reboot after the last one:
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\System32\wuaumgr.exe
    Reboot, then post a new HijackThis log and let us know how things are running.
  24. Nirvana

    New Computer - Similar Problems

    Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
    Press Ctrl/Alt/Del to open the Task Manager then click on the 'processes' tab. Now click on 'Image Name' to alphabetize the list. Find the following files, right-click on them and choose 'end process': wkkkrw.exe, wuaumgr.exe
    Now navigate to and delete:
    C:\WINDOWS\isrvs <-------- Delete this folder.
    C:\WINDOWS\System32\wkkkrw.exe <-------- Delete this file.
    C:\WINDOWS\System32\wuaumgr.exe <-------- Delete this file.
    Reboot, then post a new HijackThis log and let us know how things are running.
  25. Nirvana

    New Computer - Similar Problems

    Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [ayufkl] c:\windows\system32\ayufkl.exe
    Don't really know this one, if you don't need it then uninstall it.
    These are valid Microsoft critical updates, once you upgrade again to Service Pack 2 they will all be compacted into one entry:
    Click here <http://windowsupdate.microsoft.com/> to make sure that you have the latest patches for Windows. Click here <http://www.microsoft.com/windows/ie/default.asp> to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks. Keep going back until there is nothing left to install.
    Reboot, then post a new HijackThis log and let us know how things are running.
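The O2, O4 and O23 lines that several posts in this thread ask the user to 'Fix Checked' share a fixed layout, which makes them easy to parse and pre-sort before a helper reads the log by hand. The script below is an added example, not code from this thread or from HijackThis itself. Its sample log is constructed from entries quoted in the posts above plus one benign entry, and the heuristics it applies (bare filename with no directory, empty value label, file dropped at the drive root, Microsoft-sounding label outside system32, a BHO marked "(file missing)", a service whose vendor is "Unknown") are the example's own rules, not anything HijackThis does.

```python
"""Triage HijackThis log lines of the kind pasted in this thread.

Added example (not HijackThis code, not from the thread). It parses the
O2 (BHO), O4 (registry autorun) and O23 (service) line formats and applies a
few defensive heuristics of its own to rank which entries a helper should
inspect first.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# First token ending in a binary extension; whatever follows is arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|com|scr))", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\+[^\\]+$", re.IGNORECASE)
SYSTEM_DIR = r"c:\windows\system32"  # assumed Windows XP default install location


def executable_of(cmd):
    """Strip arguments such as '/auto' or 'reg_run' from an O4 command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split(" ")[0]


def triage_line(line):
    """Classify one log line; returns (kind, flags) where flags is a list of reasons."""
    line = line.strip()
    flags = []
    m = O4_RE.match(line)
    if m:
        label, exe = m.group("label"), executable_of(m.group("cmd"))
        if not label:
            flags.append("no-label")              # registry value has an empty name
        if "\\" not in exe:
            flags.append("bare-filename")         # found via the search path, no fixed directory
        elif DRIVE_ROOT_RE.match(exe):
            flags.append("drive-root")            # executable sitting directly under C:\
        if re.search(r"microsoft|windows", label, re.IGNORECASE) and not exe.lower().startswith(SYSTEM_DIR):
            flags.append("vendor-name-mismatch")  # Microsoft-sounding label, non-system location
        return "O4", flags
    m = O2_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            flags.append("file-missing")          # orphaned BHO registration
        return "O2", flags
    m = O23_RE.match(line)
    if m:
        if m.group("vendor") == "Unknown":
            flags.append("unknown-vendor")        # service binary with no recognised company name
        return "O23", flags
    return "other", flags


def triage(log_text):
    """Parse a whole log; entries with the most flags come first (stable for ties)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, flags = triage_line(line)
        rows.append({"line": line.strip(), "kind": kind, "flags": flags})
    return sorted(rows, key=lambda r: -len(r["flags"]))


# Constructed sample: entries quoted in the thread plus one benign
# Synchronization Manager entry so that a zero-flag line is present.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] C:\WINDOWS\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\rciacp.exe reg_run
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames9.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [Microsoft Security] winService.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['kind']:5} {row['flags'] or '-'}  {row['line']}")
```

Note what the rules miss: the `winsync` entry pointing at rciacp.exe in system32 gets no flags at all, which is why the helpers in this thread still verify each file on disk and rely on scanner output rather than trusting the log's surface features alone.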