crunchie

Trusted Malware Techs
  1. crunchie

    [Solved]Damn Malware Again

    You are welcome. Will mark this as solved now.
  2. crunchie

    [Solved]Damn Malware Again

    That Silent Runners log was not complete, but looking at the FindIt log, you are now clean. Are you still experiencing any problems?
  3. crunchie

    [Solved]Damn Malware Again

    Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)

    I need to check for the Qoologic trojan now, which sometimes accompanies this infection. Go here and download FindIt.zip to your Desktop, unzip it, open the FindIt folder and double-click find.bat. Let it run (please be patient, it will take a few minutes); when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

    Go here and download and run Silent Runners.vbs. It generates a log; please post the information back in this thread.
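The O1 entries in the post above are the classic hosts-file hijack: several search hostnames all pinned to one public address, so every "search" lands on the attacker's server. The script below is an added example, not part of the original thread or of any tool mentioned in it. It parses a hosts file, flags non-loopback mappings that either pin a known search/update hostname or pile several hostnames onto one public IP, and emits a cleaned copy. The hosts content and the list of sensitive hostnames are constructed for the example; the 69.20.16.183 lines mirror the O1 entries above.

```python
"""Audit a Windows hosts file for search-redirect entries like the O1 lines above.

Added example, not from the original thread. SAMPLE_HOSTS is constructed: the
69.20.16.183 lines mirror the O1 entries in the post, the rest are ordinary.
"""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    ieautosearch
69.20.16.183    ieautosearch
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
192.168.1.10    fileserver   # legitimate LAN entry
"""

# Hostnames a browser contacts for search and updates. Pinning one of these to
# a public IP in hosts is a redirect, not a block. (Assumption: illustrative list.)
SENSITIVE_HOSTS = {
    "auto.search.msn.com",
    "search.netscape.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping; comments are stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), lineno


def audit_hosts(text, sensitive=SENSITIVE_HOSTS):
    """Return [(lineno, ip, hostname, reason)] for mappings worth removing."""
    entries = list(parse_hosts(text))
    names_per_ip = defaultdict(set)
    for ip, name, _ in entries:
        names_per_ip[ip].add(name)

    findings = []
    for ip, name, lineno in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue  # 127.0.0.1 localhost / ad-blocklist style entries are normal
        if name in sensitive:
            findings.append((lineno, ip, name, "search/update host pinned to non-loopback IP"))
        elif addr.is_global and len(names_per_ip[ip]) > 1:
            # One public address collecting several names is how the O1 hijack
            # above looks: every search host funnelled to one server.
            findings.append((lineno, ip, name, "public IP claims several hostnames"))
    return findings


def clean_hosts(text, sensitive=SENSITIVE_HOSTS):
    """Return the hosts text with every flagged line dropped."""
    bad = {f[0] for f in audit_hosts(text, sensitive)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {name}: {reason}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP, C:\WINNT\... on Windows 2000) by reading that file into the `text` argument; the loopback rule keeps legitimate ad-blocking hosts files (thousands of 127.0.0.1 lines) from being flagged, which a naive "more than one name per IP" check would get wrong.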
  4. crunchie

    [Solved]Damn Malware Again

    That log confirms the infection. Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
  5. crunchie

    [Solved]Damn Malware Again

    You have omitted the first line of your log that tells me the HijackThis version. It does not look like the latest though, so please do the following:

    Update HijackThis to version 1.99.1. Run HijackThis and go to Config\Misc Tools\Check for update on-line. If the site is down, go here. Remove the old version by opening the program, going to Config\Misc Tools, then Uninstall and exit. You then have to delete the file manually. Unzip the new version into the HijackThis folder.

    You may have the latest version of VX2. Download L2mfix from one of these two locations:
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  6. crunchie

    [Solved]Got About Blank Again,

    petro 116th, you are welcome. Sorry it didn't work out the way we would have liked.
  7. crunchie

    [Solved]Got About Blank Again,

    Try this scan at Panda and see if it can do the job.

    Make sure you are logged on as Administrator. Download the zip file and unzip fixme.reg. Close all browser windows. Double-click to run it and when asked if you want to merge with your registry, answer Yes. Reboot and post another log please.

    fixme.zip
  8. crunchie

    [Solved]Got About Blank Again,

    Got some new stuff. Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

    O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
    O2 - BHO: (no name) - {BF9B3742-6909-98B1-88C4-81BD77AAE879} - C:\WINNT\msib32.dll

    Go to http://bshagnasty.home.att.net/browsersettings.htm to change your browser security settings to a more secure setting that should help stop the installs.
  9. crunchie

    [Solved]Got About Blank Again,

    The two trojans that were not cleanable should be deleted manually. Download Pocket KillBox and unzip the file to your desktop. Run Pocket KillBox, paste the full file path of each of the below files in the box, and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file:

    C:\WINNT\System32\apphj32.exe
    C:\WINNT\System32\mslf32.exe
    C:\WINNT\system32\vkbwag.dat
    C:\WINNT\system32\vkbwag.exe
    C:\WINNT\system32\wnim.dll
    C:\WINNT\wnim.dll

    Reboot afterwards if the files are successfully deleted. If all files are not deleted, do not reboot yet. Run Pocket KillBox again, paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

    Run the PurityScan uninstaller.

    Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

    O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
    O4 - HKLM\..\Run: [systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

    Reboot and post another log please.

    Whether you reformat or not is up to you. Make sure though that you have backed up all necessary documents and have all the drivers you need afterwards. What problems are you still experiencing?
  10. crunchie

    [Solved]Got About Blank Again,

    That FindIt log was incomplete. You will need to rescan and post another. I would also suggest getting a firewall and anti-virus as you are likely getting hit every time you go online.

    To fix up the O15 entries do this:

    First, disconnect from the Internet!! (Please copy these instructions to Notepad for copy/paste use, since you will be off the Internet.)

    Next, launch Notepad, and copy/paste all the REGEDIT text below into it. Save in: Desktop. File name: fixme.reg. Save as type: All files. Click Save.

        REGEDIT4

        [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
        [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
        [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
        [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

    Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

    Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you also have to re-install IE-SpyAd if installed.
  11. crunchie

    [Solved]Got About Blank Again,

    Run HijackThis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes:

    vozhymx.exe
    170078.exe
    175906.exe

    Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
    O4 - HKLM\..\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitehxs32.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2:filtered:ed.biz
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

    Reboot into Safe Mode following the instructions here and navigate to and delete the following if found:

    C:\WINNT\isrvs <---- folder
    c:\winnt\system32\vozhymx.exe <---- file
    C:\WINNT\system32\dddd.exe <---- file
    c:\winnt\system32\elitehxs32.exe <---- file
    C:\WINNT\system32\boln.dll <---- file

    Reboot normally after doing the above, rescan with HijackThis, then post that log here please.

    Download, install and keep updated SpywareBlaster from www.javacoolsoftware.com to help keep your system clean.

    Go here and download FindIt.zip to your Desktop, unzip it, open the FindIt folder and double-click find.bat. Let it run (please be patient, it will take a few minutes); when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
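The post above hands the user a long list of O15 Trusted Zone domains to fix and a list of files to delete in Safe Mode, and the preceding post resets the whole ZoneMap with a REGEDIT4 file. The script below is an added example, not from the original thread and not HijackThis code: it parses HijackThis log lines, pulls the Trusted Zone domains into a targeted REGEDIT4 file that deletes only those domain keys (so legitimate Trusted Sites survive), separates out Trusted IP ranges that a .reg file cannot address by name, and collects the file paths referenced by O2/O4/O18 entries into a deletion list. The sample log is constructed from entries quoted in the posts above; the registry layout (a Trusted Zone entry for *.example.com stored under ZoneMap\Domains\example.com) is an assumption about IE's ZoneMap stated in the code.

```python
"""Turn HijackThis O2/O4/O15/O18 lines into a targeted fix list.

Added example, not from the original thread and not HijackThis code. SAMPLE_LOG
is constructed from entries quoted in the posts above. The .reg output deletes
only the listed Trusted Zone domains, a narrower alternative to the fixme.reg
above that wipes the whole ZoneMap. Registry layout assumed: IE keeps a
Trusted Zone entry for *.example.com under ZoneMap\\Domains\\example.com.
"""
import re

SAMPLE_LOG = """\
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\\WINNT\\system32\\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\\..\\Run: [vozhymx] c:\\winnt\\system32\\vozhymx.exe
O4 - HKLM\\..\\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\\..\\Run: [Windows Service] C:\\WINNT\\system32\\dddd.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\\WINNT\\isrvs\\mfiltis.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Drive-letter path ending in a binary extension; stops at whitespace, so
# "Rundll32.exe boln.dll" (no drive letter) is deliberately not matched.
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.(?:exe|dll|dat|ocx)\b", re.IGNORECASE)
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def parse_hjt(text):
    """Return [{'sec': 'O15', 'body': '...'}, ...] for every entry line."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append({"sec": m.group("sec"), "body": m.group("body")})
    return out


def trusted_zone_domains(entries):
    """Domains from 'O15 - Trusted Zone:' lines with the leading '*.' removed."""
    doms = []
    for e in entries:
        if e["sec"] == "O15" and e["body"].startswith("Trusted Zone: "):
            dom = e["body"][len("Trusted Zone: "):].strip()
            doms.append(dom[2:] if dom.startswith("*.") else dom)
    return doms


def trusted_ip_ranges(entries):
    """IPs from 'O15 - Trusted IP range:' lines. These live under
    ZoneMap\\Ranges\\RangeN and HijackThis does not show N, so they cannot be
    targeted by name in a .reg file; report them for manual removal."""
    ips = []
    for e in entries:
        if e["sec"] == "O15" and e["body"].startswith("Trusted IP range: "):
            ips.append(e["body"][len("Trusted IP range: "):].split()[0])
    return ips


def file_targets(entries):
    """Files referenced by O2/O4/O18 entries, skipping '(no file)' stubs."""
    paths = set()
    for e in entries:
        if e["sec"] in ("O2", "O4", "O18") and "(no file)" not in e["body"]:
            paths.update(WINPATH_RE.findall(e["body"]))
    return sorted(paths, key=str.lower)


def regedit4_for_domains(domains):
    """REGEDIT4 text that deletes each domain's ZoneMap key in HKCU and HKLM.

    A '[-key]' header removes the key and all subkeys, so subdomain-specific
    entries under the same domain go with it."""
    lines = ["REGEDIT4", ""]
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for dom in domains:
            lines.append(f"[-{hive}\\{ZONEMAP}\\Domains\\{dom}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(regedit4_for_domains(trusted_zone_domains(entries)))
    print("Trusted IP ranges to remove by hand:", trusted_ip_ranges(entries))
    print("Files to delete in Safe Mode:")
    for p in file_targets(entries):
        print("  ", p)
```

Two caveats a practitioner would want: an O4 entry such as `Rundll32.exe boln.dll, DllRegisterServer` names the DLL without a path, so the file list deliberately leaves it out rather than guess a directory (the matching O2 entry supplies the full path here), and `(no file)` stubs are skipped because only the registry reference remains for them, which the HijackThis "Fix checked" step handles.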
  12. crunchie

    [Solved]Got About Blank Again,

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
  13. crunchie

    [Solved]Got About Blank Again,

    It looks like you may have picked up the latest VX2 infection too. Download L2mfix from one of these two locations:
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  14. crunchie

    [Solved]Got About Blank Again,

    Download LSPfix from here. On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

    Download about:Buster and unzip it to your Desktop. Double-click on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update' and wait while it downloads. Once downloaded, click on Exit.

    When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders. Close all open windows and run HijackThis again. Check the below entries and click on Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
    O2 - BHO: (no name) - {2A928540-DC8A-1A4C-4EDC-95558CC66BBE} - C:\WINNT\apibn32.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [d3bd32.exe] C:\WINNT\d3bd32.exe
    O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
    O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
    O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
    O4 - HKLM\..\Run: [os3S3Fe] oddll.exe
    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewug32.exe
    O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\
    O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
    O4 - HKCU\..\Run: [ZBs2RPK3X] nwevol32.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2:filtered:ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab (searchmiracle)
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab (ISTbar variant)
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (Topconverting adware)
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    Close HijackThis and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive. To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'. Next, launch Notepad (click Start > Run > type notepad.exe and press Enter). When the file is open, right-click and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

    While still in Safe Mode, run a search and make sure that all of the below files have been deleted (if not, delete them):

    C:\WINNT\system32\rrrvu.dll <---- file
    C:\WINNT\system32\soft.exe <---- file
    C:\WINNT\apibn32.dll <---- file
    C:\WINNT\d3bd32.exe <---- file
    C:\WINNT\system32\sm.exe <---- file
    c:\winnt\system32\vozhymx.exe <---- file
    C:\WINNT\system32\oddll.exe <---- file
    C:\winnt\system32\elitewug32.exe <---- file
    C:\WINNT\system32\nwevol32.exe <---- file
    C:\WINNT\system32\dddd.exe <---- file
    c:\winnt\system32\aklsp.dll <---- file
    C:\WINNT\isrvs <---- folder
    C:\DOCUME~1\THEPET~1\LOCALS~1\Temp <---- folder contents
    C:\Program Files\ISTsvc <---- folder

    Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files.

    Post a new HijackThis log (and your about:Buster log).

    Download, install and keep updated SpywareBlaster from www.javacoolsoftware.com to help keep your system clean.

    Please try Symantec's fix tool to remove the ISTbar.
  15. crunchie

    Hijack This Log

    You are welcome. Sometimes these nasties do not want to leave. They find a new shiny home, move in a couple of mates and then just want to party on. Download Firefox from http://www.mozilla.org/products/firefox/releases/ and then basically, once installed, you're up and away. You still need IE for your M$ updates. I have FF on my PC and am much impressed, although Opera IMHO is a much better browser. Use FF for a while to get the feel of it, then set it as your default. You will not go back to IE, I think.