yellowhammer
Trusted Malware Techs
Content Count: 115
Everything posted by yellowhammer

  1. You're welcome. You may delete all the files you downloaded. They should not be needed anymore. Some tips to keep your computer secure:
     1. Keep Windows updated via the Windows Update site. Better yet, set it up to automatically update. Instructions here.
     2. Keep a good antivirus system updated and running at all times. I use NOD32, available here. If you want a good free antivirus, try AVG, which is available here.
     3. Keep a firewall running at all times. I recommend Sygate Personal, available here.
     4. Set up your Internet Explorer security properly. See instructions here.
     5. Use Adaware and Spybot S&D weekly after updating.
     6. Use SpywareBlaster, SpywareGuard, IE-Spyad. Links to all of these on my site here.
     7. Replace your hosts file with the one available here.
     8. Run BugOff, available here, which disables three exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.
     9. Switch browsers. Try Firefox, available here, or Opera, available here.
  2. Sygate should not slow down your computer. Right click on it and exit and see if it speeds back up. If it does, then it is sygate related. If not, it is something else.
  3. Housecall should be able to delete them. If not, get the names and delete them manually. Sygate does not appear to be running based on your last log. Try uninstalling and reinstalling it now that the trojan is gone.
  4. Post a hijackthis log and I can tell if it is running. It normally shows in the system tray as a couple of up/down arrows.
  5. Earlier you were asked to check for the file KTD32.ATM and said you found it. See if you can delete it. If Norton is scanning emails at boot up then something is sending out the email. That is a good piece of information. Why don't you download Sygate Personal Firewall and install it as it does not look like you have a firewall installed. After a reboot it will be enabled. At that point it will start monitoring programs accessing the internet. Right click on it in the system tray and select "applications" and then remove all. That will force it to ask permission for each program that tries to access the net. You will get a pop up message asking for permission for a program to access the net. If an email is being sent, it will identify the program that is trying to send it. Get that information and post back. Get the firewall here: http://www.tucows.com/preview/213160.html
  6. Something is obviously protecting C:\windows\services. I have a couple more suggestions. First, repeat the last set of instructions. But do them in safe mode. Let's see where that gets us. After that I have one more idea.
  7. 7. If you were successful in killing the C:\windows\services process, browse to and delete file C:\WINDOWS\services.exe. If that is successful go to step 9. If not, do step 8.
     8. Open killbox that you downloaded in the first step. Make sure the following are checked:
        Delete on Reboot
        End Explorer Shell While Killing File
        Then type the full path to the following files in the killbox address bar:
        C:\WINDOWS\services.exe
        Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.
     9. Reboot, scan and post another log after the reboot.
  8. Kill the one that has just services.exe. The one in the system32 folder is legitimate.
  9. 1. Download Pocket Killbox here. Unzip the folder to your desktop.
     2. Copy the information in the quote box to notepad. Save it to your desktop as type "all files" and name it pro.reg (note it is the same as you previously did, so you don't have to recreate it if you still have it).
     3. Download Process Explorer here and unzip it.
     4. Disconnect from the internet, and make sure Norton Antivirus realtime protection is not running. (Right click on it in the system tray and disable.)
     5. Open Process Explorer. The top pane will show the processes that are running. Look through the list for services.exe. There will be two running. Place your mouse pointer over both of them and find the one that is in C:\Windows. When you find it, right-click on it and select kill process tree. If you get any messages about it being a system file etc., ignore them and kill it.
     6. Double-click the pro.reg file you created and grant it permission to merge the registry entries.
     7. If you were successful in killing the C:\windows\services process, browse to and delete file C:\WINDOWS\services.exe. If that is successful go to step 9. If not, do step 8.
     8. Open killbox that you downloaded in the first step. Make sure the following are checked:
        Delete on Reboot
        End Explorer Shell While Killing File
        Then type the full path to the following files in the killbox address bar:
        C:\WINDOWS\services.exe
        Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.
     9. Reboot, scan and post another log after the reboot.
  10. Yes, but we made progress the last time as the O20 entry is gone. I think we are close now.
      1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL
      2. Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it search.reg. Save it to your desktop and do not run it yet.
      3. Disconnect from the internet and stay disconnected until you are through with these instructions.
      4. Double click on the search.reg file and grant it permission to add the registry entries.
      5. Open killbox. Make sure the following are checked:
         Delete on Reboot
         Then type the full path to the following files in the killbox address bar:
         C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)
      6. After the reboot scan with hijackthis and fix all the following entries.
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
      Reboot and post another log.
  11. Still there. Here are about 3 other things that may get us some more information.
      1. Download Service Filter from here or here and unzip it. Follow the instructions that will be unzipped in the folder. Post the contents from the POST_THIS.TXT file that is generated.
      2. Download the Registry Search Tool here. Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Put the following in the search box: services.exe Post the results.
      3. Download autoruns here. Open it and click on view at the top menu and make sure all the following are checked:
         Show All Locations
         Show Services
         Then click the save button and save the .txt file generated. Copy and paste the contents of it into the next reply.
  12. OK, let's try another method. Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm Save it to your desktop; you'll need it later. Close all Internet Explorers and folders also. Now run the APM program. In the upper window select C:\WINNT\explorer.exe. In the lower window find and right-click this file: C:\WINNT\System32\W8C6S4~1.DLL Select Unload DLL and click OK on the prompts that follow. Do the same for fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll or whatever file is currently listed in the O20 line.
      Run Hijackthis and fix these:
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
      O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      ======================
      Run Cwshredder again. Scan and post another log.
  13. Copy the information in the quote box to notepad. Save it to your desktop as type "all files" and name it pro.reg Then doubleclick it and grant it permission to merge the registry entries. Then reboot and post another log.
  14. 1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL
      2. Download the latest version of AVG antivirus here and install it. Disable your existing antivirus temporarily and have AVG do a full scan. Have it remove everything it finds.
      3. Download cwshredder here and unzip it to your desktop. Don't run it yet.
      4. Reboot to safe mode.
      5. Run cwshredder. Close all browser windows and click on the fix/next button.
      6. Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it search.reg. Double click on the search.reg file and grant it permission to add the registry entries.
      7. Open killbox. Make sure the following are checked:
         Delete on Reboot
         End Explorer Shell While Killing File
         Unregister .dll Before Deleting
         Then type the full path to the following files in the killbox address bar:
         C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)
         and
         C:\WINNT\System32\hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
         Click the Delete on Reboot button. Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click No until you have pasted the path to the last file. On the last file click Yes and allow it to reboot.
      8. After the reboot, scan with hijackthis and fix all the following entries.
         R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
         R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
         R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
         R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
         O15 - Trusted Zone: *.greg-search.com
         O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      Reboot and post another log.
  15. Jamie823, I am trying to get some further information on this as well. Would you be kind enough to do the following? Download and unzip the file here to your desktop. It is titled prorat.bat. Double-click on it and it should generate a file called look.txt. Copy and paste the contents of that file into your next response. Also would you please browse to and open the C:\windows\win.ini file with notepad and copy and paste it to your reply. Also would you please browse to and open the C:\WINDOWS\SYSTEM.INI file with notepad and copy and paste it to your reply.
  16. Ok, Now scan again with hijackthis and post the log. After you do so, do not reboot until I get back with you. This thing changes every time you reboot.
  17. Apparently this is a new variant. There are several people working on these in several forums and they are proving difficult to remove. Let me see if I can get some additional information.
      Download autoruns here. Open it and click on view at the top menu and make sure all the following are checked:
      Show All Locations
      Show Services
      Then click the save button and save the .txt file generated. Copy and paste the contents of it into the next reply.
      Download the Registry Search Tool here. Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Put the following in the search box: {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} Post or upload the results.
  18. That is associated with registrar lite. Copy and paste it into the address bar in registrar lite.
  19. Are you copying the file name to the address bar in Killbox.exe or internet explorer? You should have internet explorer off while doing this.
  20. Launch Notepad. Copy/paste the text in the box below into a new text file. Save it as fixme.reg on your Desktop.
      Download Registrar Lite here. Copy and paste the following into the address bar and click go:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
      Double-click the AppInit_DLLs value in the right pane to open its properties. Clear anything in the "Value" line and then OK out.
      Go here: http://download.broadbandmedic.com and download Pocket KillBox. Run Killbox.exe and be sure that 'Delete on Reboot' is checked. Copy and paste each of the following file(s) to the address bar:
      C:\WINDOWS\system32\xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      C:\WINNT\System32\W8C6S4~1.DLL
      After each file press the 'Delete' icon to the far right of the address bar. A dialog box will ask if you want to delete and reboot now - on all but the last file, answer 'No'. For the last file (or first, if only one file), answer 'Yes'.
      On restart reboot in Safe Mode, verify that the files have been deleted. Locate fixme.reg on your Desktop that you created in the first step and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
      Then check the following items in HijackThis.
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
      O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
      O20 - AppInit_DLLs: xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      Close all windows except HijackThis and click Fix checked. Reboot in normal mode and scan again.
  21. You are running hijackthis from within a temporary folder. That is not a good idea as you will lose your ability to restore any mistakes. Right click on your desktop and select New>Folder. Name the folder hijackthis. Then unzip hijackthis into the new folder. We are going to empty the temporary folders at the end so it will get deleted if you don't move it.
      Uninstall all of the following that are listed in the "Add/Remove Programs" in the Windows® Control Panel:
      Spyware Begone
      Download cwshredder here. Close all browser windows and click on the fix/next button.
      Make sure you can view hidden and system files: Instructions here.
      Boot to safe mode: Instructions here.
      Then close all windows and have hijackthis fix the following that are still listed:
      R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL
      O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
      O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
      O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
      O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
      O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan
      O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
      O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
      O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
      O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
      O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      Then delete the following files or folders:
      C:\WINNT\System32\z58l0m13wiywethd.exe <-File
      C:\WINNT\System32\SG12UN~1.DLL <-File
      The following step is important as you may have several malware files in your temp directory. Then browse to the C:\documents and settings\Your User Name (repeat for all users in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows (Winnt)\Temp folder and delete all files and folders in it. Then in Internet Explorer click tools>internet Options>General. Click on Delete Files; make sure you get all offline content as well. Then empty the recycle bin. Then reboot to normal mode.
      Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
      Open adaware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
      Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.
      Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:
      Scan within archives
      Scan active processes
      Scan Registry
      Deep-scan Registry
      Scan my IE Favorites for banned URLs
      Scan my Hosts File
      Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
      Scan registry for all users instead of current user only
      Make sure the following is unchecked with a "red" X:
      Unload recognized processes & modules during scan.
      Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
      Always try to unload modules before deletion
      During Removal, unload Explorer and IE if necessary
      Let Windows remove files in use at next reboot.
      Click the "Proceed" button to save settings. Click the "Next" button to start the scan. When a scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
      Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.
      To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
      Then search your hard drive for the following file and let me know where it is. You may check the windows/system32 first as it is probably in it.
      su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      Post a fresh HijackThis log please and the location of the above file.
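As an added example (not yellowhammer's code or any tool from the thread), a small Python triage script that applies the patterns visible in the HijackThis entries quoted in posts 14, 20 and 21: IE start/search pages pointing at win-eto.com, the unnamed BHO, the greg-search.com trusted-zone entry, the ms-its: CHM loader, and the AppInit_DLLs name with a chain of .dll suffixes. The indicator hosts and the sample log lines come from the posts (the long .dll name is shortened in the constructed sample); the flagging rules are my assumptions, not HijackThis's own logic.

```python
import re
from urllib.parse import urlparse

# Hosts named in the log entries yellowhammer quotes (win-eto.com start/search
# pages, the greg-search.com trusted-zone entry, the greg-tut.com CHM loader).
BAD_HOSTS = {"win-eto.com", "greg-search.com", "greg-tut.com"}

# "R0 - HKCU\...,Start Page = http://..."  ->  type "R0", body "HKCU\...".
LINE_RE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.*)$")

# Constructed sample log: entries quoted in posts 14, 20 and 21, plus two
# lines (the gateway.net start page and a Run entry) that the rules ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll
"""

def host_of(url):
    """Hostname of a URL (or of a *.domain zone pattern), lower-cased."""
    host = urlparse(url.strip()).hostname or url.strip()
    return host.lower().lstrip("*.")

def assess(line):
    """Return a reason string if a HijackThis line matches a known-bad pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    if kind in ("R0", "R1") and "=" in body:
        # Hijacked IE start/search page: the URL after the first "=".
        host = host_of(body.split("=", 1)[1])
        if host in BAD_HOSTS:
            return f"{kind}: IE page setting points to {host}"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "O2: Browser Helper Object with no name"
    elif kind == "O15" and body.startswith("Trusted Zone:"):
        host = host_of(body.split(":", 1)[1])
        if host in BAD_HOSTS:
            return f"O15: {host} added to the Trusted Zone"
    elif kind == "O16" and "ms-its:" in body.lower():
        return "O16: DPF object loaded through an ms-its: CHM URL"
    elif kind == "O20" and body.startswith("AppInit_DLLs:"):
        name = body.split(":", 1)[1].strip()
        if name.lower().count(".dll") > 1:
            return "O20: AppInit_DLLs name with a chain of .dll suffixes"
    return None

def triage(log_text):
    """Return [(line, reason)] for every line of the log that assess() flags."""
    hits = []
    for line in log_text.splitlines():
        reason = assess(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) to get the flagged lines; anything not flagged still needs a human look, since the rules only cover the patterns quoted in these posts.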
  22. You're welcome. Have a good one. :beer:
  23. That should have worked. With only 1 IE window open -- stretch the window to the size that you want all of your IE 'open new window' sizes to be then hold down your control key and click on the X icon to close. If that does not work try some of the solutions at the following link: http://www.wintrouble.net/cgi-bin/ubb/ulti...ic;f=9;t=000264
  24. Copy the information in the quote box to notepad. Save it to your desktop as type "all files" and name it IE.reg. Doubleclick the IE.reg file and grant permission to add the registry entries.