
noahdfear

Trusted Malware Techs
  • Content Count: 336

Everything posted by noahdfear

  1. I'm not seeing anything in your logs that identifies the source of the error messages. Please describe them in more detail. Download GMER. Right click and extract it to its own folder on the desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has completed, click Copy and paste the results (if any) into this topic.
  2. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
       Filename: CFScript.txt
       Save As Type: All Files (*.*)

       http://forums.pcpitstop.com/index.php?s=&showtopic=163356&view=findpost&p=1552177
       Collect::[22]
       c:\windows\system32\drivers\xsqatwof.sys
       File::
       c:\windows\system32\drivers\Ndisprot.sys
       Registry::
       [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a989412-8707-11db-ad69-000ea65e656a}]

     Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log. Please do not click on the ComboFix window while it is running a scan. This can cause it to stall. Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
  3. Please run DDS again as described in post #2 then post the new log here.
  4. Kaspersky is about the best online scanner available, in my experience. I would say you're safe in removing all restore points and creating a new one. Don't worry ..... be happy. LOL
  5. 512 is a minimal amount of memory for XP, and when you start adding programs running too, you're barely scraping by. The RAM may also be on the weak side too. If at all possible, I would recommend you try adding more memory.
  6. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
       Filename: CFScript.txt
       Save As Type: All Files (*.*)

       File::
       c:\documents and settings\AJ\Desktop\RohanBotEn1.0.2\NtProcDrv.sys
       c:\windows\system32\f12da82.dll
       c:\windows\system32\1dcf9f62.dll
       c:\windows\system32\drivers\EagleNt.sys
       c:\windows\system32\2bf2a34a.dll
       c:\windows\system32\15d14f90.dll
       c:\windows\system32\wcdrtc32.dl_
       c:\windows\system32\KFUeevI8.exe
       c:\windows\system32\Wh33B63f.exe
       c:\windows\Tasks\At1.job
       c:\windows\Tasks\At10.job
       c:\windows\Tasks\At11.job
       c:\windows\Tasks\At12.job
       c:\windows\Tasks\At13.job
       c:\windows\Tasks\At14.job
       c:\windows\Tasks\At15.job
       c:\windows\Tasks\At16.job
       c:\windows\Tasks\At17.job
       c:\windows\Tasks\At18.job
       c:\windows\Tasks\At19.job
       c:\windows\Tasks\At2.job
       c:\windows\Tasks\At20.job
       c:\windows\Tasks\At21.job
       c:\windows\Tasks\At22.job
       c:\windows\Tasks\At23.job
       c:\windows\Tasks\At24.job
       c:\windows\Tasks\At25.job
       c:\windows\Tasks\At26.job
       c:\windows\Tasks\At27.job
       c:\windows\Tasks\At28.job
       c:\windows\Tasks\At29.job
       c:\windows\Tasks\At3.job
       c:\windows\Tasks\At30.job
       c:\windows\Tasks\At31.job
       c:\windows\Tasks\At32.job
       c:\windows\Tasks\At33.job
       c:\windows\Tasks\At34.job
       c:\windows\Tasks\At35.job
       c:\windows\Tasks\At36.job
       c:\windows\Tasks\At37.job
       c:\windows\Tasks\At38.job
       c:\windows\Tasks\At39.job
       c:\windows\Tasks\At4.job
       c:\windows\Tasks\At40.job
       c:\windows\Tasks\At41.job
       c:\windows\Tasks\At42.job
       c:\windows\Tasks\At43.job
       c:\windows\Tasks\At44.job
       c:\windows\Tasks\At45.job
       c:\windows\Tasks\At46.job
       c:\windows\Tasks\At47.job
       c:\windows\Tasks\At48.job
       c:\windows\Tasks\At5.job
       c:\windows\Tasks\At6.job
       c:\windows\Tasks\At7.job
       c:\windows\Tasks\At8.job
       c:\windows\Tasks\At9.job
       c:\windows\Tasks\RegCure Program Check.job
       c:\windows\Tasks\RegCure.job
       Registry::
       [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6688565b-f946-11dc-9ac0-001617ea7e85}]
       Driver::
       NTProcDrv

     Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log. Please do not click on the ComboFix window while it is running a scan. This can cause it to stall. **NOTE - Allow ComboFix to update if prompted.
  7. You've definitely still got some nasties on board. Let's get them cleaned out. Please visit the following webpage for instructions for downloading and running ComboFix: How to use ComboFix. Download ComboFix by sUBs from here, saving the file to your desktop. Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs. Close all open programs and windows. Double click ComboFix.exe and follow the prompts. It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply. Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall. **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted. Should your internet for some reason not work again, a restart should fix it (I don't expect that to happen though).
  8. Did you redo the Kaspersky scan as suggested? I would really like to know that it still reports clean. Remove the quarantine items via the MBAM interface>Quarantine. Hold off on clearing the restore points till verifying with Kaspersky that the system is clean.
  9. Hi tntroy61, Your log appears clean. That message basically tells you that your applications are trying to use more RAM than available, and it is increasing the amount of disk space available to store some of the data in RAM that it deems 'less important', allowing the 'more important' data to be processed through the faster RAM. Leo has a pretty good simplistic explanation here. How much memory is installed?
  10. Your log appears clean. If you want to double check, I suggest an online scan. Instructions follow if you want to. Do an online scan with Kaspersky Online Scanner. Click Accept when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. **Note** To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%. Post the Kaspersky log here.
  11. Did you install this? Desktop\RohanBotEn1.0.2\NtProcDrv.sys Did you also install HackShield?
  12. Hi strgazr04, MyWay is really just a pesky adware, meaning ad supported software. Use it, see ads. Did you by chance try uninstalling it via the Programs And Features applet in the Control Panel?
  13. Thank you. First, please open MBAM and select the Logs tab. Select the most recent scan and click View, then copy and post that log here. If there are several recent logs, post them all. Next, visit the following webpage for instructions for downloading and running ComboFix: How to use ComboFix. Download ComboFix by sUBs from here, saving the file to your desktop. Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs. Close all open programs and windows. Double click ComboFix.exe and follow the prompts. It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply. Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall. **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
  14. Please describe to us why you're posting a log. What symptoms or problems are you experiencing? This sort of information can be very important for us knowing what steps to take.
  15. Hi Mr Brightside, I sure would be interested in seeing what MBAM removed. Please see if it's still working after the system restore operation. If so, click the Logs tab and if there's a log present, select it then click View. Post its contents here. System Restore will roll back a number of things, but it generally will not remove rogue files that have been dropped, so let's run a scan tool that might show us if any are present. Please download DDS and save it to your desktop. Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt, Attach.txt. Save both reports to your desktop. Please include the contents of the following in your next reply: DDS.txt. I may ask for the Attach.txt log later, so keep it handy.
  16. Hi Loothawk, A bit more information would be helpful here. Log, please help me doesn't tell us much. Please download DDS and save it to your desktop. Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt, Attach.txt. Save both reports to your desktop. Please include the contents of the following in your next reply: DDS.txt. I may ask for the Attach.txt log later, so keep it handy.
  17. Just noticed your edit RE: Java. I recommend you uninstall all versions of Java listed in Add/Remove Programs then reboot. Next, go here and install the latest version.
  18. Great! Now open MBAM and remove any items quarantined. Do the same with your resident antivirus. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well. Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. You can delete any other logs that were created/saved too. Glad I could help Kieron. Merry Christmas to you also. Surf safe!
  19. Let's make sure something hasn't been missed. Please do an online scan with Kaspersky Online Scanner. Click Accept when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. **Note** To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Post the Kaspersky log here.
  20. That's a good sign Kieron. PC seem to be behaving properly? If so, I think we're done here.
  21. Couple of very strange values in those keys. Since we have backups, let's nuke em. Highlight and copy the contents of the code box below.

       reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_Dlls /f
       reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DriveConfiguration /f
       reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LegacyDrive /f
       exit
       cls

     Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own. Reboot and let me know if everything still behaves normally.
  22. Great! If everything appears to be working properly I'd say you're good to go.