
ShadowPuterDude
Emsisoft Employee
  • Posts: 20056
  • Days Won: 212

Everything posted by ShadowPuterDude

  1. The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u17, available from Sun Microsystems.
     -----------------------------------------------------------
     Using Add or Remove Programs in the Control Panel, uninstall the following:
     -----------------------------------------------------------
     Download Avenger from HERE and unzip to your desktop.
     Run Avenger.
     Read the prompt that appears, and press OK.
     Copy & paste the following text in the Input script box:

         Folders to delete:
         c:\users\ninja asassyn\appdata\roaming\weatherdpa

         Registry values to delete:
         HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | AdobeBridge

     Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
     Note: It is possible that Avenger will reboot your system TWICE.
     Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
     -----------------------------------------------------------
     Attach fresh logs for:
       • Avenger (C:\avenger.txt)
       • a-squared Free/Anti-Malware
       • ISeeYouXP
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  2. There are no trojans in ISeeYouXP; I'm the author of that tool, and I would know if it was compromised.
     Unless you are having problems from Malware, it is time to do the final steps.
     If you used ComboFix, uninstall ComboFix: Click START, then RUN, enter the below into the run box and then click OK. (Use only the command of the same name as your copy of ComboFix.)

         AvoidTDSS /uninstall
         or
         combofix /uninstall
         or
         Combo-Fix /uninstall

     Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download. This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present.)
     Delete the following from your Desktop (If they exist):
         Avenger.exe
         Avenger.txt
         Avenger.zip
         CFscript.txt
         dds.scr
         dds.pif
         DisableAutoRuns.reg
         fixes.bat
         FixMe.reg
         FixReg.reg
         ISeeYouXP.exe
         ISeeYouXP.lnk
         ISeeYouXP.txt
         Win32kDiag.exe
         Win32kDiag.txt
         Anything else I had you use
     Delete the following files (If they exist):
         C:\Avenger.txt
         C:\ComboFix.txt
     Delete the following folders (If they exist):
         C:\Avenger
         C:\AvoidTDSSS
         C:\ComboFix
         C:\SDFix
         C:\Qoobox
     You can delete and uninstall any programs I had you download that you do not wish to keep on the system.
     Empty the Recycle Bin.
     Run CCleaner.
     Turn off System Restore to flush all your restore points, then turn System Restore back on.
     To manually turn off System Restore, follow these steps:
       1. Click Start, right-click My Computer, and then click Properties.
       2. Click the System Restore tab.
       3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
       4. Click Yes when you receive the prompt to turn off System Restore.
     To turn on System Restore, follow these steps:
       1. Click Start, right-click My Computer, and then click Properties.
       2. Click the System Restore tab.
       3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
     Delete C:\ISeeYouXP
     Run Windows Update and update your Windows Operating System.
     Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being outdated.
     That should take care of everything. Safe Surfing!
  3. Yes, it sounds like you have a good understanding of the "Restore" process for an HP system, and of the additional steps that need to be taken to protect the system.
  4. Unless you are having problems from Malware, it is time to do the final steps.
     If you used ComboFix, uninstall ComboFix: Click START, then RUN, enter the below into the run box and then click OK. (Use only the command of the same name as your copy of ComboFix.)

         AvoidTDSS /uninstall
         or
         combofix /uninstall
         or
         Combo-Fix /uninstall

     Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download. This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present.)
     Delete the following from your Desktop (If they exist):
         Avenger.exe
         Avenger.txt
         Avenger.zip
         CFscript.txt
         dds.scr
         dds.pif
         DisableAutoRuns.reg
         fixes.bat
         FixMe.reg
         FixReg.reg
         ISeeYouXP.exe
         ISeeYouXP.lnk
         ISeeYouXP.txt
         Win32kDiag.exe
         Win32kDiag.txt
         Anything else I had you use
     Delete the following files (If they exist):
         C:\Avenger.txt
         C:\ComboFix.txt
     Delete the following folders (If they exist):
         C:\Avenger
         C:\AvoidTDSSS
         C:\ComboFix
         C:\SDFix
         C:\Qoobox
     You can delete and uninstall any programs I had you download that you do not wish to keep on the system.
     Empty the Recycle Bin.
     Run CCleaner.
     Turn off System Restore to flush all your restore points, then turn System Restore back on.
     To manually turn off System Restore, follow these steps:
       1. Click Start, right-click My Computer, and then click Properties.
       2. Click the System Restore tab.
       3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
       4. Click Yes when you receive the prompt to turn off System Restore.
     To turn on System Restore, follow these steps:
       1. Click Start, right-click My Computer, and then click Properties.
       2. Click the System Restore tab.
       3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
     Delete C:\ISeeYouXP
     Run Windows Update and update your Windows Operating System.
     Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being outdated.
     That should take care of everything. Safe Surfing!
  5. Download SystemLook from one of the links below and save it to your Desktop.
       Download Mirror #1
       Download Mirror #2
     Double-click SystemLook.exe to run it.
     Copy the content of the following codebox into the main textfield:

         :filefind
         atapi.sy?

     Click the Look button to start the scan.
     When finished, a notepad window will open with the results of the scan. Attach this log in your next reply.
     Note: The log can also be found on your Desktop, entitled SystemLook.txt
  6. Contact the manufacturer of the system. They may be able to provide the installation media for a nominal fee, which would be far less than what Microsoft would charge for a copy of Windows XP Professional.
  7. You can't use OEM Installation Media that came from one manufacturer on a system not made by that manufacturer. Depending on the age of the system, it may have come with a special restore partition, in which case you can restore the system to its original ship state, meaning it will be just like it came out of the box the day it was first powered on. You should make every attempt to back up all personal files on the system before performing a clean install. If you have reason to believe that your system is infected, you should start a new thread for that system.
  8. Enrico, follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread. Attach the resulting logs from the tools in that thread. Quarantine lists aren't what I need to determine the state of your system.
  9. Based on the contents of the ComboFix log, the system is so heavily infected it may not be worth the effort to disinfect the system. A Clean Install of the Operating System would be the most prudent Course of Action. Instructions for performing a Clean Install of Windows XP can be found at http://www.theeldergeek.com/xp_home_install_-_graphic.htm
  10. Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

          Windows Registry Editor Version 5.00

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
          "Shell"="Explorer.exe"

      Close Notepad. Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.
      -----------------------------------------------------------
      Reboot
      -----------------------------------------------------------
      Attach fresh logs for:
        • a-squared Free/Anti-Malware
        • ISeeYouXP
        • HiJackFree
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  11. Download Avenger from HERE and unzip to your desktop.
      Run Avenger.
      Read the prompt that appears, and press OK.
      Copy & paste the following text in the Input script box:

          Files to delete:
          C:\WINDOWS\system32\avg_sr.dll
          C:\WINDOWS\system32\avirasafe.dll

      Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
      Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
      -----------------------------------------------------------
      HiJackFree logs are incomplete.
      Attach fresh logs for:
        • Avenger (C:\avenger.txt)
        • a-squared Free/Anti-Malware
        • ISeeYouXP
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  12. Thread Closed
      Reason: Resolved
      The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
      All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
  13. The logs look good. How are things running?
  14. Download ComboFix from one of these locations. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
        Link 1
        Link 2
        Link 3
      * IMPORTANT !!! Save Combo-Fix to your Desktop
      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
      Double click on ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      Click on Yes, to continue scanning for malware.
      When finished, ComboFix will produce a log.
      Note:
        1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
        2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
      -----------------------------------------------------------
      Attach fresh logs for:
        • ComboFix (C:\combofix.txt)
        • a-squared Free/Anti-Malware
        • ISeeYouXP
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  15. Submit the following file to http://www.virustotal.com
          C:\WINDOWS\system32\drivers\atapi.sys
      Provide the link to the scan results.
  16. Your a-squared logs show that no update of a-squared has been performed. Update a-squared to the latest definitions. Attach a fresh a-squared log.
  17. Microsoft Office 2007 is not legitimate. The a-squared log shows that it was activated by means of a Keygen.
      -----------------------------------------------------------
      Instructions for correcting the VIRUS ALERT! in the task tray can be found HERE
      -----------------------------------------------------------
      Now we need to use ComboFix to remove some stuff.
      Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it! If it is not on your Desktop, the below will not work.
      Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):

          KILLALL::

          Driver::
          CDAVFS

          File::
          c:\documents and settings\owner\desktop\virusremover2008.lnk
          c:\documents and settings\owner\application data\microsoft\internet explorer\quick launch\virusremover2008.lnk
          c:\documents and settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
          C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\host.html
          C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\referrer.html
          C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\script.html
          C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition + KEYGEN [VISTA comp]\Office [Keygen].exe
          C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition + KEYGEN [VISTA comp]\setup.exe
          C:\Program Files\Common Files\System Doctor\dcmon.exe
          c:\windows\DUMP2f2d.tmp
          C:\WINDOWS\system32\antlfqui.dll
          C:\WINDOWS\system32\bgdeiygl.dll
          C:\WINDOWS\system32\byXNddeC.dll
          C:\WINDOWS\system32\fcccdCtR.dll
          C:\WINDOWS\system32\hgGawUoM.dll
          C:\WINDOWS\system32\htdtxi.dll
          C:\WINDOWS\system32\jaxpcxbv.dll
          C:\WINDOWS\system32\jjabec.dll
          C:\WINDOWS\system32\jouvlyhy.dll
          C:\WINDOWS\system32\kaxjve.dll
          C:\WINDOWS\system32\kvthmy.dll
          C:\WINDOWS\system32\mlJApPHa.dll
          C:\WINDOWS\system32\mlJYpOFy.dll
          C:\WINDOWS\system32\nrlqxvfa.dll
          C:\WINDOWS\system32\ocrppwgb.dll
          C:\WINDOWS\system32\ogdmngln.dll
          C:\WINDOWS\system32\pjydppns.dll
          C:\WINDOWS\system32\tdssadw.dll
          C:\WINDOWS\system32\TDSSerrors.log
          C:\WINDOWS\system32\tdsslog.dll
          C:\WINDOWS\system32\tdssmain.dll
          C:\WINDOWS\system32\tdssserf.dll
          C:\WINDOWS\system32\tdssserf1.dll
          C:\WINDOWS\system32\tuvWmKeE.dll
          C:\WINDOWS\system32\vxtackpg.dll
          C:\WINDOWS\system32\wkfihlkn.dll
          C:\WINDOWS\system32\wvUkLFyv.dll
          C:\WINDOWS\system32\xlovou.dll
          c:\windows\system32\drivers\CDAVFS.sys

          Folder::
          C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert
          c:\documents and settings\Owner\Local Settings\Application Data\CyberDefender
          C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition + KEYGEN [VISTA comp]
          C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007
          C:\Program Files\Common Files\System Doctor

          Registry::
          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
          [-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
          [-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
          [-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
          [-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
          "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
          [-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
          [-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
          [-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

      Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe.
      At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
      You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Now use your mouse to drag CFscript.txt on top of ComboFix.exe.
      Follow the prompts. When it finishes, a log will be produced named c:\combofix.txt. I will ask for this log below.
      Note: DO NOT mouseclick ComboFix's window while it is running. That may cause it to stall.
      The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also, when you uninstall CF, the folder would not be removed since it does not look for that folder name.
      -----------------------------------------------------------
      Attach fresh logs for:
        • ComboFix (C:\combofix.txt)
        • a-squared Free/Anti-Malware
        • HiJackFree
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
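The thread-closing notices on this page stress that a removal script written for one system can damage another. An added illustration of how to audit such a script before it is run follows; this code is not from the forum, Avenger, ComboFix, or Emsisoft, and the only format knowledge it assumes is the section headers visible in the scripts quoted in posts 1, 11 and 17 above (`KILLALL::`, `Driver::`, `File::`, `Folder::`, `Registry::` for CFScript; `Files to delete:`, `Folders to delete:`, `Registry values to delete:` for Avenger). It separates whole-key deletions (`[-KEY]`) from single-value deletions (`"name"=-` under the preceding `[KEY]`) and flags anything under the Windows system directories. The sample scripts embedded in it are constructed and name no real files.

```python
"""Reviewer for Avenger / CFScript removal scripts (hypothetical helper; the
section names below come only from the scripts quoted on this page)."""
import re

CF_SECTIONS = ("KILLALL::", "Driver::", "File::", "Folder::", "Registry::")
AVENGER_SECTIONS = {
    "files to delete:": "File",
    "folders to delete:": "Folder",
    "registry values to delete:": "RegistryValue",
}
# Deletions here warrant a second look: a wrong entry can leave the OS unbootable.
SENSITIVE_PREFIXES = (r"c:\windows\system32\drivers", r"c:\windows\system32")


def _parse_sections(text, is_header):
    """Shared loop: is_header(line) returns a section name or None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = is_header(line)
        if name is not None:
            current = name
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def parse_cfscript(text):
    """{'KILLALL': [], 'Driver': [...], 'File': [...], ...} for a CFScript."""
    return _parse_sections(text, lambda l: l[:-2] if l in CF_SECTIONS else None)


def parse_avenger(text):
    """{'File': [...], 'Folder': [...], 'RegistryValue': [...]} for Avenger."""
    return _parse_sections(text, lambda l: AVENGER_SECTIONS.get(l.lower()))


def cfscript_registry_actions(lines):
    """Classify Registry:: lines as ('delete_key', key) or ('delete_value', key\\name)."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # context for following "name"=- lines
        else:
            m = re.match(r'^"(.+)"=-$', line)
            if m and key is not None:
                actions.append(("delete_value", key + "\\" + m.group(1)))
            else:
                actions.append(("unrecognised", line))
    return actions


def avenger_registry_actions(lines):
    """Avenger writes 'KEY | ValueName'; return ('delete_value', KEY\\ValueName)."""
    actions = []
    for line in lines:
        key, sep, name = line.partition("|")
        if sep:
            actions.append(("delete_value", key.strip() + "\\" + name.strip()))
        else:
            actions.append(("unrecognised", line))
    return actions


def sensitive_targets(sections):
    """File/Folder/Driver entries that live under the Windows system directories."""
    hits = []
    for kind in ("File", "Folder", "Driver"):
        for entry in sections.get(kind, []):
            if entry.lower().startswith(SENSITIVE_PREFIXES):
                hits.append((kind, entry))
    return hits


# Constructed samples (no real file or key names), in the two formats quoted above.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
EXAMPLEDRV

File::
C:\WINDOWS\system32\example1.dll
c:\windows\system32\drivers\EXAMPLEDRV.sys
C:\Documents and Settings\Owner\Desktop\example.lnk

Registry::
[HKEY_CURRENT_USER\Software\Example\Hooks]
"{00000000-0000-0000-0000-000000000000}"=-
[-HKEY_CLASSES_ROOT\Example.Toolbar]
"""

SAMPLE_AVENGER = r"""
Files to delete:
C:\WINDOWS\system32\example2.dll

Registry values to delete:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | ExampleRun
"""

if __name__ == "__main__":
    cf = parse_cfscript(SAMPLE_CFSCRIPT)
    for kind, target in sensitive_targets(cf):
        print("SYSTEM-DIR DELETE", kind, target)
    for action in cfscript_registry_actions(cf["Registry"]):
        print("REGISTRY", *action)
    for action in avenger_registry_actions(parse_avenger(SAMPLE_AVENGER)["RegistryValue"]):
        print("REGISTRY", *action)
```

Running it on a script received in a thread lists every path and key the script will remove, which is the information a reviewer needs to decide whether the script was written for the machine in front of them.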
  18. C:\WINDOWS\system32\Hook.dll is a malicious file.
      Only files with the extensions txt, log, pdf, rtf, rar and zip can be attached. Attachments of archives containing suspected malicious files are highly discouraged. We don't want unsuspecting users downloading and opening archives that contain malware.
      You should complete all the scans in the thread I linked to earlier. Malware almost never travels alone; there could be more malicious files on the system.
  19. Yes, the atapi.sys file you attached to your first post is the legitimate Microsoft atapi.sys for Windows XP SP3
  20. Thread Closed
      Reason: Lack of Response
      PM either ShadowPuterDude or Lynx to have this thread reopened.
      The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
      All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
  21. .dat files are absolutely useless. This is a Malware Removal support forum. In order for me to analyze what was quarantined I need the quarantine list, not a .dat file.
  22. Follow the instructions I posted previously, and stop cluttering this thread with posts that do not move this case to completion. If I see something of concern, I will tell you.
  23. Without logs, I can't even begin to determine what is or is not malware.
      All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
      English to French translation: http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fsupport.emsisoft.com%2Findex.php%3F%2Fforum-6%2Fannouncement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread%2F&sl=en&tl=fr&history_state0=
      English to German translation: http://translate.google.com/translate?hl=en&sl=en&tl=de&u=http%3A%2F%2Fsupport.emsisoft.com%2Findex.php%3F%2Fforum-6%2Fannouncement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread%2F
      English to Italian translation: http://translate.google.com/translate?hl=en&sl=en&tl=it&u=http%3A%2F%2Fsupport.emsisoft.com%2Findex.php%3F%2Fforum-6%2Fannouncement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread%2F
      English to Spanish translation: http://translate.google.com/translate?hl=en&sl=en&tl=es&u=http%3A%2F%2Fsupport.emsisoft.com%2Findex.php%3F%2Fforum-6%2Fannouncement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread%2F
      EDIT: The copy of atapi.sys that you originally attached to your first post is the correct file for Windows XP SP3; file size, md5, file name and signature match.