Brutus_1

Help With Malware


Hello

Last week I got an infection on my new computer that I have been unable to remove. I have run several scans and they have picked up all sorts of things, but have not been able to remove them. They produce pop-ups at regular intervals, and work on Internet Explorer. Firefox and Google Chrome seem to be unaffected. They cause Internet Explorer to launch on its own, and seem to connect to something that then tries to download all sorts of things to my computer. My virus software blocks them at the moment, but things may be getting through, though it seems to be contained currently.

I checked out your site, and followed the instructions on the malware removal thread. I have attached them below; please could you take a look at them and help me to remove the malware on my computer. Many thanks

Richard

~ INLINE LOGS REMOVED {Lynx}


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using it. Enable everything you used MsConfig to disable. If you are receiving error messages related to these items at system start, we can fix this without using MsConfig.

-----------------------------------------------------------

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8450ECD6-C797-4777-A1B7-E4C4D38ADC2E}]

File::
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111111111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84111111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil8411111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84111111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil8411111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84111111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil8411111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84111111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil8411111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84111.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil8411.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil841.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
c:\documents and settings\Rich\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
c:\windows\system32\nvbjhjkn.dll
C:\Program Files\SUN.EXE
C:\Program Files\game.exe

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Hello

Thank you for your reply.

I only disable in config the programs that I know are malware. They were starting up when Windows loaded and stopping me from connecting to the internet unless I disabled them on start up.

I shall read through what you have suggested to make sure I follow it correctly and do it all tomorrow.

Thank you very much again for all your help, it is already working better....

Richard


Malware disabled via MsConfig cannot be removed properly. Everything that is disabled via MsConfig must be enabled so that it can be properly dealt with.
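The two posts above make the same point: an entry disabled in MsConfig is only moved aside, not removed, so a helper reading the logs will not see it where it normally lives. The following PowerShell, added here as an example and not part of this thread or of any tool it mentions, lists what MsConfig has parked so it can be compared against the scan logs. It assumes the Windows XP/Vista/7 behaviour where MsConfig stores disabled Run entries under `HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg`, each with `hkey`, `key`, `item` and `command` values.

```powershell
# Added example: enumerate startup entries that MsConfig has disabled.
# Assumption: MsConfig (XP/Vista/7) records each disabled Run entry as a
# subkey of the path below, with values hkey/key/item/command describing
# where the entry originally lived and what it ran.
$MsConfigBase = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'

function Get-MsConfigDisabledItems {
    $results = @()
    $regPath = Join-Path $MsConfigBase 'startupreg'
    if (-not (Test-Path $regPath)) {
        # Nothing has been disabled via MsConfig (or the key was never created)
        return $results
    }
    foreach ($entry in Get-ChildItem -Path $regPath) {
        $p = Get-ItemProperty -Path $entry.PSPath
        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
        $results += New-Object PSObject -Property @{
            Name     = $entry.PSChildName   # the value name MsConfig removed from the Run key
            Hive     = $p.hkey              # HKLM or HKCU
            OrigKey  = $p.key               # e.g. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
            Command  = $p.command           # the program that would have started
        }
    }
    return $results
}

# Print a table; an empty result means MsConfig is not hiding anything from the logs.
Get-MsConfigDisabledItems | Format-Table Name, Hive, OrigKey, Command -AutoSize
```

Run it in an elevated PowerShell prompt; the Command column shows the paths a responder would expect to see under the Run key in a HijackThis-style log.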


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.


Hello

Thank you for reopening this thread. I have attached the new logs. I think we can get it sorted out easily enough; it is running pretty well, just a few things I think still need removing.

Many thanks

Richard


Uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK.
  • Combo-Fix /uninstall
    Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Download a fresh copy of ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

Run ComboFix and attach the new log.


Hello

I ran the uninstall as you suggested, but it said it cannot find Combo-Fix? I saved it as Combo-Fix.exe as instructed onto the desktop, and there is also a Combo-Fix folder on the desktop. Is there another way of removing Combo-Fix so that all the components are removed?

Many thanks

Richard


Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Sorry, use this instead.

Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.


Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

File::
c:\windows\system32\balrlkehkktdla.exe
c:\windows\system32\tlrhuloe.dll
c:\windows\system32\uylxsxgjdfisd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C2372D4-6506-4674-9775-2011BB80DE40}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBFA6AE7-E8A1-9AA1-6D50-DCD7C82A1BA9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qggrslkuehggnwwkk"=-

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.


Hi Richard,

You provided the a-squared scan with outdated signatures:

"Last update: 26/12/2009"

Please update, rescan and attach a fresh report.

My regards


Please note that as long as you're using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

Additional information on the safety of Peer to Peer Networks is here : http://www.spywareinfoforum.info/articles/p2p/

For a list of tested P2P programs: http://p2p.malwareremoval.com/

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from questionable sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

-----------------------------------------------------------

The contents of your A-Squared log show several commercial programs in the Ares My Shared Folder. This leads me to believe that you have several programs installed on your computer that are not properly licensed. Software Piracy is a crime. It is theft, it's that simple.

I refer you back to the contents of the START HERE thread, where at the end of the thread we discuss software piracy and this forum's policies when we encounter a system that we suspect to contain illegal software.

If the Malware Removal Specialist sees anything that leads them to believe that you have pirated software installed or you are using a copy of Windows that does not have a valid license, you will be informed to remove the illegal software from your system before they will continue helping you further. Failure to comply with requests to remove illegal software will result in the immediate termination of assistance. In the case of illegal copies of the Windows Operating System, you will be informed to get "LEGAL"; we will continue to provide cleaning assistance. We understand that some are not aware that they have an illegal copy of the Windows Operating System. Once the system has been disinfected, you will not receive any further assistance until you have made your system "LEGAL".

Software Piracy is ILLEGAL and is not a victimless crime.


Hello

Thank you for your help.

I have been trying to run the a-2 free scan, but it keeps just stopping, though I think I have it running OK now and should have the report ready in the morning.

With regards to your reference to the Ares filesharing system, I use it occasionally to locate any of my personal documents for my website that may be being used on it. When I got this infection on here, I downloaded Ares in order to obtain the AVG free antivirus system as I had problems downloading it from the site. Although I had a trial version of Norton, I have come to loathe this program and have always preferred using AVG, but I had not got round to installing it on my computer by the time of the infection, being a new computer. If there are files/programmes of mine that are being shared through this programme on my computer can you let me know so I can remove them.

If you require my registration of my Windows then let me know. This is a brand new computer and I assure you that it comes with a fully validated Windows licence.

Many thanks for all your help

Richard


Just about everything available via P2P networks is protected work, and the majority of those files are infected. You should not be downloading anything via a P2P network from untrusted sources.

These are all commercial programs:

C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\autodesk maya unlimited v2009.exe/$[20].dll 	detected: Riskware.AdWare.Win32.RON!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\autodesk maya unlimited v2009.exe/MsgUpdate.dll 	detected: Riskware.AdWare.Win32.BHO!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\autodesk maya unlimited v2009.exe/BHOInstaller.exe 	detected: Riskware.AdWare.Win32.BHO!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\autodesk maya unlimited v2009.exe/IgfxSys.dll 	detected: Riskware.AdWare.Win32.BHO!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\autodesk maya unlimited v2009.exe/phuninst.dll 	detected: Riskware.AdWare.Win32.BHO!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\bryce d daz full iso studio.exe/Progress.dll 	detected: Trojan-Dropper.Agen!IK
C:\Documents and Settings\Rich\Local Settings\Application Data\Ares\My Shared Folder\carrara pro rar serial.exe/Progress.dll 	detected: Trojan-Dropper.Agen!IK

Every last one of them is a protected work under international law, treaties, and conventions. There are no legal downloads available from the vast majority of P2P networks, especially commercial applications.

All illegal applications must be removed from the system, before you will receive further assistance.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
