
Malwarebytes

Same old S&D/Hijackthis/Kaspersky/MalBytes permissions denied

12 replies to this topic

#1
VeryHopeful

    New Member

  • Members
  • 9 posts
So the problem I've been having seems pretty common as of late.
It all started with AVcure.exe installing itself. I quickly removed the program and went searching for any other problems.
So I found D.exe and f.exe were running, searched for them and only found the prefetches, removed those and removed the programs from the startup in MSconfig. I also found the msa.exe and msb.exe files and deleted those.
Other than that, I've had the same 'you may not have the appropriate permissions' problem with S&D/Hijackthis/Kaspersky/MalBytes/Ad-Aware.
I've used fr33 to open up MalBytes but it closed down as soon as I hit scan, and I get the permissions report the next time I try to open it.
I've been browsing other people's threads on this and started with running avenger and Win32kdig, and here are the results. Any help would be great.
Oh, I just found grep.cfxxe and pv.cfxxe running; not sure what they are, but yeah. And there was a nircmd.cfxxe when I tried to run ComboFix in safe mode, and no, I'm not typing the extension wrong, it's cfxxe command.
THANKS AGAIN!!!

#2
VeryHopeful

Results in text


#3
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs
Research Engineer

#4
VeryHopeful

Log in attached txt

Attached file: log.txt (134.55K)


#5
sUBs

Please let me know if you still have System Mechanic installed on this machine?

#6
VeryHopeful

I don't see it under start menu or program files, no.

#7
sUBs

In that case, run this ...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
rem Reset the Session Manager BootExecute value to the Windows default
swreg add "hklm\system\currentcontrolset\control\session manager" /v bootexecute /t reg_multi_sz /d "autocheck autochk *"
rem Remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Force-delete each listed file; record any that could not be deleted
for %%g in (
c:\windows\system32\UACrbwsljalua.dll
c:\windows\system32\UACsdpsbimafj.dll
c:\windows\system32\UACkiorjoliql.dat
c:\windows\system32\UACsntajqrrkw.dll
c:\windows\system32\UACxqlrxqvemc.dll
c:\windows\system32\drivers\UACyqxumafsoi.sys
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the list of surviving files, or report success if none remain
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
rem Uninstall ComboFix, then delete this batch file
start "." "c:\documents and settings\Kevin\Desktop\ComboFix.exe" /U
del %0

Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this: [image]
Double click on fix.bat & allow it to run.

Post back to tell me what it says

#8
VeryHopeful

It said file deleted successfully, then it said ComboFix was uninstalled. Then the windows closed.

#9
VeryHopeful


VeryHopeful, on Aug 31 2009, 03:18 AM, said:

    It said file deleted successfully, then it said ComboFix was uninstalled. Then the windows closed.

Also, the .bat file vanished from the desktop.

#10
sUBs

LOL .. Didn't I say the water's fine?


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.



  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


  • http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955

After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

#11
VeryHopeful

Wow... that was freakishly fast. No wonder you're hailed as the awesomeness.
Running malbytes now and reinstalling apps.

Quick question: so I tried to run Hijackthis off of an external HD during this process and now the comp isn't recognizing it when I plug it in. Could this be a result of w/e was in my system or something separate?

#12
sUBs


Quote

i tried to run hijackthis off of an external hd during this process and now the comp isnt recognizing it when i plug it in
Have you tried plugging it into another machine to verify if the external drive isn't faulty?

#13
VeryHopeful

I'll try tomorrow, Thanks for now. You can mark me off as a job well done.
