Perplexus

Experts
  • Content count: 70
  • Rank: Regular Member
  1. This news pains my heart...I will miss you my dear friend...
  2. This news has broken my heart. I have kept up with Matt over the years and I was always happy to hear from him. I still remember the day when he excitedly IMed me to tell me about his new job with Malwarebytes. The world has lost a most valuable man. Rest in peace my dear friend.
  3. Let's do a little more information gathering.

     Step 1:
     Please submit the following files to VirScan.org. Please go to VirSCAN.org FREE on-line scan service. Copy and paste the following files one at a time into the "Suspicious files to scan" box on the top of the page:
         c:\windows\explorer.exe
         c:\windows\system32\userinit.exe
     - Click on the Upload button.
     - Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
     - Paste the contents of the Clipboard in your next reply.
     If VirScan.org server is too busy, please submit the file to VirusTotal instead.

     Step 2:
     Download RootRepeal from one of the following locations: Location 1 (Zip File), Location 2 (Zip File), Location 3 (RAR File), Location 4 (Zip File), Location 5 (RAR File). Unzip it to your Desktop.
     - Double click RootRepeal.exe to start the program.
     - Click on the Report tab at the bottom of the program window.
     - Click the Scan button.
     - In the Select Scan dialog, check: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
     - Click the OK button.
     - In the next dialog, select all drives showing.
     - Click OK to start the scan. Note: The scan can take some time. DO NOT run any other programs while the scan is running.
     - When the scan is complete, the Save Report button will become available.
     - Click this and save the report to your Desktop as RootRepeal.txt.
     - Go to File, then Exit to close the program.
     If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     To attach a file, do the following:
     - Click Add Reply.
     - Under the reply panel is the Attachments Panel.
     - Browse for the attachment file you want to upload, then click the green Upload button.
     - Once it has uploaded, click the Manage Current Attachments drop down box.
     - Click on to insert the attachment into your post.

     Step 3:
     Download OTL to your desktop.
     - Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
     - When the window appears, underneath Output at the top change it to Minimal Output.
     - Check the boxes beside LOP Check and Purity Check.
     - Under the Custom Scan box paste this in:
         netsvcs
         %SYSTEMDRIVE%\*.exe
         %SYSTEMDRIVE%\eventlog.dll /s /md5
         %SYSTEMDRIVE%\scecli.dll /s /md5
         %SYSTEMDRIVE%\netlogon.dll /s /md5
         %SYSTEMDRIVE%\cngaudit.dll /s /md5
         %SYSTEMDRIVE%\sceclt.dll /s /md5
         %SYSTEMDRIVE%\ntelogon.dll /s /md5
         %SYSTEMDRIVE%\logevent.dll /s /md5
         %SYSTEMDRIVE%\iaStor.sys /s /md5
         %SYSTEMDRIVE%\nvstor.sys /s /md5
         %SYSTEMDRIVE%\atapi.sys /s /md5
         %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
         %SYSTEMDRIVE%\viasraid.sys /s /md5
         %SYSTEMDRIVE%\AGP440.sys /s /md5
     - Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
     - When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
     - Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

     Step 4:
     Please post back with the following:
     - Results from virscan.org
     - RootRepeal.txt
     - OTL.txt
     - Extras.txt
  4. Hello and welcome to Malwarebytes! My name is Perplexus and I will be helping you fix your computer problem. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate, so stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

     Before we proceed to clean your computer from malware there are some points you should consider that will make the process go smoother:
     - Before beginning the fix, read this post completely. If there's anything that you do not understand, please ask your questions before proceeding as you may temporarily be disconnected from the internet. No question is considered dumb here. It's better to be safe than sorry!
     - Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. It is IMPORTANT that you do not miss a step & perform everything in the correct order/sequence.
     - Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested, as it can be very dangerous and cause harm to your system.
     - When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad, in the menubar click on Format and make sure that Word Wrap is unchecked).

     Download ComboFix from one of these locations: Link 1, Link 2.
     * IMPORTANT !!! Save ComboFix.exe to your Desktop
     - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
     - Double click on ComboFix.exe & follow the prompts.
     - As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     - Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     - Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     - Click on Yes, to continue scanning for malware.
     - When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  5. You are very welcome. We're glad we could help
  6. Hi Chuck Q,
     Run OTL
     - Under the Custom Scans/Fixes box at the bottom, paste in the following:
         :OTL
         PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
         :Files
         C:\Documents and Settings\Kellies.KELLIE\My Documents\LimeWire\Saved\T.I. - Paper Trail - Let My Beat Pound(1).mp3
         C:\Documents and Settings\Kellies.KELLIE\My Documents\LimeWire\Saved\T.I. - Paper Trail - Let My Beat Pound.mp3
         C:\My Downloads\EmpireEarthGoldSetup-dm.exe
         C:\Nexon\MapleStory\MapleStory.exe
         C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
         :Commands
         [purity]
         [emptytemp]
         [Reboot]
     - Then click the Run Fix button at the top.
     - Let the program run unhindered, reboot the PC when it is done.
     - Post the log it produces in your next reply.
  7. Hey brudi, Thank you so much for the kind words. It really keeps us going over here! As far as McAfee goes, if you already have a subscription then you might as well keep it. No sense in throwing away money. No antivirus is capable of detecting every infection. There is a website, called AV-Comparatives that does independent tests on antivirus applications and publishes the data. You can find detection rates for each of the packages. Personally, I quit using the big commercial apps like McAfee and Norton because you can get just as good if not better protection from the right combination of free products. I use Antivir for my antivirus along with Outpost for my firewall. Outpost is nice because if you are doing something new, you can put it into training mode and it will quit asking your permission to run the new apps. It will silently create rules for you. My recommendations always just entail free software, thus the SpywareGuard app is good to use. I actually use the paid version of Malwarebytes as additional real time protection in lieu of SpywareGuard. Even if you don't purchase Malwarebytes, I strongly urge you to keep the free version and do scans a couple times a month just to make sure you are clean. One caveat I should tell you is that with the free antivirus and firewall applications, you will encounter "nag" screens. These are screens that pop up everyday after an update to see if you're ready to buy. While I can't make the decision for you, I hope that you find the above information helpful. Let me know if I can be of any further help.
  8. Well done! Your log appears clean!

     Step 1:
     We're almost done. We need to do some clean up and get you on your way. Follow these steps to uninstall Combofix:
     - Click START then RUN.
     - Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
     (This will remove all restore points to rid your machine of saved infected files and create a new restore point)

     Step 2:
     We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.
     - Run OTL.exe
     - Click the Clean Up button in top right corner.
     - You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
     Now delete any logs that you have left over on your desktop.

     Step 3:
     It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help your computer from becoming vulnerable. Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection. It is best if you have these set to download automatically.
     Automatic Updates for Windows:
     - Click Start.
     - Select Settings and then Control Panel.
     - Select Automatic Updates.
     - Click Automatic (recommended).
     - Choose a day and a time when you know the computer will be on and connected to the internet.
     - Click Apply then OK.

     This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real time spyware program to prevent malware intrusions. Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

     Anti Spyware
     Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.
     - SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
     - SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
     - SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
     Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

     Safer Web Browser
     Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives: Firefox, Opera, Google Chrome, Safari. All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you choose FireFox, here are a couple of addons that I recommend:
     - NoScript - for blocking ads and other potential website attacks.
     - McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must have if you do a lot of Google searches.

     Other Recommendations
     FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

     Take Care and Happy Surfing!
  9. Ok, that looks good now! Let's get a couple more scans to check for orphans. The online scan can take awhile so you may want to do it overnight. Just make sure that you have disabled all real-time protection such as your antivirus before beginning. It will speed things up.

     Step 1:
     Run Malwarebytes' Anti-Malware
     - Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
     - Once the program has loaded, select the Scanner tab and "Perform Quick Scan", then click Scan.
     - The scan may take some time to finish, so please be patient.
     - When the scan is complete, click OK, then Show Results to view the results.
     - Make sure that everything is checked, and click Remove Selected.
     - When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
     - The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

     Step 2:
     Please download JavaRa to your desktop and unzip it to its own folder.
     - Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
     - Accept any prompts.
     - Open JavaRa.exe again and select Search For Updates.
     - Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

     Step 3:
     Using Internet Explorer or Firefox, visit Kaspersky Online Scanner.
     1. Click Accept, when prompted to download and install the program files and database of malware definitions.
     2. To optimize scanning time and produce a more sensible report for review:
        - Close any open programs.
        - Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
     3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take quite a long time to download.
     - Once the update is complete, click on Settings.
     - Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
         Spyware, adware, dialers, and other riskware
         Archives
         E-mail databases
     - Click on My Computer under the green Scan bar to the left to start the scan.
     - Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
     - Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
     - Click View report... at the bottom.
     - Click the Save report... button.
     - Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

     Step 4:
     Please post back with the following:
     - How your machine is running
     - MBAM log
     - KasReport.txt
  10. Hey brudi,
      In the interest of time and getting you back up and clean, I've added a Plan B here in case the above did not work.
      Run OTL
      - Under the Custom Scans/Fixes box at the bottom, paste in the following:
          :Commands
          [purity]
          [resethosts]
          [emptytemp]
          [Reboot]
      - Then click the Run Fix button at the top.
      - Let the program run unhindered, reboot the PC when it is done.
      - Open OTL again and click the Quick Scan button.
      - Post the log it produces in your next reply.
  11. I promise I won't get discouraged. We'll get this done! I have several ways to go about this but I don't want to do heart surgery if I can do it with a bandage! Let's try this next:
      - Reboot and hit the F8 key early and often. Choose Safe Mode.
      - Open Windows explorer to the folder: \Windows\System32\Drivers\etc
      - Right click on HOSTS (it should have no file extension).
      - Sharing and Security > Security tab.
      - Make sure you as a user, and/or "Administrator" has full permissions on the file. If not, change the permissions to Full.
      - Using notepad, bring up C:\windows\system32\driver\ETC\hosts
      - Delete all entries in that file except for:
          127.0.0.1 localhost
      - Save it.
      - Post a fresh OTL log.
      IF that doesn't work, please run this and post back the log:
      - Download Security Check by screen317 from here or here. Save it to your Desktop.
      - Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
      - A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  12. I had a great weekend, thanks for asking. Hope yours went well too. We don't want to delete the file, but let's try to manually fix it.
      Show System Files
      - Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders.
      - Uncheck the Hide protected operating system files (recommended) option.
      - Also make sure there is no checkmark beside Hide file extensions for known file types.
      - Click OK.
      - Using notepad, bring up C:\windows\system32\driver\ETC\hosts
      - Delete all entries in that file except for:
          127.0.0.1 localhost
      - Save it.
      - Post a fresh OTL log.
  13. Ok, everything is looking a lot better. Let's try and take care of the hosts file and clean up some stuff to get rid of Windows Enterprise Suite. As a side note, I will be out of pocket for the weekend but I will try and check when I can.

      Step 1:
      Please download exeHelper to your desktop.
      - Double-click on exeHelper.com to run the fix.
      - A black window should pop up, press any key to close once the fix is completed.
      - Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com).
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

      Step 2:
      Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Enter Safe Mode and do the following:
      - Run HostsXpert 4.2 - Hosts File Manager from its new home.
      - Click on "File Handling".
      - Click on "Restore MS Hosts File".
      - Click OK on the Confirmation box.
      - Click on "Make Read Only?"
      - Click the X to exit the program.
      Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
      Now reboot the machine as normal.

      Step 3:
      1. Close any open browsers.
      2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      3. Open notepad and copy/paste the text in the quotebox below into it:
           SecCenter::
           AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {B34FCF14-68EF-4AE0-BFF4-9287CCA76CD9}
           FW: Windows Enterprise Suite *enabled* {AA47C571-755B-4924-AC5B-07F016289E93}
         Save this as CFScript.txt, in the same location as ComboFix.exe.
      - Referring to the picture above, drag CFScript into ComboFix.exe.
      - When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

      Step 4:
      Rerun OTL and post a fresh OTL.txt log.

      Step 5:
      Please post back with the following:
      - How your machine is running
      - log.txt
      - How HostsXpert did
      - ComboFix.txt
      - OTL.txt
  14. Let's take a closer look. Are you still being redirected?

      Step 1:
      Download TFC by OldTimer to your desktop.
      - Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
      - It will close all programs when run, so make sure you have saved all your work before you begin.
      - Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
      - Let it run uninterrupted to completion.
      - Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
      Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

      Step 2:
      Download RootRepeal from one of the following locations: Location 1 (Zip File), Location 2 (Zip File), Location 3 (RAR File), Location 4 (Zip File), Location 5 (RAR File). Unzip it to your Desktop.
      - Double click RootRepeal.exe to start the program.
      - Click on the Report tab at the bottom of the program window.
      - Click the Scan button.
      - In the Select Scan dialog, check: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
      - Click the OK button.
      - In the next dialog, select all drives showing.
      - Click OK to start the scan. Note: The scan can take some time. DO NOT run any other programs while the scan is running.
      - When the scan is complete, the Save Report button will become available.
      - Click this and save the report to your Desktop as RootRepeal.txt.
      - Go to File, then Exit to close the program.
      If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
      To attach a file, do the following:
      - Click Add Reply.
      - Under the reply panel is the Attachments Panel.
      - Browse for the attachment file you want to upload, then click the green Upload button.
      - Once it has uploaded, click the Manage Current Attachments drop down box.
      - Click on to insert the attachment into your post.

      Step 3:
      Download OTL to your desktop.
      - Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
      - When the window appears, underneath Output at the top change it to Minimal Output.
      - Check the boxes beside LOP Check and Purity Check.
      - Under the Custom Scan box paste this in:
          netsvcs
          %SYSTEMDRIVE%\*.exe
          %SYSTEMDRIVE%\eventlog.dll /s /md5
          %SYSTEMDRIVE%\scecli.dll /s /md5
          %SYSTEMDRIVE%\netlogon.dll /s /md5
          %SYSTEMDRIVE%\cngaudit.dll /s /md5
          %SYSTEMDRIVE%\sceclt.dll /s /md5
          %SYSTEMDRIVE%\ntelogon.dll /s /md5
          %SYSTEMDRIVE%\logevent.dll /s /md5
          %SYSTEMDRIVE%\iaStor.sys /s /md5
          %SYSTEMDRIVE%\nvstor.sys /s /md5
          %SYSTEMDRIVE%\atapi.sys /s /md5
          %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
          %SYSTEMDRIVE%\viasraid.sys /s /md5
          %SYSTEMDRIVE%\AGP440.sys /s /md5
      - Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      - When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
      - Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

      Step 4:
      Please post back with the following:
      - How your machine is running
      - RootRepeal.txt
      - OTL.txt
      - Extras.txt
  15. Do you still need assistance?
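Posts 11, 12 and 13 above deal with a hijacked HOSTS file: the fix is to delete every mapping except "127.0.0.1 localhost" (or let HostsXpert restore the stock Microsoft file). The script below is an added example written for this page, not code from Perplexus or from any of the tools the posts name. It parses a HOSTS file, separates the stock entries from names that have been pointed at loopback (site cut off, the usual way security vendors and update servers get blocked) and names that have been sent to a foreign address (redirect), and then produces the cleaned file the posts describe. The sample file contents are constructed for illustration; the only assumption beyond the posts is that "::1 localhost" is also a stock entry, which holds on Vista and later.

```python
"""Audit and clean a Windows HOSTS file the way the posts above describe (added example)."""
import ipaddress

# Constructed sample of a hijacked HOSTS file (illustrative, not taken from any real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com    # cuts the machine off from updates
192.0.2.45      www.google.com
192.0.2.45      search.yahoo.com
"""

# Entries a stock Windows HOSTS file carries (::1 localhost assumed, present on Vista and later).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Return [(ip, hostname, line_number)] for every name-to-address mapping.

    Comment and blank lines are skipped; one line may map several names to one address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), lineno))
    return entries


def classify(entries):
    """Split mappings into 'default', 'blocked' and 'redirected'.

    blocked    - a non-localhost name pointed at loopback (the site becomes unreachable)
    redirected - a name pointed at any other address (traffic is sent somewhere else)
    """
    result = {"default": [], "blocked": [], "redirected": []}
    for ip, name, lineno in entries:
        addr = ipaddress.ip_address(ip)
        if (ip, name) in DEFAULT_ENTRIES:
            result["default"].append((ip, name, lineno))
        elif addr in LOOPBACK_V4 or addr == ipaddress.ip_address("::1"):
            result["blocked"].append((ip, name, lineno))
        else:
            result["redirected"].append((ip, name, lineno))
    return result


def clean_hosts(text):
    """Return the file reduced to its comments plus the default localhost mappings.

    This applies the manual fix from the posts ("delete all entries except
    127.0.0.1 localhost") mechanically, keeping the header comments intact.
    """
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        fields = stripped.split("#", 1)[0].split()
        if len(fields) == 2 and (fields[0], fields[1].lower()) in DEFAULT_ENTRIES:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = classify(parse_hosts(SAMPLE_HOSTS))
    for kind in ("blocked", "redirected"):
        for ip, name, lineno in report[kind]:
            print(f"line {lineno}: {name} -> {ip} [{kind}]")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine you would read %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; the "blocked" list is the one to look at first, since a loopback mapping for a security vendor or update host is a strong sign the file was tampered with rather than customised by the user.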