SirJon

Experts
  • Content count: 18

About SirJon

  • Rank: New Member
  • Birthday 06/10/1975

Profile Information

  • Interests: Nature, Computers, Networking, Hi-Fi, Malware Prevention.

Recent Profile Visitors
  • 4,791 profile views

Recent Posts
  1. It beat SAS yesterday on Vundo and Zlob infections. Nick and the boys are slipping a bit.
  2. Sorry I'm late. I hope it was good.
  3. Hello Bualc, welcome to the Malwarebytes forum. Sorry you are having malware trouble.
     1. Please download FixWareout from here.
     2. Please download ComboFix from here.
     3. Please save both removal tools to your desktop. Please do not run either tool yet.
     4. Disconnect your PC from all Internet access.
     5. Please temporarily disable your Norton Internet Security realtime protection. Procedure instructions can be found here and here.
     6. Go to Control Panel, Add or Remove Programs, and uninstall My Web Search, MalwareAlarm and all Zango programs.
     7. After uninstalling the programs, reboot the PC.
     8. Double-click on the FixWareout.exe icon.
     9. After double-clicking on the icon you will be presented with the first setup screen.
     10. Simply press the Next button to continue the installation.
     11. You will now be presented with the next installation screen.
     12. Press the Install button to install FixWareout to the C:\FixWareout folder.
     13. You will now be at the last screen of the FixWareout setup. Make sure that the checkbox labeled Run fixit is checked.
     14. Then click on the Finish button to automatically start FixWareout.
     15. FixWareout will start and you will see a screen.
     16. Press any key on your keyboard to start the removal process.
     17. FixWareout will now display a prompt stating that you will need to reboot your computer to continue with the fix.
     18. Click on the OK button to start the reboot process.
     19. Your computer will now reboot. Please be aware that the reboot time of your computer may be longer than normal due to the running of this fix. Before your desktop appears, you will see a prompt.
     20. Press the OK button to continue with the removal process. This process can take a while, so please be patient.
     21. Finally you will see a prompt stating that FixWareout has finished.
     22. When the desktop appears a file called report.txt will automatically open in Notepad. This contains a list of some of the files that FixWareout found and removed on your computer.
     23. Open HijackThis, check both boxes below and select Fix checked:
         O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
         O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
     24. Close HijackThis, and click OK.
     25. Go to the Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to step 22.
     26. Double-click the Network Connections icon.
     27. Right-click the Local Area Connection icon and select Properties.
     28. Highlight Internet Protocol (TCP/IP) and click the Properties button.
     29. Be sure Obtain DNS server address automatically is selected.
     30. Click OK.
     31. Go to Start, Run and type in cmd.
     32. Click OK. This will open the command prompt.
     33. Type or copy and paste the following line in the command window:
         ipconfig /flushdns
     34. Hit Enter.
     35. Close the command window.
     36. Reboot your PC again.
     37. Please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log.
     38. Do not run the ComboFix tool yet.
  4. Never had this error before. Running v1.10 from RAM off a BartPE CD. Run Time error 7 Out of Memory 64MB of RAM, should be enough, nothing else running.
  5. Hello Please follow all the steps here first. If you are still experiencing symptoms after completing the steps, please post a HijackThis log here.
  6. No. Not necessarily. It sounds like your brother can guide you through.
  7. There was in the beginning over at the other forum. I'm not sure what's left on the hard drive now since I can't see anything from a HJT log. What? Do you mean bootup with some kind of LiveCD or a BartPE CD to copy and paste the backup files and folders to an external source? That's one way of doing it, I don't know if you've got USB 1.1 or 2.0, depending on what you want saved it might take a while, but they might just take out your HD and slave it to another box (hopefully a very fast diagnostic test box) and copy everything that way.
  8. Those steps usually do it for me. I'm pretty sure it's the Winlogon key and the userinit value that got corrupted. I wish they hadn't suggested that you manually edit the registry that way. Do you have a floppy drive on that laptop? I think at this point because of all you've been through I would go ahead and use the Repair option on the Windows XP Installation CD. It hasn't always helped me for this type of symptom (I'm not much of a fan of the Repair option), but it's worth a try. If I was working on your laptop in a shop at this point, I would back up anything you wanted on the drive and do it right by blowing everything away and starting over from scratch with a fresh install. I am not a fan of 'bandaid' fixes especially when the registry has been corrupted. Then, I would install ERUNT. It's a free, alternative registry backup that will run independently of Windows.
  9. Hello mnkutreva and Welcome! Sorry you are having malware trouble. I read your posts over on the Kaspersky forum and I see you manually edited the registry. I also see where Don Pelotas advised you to reinstall Windows after you made the registry changes. After reading your latest symptoms here on this forum, a reinstall may be the quickest solution to your problem. However, let's try a couple of steps. You'll need a Windows XP Installation CD to enter Recovery Console. You'll probably want to print out these instructions beforehand.
     How to get into the Recovery Console:
     1.) Boot the system using the Windows XP Installation CD-ROM.
     2.) Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
     3.) When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
     4.) When the Recovery Console menu is displayed, a numbered list of the Windows installations on the computer is displayed (usually C:\Windows). Press the number (1) before you press ENTER, even when only one entry appears. (If you press ENTER first without pressing the number, the computer restarts and begins the process again.)
     5.) When you are prompted to do so, type the Administrator password. If the Administrator password is blank, just press ENTER.
     6.) At the C:\Windows prompt, type the following command and press <Enter>. (There is a space between CD and SYSTEM32.)
         CD SYSTEM32
     7.) Now type in this command and press <Enter>. (There is a space between COPY and USERINIT.EXE and WSAUPDATER.EXE.)
         COPY USERINIT.EXE WSAUPDATER.EXE
     8.) Now quit Recovery Console by typing EXIT and restart Windows. Now you should be able to login successfully as you've created the wsaupdater.exe file.
     9.) At the desktop, copy the contents of the Code Box to Notepad. Name the file as RegFix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word CODE when saving the file.
         REGEDIT4

         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
         "Start"=dword:00000002

         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
         "Start"=dword:00000002

         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
         "EnableDCOM"="Y"

         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
         "Userinit"=-
         "Shell"=-

         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
         "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
         "Shell"="Explorer.exe"

         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
         "lmcompatibilitylevel"=dword:00000000

         [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
         "restrictanonymous"=dword:00000000
     10.) Double-click on the RegFix.reg file, and when it prompts to merge say Yes.
     11.) Please reboot the PC and try to logon normally.
     12.) From the HijackThis instructions you read earlier, try and post a HJT log here for review.
  10. PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
     STEP 1: Please download and install SUPERAntiSpyware here.
     1.) During the installation process, the program will prompt you to download any updates, click Yes.
     2.) After the update process has completed, a dialog box will state: Database definitions have been updated, click OK.
     3.) At the SUPERAntiSpyware Main Menu, click the Preferences button.
     4.) Click the General and Startup tab, under Start-Up Options, uncheck both boxes:
         Start SUPERAntiSpyware when Windows starts
         Show SUPERAntiSpyware icon in system tray
     5.) Click the Hi-Jack Protection tab, under Home Page Protection, uncheck both boxes:
         Display notification when home page changed
         Protect home page from being changed. Changes can be made only here.
     6.) Click Close at the bottom of the page. Don't run SUPERAntiSpyware yet, we will use it later.
     STEP 2: Download the eScan Antivirus Toolkit here. Save it to the desktop. Don't run eScan yet, we will use it later.
     STEP 3: Please download ATF Cleaner here. NOTE: This program is for Windows XP and 2000 only. Don't run ATF Cleaner yet, we will use it later.
     STEP 4: Please enable all hidden files and folders in Windows. For instructions click here. Now please go to Start, Search, All Files and Folders, scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.
     STEP 5: Please reboot into Safe Mode. Get into Safe Mode using the F8 Key on your keyboard:
     1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
     2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
     3.) Select the option for Safe Mode using the up/down arrow keys.
     4.) Then press Enter on your keyboard to boot into Safe Mode.
     5.) Perform all the cleaning tasks here and when you are done, reboot the PC back into normal mode (Windows).
     STEP 6: From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":
         R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gophersearch.com/
         R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
         O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
     Now close HijackThis.
     STEP 7: From Safe Mode, open the SUPERAntiSpyware program.
     1.) At the SUPERAntiSpyware Main Menu, under Scan for Harmful Software, click the Scan your Computer button, the SUPERAntiSpyware Scanner menu will appear.
     2.) Make sure under Scan Location that your correct hard drive letter is checked. (Example: C:\ - Fixed Drive (NTFS)) The correct hard drive letter should automatically be checked by default.
     3.) Under Complete Scan, click Perform Complete Scan.
     4.) At the bottom, click Next to start the scan. NOTE: This scan is very thorough, it will take a while to complete depending on the number of files and folders on the hard drive. Please be patient.
     STEP 8: From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
     1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
     2.) Click Unzip, by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive. (C:\Kaspersky)
     3.) A dialog box stating "1xx file(s) unzipped successfully" will appear, click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
     4.) With the eScan interface on your desktop, make sure that these boxes under Scan Option are all checked: Memory, Registry, Startup Folders, System Folders, Services.
     5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
     6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
     7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
     8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
     STEP 9: From Safe Mode,
     1.) Double-click ATF-Cleaner.exe to run the program.
     2.) Under Main choose: Select All
     3.) Click the Empty Selected button.
     STEP 10: Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.
  11. Hello remba997 and Welcome! Sorry you are having malware trouble. I am reviewing your log and will reply shortly. In the meantime, we need to move HijackThis from the temp folder to the root of your C:\ drive:
         C:\DOCUME~1\GNOBIN~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
     Double-click on My Computer; double-click on your hard drive (usually the C:\ drive), right-click on a blank area, choose New, choose Folder, name the folder hijackthis. Now, place Hijackthis.exe in this folder.
  12. Unfortunately, we are not out of the woods with this thing yet. Now copy the contents of the Quote Box to Notepad. Name the file as rootkit.bat. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file. Now double-click on rootkit.bat. This batch file will generate a text file called report.txt. Save this file to your desktop.
     Download "silent runners" from here. For instructions click here.
     1.) Save it to the desktop in a new folder named SilentRunners.
     2.) Double-click silentrunners.vbs, and it will scan for a few minutes and will create a log file in the silentrunners folder. This log file will be called "startup programs <computername>date".
     3.) Copy and paste the log here in this thread for review.
     NOTE: If you get a "script warning" from your antivirus program, please allow the entire script to run. It is not malicious; it is just making a log file of items in your startups and other registry information.
     Now please copy and paste the contents of report.txt and the silent runners log here in this thread for review.
  13. Hello rocksteady and Welcome! Sorry you are having malware trouble. You have a rootkit that is causing your problem and there are a few hoops that are required to jump through in order to completely eliminate this infection, but I need to see your entire HijackThis log. This infection is causing the O4 entries of the log to be missing.
     1.) Please enable all hidden files and folders in Windows. For instructions click here.
     2.) Download the eScan Antivirus Toolkit here. Please do not run a scan with the eScan Antivirus Toolkit utility yet.
     3.) Download and install the latest version of Ad-Aware SE here. NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE. Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file. Please do not run a scan with Ad-Aware yet.
     4.) Please download RegSrch.vbs here. Save it to your desktop.
     5.) Copy the contents of the Quote Box to Notepad. Name the file as ExtraSystemService3.bat. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file. Now double-click on ExtraSystemService3.bat.
     6.) Please reboot into Safe Mode. For instructions click here. Get into Safe Mode using the F8 Key on your keyboard:
         1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
         2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
         3.) Select the option for Safe Mode using the up/down arrow keys.
         4.) Then press Enter on your keyboard to boot into Safe Mode.
         5.) Perform all the cleaning tasks here and when you are done, reboot the PC back into normal mode (Windows).
     7.) From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
         1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
         2.) Double-click on the mwavscan.com file; this will open the eScan program.
         3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are checked.
         4.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
         5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
         6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.
     8.) From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.
     9.) Reboot the PC back into Windows and open RegSrch.zip, extract, and double-click RegSrch.vbs and in the search window enter windows.dat and click OK. After the scan, click File, Save As, name the file martfinder.txt and save it to your desktop. Now do another search and enter styles in the search window and click OK. When the search has completed, open the martfinder.txt file, scroll down to the bottom of the contents of the windows.dat search, and copy and paste the results of the styles search into the martfinder.txt file. Please post another HijackThis log with the results of the RegSrch scan here for review.
  14. Nice Work! Your log looks much better.
         O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
     Your log shows that you have disabled some startup programs using MSConfig. This is not recommended because I cannot clearly see everything that is loading on your computer at startup. To enable all startup items quickly, please follow these instructions:
     1.) Go to Start, Run, and type msconfig and click OK.
     2.) If not already selected go to the General tab.
     3.) Under Startup Selection select "Normal Startup - load all device drivers and services".
     4.) Click Apply and then Close.
     5.) When given the option, please choose to reboot the computer.
     6.) Post a new HJT log here in this thread when you are done.
  15. Hello jamie and Welcome! Sorry you're having malware trouble.
     PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING. PLEASE FOLLOW ALL THE STEPS SLOWLY AND CAREFULLY.
     STEP 1: Please make sure that you can view all hidden files. Instructions can be found here. After enabling hidden files, for Windows XP, go to Start, Search, All Files and Folders, scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.
     STEP 2: Download AboutBuster from RubbeR DuckY here. In the Save in: window, find C:\Spyware Tools and click the Save button. Inside the Spyware Tools folder, extract all files from AboutBuster.zip inside its own folder named AboutBuster. Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version. NOTE: You might want to view this AboutBuster tutorial here first before running the tool. Don't run it yet, we will use it later.
     STEP 3: Download and install the latest version of Ad-Aware SE here. NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE. Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file. Don't run it yet, we will use it later.
     STEP 4: Download and install the Ewido Security Suite. NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite are: Windows 2000 or Windows XP.
     1.) Download and install the Ewido Security Suite here.
     2.) IMPORTANT! When the Additional Options screen comes up, uncheck Install background guard and Install scan via context menu, click Install.
     3.) Double-click on the new Ewido shortcut on the desktop to open the program.
     4.) On the upper LH side column, click on the Update button. (This will update the program with all the latest signature files.) Don't run it yet, we will use it later.
     STEP 5: Copy the contents of the Quote Box below to Notepad. Name the file as hsafix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file. Don't double-click it yet, we will use it later.
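As an added example that is not part of SirJon's posts or of any tool he names: a small Python checker that reads HijackThis-style log lines and flags the two hijack patterns quoted in posts 3 and 10 above (O17 entries that hard-code a public DNS resolver, and R0/R1 Internet Explorer settings that point at a host outside an allowlist), and lists every O2 BHO for manual review. The sample log is constructed; the hijacked lines are the ones quoted in those posts, while the www.example.com start page and the 192.168.1.1 resolver are made-up benign entries.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Line shapes for the HijackThis entry types quoted in posts 3 and 10.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

@dataclass(frozen=True)
class Finding:
    kind: str    # "dns-hijack", "ie-hijack" or "bho-review"
    detail: str  # why the line was flagged
    line: str    # the log line itself

def suspicious_nameservers(servers: str, allowed_dns: frozenset[str] = frozenset()) -> list[str]:
    """Return NameServer entries that are neither private/loopback nor explicitly allowed."""
    # A box set to 'Obtain DNS server address automatically' (post 3, step 29) has no
    # hard-coded public resolver in this key, so any that shows up deserves a look.
    bad = []
    for server in re.split(r"[\s,]+", servers.strip()):
        if not server or server in allowed_dns:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            bad.append(server)  # not even an IP address
            continue
        if not (ip.is_private or ip.is_loopback):
            bad.append(server)  # hard-coded public resolver: the O17 pattern in post 3
    return bad

def scan_log(text: str, allowed_hosts: frozenset[str], allowed_dns: frozenset[str] = frozenset()) -> list[Finding]:
    """Walk a log and collect findings; lines that match no known shape are ignored."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            bad = suspicious_nameservers(m["servers"], allowed_dns)
            if bad:
                findings.append(Finding("dns-hijack", f"{m['key']} hard-codes resolver(s) {' '.join(bad)}", line))
        elif m := R_RE.match(line):
            host = (urlparse(m["url"].strip()).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(Finding("ie-hijack", f"{m['value'].strip()} points at {host!r}", line))
        elif m := O2_RE.match(line):
            # Every BHO is listed: the log alone cannot say whether a DLL is legitimate.
            findings.append(Finding("bho-review", f"BHO {m['clsid']} loads {m['path']}", line))
    return findings

# Constructed sample log: hijacked lines from posts 3 and 10, plus two made-up benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, frozenset({"www.example.com"})):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

The allowlists are deliberately explicit: pass the user's real home page and, if the LAN uses a public resolver on purpose, that resolver's address, so that only unexpected values are reported.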