
Solve : virus, trojans, malware oh my....?


After ComboFix restarted I got a McAfee warning about something called RemAdm-ProcLaunch!171 in folder c:\327882r2fwjfw\psexec.cfexe.

Does that mean anything to ya?

Continuing with the next step, ATF Cleaner.

[recovering disk space -- attachment deleted by admin]

OK, here are the logs for ComboFix and AWF.

Also, I did the HJT for that one item.

[recovering disk space -- attachment deleted by admin]

Quote from: SirOlwyn on September 11, 2008, 09:59:28 PM

After ComboFix restarted I got a McAfee warning about something called RemAdm-ProcLaunch!171 in folder c:\327882r2fwjfw\psexec.cfexe.

Does that mean anything to ya?

Yes, that's part of ComboFix, which is why we suggest turning off the AV before running it. ComboFix uses scripts that are seen as malicious by antivirus. Kind of like the old saying "you have to fight fire with fire."

Double click FindAWF.exe to start the tool.
  • Select option #2 - Restore files from bak folders by typing 2 and press Enter
  • A text file will open up.  Please copy/paste the text in the Code box below into the text file:
Code:
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxpers.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
  • Close the .txt file and click Yes to save the changes.
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in the next reply.
AWF log

[recovering disk space -- attachment deleted by admin]

Getting closer.

Double-click FindAWF.exe to start the tool.
  • Select option #3 - Remove bak folders by typing 3 and press Enter
  • A text file will open up.  Please copy/paste the text in the box below into the text file:
Code:
C:\PROGRA~1\DELLSU~1\BAK
C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\MESSEN~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COMMON~1\WRUM\BAK
C:\PROGRA~1\HP\HPCORE~1\BAK
C:\PROGRA~1\INTEL\MODEME~1\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK
C:\PROGRA~1\COMMON~1\AOL\ACS\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK
C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK
  • Close the .txt file and click Yes to save the changes.
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in the next reply.
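The two FindAWF steps above (option 2, restore the originals from the bak folders; option 3, delete the bak folders) undo the AWF pattern in which the real program is moved into a sub-folder named "bak" and a same-named substitute is left in its place. The script below is an added example, not part of the original thread and not FindAWF's own code; it does the equivalent on a directory tree you point it at, restores only where the live copy differs from the backed-up one, verifies the hash after copying, and deletes a bak folder only once every file in it has an identical live sibling. The sample tree in build_sample_tree() is constructed for the demonstration (placeholder bytes, not real executables), and the layout it assumes is the one listed in the posts above.

```python
"""Detect and undo AWF-style "bak" folder hijacks (added example, not FindAWF)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAK_NAME = "bak"  # AWF's staging folder name; matched case-insensitively


def sha256(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root):
    """Every directory named 'bak' (any case) under root, in sorted order."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == BAK_NAME:
                found.append(Path(dirpath) / d)
    return sorted(found)


def find_hijacks(root):
    """AWF pattern: <dir>/bak/X.exe (the real program) next to <dir>/X.exe
    (the substitute). One record per such pair; same_content says whether the
    live copy already matches the backed-up original."""
    hits = []
    for bak in find_bak_folders(root):
        for backed_up in sorted(bak.iterdir()):
            live = bak.parent / backed_up.name
            if backed_up.is_file() and live.is_file():
                hits.append({
                    "bak_file": backed_up,
                    "live_file": live,
                    "same_content": sha256(backed_up) == sha256(live),
                })
    return hits


def restore_from_bak(hits):
    """FindAWF option 2 equivalent: put the original back over the substitute.
    Copies only where the two differ and verifies the hash afterwards."""
    restored = []
    for h in hits:
        if h["same_content"]:
            continue
        shutil.copy2(h["bak_file"], h["live_file"])
        if sha256(h["live_file"]) != sha256(h["bak_file"]):
            raise RuntimeError("restore verification failed for %s" % h["live_file"])
        h["same_content"] = True
        restored.append(h["live_file"])
    return restored


def remove_bak_folders(hits):
    """FindAWF option 3 equivalent: delete a bak folder, but only once every
    file in it has an identical live sibling, so nothing unrestored is lost."""
    removed = []
    for bak in sorted({h["bak_file"].parent for h in hits}):
        safe = all(
            (bak.parent / f.name).is_file() and sha256(f) == sha256(bak.parent / f.name)
            for f in bak.iterdir() if f.is_file()
        )
        if safe:
            shutil.rmtree(bak)
            removed.append(bak)
    return removed


def build_sample_tree(root):
    """Constructed sample mirroring the thread's layout, with placeholder bytes."""
    def put(rel, data):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # hijacked: substitute in place, original parked in bak
    put("Program Files/iTunes/iTunesHelper.exe", b"SUBSTITUTE-DROPPER")
    put("Program Files/iTunes/bak/iTunesHelper.exe", b"MZ original iTunesHelper")
    # already restored: live copy equals the backed-up one (upper-case BAK)
    put("WINDOWS/SYSTEM32/ctfmon.exe", b"MZ original ctfmon")
    put("WINDOWS/SYSTEM32/BAK/ctfmon.exe", b"MZ original ctfmon")
    # a bak folder with no same-named sibling is not the AWF pattern; left alone
    put("Program Files/Stray/bak/orphan.exe", b"MZ orphan")


def demo():
    """Run all three steps on the constructed tree and summarise the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = find_hijacks(root)
        restored = restore_from_bak(hits)
        removed = remove_bak_folders(hits)
        itunes = root / "Program Files/iTunes/iTunesHelper.exe"
        return {
            "hijacked": len(hits),
            "restored": len(restored),
            "removed": len(removed),
            "live_itunes_is_original": itunes.read_bytes() == b"MZ original iTunesHelper",
            "orphan_bak_kept": (root / "Program Files/Stray/bak").is_dir(),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the summary for the constructed tree; to use it on a real drive, call find_hijacks() on the root you want to inspect and review the records before calling the restore and remove steps.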
AWF

[recovering disk space -- attachment deleted by admin]

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code:
Comment:

Folders to delete:
C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.
----------

Last step with FindAWF

Double-click FindAWF.exe to start the tool.
  • Select option #4 - Reset Domain Zones by typing 4 and press Enter
  • You will be prompted to answer "Reset the domain zones?" Type 1 and press Enter.
  • After completion, then type E and press Enter
Note: if you use SPYWAREBLASTER, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

Download ResetProtocolDefaults to your desktop.

Double click ResetProtocolDefaults.reg and answer Yes to any prompts and allow it to merge into the Registry.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.
-----

Go to:
  • Start
  • Run
  • type: CLEANMGR.EXE
  • Press Enter.
When prompted select the C: drive and click OK.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter

----------

Use the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

Click on SCAN NOW
Click on the Accept button and install any components it NEEDS.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the PAGE in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In Save as type: click the drop ARROW and select: Text file [*.txt]
  • Then, click: Save
  • Save the file to your desktop.
Post the Kaspersky log in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

OTMoveIt has encountered a problem and needs to close.

It does it every time I try to open it, about 1 sec into it.

Is this when you are trying to enter the text into it?

No, trying to launch it.

I know. There are two sets of instructions for OTMoveIt2. Did you do the first step in entering the text and clicking MoveIt, or is it the second when trying to run the CleanUp option?

I downloaded it, double-clicked to open and it crashes; I never get to input the text.

OK, that's what I needed to know.

I just edited the post with NEW directions to use another program.

OTCleanIt will not launch when I double-click it, same error message.

Let's try one more.

Download http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe

Unzip it to the Desktop, open the folder and then open OTScanIt.exe

Click the CleanUp button and start the cleanup process. Choose NOT to restart now.

Close OTCleanIt and then re-open it and click the CleanUp button again and start the cleanup process. This time re-start the computer when prompted.

