Stubborn Trojan Smitfraud

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fatalsolid01, Jan 1, 2012.

  1. fatalsolid01

    fatalsolid01 Private E-2

    Hello Major Geeks,:wave

    I was noticing a steady decline in computer speed during the last few days, and yesterday I started to get the Windows blue screen. So it turns out I have been infected by a trojan, Smitfraud, scanned and indicated by AVG, Malwarebytes, and Spybot Search & Destroy. The problem is that none of these programs can seem to get rid of the problem, as every time I boot up, Malwarebytes and Spybot just find more of the same malware that they found the previous time despite the supposed threats being removed. Along with slower computer speed, the current effects of this infection have been not being able to load up Windows normally, and my programs and files seem to have become hidden (they're still all there though) and don't show up in the start menu except for what I installed just recently yesterday. Big thanks in advance.:)
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. fatalsolid01

    fatalsolid01 Private E-2

    Thank you for the quick reply btw. Yes, that tool did the trick; my programs and files are unhidden again :).
    While following the instructions I came across two bumps in the road (aside from that everything was fine). One was not being able to either update or delete the outdated versions of Java (the most recent I have is Java 6 Update 26) I have. When I tried, it gave me a Windows Installer error. The second was that when I tried to run Combofix I kept getting the blue screen (it's in safe mode btw) during its initial extracting step.:confused But yeah, anyway, here are the logs for what I was able to do.
     

    Attached Files:

  4. fatalsolid01

    fatalsolid01 Private E-2

    Hey just a quick update to tell u I was able to get combofix to work by disabling the internet in safe mode, so just disregard that part of the previous post.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below software:

    • Java(TM) 6 Update 22 (outdated)
    • Java(TM) 6 Update 26 (outdated)
    • StartNow Toolbar (garbage)


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
    
    File::
    c:\users\Anthony\AppData\Roaming\GetValue.vbs
    c:\users\Anthony\AppData\Roaming\SetValue.bat
    C:\ProgramData\uiuKBUNRte.exe
    C:\ProgramData\gfhYdHclcK.exe
    C:\ProgramData\uiuKBUNRte.exe
    C:\Windows\SysWOW64\AK083E209605E394C.lie
    C:\Windows\SysWOW64\tmp.reg
    C:\Windows\SysWOW64\tmp.tx
    
    Folder::
    C:\ProgramData\ParetoLogic
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "gfhYdHclcK.exe"=-
    "uiuKBUNRte.exe"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "gfhYdHclcK.exe"=-
    "uiuKBUNRte.exe"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Reboot
    your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let TimW know of any problems you may have encountered with the above instructions and also let him know how things are running now!
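The CFScript in the post above is a small declarative format: `::` headers open sections (KILLALL and ClearJavaCache are bare switches; File, Folder, Driver and DirLook take one path or name per line; Registry uses .reg syntax, where `"name"=-` deletes a value and `[-key]` deletes a whole key). The parser below, an added example rather than ComboFix's or MajorGeeks' own code, turns such a script into a plan that can be reviewed before anything is run, and it also reports entries listed twice (the script above lists C:\ProgramData\uiuKBUNRte.exe twice). The section handling and the rejection of unknown sections are this example's assumptions; SCRIPT is the script from the post, reproduced as sample input.

```python
"""Parse a ComboFix CFScript into a reviewable remediation plan.

Added example, not ComboFix's own code. The section names and the
.reg-style registry syntax ("name"=- deletes a value, [-key] deletes a key)
are as used in the scripts in this thread; the parser itself and the
unknown-section handling are this example's assumptions.
"""
from collections import Counter

# The script from the post above, reproduced here as sample input.
SCRIPT = r"""
KILLALL::

DirLook::
C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

File::
c:\users\Anthony\AppData\Roaming\GetValue.vbs
c:\users\Anthony\AppData\Roaming\SetValue.bat
C:\ProgramData\uiuKBUNRte.exe
C:\ProgramData\gfhYdHclcK.exe
C:\ProgramData\uiuKBUNRte.exe
C:\Windows\SysWOW64\AK083E209605E394C.lie
C:\Windows\SysWOW64\tmp.reg
C:\Windows\SysWOW64\tmp.tx

Folder::
C:\ProgramData\ParetoLogic

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"gfhYdHclcK.exe"=-
"uiuKBUNRte.exe"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"gfhYdHclcK.exe"=-
"uiuKBUNRte.exe"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
"""

FLAG_SECTIONS = {"KILLALL", "ClearJavaCache"}          # switches with no body
LIST_SECTIONS = {"File", "Folder", "Driver", "DirLook"}  # one item per line


def parse_cfscript(text):
    """Return {'flags': set, 'lists': {section: [items]}, 'registry': [actions]}.

    Registry actions are tuples: ('delete_key', key, None),
    ('delete_value', key, name) or ('set_value', key, (name, data)).
    """
    plan = {"flags": set(), "lists": {}, "registry": []}
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header
            section, current_key = line[:-2], None
            if section in FLAG_SECTIONS:
                plan["flags"].add(section)
            elif section in LIST_SECTIONS:
                plan["lists"].setdefault(section, [])
            elif section != "Registry":
                raise ValueError(f"unknown section {section!r}")
            continue
        if section in LIST_SECTIONS:
            plan["lists"][section].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                plan["registry"].append(("delete_key", line[2:-1], None))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]            # following lines act on this key
            elif current_key is None:
                raise ValueError(f"value line {line!r} before any [key]")
            else:
                name, _, data = line.partition("=")
                name = name.strip().strip('"')
                if data == "-":
                    plan["registry"].append(("delete_value", current_key, name))
                else:
                    plan["registry"].append(("set_value", current_key, (name, data)))
        else:
            raise ValueError(f"unexpected data {line!r} in section {section!r}")
    return plan


def duplicates(plan):
    """Items listed more than once in a section: a sign the script was
    assembled by hand and deserves a second look before it runs."""
    found = {}
    for section, items in plan["lists"].items():
        counts = Counter(item.lower() for item in items)
        repeated = sorted(item for item, n in counts.items() if n > 1)
        if repeated:
            found[section] = repeated
    return found


def describe(plan):
    """One reviewable action per line."""
    lines = [f"flag: {flag}" for flag in sorted(plan["flags"])]
    for section, items in plan["lists"].items():
        lines += [f"{section}: {item}" for item in items]
    for action, key, arg in plan["registry"]:
        lines.append(f"{action}: {key}" + (f" -> {arg}" if arg else ""))
    return lines


if __name__ == "__main__":
    plan = parse_cfscript(SCRIPT)
    print("\n".join(describe(plan)))
    print("duplicates:", duplicates(plan))
```

The output makes the registry part explicit: four Run-key values are deleted (the same two names under the native and the Wow6432Node view, since this is a 64-bit machine) and one Browser Helper Object key is removed outright.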
     
  6. fatalsolid01

    fatalsolid01 Private E-2

    Combofix went by smoothly and the computer's performance is good again, as I can boot up normally with no blue screen or issues. I also updated Java and deleted the software Kestrel13 suggested.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good. What other malware issues are you still having, if any?
     
  8. fatalsolid01

    fatalsolid01 Private E-2

    The computer seemed to be doing fine, but when I did a scan with AVG (just reinstalled it) and Malwarebytes it still found the same threats as before, so I pressed to remove threats on Malwarebytes and after the reboot I got the blue screen yet again.:cry
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the logs from both so I can see what it is hitting on.
     
  10. fatalsolid01

    fatalsolid01 Private E-2

    Here they are
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I think AVG is giving you some false positives. However:

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the http://img33.imageshack.us/img33/9159/executeavenger.jpg button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now please run this scan:
    eSet Online Scan.
     
  12. fatalsolid01

    fatalsolid01 Private E-2

    Despite following the procedures for "The Avenger" tool it would not run/produce a log after the computer reboots. It says first step completed and it would run after the reboot but it doesn't. Anyway here's the log for the online scan.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try again with Combo:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    
    File::
    C:\Windows\svchost.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  14. fatalsolid01

    fatalsolid01 Private E-2

    I would say the computer's performance is about the same, sadly. As soon as I finished with both logs I rebooted to start Windows normally but still ended up getting the blue screen; I retried booting normally after that and then the computer froze. I would say it successfully boots up normally about a third or a fourth of the time (slowly).
     

    Attached Files:

    Last edited: Jan 4, 2012
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Driver::
    eykqlxf
    augbdb
    chqxpu
    orca
    fopw
    foeczrcs
    hcbz
    rdzvfjhk
    efcef
    ybfzszry
    yujhq
    efcef
    hcbz
    ybfzszry
    yujhq
    
    File::
    c:\windows\SysWow64\drivers\eykqlxf.sys
    c:\windows\SysWow64\drivers\augbdb.sys
    c:\windows\SysWow64\drivers\chqxpu.sys
    c:\windows\SysWow64\drivers\orca.sys
    c:\windows\SysWow64\drivers\fopw.sys
    c:\windows\SysWow64\drivers\foeczrcs.sys
    c:\windows\SysWow64\drivers\hcbz.sys
    c:\windows\SysWow64\drivers\rdzvfjhk.sys
    c:\windows\SysWow64\drivers\efcef.sys
    c:\windows\SysWow64\drivers\ybfzszry.sys
    c:\windows\SysWow64\drivers\yujhq.sys
    C:\Program Files (x86)\czlk.txt
    C:\Windows\rljetwua.txt
    C:\Windows\yvrldnbq.txt
    C:\Windows\System32\drivers\augbdb.sys
    C:\Windows\System32\drivers\chqxpu.sys
    C:\Windows\System32\drivers\efcef.sys
    C:\Windows\System32\drivers\eykqlxf.sys
    C:\Windows\System32\drivers\foeczrcs.sys
    C:\Windows\System32\drivers\fopw.sys
    C:\Windows\System32\drivers\hcbz.sys
    C:\Windows\System32\drivers\orca.sys
    C:\Windows\System32\drivers\rdzvfjhk.sys
    C:\Windows\System32\drivers\ybfzszry.sys
    C:\Windows\System32\drivers\yujhq.sys
    C:\Windows\SysWOW64\vaxjpm.txt
    C:\Windows\SysWOW64\szyse.txt
    C:\Windows\SysWOW64\nrpckhf.txt
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
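The script above removes the same set of randomly named .sys files from both the System32 and the SysWOW64 driver directories. Before such a cleanup script is written, a defender wants to know which driver files are new: the check below, an added example and not ComboFix's or MajorGeeks' code, diffs a directory listing against a known-good baseline, notes which unknown files were dropped into both views, and annotates names that look generated. BASELINE, LISTING, `looks_random` and `audit_drivers` are all this example's own constructions; a real baseline would be an inventory (name and hash) taken from a known-clean machine of the same Windows build.

```python
"""Audit a driver directory listing against a known-good baseline.

Added example, not ComboFix's or MajorGeeks' code. BASELINE and LISTING
are constructed for the example; a real baseline would be an inventory
(name and hash) from a known-clean machine of the same Windows build.
"""

# Constructed stand-in for a known-good driver inventory.
BASELINE = {"ntfs.sys", "tcpip.sys", "disk.sys", "usbhub.sys", "ndis.sys"}

# Constructed directory listing. The unknown names are three of the ones
# the script in the post above removes, placed in both driver directories
# as the thread shows; the last entry is outside a drivers directory.
LISTING = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\eykqlxf.sys",
    r"C:\Windows\System32\drivers\orca.sys",
    r"C:\Windows\System32\drivers\hcbz.sys",
    r"C:\Windows\SysWOW64\drivers\eykqlxf.sys",
    r"C:\Windows\SysWOW64\drivers\orca.sys",
    r"C:\Windows\SysWOW64\drivers\usbhub.sys",
    r"C:\Windows\System32\notadriver.txt",
]

VOWELS = set("aeiouy")


def looks_random(stem):
    """Annotation only: an all-lowercase stem with no vowel or a run of three
    or more consonants. Legitimate names such as 'tcpip' trip this too, so
    it never decides by itself; the baseline diff is the actual detection."""
    if not (stem.isalpha() and stem.islower()):
        return False
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3 or not any(ch in VOWELS for ch in stem)


def audit_drivers(listing, baseline):
    """Return unknown driver file names, the subset present in both the
    64-bit and the 32-bit driver directory, and the subset whose name
    looks generated. Paths are compared case-insensitively."""
    views = {"system32": set(), "syswow64": set()}
    for path in listing:
        directory, _, name = path.lower().rpartition("\\")
        if not directory.endswith("\\drivers"):
            continue                                  # only driver directories
        view = "syswow64" if "\\syswow64\\" in directory else "system32"
        views[view].add(name)
    known = {b.lower() for b in baseline}
    unknown = (views["system32"] | views["syswow64"]) - known
    return {
        "unknown": sorted(unknown),
        "both_views": sorted(unknown & views["system32"] & views["syswow64"]),
        "random_looking": sorted(n for n in unknown if looks_random(n.rsplit(".", 1)[0])),
    }


if __name__ == "__main__":
    for category, names in audit_drivers(LISTING, BASELINE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The point of reporting both views together is that a file present under the same unfamiliar name in System32\drivers and SysWOW64\drivers is far more likely to be a dropped payload than a vendor driver, whatever its name looks like; the name heuristic on its own would miss orca.sys.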
     
  16. fatalsolid01

    fatalsolid01 Private E-2

    I'm sorry to say it, but the computer still seems to be doing about the same as prior, as I still got the blue screen and I'm still not able to turn on Windows Security Center service. Also, something I forgot to mention before but is getting kind of annoying now: around the time it became apparent my computer got infected the audio stopped working in safe mode (works when it boots normally), and the clock/time got kind of screwed up (used to be a 12 hour clock and is now a 24 hour clock and I'm unsure how to fix it) and files get saved at the wrong AM or PM. Are there ways to currently fix these problems or is it something that will get fixed on its own once the malware is removed? Thank u for your help.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Most of those issues will probably need to be addressed in the software forum. But for now:


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the http://img33.imageshack.us/img33/9159/executeavenger.jpg button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    Now run Ccleaner to clean out only temp files and nothing else!

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7 make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Jan 6, 2012
  18. fatalsolid01

    fatalsolid01 Private E-2

    I was still unable to get the Avenger tool to work after boot up once again (should I try it with Combofix?). I ran Ccleaner as you said along with MGtools. Also the computer's performance is still the same.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  20. fatalsolid01

    fatalsolid01 Private E-2

    I think it seems like the trojan has finally been taken care of:). After TDSSKiller:cool along with MBRCheck ran and the computer booted back up, I ran Malwarebytes, then quarantined the usual found trojan infections, and this time the threats didn't come back up after reboot like they always do. The computer's speed seems good once again, along with no freezing or blue screens. I attached a zip file with three log files: 1) Malwarebytes log with found and quarantined infections, 2) Malwarebytes log after reboot with no found infections, and 3) SuperAntiSpyware scan log several hours and boots later with no found threats.
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to be certain, re-run TDSSKiller and make sure these do not show up.....fix them if they do:
     
  22. fatalsolid01

    fatalsolid01 Private E-2

    I ran TDSSKiller and it found, I believe, the first object you mentioned. I chose the delete option (was this correct btw?). The log file seems to have been overwritten by a scan done shortly after that one, so that is the only log I am able to show.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good. That looks much better. Tell me what malware issues you are still having, if any. ;)


    Now please download a new copy of combofix.exe and save it to your desktop. Then run it.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new combofix.txt log
    • C:\MGlogs.zip
     
    Last edited by a moderator: Jan 10, 2012
  24. fatalsolid01

    fatalsolid01 Private E-2

    The computer isn't having any more malware issues. Thank you again for all your help. :)
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are still not clean.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    
    Driver::
    aeuqjfku
    ajsho
    ajsho
    ffmkyff
    fpetvidr
    giqi
    jaqemw
    jyocao
    lciew
    nrsv
    rlsimckx
    Sftfs
    Sftplay
    Sftredir
    Sftvol
    cgsh
    fsgnr
    kseahhc
    mghjb
    njvkrp
    rwczm
    wfacan
    
    File::
    C:\Windows\SysWOW64\drivers\cgsh.sys
    C:\Windows\SysWOW64\drivers\fsgnr.sys
    C:\Windows\SysWOW64\drivers\kseahhc.sys
    C:\Windows\SysWOW64\drivers\mghjb.sys
    C:\Windows\SysWOW64\drivers\njvkrp.sys
    C:\Windows\SysWOW64\drivers\rwczm.sys
    C:\Windows\SysWOW64\drivers\wfacan.sys
    C:\Windows\System32\drivers\cgsh.sys
    C:\Windows\System32\drivers\fsgnr.sys
    C:\Windows\System32\drivers\kseahhc.sys
    C:\Windows\System32\drivers\mghjb.sys
    C:\Windows\System32\drivers\njvkrp.sys
    C:\Windows\System32\drivers\rwczm.sys
    C:\Windows\System32\drivers\wfacan.sys
    c:\windows\system32\drivers\chqxpu.sys 
    c:\windows\system32\drivers\foeczrcs.sys 
    c:\windows\system32\drivers\orca.sys 
    c:\windows\system32\drivers\eykqlxf.sys 
    c:\windows\system32\drivers\ybfzszry.sys 
    c:\windows\system32\drivers\hcbz.sys 
    c:\windows\system32\drivers\rdzvfjhk.sys 
    c:\windows\system32\drivers\augbdb.sys 
    c:\windows\system32\drivers\fopw.sys 
    c:\windows\system32\drivers\yujhq.sys 
    c:\windows\system32\drivers\efcef.sys
    c:\windows\system32\DRIVERS\Sftfslh.sys 
    c:\windows\system32\DRIVERS\Sftplaylh.sys 
    c:\windows\system32\DRIVERS\Sftredirlh.sys 
    c:\windows\system32\DRIVERS\Sftvollh.sys
    C:\Program Files (x86)\qjqoqr.txt
    C:\Program Files (x86)\yldg.txt
    C:\arutkptz.txt
    C:\avexport.bat
    C:\Windows\cxfwkaam.txt
    C:\Windows\SysWOW64\ducxyroj.txt
    C:\Windows\SysWOW64\kyqg.txt
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  26. fatalsolid01

    fatalsolid01 Private E-2

    Sorry about the slight delay between my posts; anyway, here are the logs. The computer seems to still be good and doesn't have any noticeable issues. Although the one thing I noticed that is new is that while the computer is, for example, playing a video it'll have a weird little freeze for about half a second or so. The chances of that little freeze-up happening are maybe about once during a day of computer use. I'm not sure whether that's a big, little or even no deal, but I just thought I'd mention it.
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know where these keep spawning themselves from, but let's run it again:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
     
    Driver::
    aulk
    dbbqill
    frhq
    gakth
    haer
    jjzmqmgo
    spqpxlp
    wesjylu
     
    File::
    c:\windows\system32\drivers\orca.sys
    c:\windows\system32\drivers\rwczm.sys
    c:\windows\system32\drivers\cgsh.sys
    c:\windows\system32\drivers\fsgnr.sys
    c:\windows\system32\drivers\mghjb.sys
    c:\windows\system32\drivers\njvkrp.sys
    c:\windows\system32\drivers\wfacan.sys
    c:\windows\system32\drivers\kseahhc.sys
    C:\Program Files (x86)\ftppby.txt
    C:\Windows\qebt.txt
    C:\Windows\ntbtlog.txt
    C:\Windows\oghlgxb.txt
     
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  28. fatalsolid01

    fatalsolid01 Private E-2

    Alright, so I tried updating Combofix, but after I did, it said it was not compatible with 64 bit so I had to run it on the previous version. Computer seems to be about the same, nothing noticeable anyway.
     

    Attached Files:

  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Much better. Now use windows explorer to find and delete:
    C:\Windows\SysWOW64\dwlnl.txt
    C:\Windows\SysWOW64\tmp.txt

    Tell me what malware issues you are still having, if any.
     
  30. fatalsolid01

    fatalsolid01 Private E-2

    Ok, I deleted the files u mentioned, and I'm not having any malware issues as far as I can tell.:major
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  32. fatalsolid01

    fatalsolid01 Private E-2

    Did as you said and thank you once again for your help!:)
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
