12-10-2007, 12:20 PM   #5
alba
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Re: Vundo / mljji.dll infection

Hi bagofbeef

Can you tell me what happened on 2007-11-12? Whatever it was, it created all these ??mantec folders, and unfortunately you will have to delete them manually.

Please follow my instructions carefully and take your time

===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present. You will see the full name of the folder (??asks = tasks, etc.). If there are two folders of the same name, right-click on them and then click on Properties. ONLY delete folders that were created on 2007-11-12.

  • C:\Program Files\Common Files\??sks
    C:\Program Files\??stem
    C:\Program Files\Common Files\?ssembly
    C:\Program Files\?ppPatch
    C:\Program Files\??sks
    C:\Program Files\?ppPatch
    C:\Program Files\?dobe
    C:\Program Files\??sks
    C:\Program Files\??crosoft.NET
    C:\Program Files\??crosoft
    C:\Documents and Settings\Administrator\Application Data\?icrosoft
    C:\Program Files\Common Files\?ymantec
    C:\Program Files\Common Files\??pPatch
    C:\Program Files\Common Files\??crosoft
    C:\Documents and Settings\Administrator\Application Data\??curity
    C:\Program Files\Common Files\?racle
    C:\Program Files\Common Files\?icrosoft.NET
    C:\Program Files\Common Files\?icrosoft
    C:\Program Files\Common Files\?ecurity
    C:\Program Files\Common Files\??mantec
    C:\Program Files\Common Files\??crosoft.NET
    C:\Program Files\?ecurity
    C:\Program Files\??stem32
    C:\Program Files\??pPatch
    C:\Program Files\??mantec
    C:\Program Files\??crosoft
    C:\Documents and Settings\Administrator\Application Data\?racle
    C:\Program Files\Common Files\?racle
    C:\Program Files\Common Files\?ppPatch
    C:\Program Files\Common Files\?icrosoft
    C:\Program Files\Common Files\?dobe
    C:\Program Files\Common Files\??stem
    C:\Program Files\Common Files\??sembly
    C:\Program Files\Common Files\??pPatch
    C:\Program Files\Common Files\??mbols
    C:\Program Files\?ymantec
    C:\Program Files\?ssembly
    C:\Program Files\?icrosoft.NET
    C:\Program Files\?icrosoft
    C:\Program Files\??sembly
    C:\Program Files\??curity
    C:\Program Files\Common Files\?ystem32
    C:\Program Files\Common Files\?ymbols
    C:\Program Files\Common Files\??stem32
    C:\Program Files\Common Files\??curity
    C:\Program Files\Common Files\??crosoft.NET
    C:\Program Files\Common Files\??crosoft
    C:\Program Files\?ystem
    C:\Program Files\?racle
    C:\Program Files\?racle
    C:\Program Files\?icrosoft
    C:\Program Files\?asks
    C:\Program Files\??pPatch
    C:\Program Files\??mbols
    C:\Program Files\??crosoft.NET
    C:\Documents and Settings\Administrator\Application Data\??crosoft.NET
    C:\Documents and Settings\Administrator\Application Data\??crosoft
    C:\Program Files\Common Files\?ystem
    C:\Program Files\Common Files\?ppPatch
    C:\Program Files\Common Files\?icrosoft.NET
    C:\Program Files\Common Files\?dobe
    C:\Program Files\Common Files\?asks
    C:\Program Files\Common Files\?asks
    C:\Program Files\Common Files\??sks
    C:\Program Files\?ystem32
    C:\Program Files\?ymbols
    C:\Program Files\?icrosoft.NET
    C:\Program Files\?dobe
    C:\Program Files\?asks
    C:\Documents and Settings\Administrator\Application Data\?icrosoft.NET
    C:\Documents and Settings\Administrator\Application Data\?asks
    C:\Documents and Settings\Administrator\Application Data\??stem32
    C:\Documents and Settings\Administrator\Application Data\??stem
    C:\Documents and Settings\Administrator\Application Data\??sks
    C:\Documents and Settings\Administrator\Application Data\??mbols
    C:\Documents and Settings\Administrator\Application Data\??mantec


===============================================

REBOOT TO NORMAL MODE

=================

Open notepad and carefully copy/paste all the text in the code box below into it:


Code:
File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ahhitmqb.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b]

DirLook::
C:\Documents and Settings\Administrator\.java
C:\WINDOWS\system32\_suspicious_files

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.


=================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.



=================

Please run a scan with HijackThis and save the log

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • HijackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Thank you.

Last edited by alba; 12-10-2007 at 12:23 PM.
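The manual hunt described in the post (find folders whose names imitate tasks, Symantec, AppPatch and so on but start with one or two characters Explorer can only render as "?", then check their creation date before deleting) can be scripted. The following is an added example written for this page; it is not part of alba's post and is not a TSF or ComboFix tool. It assumes the list of legitimate names being imitated (reconstructed from the "?"-prefixed entries above), that "look-alike" means one or more non-printable or non-ASCII characters followed by the tail of a real name, and that the creation date Explorer shows is available from the filesystem (true on Windows via st_ctime/st_birthtime; on Unix st_ctime is the inode-change time, so the date filter is only meaningful there if st_birthtime exists). The demo() tree is constructed sample data, not a real system.

```python
"""Spot look-alike folders of the kind listed in the post above.

Vundo-era droppers created directories whose names imitate real ones
(Symantec, tasks, AppPatch, ...) with the first one or two letters replaced
by non-printing or non-ASCII characters that Explorer renders as '?'.
This script flags such names and reports their creation time so that only
the ones created on the day of the infection are deleted.
"""
import sys
import tempfile
from dataclasses import dataclass
from datetime import date, datetime
from pathlib import Path
from typing import Iterable, List, Optional

# Legitimate names imitated by the bogus folders in the post (assumption:
# reconstructed from the '?'-prefixed entries, not supplied by the poster).
LEGIT_NAMES = [
    "tasks", "system", "system32", "assembly", "AppPatch", "Adobe",
    "Microsoft", "Microsoft.NET", "Symantec", "Security", "Oracle", "Symbols",
]


def is_suspicious_char(ch: str) -> bool:
    """True for anything outside printable ASCII (controls, NBSP, DEL, other Unicode)."""
    return not (0x20 <= ord(ch) < 0x7F)


def lookalike_target(name: str, legit_names: Iterable[str] = LEGIT_NAMES) -> Optional[str]:
    """Return the legitimate name that `name` imitates, or None.

    A look-alike contains at least one suspicious character, and what is left
    after dropping those characters is a proper, case-insensitive suffix of a
    legitimate name ('\\xa0ymantec' -> 'ymantec' -> 'Symantec').
    """
    if not any(is_suspicious_char(c) for c in name):
        return None  # plain ASCII name: not the trick we are looking for
    tail = "".join(c for c in name if not is_suspicious_char(c)).lower()
    if len(tail) < 3:
        return None  # too little left to claim it imitates anything
    candidates = [
        legit for legit in legit_names
        if legit.lower().endswith(tail) and len(legit) > len(tail)
    ]
    if not candidates:
        return None
    # Prefer the legitimate name whose length equals the bogus one (one hidden
    # character per missing letter); otherwise the closest in length.
    return min(candidates, key=lambda legit: abs(len(legit) - len(name)))


@dataclass
class Finding:
    path: Path
    imitates: str
    created: datetime


def creation_time(p: Path) -> datetime:
    """Creation time as Explorer's Properties dialog shows it.

    Windows reports it in st_ctime (and st_birthtime on Python 3.12+).
    On Unix st_ctime is the inode-change time, so the date filter is only
    trustworthy on Windows or where st_birthtime exists.
    """
    st = p.stat()
    ts = getattr(st, "st_birthtime", None) or st.st_ctime
    return datetime.fromtimestamp(ts)


def find_lookalike_dirs(roots: Iterable[str], legit_names=LEGIT_NAMES) -> List[Finding]:
    """Scan the immediate subdirectories of each root for look-alike names."""
    findings: List[Finding] = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for child in root.iterdir():
            if child.is_dir():
                target = lookalike_target(child.name, legit_names)
                if target is not None:
                    findings.append(Finding(child, target, creation_time(child)))
    return findings


def demo() -> List[str]:
    """Build a constructed folder tree in a temp dir and scan it (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ["Symantec", "\u00a0ymantec", "\u00a0\u00a0sks",
                     "Adobe", "\u00adppPatch", "Caf\u00e9"]:
            (root / name).mkdir()
        return sorted(f.imitates for f in find_lookalike_dirs([tmp]))


if __name__ == "__main__":
    # Default roots are the ones named in the post; pass others on the command line.
    roots = sys.argv[1:] or [
        r"C:\Program Files",
        r"C:\Program Files\Common Files",
        r"C:\Documents and Settings\Administrator\Application Data",
    ]
    infection_day = date(2007, 11, 12)
    for f in find_lookalike_dirs(roots):
        verdict = "DELETE CANDIDATE" if f.created.date() == infection_day else "review"
        # repr() makes the hidden characters visible as escape codes.
        print(f"{verdict:16} {f.created:%Y-%m-%d} {f.path.name!r} imitates {f.imitates}")
```

Run it from the affected machine (in Safe Mode, as the post directs) and it lists every look-alike folder under the three roots with the creation date and the imitated name; the repr() output exposes exactly which codepoints stand behind the "?" that Explorer shows. Nothing is deleted automatically: the point is to make the "only folders created on 2007-11-12" rule checkable before anything is removed by hand.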