Hi bagofbeef
Did you download anything on that day? We don't judge, but it would be interesting to know where the infection came from.
In future, please copy/paste your logs into your reply; when you attach them it makes it harder to read the logs and takes much longer to prepare a fix for you.
We are nearly there, so let's get going.
I have asked you to remove CuteFTP because it is infected with adware; see Here for more info.
---------------------------------------
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
===============================================
S&D Spybot's Tea Timer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- In the File menu click "Exit" to exit Spybot Search & Destroy.
=================
From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
=================
Okay, same as last time: you can try deleting them from normal mode first. This should be them all; just take your time and check duplicate folders for the creation date 2007-11-12.
Locate and delete the following folders, if present:
C:\WINDOWS\system32\s?mbols
C:\WINDOWS\?racle
C:\WINDOWS\?ymantec
C:\WINDOWS\system32\a?sembly
C:\WINDOWS\?racle
C:\WINDOWS\system32\A?pPatch
C:\WINDOWS\system32\?racle
C:\WINDOWS\?icrosoft
C:\WINDOWS\M?crosoft
C:\WINDOWS\system32\?racle
C:\WINDOWS\system32\?icrosoft.NET
C:\WINDOWS\system32\s?mbols
C:\WINDOWS\system32\S?mantec
C:\WINDOWS\s?mbols
C:\WINDOWS\system32\?asks
C:\WINDOWS\M?crosoft
C:\WINDOWS\?dobe
C:\Program Files\W?nSxS
C:\Program Files\Common Files\W?nSxS
============================================
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and carefully copy/paste all the text in the code box below into it:
Code:
File::
C:\Downloads\cUTE ftp\CUTE4032.EXE
Folder::
C:\WINDOWS\system32\_suspicious_files
C:\Program Files\Web Buying
C:\Program Files\GlobalSCAPE
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
Save this as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
====================================
Please empty your Recycle Bin and Spybot's recovery folder.
I see you have been to the BitDefender online scan; please go there again and do another scan.
Go here and do the BitDefender online virus scan.
- Click "I Agree" to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Leave the scanning options at default and press "Click here to scan" to begin the scan.
- Please refrain from using the computer until the scan is finished.
- When the scan is finished, click on "Click here to export the scan results"
- Save the report to your desktop then come back here and post it in your next reply
=================
Please run a scan with HijackThis and save the log.
=================
In your next post, please include fresh logs from:
- ComboFix.txt
- Bitdefender report
- HijackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
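An added example, not part of the original post or of any tool it names: a read-only Python check for the folder list in the post above. It assumes the "?" in each path stands for a single character the forum could not display; the function names are illustrative, and the script only lists candidates by name pattern and the 2007-11-12 creation date without deleting anything.

```python
import fnmatch
import os
from datetime import date, datetime

# Patterns copied from the post; "?" is ASSUMED to stand for one character
# the forum software could not display.
PATTERNS = {
    r"C:\WINDOWS": ["?racle", "?ymantec", "?icrosoft", "M?crosoft", "s?mbols", "?dobe"],
    r"C:\WINDOWS\system32": ["s?mbols", "a?sembly", "A?pPatch", "?racle",
                             "?icrosoft.NET", "S?mantec", "?asks"],
    r"C:\Program Files": ["W?nSxS"],
    r"C:\Program Files\Common Files": ["W?nSxS"],
}
INFECTION_DATE = date(2007, 11, 12)  # creation date given in the post


def classify(name, created, patterns, infection_date=INFECTION_DATE):
    """Return a reason string if a folder deserves a closer look, else None."""
    if not any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns):
        return None
    if not name.isascii():
        return "non-ASCII lookalike character in name"
    if created == infection_date:
        return "matches pattern and was created on the infection date"
    return None  # plain ASCII name with another creation date: likely legitimate


def scan(parent, patterns):
    """List (path, reason) for suspicious subfolders of parent. Read-only."""
    hits = []
    if not os.path.isdir(parent):
        return hits
    for entry in os.scandir(parent):
        if entry.is_dir(follow_symlinks=False):
            # On Windows st_ctime is the creation time.
            created = datetime.fromtimestamp(entry.stat().st_ctime).date()
            reason = classify(entry.name, created, patterns)
            if reason:
                hits.append((entry.path, reason))
    return hits


if __name__ == "__main__":
    for parent, pats in PATTERNS.items():
        for path, reason in scan(parent, pats):
            print(f"{path}: {reason}")
```

Anything it lists still needs to be compared by eye against the real folder of the same name before deletion.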