infected with jejobadi and others


This topic is locked
11 replies to this topic

#1 krallrl (Members, 5 posts)

Posted 26 January 2010 - 08:43 PM

This computer runs certain software fine, but will not open sites in Firefox, and blocks a lot of sites in IE, especially sites like bleepingcomputer, or Combofix, or other malware removal sites. When booted up, it sometimes does not boot at all, requiring a hard shut down and restart. Whenever it does boot, four popup boxes appear saying the following files can't be located: jejobadi.dll, datoraha.dll, evofiley.dll and duyivove.dll. From time to time, randomly throughout the day, IE opens up on its own.

Here is the DDS.txt log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Front Desk at 18:23:12.78 on Tue 01/26/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.195 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Front Desk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://retail.btol.com/
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {40ba5ab5-65a1-48c6-83c6-3d96c1c02948} - c:\windows\system32\dadatefe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UPSMON] c:\program files\upsmon\UPSMON.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PhilipsDM] "c:\program files\philips\philips device manager\bin\DeviceManager.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Mcejicakih] rundll32.exe "c:\windows\evofiley.dll",e
mRun: [CPM6b9df0e1] Rundll32.exe "c:\windows\system32\jejobadi.dll",a
mRun: [68aec37d] rundll32.exe "c:\windows\system32\duyivove.dll",b
mRun: [ketirimumo] Rundll32.exe "c:\windows\system32\datoraha.dll",s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {ED85756B-5343-45B6-8ED3-C7941A9F0221} = 208.67.220.220,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\windows\system32\jejobadi.dll,c:\windows\system32\puvitihi.dll,yumuyofu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jejobadi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jejobadi.dll
LSA: Notification Packages = scecli sacbew.dll c:\windows\system32\puvitihi.dll nezogeju.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\frontd~1\applic~1\mozilla\firefox\profiles\pr8bjwnd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://retail.btol.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: XUL Cache: {597DC426-6A82-4929-A70C-D4198AC755CA} - c:\documents and settings\front desk\local settings\application data\{597DC426-6A82-4929-A70C-D4198AC755CA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-30 77312]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R2 SPSniff;SPSniff;c:\program files\eltima software\serial port monitor ax demo\SPSniff.sys [2008-8-5 19328]
S1 92L6v;92L6v;c:\windows\system32\drivers\92L6v.sys [2010-1-20 72192]
S1 iexplore.exe;iexplore.exe;\??\c:\windows\system32\drivers\harddiskvolume1\program files\internet explorer\iexplore.exe.sys --> c:\windows\system32\drivers\harddiskvolume1\program files\internet explorer\iexplore.exe.sys [?]
S3 647FAN9;647FAN9;c:\windows\system32\drivers\647FAN9.sys [2010-1-16 72192]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-22 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-22 30104]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 PortEmulator;Port Emulator (Star);c:\program files\starmicronics\tsp100\software\20061130\portemu.exe [2006-11-28 98304]

=============== Created Last 30 ================

2010-01-26 14:53:42 0 d-----w- c:\windows\system32\XPSViewer
2010-01-26 14:53:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-26 14:53:08 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-26 14:53:07 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-26 14:53:07 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-26 14:53:07 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-26 14:53:07 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-26 14:53:07 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-26 14:53:07 0 d-----w- C:\608d22442c4bb6d3bf
2010-01-26 02:54:38 35328 ---ha-w- c:\windows\system32\cacletup.dll
2010-01-26 02:18:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-26 02:16:23 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-01-26 02:16:23 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-01-26 02:16:10 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-26 02:16:03 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-01-26 02:15:07 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-26 02:04:26 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-01-26 02:02:22 0 d-----w- c:\windows\ERUNT
2010-01-26 01:55:20 0 d-----w- C:\SDFix
2010-01-22 15:28:38 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-22 15:28:38 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-22 15:16:24 0 d-----w- C:\AVGTemp
2010-01-20 17:54:13 72192 ----a-w- c:\windows\system32\drivers\92L6v.sys
2010-01-20 17:54:13 27136 ---ha-w- c:\documents and settings\front desk\a.exe
2010-01-18 18:08:52 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-17 01:51:11 72192 ----a-w- c:\windows\system32\drivers\647FAN9.sys
2010-01-16 20:51:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 20:51:35 552 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-02-08 14:25:32 0 --sha-w- c:\windows\system32\bekoduya.dll
2009-02-05 02:23:00 0 --sha-w- c:\windows\system32\botireyo.dll
2009-05-09 14:26:02 3505 --sha-w- c:\windows\system32\defarewo.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\fofufenu.dll
2009-05-05 14:23:32 3505 --sha-w- c:\windows\system32\genapawa.dll
2009-02-07 14:24:37 0 --sha-w- c:\windows\system32\gugaduwu.dll
2009-02-06 02:23:38 0 --sha-w- c:\windows\system32\herebusa.dll
2009-02-09 14:25:54 0 --sha-w- c:\windows\system32\hiwumeku.dll
2009-05-04 14:23:20 3505 --sha-w- c:\windows\system32\jeharaya.dll
2009-02-08 02:25:05 0 --sha-w- c:\windows\system32\kipilopa.dll
2009-02-07 02:24:08 0 --sha-w- c:\windows\system32\kokemabo.dll
2009-02-05 14:23:14 0 --sha-w- c:\windows\system32\loberifa.dll
2009-05-05 02:23:12 3505 --sha-w- c:\windows\system32\mehirasi.dll
2009-05-10 02:26:18 3505 --sha-w- c:\windows\system32\mirikiri.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\nezogeju.dll
2009-05-08 14:25:38 3505 --sha-w- c:\windows\system32\pehuraba.dll
2009-05-07 14:24:58 3505 --sha-w- c:\windows\system32\pewosiwi.dll
2009-05-07 02:24:28 6425 --sha-w- c:\windows\system32\pijelodo.dll
2009-02-04 14:22:47 0 --sha-w- c:\windows\system32\tomavita.dll
2009-02-09 02:25:43 0 --sha-w- c:\windows\system32\toponaku.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\yumuyofu.dll
2009-02-10 02:26:05 0 --sha-w- c:\windows\system32\zawibavu.dll

============= FINISH: 18:24:15.65 ===============

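The persistence entries in the DDS log above (rundll32 Run keys with one-letter exports, AppInit_DLLs, SSODL, SharedTaskScheduler and LSA Notification Packages all pointing at eight-letter DLLs) are what a responder would pull out first. The script below is an added example, not code from the original post or from the DDS tool: it reads lines copied from the log above and lists every DLL started from one of those autostart locations, with the reason. The load-point list, the assumed baseline for LSA Notification Packages (scecli) and the random-name heuristic are this example's own assumptions.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for DLL persistence.

Added example: not code from the original post or from the DDS tool.  It reads
lines copied from the DDS log above and lists every DLL that is started from an
autostart location without user action.  The load-point list, the assumed
baseline for LSA Notification Packages and the random-name heuristic are this
example's own assumptions, not something DDS reports.
"""
import re
from collections import defaultdict

# Lines copied from the DDS log above.  The Java Run entry and the named Adobe
# BHO are legitimate and must not be flagged.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Mcejicakih] rundll32.exe "c:\windows\evofiley.dll",e
mRun: [CPM6b9df0e1] Rundll32.exe "c:\windows\system32\jejobadi.dll",a
mRun: [68aec37d] rundll32.exe "c:\windows\system32\duyivove.dll",b
mRun: [ketirimumo] Rundll32.exe "c:\windows\system32\datoraha.dll",s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {40ba5ab5-65a1-48c6-83c6-3d96c1c02948} - c:\windows\system32\dadatefe.dll
AppInit_DLLs: c:\windows\system32\jejobadi.dll,c:\windows\system32\puvitihi.dll,yumuyofu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jejobadi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jejobadi.dll
LSA: Notification Packages = scecli sacbew.dll c:\windows\system32\puvitihi.dll nezogeju.dll
"""

# Run-key entry that hands a DLL to rundll32 with a one- or two-character export name.
RUNDLL_RE = re.compile(r'^[um]Run: \[[^\]]*\] rundll32\.exe\s+"([^"]+\.dll)",(\S{0,2})$', re.I)
# Browser Helper Object that has no display name, only a CLSID and a path.
NAMELESS_BHO_RE = re.compile(r'^BHO: \{[0-9a-f-]{36}\} - (\S+\.dll)$', re.I)
# Locations that inject a DLL into every GUI process (AppInit_DLLs), into Explorer
# (SSODL, STS) or into lsass (LSA Notification Packages) without any user action.
LOADPOINT_RE = re.compile(r'^(AppInit_DLLs|SSODL|STS|LSA): (.*)$')
# Modules Windows XP registers itself in these locations (assumed baseline).
BASELINE = {"scecli"}


def stem_of(path):
    """'c:\\windows\\system32\\jejobadi.dll' -> 'jejobadi'"""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def looks_random(stem):
    """Eight lowercase letters with 3-5 vowels, like jejobadi or datoraha (heuristic only)."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and 3 <= sum(c in "aeiou" for c in stem) <= 5


def triage(log_text):
    """Return {dll_stem: sorted reasons} for every DLL worth pulling off the machine for analysis."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = RUNDLL_RE.match(line)
        if m:
            hits[stem_of(m.group(1))].add("Run key via rundll32, export '%s'" % m.group(2))
            continue
        m = NAMELESS_BHO_RE.match(line)
        if m:
            hits[stem_of(m.group(1))].add("BHO with no name")
            continue
        m = LOADPOINT_RE.match(line)
        if m:
            where, value = m.groups()
            # AppInit_DLLs is comma separated; LSA is space separated after '=' and
            # lists some modules without an extension; SSODL/STS end with the path.
            for tok in value.split("=", 1)[-1].replace(",", " ").split():
                if where == "LSA" or tok.lower().endswith(".dll"):
                    stem = stem_of(tok)
                    if stem not in BASELINE:
                        hits[stem].add("load point " + where)
    for stem in list(hits):
        if looks_random(stem):
            hits[stem].add("random-looking name")
    return {stem: sorted(reasons) for stem, reasons in hits.items()}


if __name__ == "__main__":
    for stem, reasons in sorted(triage(SAMPLE_LOG).items()):
        print("%s.dll: %s" % (stem, "; ".join(reasons)))
```

Run against the copied lines it reports nine DLLs and leaves jusched.exe and AcroIEHelper.dll alone; jejobadi.dll shows up from four separate load points, which is why the poster saw the "file cannot be found" boxes at every logon once the files were partly removed. The name heuristic is deliberately a secondary signal: the load point is what makes an entry suspicious, the name only raises its priority.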

#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 26 January 2010 - 09:09 PM


Hello krallrl,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 krallrl (Topic Starter)

Posted 26 January 2010 - 09:25 PM

Thank you, fireman4it. Please be patient with me ... this computer is used in a business and I will only be able to work on it early in the morning and in the evening.

#4 fireman4it (Malware Response Team)

Posted 26 January 2010 - 09:34 PM

Hello,
I would not use this machine until it is clean. Doing so could infect others and cause reinfection during the cleaning.



#5 fireman4it (Malware Response Team)

Posted 26 January 2010 - 11:36 PM

Hello krallrl,

Make sure you do the following in order without a reboot.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Download Combofix from any of the links below. You must rename it 1234.scr before saving it. Save it to your desktop.

Link 1
Link 2

Double click on 1234.scr & follow the prompts.
When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

4.
We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Things to include in your next reply:
Combofix.txt
RootRepeal log.
How is your machine running now?



#6 krallrl (Topic Starter)

Posted 28 January 2010 - 10:51 AM

Thank you very much for the information and instructions. I have to decide today whether to try to kill the infection or reformat the drive and reinstall the operating system. I will let you know tomorrow which I am going to do.

Ron

#7 fireman4it (Malware Response Team)

Posted 28 January 2010 - 07:20 PM

Hello,
I will wait for your response. If you decide to continue cleaning, do the steps above.



#8 fireman4it (Malware Response Team)

Posted 29 January 2010 - 11:32 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it



#9 krallrl (Topic Starter)

Posted 30 January 2010 - 06:28 PM

I've decided it's better to do a complete reformat and reinstall of Windows. I will be doing that tonight or tomorrow night. I will close this case once I've completed that and am sure I don't want to try to remove the infection.

Thank you.

#10 fireman4it (Malware Response Team)

Posted 31 January 2010 - 05:25 PM

Hello,
Just a few things to help keep you clean and to make sure you don't back up any bad files.

1.
You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions . Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.

Note:
Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

2.
For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:
  • So How did I get infected?
  • Microsoft - 'Security at home'
  • Miekies' prevention suggestions
  • I recommend you regularly visit the Windows Update Site; you were lagging behind on a few of them!
    • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
    • By updating your machine, you have one less headache!
    • Update ALL Critical updates and any other Windows updates for services/programs that you use.
    • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
    • Note that it will download them for you, but you still have to actually click install.
    • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
    • It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.
    • Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
      1. Double-click the Downloaded installer and install the tool to a location of your choice
      2. Via the Startmenu, navigate to HostsMan and run the program.
      3. Click "Hosts" in the menu
      4. Click "Manage Updates" in the submenu
      5. Out of the three, select at least one (I have MVPS Host as my main one)
      6. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

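The backup rules in the post above (refuse the listed extensions, look at the full file name rather than the one Explorer shows, and don't carry archives that hold executables) are easy to apply by hand on a few files and easy to get wrong on a whole Documents folder. The script below is an added example, not code from the original post: it builds a constructed sample tree in a temporary directory and decides file by file what may be copied. The post's extension list is used as given; the set of member types that count as "an executable inside" a .zip, the decision to open .zip files rather than refuse every archive outright, and the extra check for an executable extension buried in the middle of a name are this example's own assumptions.

```python
"""Select files for a data-only backup following the rules in the post above.

Added example, not code from the original post.  It builds a constructed
Documents-style tree in a temporary directory and decides file by file what may
be copied: the extensions the post lists are refused, .zip archives are opened
and refused if any member looks executable, and a name that carries an
executable extension in the middle (invoice.exe.pdf) is refused as well.  The
list of "executable" member types and the choice to inspect .zip rather than
refuse every archive are this example's assumptions.
"""
import os
import shutil
import tempfile
import zipfile

# Extensions the post says never to back up (archives are handled separately).
NEVER = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
ARCHIVES = {".zip", ".rar", ".cab"}
# What counts as an executable inside an archive or hidden in a name (assumption).
EXECUTABLE = {".exe", ".scr", ".dll", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def extensions(name):
    """Every extension of a name in order: 'photo.jpg.exe' -> ['.jpg', '.exe'].
    The last one is what Windows runs, even when Explorer hides it."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def zip_is_clean(path):
    """False if the archive is unreadable or any member has an executable extension."""
    try:
        with zipfile.ZipFile(path) as zf:
            return not any(set(extensions(os.path.basename(m))) & EXECUTABLE
                           for m in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(path):
    """Return ('copy' or 'skip', reason) for one file."""
    ext = extensions(os.path.basename(path))
    if not ext:
        return "copy", "no extension"
    if ext[-1] in NEVER:
        return "skip", "blocked type " + ext[-1]
    if ext[-1] in ARCHIVES:
        if ext[-1] == ".zip" and zip_is_clean(path):
            return "copy", "zip with no executables inside"
        return "skip", "archive refused (%s)" % ext[-1]
    if any(e in EXECUTABLE for e in ext[:-1]):
        return "skip", "executable extension inside the name"
    return "copy", "data file"


def select_for_backup(root):
    """Walk root and return (to_copy, skipped), each a sorted list of (relative path, reason)."""
    to_copy, skipped = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            decision, why = classify(full)
            (to_copy if decision == "copy" else skipped).append((rel, why))
    return sorted(to_copy), sorted(skipped)


def build_sample_tree():
    """Constructed sample folder (not real data from the infected machine)."""
    root = tempfile.mkdtemp(prefix="backup-demo-")

    def put(rel, data=b"x"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("letters/invoice.doc")
    put("letters/invoice.exe.pdf")          # executable extension buried in the name
    put("photos/holiday.jpg")
    put("photos/holiday.jpg.scr")           # screensaver posing as a picture
    put("downloads/a.exe")                  # compare a.exe in the DDS log above
    put("downloads/readme")                 # no extension at all
    put("web/index.html")
    put("archives/broken.zip", b"not a zip")
    with zipfile.ZipFile(os.path.join(root, "archives/photos.zip"), "w") as zf:
        zf.writestr("pic1.jpg", b"jpg bytes")
    with zipfile.ZipFile(os.path.join(root, "archives/tools.zip"), "w") as zf:
        zf.writestr("tool/run.exe", b"MZ")
    return root


def run_demo():
    """Build the sample tree, classify it, clean up, and return the two lists."""
    root = build_sample_tree()
    try:
        return select_for_backup(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    to_copy, skipped = run_demo()
    for rel, why in to_copy:
        print("copy  %-28s %s" % (rel, why))
    for rel, why in skipped:
        print("skip  %-28s %s" % (rel, why))
```

On the constructed tree four files are copied and six are refused, including holiday.jpg.scr, which Explorer would display as "holiday.jpg" with extensions hidden, and a zip that is not actually a zip (an unreadable archive is treated as unsafe rather than assumed clean). Whatever does get copied should still be scanned on the clean machine before it is restored, as the post says.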


#11 krallrl (Topic Starter)

Posted 31 January 2010 - 11:16 PM

I have successfully reformatted the drive and reinstalled Windows and the software I needed.

Thank you for offering your help.

I am quite impressed by the professionalism of all of you.


#12 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 February 2010 - 11:37 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



