Kerespup's problems thread

Status
Not open for further replies.
Hi,

Have HijackThis fix the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Apart from that, your logs are clean.

Delete all files in AVG Antispyware Quarantine folder.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
It can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of kerespup only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
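The O6/O7 entries above are plain registry policy values, so they can also be inspected and cleared without HijackThis. The PowerShell script below is an added example (my own code, not HijackThis's fix routine): it reports restriction values under both HKCU and HKLM and, with the hypothetical -Remove switch, deletes them. It assumes HijackThis's "DisableRegedit" label may correspond to the value name DisableRegistryTools, so both names are checked, and DisableTaskMgr is included as a commonly paired value (assumption).

```powershell
param([switch]$Remove)

# Registry locations HijackThis reports as O7 (Policies\System) and O6
# (Internet Explorer\Control Panel). The HKLM path is added on the assumption
# that malware sometimes sets the policy in both hives.
$checks = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr' }
    @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr' }
    @{ Path  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Names = $null }   # any value under this key is a restriction; list them all
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $key   = Get-Item -LiteralPath $c.Path
    $names = if ($c.Names) { $c.Names } else { $key.GetValueNames() }
    foreach ($n in $names) {
        $v = $key.GetValue($n, $null)
        # Absent or 0 means the restriction is not in force.
        if ($null -eq $v -or $v -eq 0) { continue }
        Write-Output ("{0}\{1} = {2}" -f $c.Path, $n, $v)
        if ($Remove) {
            # Hypothetical -Remove switch: clear the value. The PowerShell
            # registry provider is not subject to DisableRegistryTools, so this
            # works even while regedit.exe itself refuses to start.
            Remove-ItemProperty -LiteralPath $c.Path -Name $n
            Write-Output '  cleared'
        }
    }
}
```

Run it once without -Remove to see what is set, then with -Remove. If HijackThis still lists the O6 entry afterwards, it is flagging the now-empty Control Panel key itself, which can be deleted with Remove-Item. If a value comes back after a reboot or logon, something is still running and re-applying the policy, and the cleaning is not finished.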
 
Internet Problem

I don't know why but all of a sudden my internet is acting goofy.
I'm using firefox. Just a while ago everything was fine.

I can't seem to go to some websites anymore (actually most websites)

wikipedia, gaiaonline, etc. The only sites I can seem to come on is this site and google.

Here are my HiJackThis logs, both in Safe Mode and in Normal Mode.
 
Your HJT log is clean.

Run the CCleaner programme as per step 9 of this thread HERE and see if that helps.

I also suggest you move HJT to the proper location as per this thread HERE.

Regards Howard :)

 
Already did the CCleaner deal.

I'm using Firefox and it seems like it only goes up to the "Looking Up..." part, not at all to the connecting or waiting. It always ends up with the Problem Loading Page.

I've also noticed that when I open the task manager, CPU usage spikes to 100% for some milliseconds. When I look at it again and again, it doesn't spike anymore. But if I close it and then open it again, it spikes to 100% once more for a few milliseconds.

Also, even though I moved HJT, everything in the log is still the same.

I ran my AVG, and this is all they could find and delete:
 
Nothing nasty there.

It's important that you put HJT in the proper location, just for future reference.

Post a Combofix log and I`ll take a look at it.

Regards Howard :)

 
Okay, before I start running Combofix, I ran that Panda Anti-Rootkit.

It found some unknown thing called LOGOOS.EXE

in C:\WINDOWS\system32
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.

Regards Howard :)

 
Okay, attached down below are my ComboFix and Avenger logs.

One thing troubles me though. In the ComboFix log, it says something about files in drive F... but fact of the matter is... I don't have a drive F.
 
You didn't have any kind of USB flash drive attached, did you? Or perhaps a card reader with a card in it?

Let me know, then we'll sort it.

Regards Howard :)
 
For the past few days no.

When I used all those stuff (scanning tools) no flash drives were attached.

The printer is attached through a USB port, though. But there's no drive F in My Computer anywhere.
 
Ok, let`s do the following.

After some research, it looks like your system is infected with a very nasty worm/virus.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the run box and hit the enter key.

Navigate to the following regkeys and delete them.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7f6dc3-d5a0-11db-8417-c9194954320d}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7f6dc7-d5a0-11db-8417-c9194954320d}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{807ba0b0-194f-11dc-85a6-ce54ecde7b70}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab097adb-01b9-11dc-8528-a0ba3cab1f3b}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caf90d20-da0c-11db-842c-893c2c407a10}]

Close regedit.

Search your system for these files and delete them if found.

INFO.exe
tel.xls.exe
sxs.exe

Reboot into normal mode and re-hide your protected OS files.

Post a fresh Combofix log and let me know how your system is running.

Regards Howard :)

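Explorer caches each volume's autorun.inf handlers under HKCU\...\Explorer\MountPoints2\{GUID} (or under a drive-letter entry), which is why a worm's executable from a drive F that no longer exists can keep showing up in logs. The PowerShell script below is an added example, not ComboFix or the procedure above: it enumerates the cached handlers, flags those pointing at executables and those whose drive letter is not currently mounted, and with the hypothetical -Clean switch removes the flagged entries. The handler subkey names (Shell\AutoRun\command, Shell\open\command, Shell\explore\command, _Autorun\DefaultIcon) are my assumption about the key layout; only _Autorun\DefaultIcon appears in the thread. It assumes PowerShell 3 or later for the [pscustomobject] syntax.

```powershell
param([switch]$Clean)

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Subkeys under each volume entry where Explorer caches autorun.inf handlers
# (assumed layout; _Autorun\DefaultIcon is the one reported in the thread).
$handlers = 'Shell\AutoRun\command', 'Shell\open\command', 'Shell\explore\command', '_Autorun\DefaultIcon'

# Drive letters that exist right now, e.g. C, D. A handler for a letter not in
# this list is a leftover from a removable drive that is no longer attached.
$mounted = (Get-PSDrive -PSProvider FileSystem).Name

$findings = foreach ($entry in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
    foreach ($sub in $handlers) {
        $path = Join-Path $base ($entry.PSChildName + '\' + $sub)
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # The (default) value holds the command line or icon path.
        $target = (Get-ItemProperty -LiteralPath $path).'(default)'
        if (-not $target) { continue }
        # Drive letter the cached handler refers to, e.g. F in "F:\USBNB.exe".
        $letter = if ($target -match '(?i)\b([A-Z]):\\') { $Matches[1].ToUpper() } else { $null }
        [pscustomobject]@{
            Key          = $entry.PSChildName
            Handler      = $sub
            Target       = $target
            Executable   = [bool]($target -match '(?i)\.(exe|com|bat|cmd|scr|pif|vbs)\b')
            DriveMissing = [bool]($letter -and ($mounted -notcontains $letter))
        }
    }
}

$findings | Format-Table -AutoSize

if ($Clean) {
    # Hypothetical -Clean switch: drop the whole cached volume entry for anything
    # that points at an executable. Explorer recreates a benign entry the next
    # time a clean volume is inserted, so nothing of value is lost.
    $findings | Where-Object { $_.Executable } | Select-Object -ExpandProperty Key -Unique | ForEach-Object {
        Remove-Item -LiteralPath (Join-Path $base $_) -Recurse -Force
        Write-Output "Removed $base\$_"
    }
}
```

An entry with DriveMissing set and an executable target is exactly the "F:\USBNB.exe with no drive F" situation in this thread: the handler was cached when an infected stick was inserted, and it stays in HKCU until deleted. Clearing MountPoints2 only removes the cached reference; the executable on the stick itself still has to be dealt with when that stick is next plugged in, preferably with autorun disabled.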
 
Okay, here's the latest ComboFix one.

Also, when I checked the Registry editor.

In the MountPoints2 part... in the F part... it seems to have an _Autorun under it, and
under _Autorun is DefaultIcon, which has some sort of file related to F:\USBNB.exe

I also noticed that this started when I saw my "Connect To The Internet"'s icon saying that it has no firewall, but when I check the firewall, it's actually on. (It's showing that red X)

Also, I was unable to find those files (not even 1 of those 3 files)
 
Your Combofix log is now clean.

Download this TOOL. Extract it and run the Noob_kill.

The USBNB.exe file appears to be legit, but why it's running from there I don't know. Kill it.

Regards Howard :)

 
"The USBNB.exe file appears to be legit, but why it's running from there I don't know. Kill it."

How do I do that? There's no drive F.
 
Bah, it's so hard to download since the pages won't load either. I can only download stuff from this site.
 
That's very odd, since your system looks clean. I'm afraid I don't know what's causing your problem.

I suggest you start a new thread in our Storage and Networking forum.

Regards Howard :)

 
That's definitely a good idea. It certainly can't do any harm.

1.) Download WinsockFix.zip. (by: Option^Explicit)
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.

Regards Howard :)

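A browser that stalls at "Looking Up..." is failing at name resolution, before any TCP connection is attempted, which is the layer WinsockFix and LSP-Fix repair. The PowerShell script below is an added example, not WinsockFix or LSP-Fix: it resolves a few sample hostnames (hypothetical targets, passed as -Hosts), lists the DNS servers each adapter uses, parses `netsh winsock show catalog` to find every provider DLL and flags any that is missing or not Microsoft-signed, and with the hypothetical -Reset switch runs `netsh winsock reset`, the built-in equivalent of the Fix button on XP SP2 and later.

```powershell
param(
    [string[]]$Hosts = @('www.wikipedia.org', 'www.google.com'),   # hypothetical sample targets
    [switch]$Reset
)

# Stage 1: the lookup itself. Firefox's "Looking Up..." is this step, so a
# failure here points at DNS/Winsock on the local machine, not the remote site.
foreach ($h in $Hosts) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        Write-Output ("{0,-22} -> {1}" -f $h, ($ips -join ', '))
    } catch {
        Write-Output ("{0,-22} -> LOOKUP FAILED: {1}" -f $h, $_.Exception.Message)
    }
}

# Stage 2: which resolvers the stack is configured to use. A hijacked DNS
# setting (an unfamiliar address here) would explain selective site failures.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Write-Output ("{0}: DNS = {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
}

# Stage 3: the Winsock catalog. Each provider entry names a DLL; a layered
# provider whose file is gone, or which is not Microsoft-signed, is what
# breaks name resolution and what WinsockFix/LSP-Fix strip out.
$dlls = foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+)$') {
        [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
    }
}
foreach ($dll in ($dlls | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $dll) {
        $subject = (Get-AuthenticodeSignature -FilePath $dll).SignerCertificate.Subject
        $note = if ($subject -match 'Microsoft') { 'Microsoft-signed' } else { 'NOT Microsoft-signed <-- check' }
    } else {
        $note = 'FILE MISSING <-- broken entry'
    }
    Write-Output ("{0}  [{1}]" -f $dll, $note)
}

if ($Reset) {
    # Hypothetical -Reset switch: rebuild the catalog from defaults, then reboot.
    netsh winsock reset
    Write-Output 'Winsock catalog reset; reboot to apply.'
}
```

The signature check is a prompt to look, not a verdict: on some Windows builds system DLLs are catalog-signed rather than carrying an embedded signature, so a genuine mswsock.dll can show as "NOT Microsoft-signed". A provider DLL that is absent from disk, by contrast, is a broken chain and a reliable explanation for lookups that fail outright or only succeed after several retries.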
 
Awww... it's not working. Still getting those "Problem Loading Page".

I'm going to try the Ctrl+R technique that my 13 year old sister is doing.

How about LSP fix?

Okay, I attached a new hjt log and a screenshot of an error that appeared.

Also, I noticed that when I tried opening an image in My Documents with Firefox/IE, some weird "Cannot be found" thing appeared, but when I cancelled it, it appeared in the browser anyway.

It seems like it only happens on the first try... When I put a URL in the address bar up there and press Enter, it won't load. But if I keep on reloading it, it will eventually load. (Nothing -> Just Text -> With Images -> Fully Loaded). Usually on the 4th to 5th try.
 
Your HJT log is clean.

That error message pic looks more like a Windows problem than anything else.

Try doing a Windows repair as per this thread HERE and see if it helps.

If it doesn`t, you really need to open a new thread in the appropriate forum.

Regards Howard :)

 
Well, that error hasn't been appearing anymore.

But when I do a ComboFix scan, this error appears: sed.cfexe.
 