My computer is infected

Status
Not open for further replies.
AVG = Step 14

Hijackthis = step 15

Can you please run Hijackthis again after AVG has finished and removed anything it finds?

Next reply = AVG log and new Hijackthis log
 
Before I suggest a fix, what country do you live in? Here is why I ask. A certain infection usually links to servers in the Ukraine, Russia, Estonia, Turkey part of the world. This could be normal if you live there. Normally I don't ask, but you also have a Hebrew translation file on there. I am pretty sure it is just the infection, but I wanted to make 100% sure that you didn't live in the region.

195.175.37.71:80 - transparent proxy server, Turkey
 
Information for Blind Dragon

from HERE
"Fresh anonymous proxy list." In addition, did you notice WildTangent??

Anonymous proxy servers help you to hide your IP address and so prevent unauthorized access to your computer from the Internet. An anonymous proxy server between the user and the web site protects the user. Please use anonymous proxies for legal private activity only! Here is our fresh anonymous proxy list:
199.196.63.224:80
202.108.11.77:80
202.108.11.137:80
202.108.11.147:80
195.175.37.71:80
125.90.64.69:80
60.195.248.146:80
69.88.144.162:80
216.163.188.40:80
216.163.188.39:80
125.90.64.72:80
 
Thanks, Tom

Yeah, I already saw that site when I Googled it. I messaged momok to look at this log; there were a few things that I wasn't sure on.
 
Well, I live in Israel, and that file you saw, usually named hebrew.exe or upsidedown.exe, is a program that transforms English into Hebrew in a second if you accidentally type in the wrong language.
What were those IPs you were talking about? Is this the IP that was hacking into my computer? In case you're just wondering about the area, Israel is really close to Turkey, and usually Israel is annexed to Turkey in online games and servers because we're so close.
 
For Blind Dragon
I would fix these HJT entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SpearCast BHO - {93AE98A9-E4F6-4F76-BD98-872FA7D45E51} - (no file)
O3 - Toolbar: Palore - {C44B1312-178E-40A7-8B32-FEC9D6F4A159} - (no file)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

In addition, these are files I would recommend for deletion (from ComboFix):
C:\WINDOWS\unins000.exe
C:\WINDOWS\system32\khclkcs.dat

Remember to flush system restore points when the system is clean.

Regards,
momok
 
@tallb

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\unins000.exe
C:\WINDOWS\system32\khclkcs.dat

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
-------------------------------------------------------------------------------------------------------

After ComboFix has finished running:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SpearCast BHO - {93AE98A9-E4F6-4F76-BD98-872FA7D45E51} - (no file)
O3 - Toolbar: Palore - {C44B1312-178E-40A7-8B32-FEC9D6F4A159} - (no file)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab


Select Fix Checked

Reboot the computer into Normal Mode

and post a fresh Hijackthis log
 
Yes your logs look good.

Run Hijackthis again - Do a System Scan only - put a check beside
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)

Select Fix Checked
--------------------------------------------------------------------------------------------------------
Go to Start -> Run -> type in: combofix /u
*note the space between "combofix" and "/u"
This will uninstall ComboFix and:
*remove vundofix backups
*remove quarantine files
*create a fresh clean restore point

Remove Hijackthis from Start-> control panel -> add/remove programs
Remove the 3 tools from step 10 (SmitFraud, VundoFix, VirtumundoBeGone) by dragging them to the Recycle Bin.

I recommend you keep
1 anti-virus program (AVG, not Anti-Spyware)
1 firewall
Spybot S&D, Ad-Aware 2007, and AVG Anti-Spyware if you want, but the version we downloaded is a 30-day trial

keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer, you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green, though.
 
OK man, thanks a lot for the help. I'll let you guys know if it worked for me :)
But how do I do these last steps?
*remove VundoFix backups
*remove quarantine files
*create a fresh clean restore point
 
Oh mannnnn, it just happened again :(
BCCode : 10000050  BCP1 : E638C864  BCP2 : 00000000  BCP3 : BFA9F7C8
BCP4 : 00000001  OSVer : 5_1_2600  SP : 2_0  Product : 256_1
What do I do?? I was sure I'm finally OK now ;(
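The BCCode line above is the error-report summary of a STOP error, and it can be decoded without opening the minidump. The following is an added example written for this page, not code from any of the posters: it parses those two lines, masks off the 0x10000000 marker that XP error reporting adds to some stop codes (the "_M" variants in bugcodes.h), names the stop code, and applies the documented parameter meanings for 0x50 PAGE_FAULT_IN_NONPAGED_AREA (referenced address, read/write, faulting instruction). The region_hint() ranges are an assumption about the default 32-bit XP address layout, where win32k.sys and the display driver live in session space from 0xBF800000, and are a hint only; the minidump is the authority. The sample text is the poster's two lines, embedded as a constant.

```python
import re

# Stop code names as in Windows bugcodes.h. XP error reporting sometimes reports the
# "_M" variant (0x10000000 added), so the marker bit is masked off before lookup.
STOP_CODE_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
FIELD_RE = re.compile(r"(BCCode|BCP[1-4]|OSVer|SP|Product)\s*:\s*(\S+)")


def parse_bugcheck(report: str) -> dict:
    """Pull the BCCode/BCPn/OSVer/SP fields out of an XP error-report line."""
    fields = dict(FIELD_RE.findall(report))
    raw = int(fields["BCCode"], 16)
    code = raw & 0x0FFFFFFF          # strip the 0x10000000 "_M" marker
    params = [int(fields.get(f"BCP{i}", "0"), 16) for i in range(1, 5)]
    major, minor, build = fields["OSVer"].split("_")   # 5_1_2600 -> NT 5.1 build 2600 (XP)
    sp_major, sp_minor = fields["SP"].split("_")       # 2_0 -> Service Pack 2
    return {
        "raw_code": raw,
        "code": code,
        "name": STOP_CODE_NAMES.get(code, "UNKNOWN"),
        "params": params,
        "os": f"NT {major}.{minor} build {build}, SP {sp_major}.{sp_minor}",
    }


def region_hint(addr: int) -> str:
    """Rough hint for a 32-bit XP box without /3GB (an assumption, not a module lookup)."""
    if addr < 0x80000000:
        return "user space"
    if 0xBF800000 <= addr < 0xC0000000:
        return "session space (win32k.sys / display driver such as nv4_disp.dll on x86 XP)"
    return "kernel space"


def decode_0x50(params: list) -> dict:
    """Parameter meanings for PAGE_FAULT_IN_NONPAGED_AREA (Microsoft bug check reference):
    1 = memory referenced, 2 = 0 read / 1 write / 2 execute, 3 = faulting instruction, 4 = reserved."""
    referenced, access, faulting_ip, _reserved = params
    return {
        "referenced_address": referenced,
        "access": {0: "read", 1: "write", 2: "execute"}.get(access, "unknown"),
        "faulting_instruction": faulting_ip,
        "faulting_region": region_hint(faulting_ip),
    }


def analyze(report: str) -> dict:
    info = parse_bugcheck(report)
    if info["code"] == 0x50:
        info["detail"] = decode_0x50(info["params"])
    return info


# Constructed sample: the two lines the poster pasted into the thread.
SAMPLE = """BCCode : 10000050 BCP1 : E638C864 BCP2 : 00000000 BCP3 : BFA9F7C8
BCP4 : 00000001 OSVer : 5_1_2600 SP : 2_0 Product : 256_1"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(f"STOP 0x{result['code']:08X} {result['name']} on {result['os']}")
    for key, value in result.get("detail", {}).items():
        print(f"  {key}: {value:#010x}" if isinstance(value, int) else f"  {key}: {value}")
```

For this report the decoded result is a read of an invalid address (0xE638C864) by an instruction at 0xBFA9F7C8, which sits in the range where the display driver is mapped; that is consistent with the later "Probably caused by: nv4_disp.dll" reading of the minidumps, but only the dump itself (with symbols) can confirm which module owns that address.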
 
Can you attach the last few minidumps here for us, click the attach icon (looks like paperclip) and navigate to C:\windows\minidump\minidump.dmp
 
I used to have around 70 minidumps, but now, after I ran all the programs, I guess they deleted them, and now I've only got 2 :X
 
Probably caused by : DrvFltIp
Probably caused by : nv4_disp.dll

DrvFltIp
http://www.symantec.com/security_response/writeup.jsp?docid=2007-092009-4412-99&tabid=2
You must remove this spyware.
Please view the above link for files that are likely infected (and requiring removal).

nv4_disp.dll
There are a lot of issues found on the web with this video driver (and a lot of fixes, none of which seems to be the only fix).

Try:

Fully removing your video drivers (even using a driver cleaner)

Then installing the new drivers from:
nVidia
Or from here http://content.guru3d.com/newsitem.php?id=3508
Or from your original install CD

If that doesn't work:
Set your BIOS to 64 MB video (Windows will adjust anyway)



Basically just a video driver issue, made worse by spyware.

Please report back.
 
So on the spyware side, first go to Add/Remove Programs and try uninstalling SpySure.

# Go to Start > Search > All Files or Folders.
# In the "All or part of the file name" section, type in the "SpySure" file name(s).
# To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
# When Windows finishes your search, hover over the "In Folder" entry of "SpySure", highlight the file, and copy/paste the path into the address bar. Save the file's path to your clipboard and paste it here.

I will give better instructions once you get me the path
 
I have changed the driver, but my search result didn't show anything about the virus. What shall I do?
 
OK, try searching for the actual files associated with it, and remember, if you find one of these, I need the paths of where it is installed, for example C:\Windows\spysure

spysureinstallzip[1].exe
syservice.exe
servirsess.exe
servircess.exe
ashcap
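The Windows Search dialog does this one name at a time and is easily confused by hidden or system folders. As an added example for this page (not code from any poster, and not a SpySure removal tool), the following Python walks a set of roots, reports every file matching the names listed above with full path, size, modification time and SHA-256, and compares names case-insensitively with or without an extension, since "ashcap" is listed with no extension. The sample directory tree it scans in demo() is constructed on the fly and is not the poster's machine; on a real box you would pass the drive roots (for example ["C:\\"]) instead.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# File names the post above associates with the infection.
SUSPECT_NAMES = {
    "spysureinstallzip[1].exe",
    "syservice.exe",
    "servirsess.exe",
    "servircess.exe",
    "ashcap",
}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash the file in chunks so large files do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_suspects(roots, names=SUSPECT_NAMES) -> list:
    """Walk each root and record every file whose name matches a suspect name.
    Windows names are case-insensitive, so compare lowercased; a listed name with no
    extension (ashcap) matches any extension via its stem. Unreadable directories are
    skipped rather than aborting the scan."""
    wanted = {n.lower() for n in names}
    stems = {os.path.splitext(n)[0].lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for filename in files:
                lowered = filename.lower()
                if lowered in wanted or os.path.splitext(lowered)[0] in stems:
                    full = os.path.join(dirpath, filename)
                    try:
                        st = os.stat(full)
                        hits.append({
                            "path": full,
                            "size": st.st_size,
                            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                            "sha256": sha256_of(full),
                        })
                    except OSError:
                        hits.append({"path": full, "error": "unreadable"})
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Constructed sample tree (not a real infection) to show the output shape."""
    base = tempfile.mkdtemp()
    for rel, data in [
        (os.path.join("WINDOWS", "spysure", "SyService.exe"), b"MZ-fake-1"),
        (os.path.join("Program Files", "Ash", "ashcap.dll"), b"MZ-fake-2"),
        (os.path.join("WINDOWS", "notepad.exe"), b"MZ-benign"),
    ]:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return base, find_suspects([base])


if __name__ == "__main__":
    _base, results = demo()
    for hit in results:
        print(hit)
```

The hash is what you would hand to the helper (or look up against a reputation service) alongside the path, so the file can be identified even if it has been renamed; a match on name alone says nothing about whether the file is malicious.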
 