system security


system security

Post by jfpoolman1234 on 30th June 2009, 10:28 pm

Please help, I've been reading other posts and no luck so far. I can't download or run anything. Any ideas?

jfpoolman1234 (Novice)
Posts: 14 | Joined: 2009-06-30 | OS: windows xp | Points: 27206 | Likes: 0

Re: system security

Post by Origin on 30th June 2009, 10:29 pm

See if you can download IceSword:

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Then look in the left hand bottom of the program and press "Registry"
  4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  5. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  6. Now look in the right side pane for two run values that are just random numbers.
  7. Once you have found the value(s), right click it and press "Delete"
  8. Okay the prompt and close IceSword.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin (Master)
Posts: 2685 | Joined: 2009-05-05 | Gender: Male | OS: Windows Xp Sp3 | Points: 31513 | Likes: 0

download ice sword

Post by jfpoolman1234 on 30th June 2009, 10:32 pm

When I click on the provided link I get a page that says forbidden.


Re: system security

Post by Origin on 30th June 2009, 10:34 pm

I see, what about this:

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.




Re: system security

Post by jfpoolman1234 on 30th June 2009, 11:27 pm

System Security won't let me pull up my clipboard to paste results.


Re: system security

Post by jfpoolman1234 on 30th June 2009, 11:29 pm

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-30 18:30:22
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1164] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Re: system security

Post by Origin on 30th June 2009, 11:33 pm

GMER shows no sign of a rootkit, hmm, please do the following:


1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



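The triage Origin did by eye on the GMER log above (every hook lands in IEFRAME.dll, a Microsoft module, inside Internet Explorer's own process), written out as an added Python example that is not from this thread or from GMER: it parses the "User code sections" lines into process, hooked export and jump target, and flags hooks whose target is not inside any named module, sits under a user profile directory, or has a digits-only module name, while hooks landing in a module that reports a Microsoft vendor string are marked likely benign. The two suspicious lines in the sample are constructed, and the vendor-string rule is an assumption: GMER prints the file's version-resource string, which is not a signature check, so the verdict is a triage hint for a human reviewer, not proof.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the first two hook lines are copied from the GMER log
# posted in this thread (benign, IE hooking its own process through IEFRAME.dll);
# the last two are CONSTRUCTED to imitate hooks planted by user-mode malware.
SAMPLE_LOG = r"""
GMER 1.0.15.14972
Rootkit scan 2009-06-30 18:30:22
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[712] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[1480] USER32.dll!MessageBoxW 7E4507EA 5 Bytes JMP 00B21F3C
.text C:\WINDOWS\system32\svchost.exe[1032] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A3100A C:\Documents and Settings\Jeremy\Application Data\37284915\37284915.dll

---- EOF - GMER 1.0.15 ----
"""

# One "User code sections" line: section, process[pid], module!export, address,
# patch size, JMP/CALL, target address, then (optionally) the target module and
# the vendor string GMER prints in parentheses.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)(?P<rest>.*)$"
)

# Path fragments that should not host a module receiving hooks from system DLLs.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\users\\")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    function: str
    address: int
    size: int
    kind: str
    target: int
    target_module: Optional[str]  # None when GMER found no module at the target
    vendor: Optional[str]         # version-resource string, None when absent


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one 'User code sections' line; return None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    target_module = vendor = None
    if rest:
        if rest.endswith(")") and " (" in rest:
            target_module, _, vendor = rest[:-1].rpartition(" (")
        else:
            target_module = rest
    return Hook(
        process=m.group("process"), pid=int(m.group("pid")),
        module=m.group("module"), function=m.group("function"),
        address=int(m.group("address"), 16), size=int(m.group("size")),
        kind=m.group("kind"), target=int(m.group("target"), 16),
        target_module=target_module, vendor=vendor,
    )


def classify(hook: Hook) -> str:
    """Heuristic verdict for one hook, from the log line alone."""
    if hook.target_module is None:
        return "suspicious: target is not inside any named module"
    path = hook.target_module.lower()
    name = path.rsplit("\\", 1)[-1]
    if any(marker in path for marker in USER_WRITABLE):
        return "suspicious: target module lives in a user-writable location"
    if name.rsplit(".", 1)[0].isdigit():
        return "suspicious: target module name is digits only"
    if hook.vendor and "microsoft" in hook.vendor.lower():
        return "likely benign: target is a Microsoft module (version string, not a signature check)"
    return "review: target module carries no vendor information"


def triage(log_text: str) -> Dict[str, object]:
    """Classify every hook line in a GMER log and count the suspicious ones."""
    hooks: List[Tuple[Hook, str]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.startswith("."):       # headers, separators, blank lines
            continue
        hook = parse_hook(line)
        if hook is None:
            unparsed += 1
            continue
        hooks.append((hook, classify(hook)))
    return {
        "hooks": len(hooks),
        "suspicious": sum(1 for _, v in hooks if v.startswith("suspicious")),
        "unparsed": unparsed,
        "findings": hooks,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hook, verdict in result["findings"]:
        print(f"{hook.process}[{hook.pid}] {hook.module}!{hook.function} -> "
              f"{hook.target_module or hex(hook.target)}: {verdict}")
    print(f"{result['hooks']} hooks, {result['suspicious']} suspicious, {result['unparsed']} unparsed")
```

Run as a script it prints one verdict per hook and a summary line; to use it on a real log, pass the file's contents to triage() instead of SAMPLE_LOG. Lines GMER writes in other shapes (inline patches without a JMP target, for example) are counted as unparsed rather than silently dropped, so the summary tells you how much of the log the parser actually covered.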

Re: system security

Post by jfpoolman1234 on 30th June 2009, 11:40 pm

It won't let me download; it says the file cannot be executed because it is infected.


Re: system security

Post by Belahzur on 30th June 2009, 11:41 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245101 | Likes: 1

Re: system security

Post by jfpoolman1234 on 30th June 2009, 11:43 pm

I've downloaded it and renamed it and it won't let me execute it because it says it's infected.


Re: system security

Post by Belahzur on 30th June 2009, 11:46 pm

Can you do the following in Safe Mode with Networking, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.





Re: system security

Post by jfpoolman1234 on 30th June 2009, 11:49 pm

Trying to download DDS and System Security says it's infected and sends me to a blank page. I am unable to get into safe mode. It tells me I may have a problem with my keyboard; I've tried tapping the F8 button as well as just holding it. And unable to download HijackThis as well.


Re: system security

Post by Belahzur on 30th June 2009, 11:55 pm

Hello.
Let's try this manually, then use a more aggressive tool.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now navigate to this folder in bold:

C:\Documents and settings\USERNAME\Application Data

Inside there, there is a bunch of needed system software folders, and two malicious folders that are just numbers, and inside these numbered folders, is an .exe file that is also just numbers.

I need you to note down each folder name (the numbers) and your profile name exactly as seen, otherwise this might not work correctly.




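Belahzur's manual check above and Origin's earlier IceSword step look for the same tell: Run values, folders and executables whose names are nothing but digits. As an added Python example (not from this thread or from any of the tools it names), here is that check as a script. The audit functions are pure and are run on constructed sample data that includes the 11866714.exe the poster found under All Users; on Windows the collectors at the bottom read the HKLM and HKCU Run keys through the standard winreg module and walk the Application Data folder given on the command line (or %APPDATA% by default). The MIN_DIGITS threshold and the 37284915 folder in the sample are assumptions.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

MIN_DIGITS = 4  # assumption: shorter all-digit names ("1.0", "8") are usually version folders

# Constructed sample data. The 11866714 entries mirror what the poster found
# (C:\Documents and settings\All Users\Application Data\11866714.exe); the
# 37284915 folder and its .exe are CONSTRUCTED to show the numbered-folder case.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "HKLM\\ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "HKLM\\11866714": r'"C:\Documents and Settings\All Users\Application Data\11866714.exe"',
    "HKCU\\Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
}
# (path relative to the profile's Application Data folder, is_directory)
SAMPLE_APPDATA: List[Tuple[str, bool]] = [
    ("Adobe", True),
    ("Mozilla", True),
    ("desktop.ini", False),
    ("11866714.exe", False),
    ("37284915", True),
    ("37284915\\37284915.exe", False),
]


def is_numeric_name(name: str) -> bool:
    """True for names that are digits only, ignoring a file extension."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return stem.isdigit() and len(stem) >= MIN_DIGITS


def exe_basename(command: str) -> str:
    """Pull the executable's file name out of a Run value's command line."""
    m = re.search(r'[^"]*?\.exe\b', command, re.IGNORECASE)
    path = m.group(0) if m else command.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Run entries whose value name or executable name is digits only."""
    return [(name, cmd) for name, cmd in values.items()
            if is_numeric_name(name.rsplit("\\", 1)[-1]) or is_numeric_name(exe_basename(cmd))]


def audit_appdata(entries: Iterable[Tuple[str, bool]]) -> List[str]:
    """Flag digits-only folders and digits-only .exe files in a directory listing."""
    flagged = []
    for rel_path, is_dir in entries:
        leaf = rel_path.replace("/", "\\").rsplit("\\", 1)[-1]
        if is_dir and is_numeric_name(leaf):
            flagged.append(rel_path)
        elif not is_dir and leaf.lower().endswith(".exe") and is_numeric_name(leaf):
            flagged.append(rel_path)
    return flagged


def collect_run_values() -> Dict[str, str]:
    """Windows only: read the HKLM and HKCU Run keys (the key the IceSword step inspects)."""
    import winreg  # standard library, present only on Windows
    values: Dict[str, str] = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[f"{label}\\{name}"] = str(data)
                index += 1
    return values


def collect_appdata_paths(root: str) -> List[Tuple[str, bool]]:
    """Walk an Application Data folder into (relative path, is_dir) pairs."""
    entries: List[Tuple[str, bool]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        prefix = "" if rel == "." else rel + "\\"
        entries.extend((prefix + d, True) for d in dirnames)
        entries.extend((prefix + f, False) for f in filenames)
    return entries


def report(run_values: Dict[str, str], appdata: Iterable[Tuple[str, bool]]) -> None:
    for name, cmd in audit_run_values(run_values):
        print(f"Run entry with digits-only name or target: {name} = {cmd}")
    for path in audit_appdata(appdata):
        print(f"Digits-only item in Application Data: {path}")


if __name__ == "__main__":
    import sys
    if os.name == "nt":
        root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
        report(collect_run_values(), collect_appdata_paths(root))
    else:  # elsewhere, run the checks over the constructed sample
        report(SAMPLE_RUN_VALUES, SAMPLE_APPDATA)
```

The script only reports; it deletes nothing, so the output is a list to review (and to hand to a helper such as the ones in this thread) rather than an action. Because it works from a directory listing, it also catches the case the poster hit, where the numbered .exe sat directly in the All Users Application Data folder rather than inside a numbered subfolder.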

Re: system security

Post by jfpoolman1234 on 1st July 2009, 12:06 am

OK, did as you instructed and there are no folders with numbers, but here is a list of what is there: adobe, divx, identities, limewire, mozilla, uniblue, winrar, adaware alert, funwebproducts, microsoft, macromedia, sun, utorrent, desktop.ini


Re: system security

Post by jfpoolman1234 on 1st July 2009, 12:17 am

11866714.exe is the only one I found under All Users. Profile name for this site is jfpoolman1234.


Re: system security

Post by jfpoolman1234 on 1st July 2009, 12:18 am

On the computer the profile name is Jeremy.


Re: system security

Post by jfpoolman1234 on 1st July 2009, 12:32 am

Sorry, I'm an idiot, are you still there? I found the file, it is 11866714.exe, what do I do next?


Re: system security

Post by Belahzur on 1st July 2009, 2:23 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


    Files to delete:
    C:\Documents and settings\All Users\Application Data\11866714.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.




