Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92370 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Security Tool


  • This topic is locked This topic is locked
57 replies to this topic

#16 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 05:03 PM

Yes I dragged it into Inherit, still no joy. Trying it in normal mode now, it still won't let me open it- Security Tool still stopping it. It says "Combo.com.exe is infected with a worm"

    Advertisements

Register to Remove


#17 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 05:08 PM

Hi,

Please do the following:

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"69947237"=-
"a0655570"=-
"yomutujav"=-

:Files
c:\programdata\69947237\69947237.exe
c:\programdata\bebojori\bebojori.dll
c:\progra~2\jojejure\jojejure.dll
c:\programdata\yibuleko
c:\programdata\jojejure
c:\programdata\zedokupa
c:\programdata\yowajaka
c:\programdata\69947237
c:\programdata\zuhoboku
c:\programdata\metuyuli
c:\programdata\jehiyile
c:\programdata\bebojori
c:\programdata\pojevejo
c:\programdata\gehazoze
c:\programdata\dakabedu
c:\programdata\holusiti
c:\programdata\figimeje
c:\programdata\wonutego
c:\programdata\hawupula
c:\programdata\wufajeda
c:\programdata\sakiweto
c:\programdata\kepuzuli
c:\programdata\jahasuri

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#18 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 05:10 PM

Downloaded OTM. Again, it won't work in normal mode (Security Tool is stopping it from opening) So I'll try it in Safe Mode and get back to you.

#19 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 05:12 PM

Hi,

If it wont work in safe mode:

Look for the following file:

Drag it to your desktop (don't delete it) then see if OTM and ComboFix will run:

c:\programdata\69947237\69947237.exe


you may need to show hidden files and folders to find it:

  • Close all programs so that you are at your desktop.
  • Open the Control Panel menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and exit My Computer.
  • Now your computer is configured to show all hidden files.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#20 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 05:27 PM

Hi I managed to run OTM in safe mode and navigated to the log file; it comes back with this: All processes killed ========== PROCESSES ========== No active process named explorer.exe was found! ========== REGISTRY ========== Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\69947237 deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\a0655570 deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yomutujav deleted successfully. ========== FILES ========== c:\programdata\69947237\69947237.exe moved successfully. DllUnregisterServer procedure not found in c:\programdata\bebojori\bebojori.dll c:\programdata\bebojori\bebojori.dll moved successfully. DllUnregisterServer procedure not found in c:\progra~2\jojejure\jojejure.dll c:\progra~2\jojejure\jojejure.dll moved successfully. c:\programdata\yibuleko folder moved successfully. c:\programdata\jojejure folder moved successfully. c:\programdata\zedokupa folder moved successfully. c:\programdata\yowajaka folder moved successfully. c:\programdata\69947237 folder moved successfully. c:\programdata\zuhoboku folder moved successfully. c:\programdata\metuyuli folder moved successfully. c:\programdata\jehiyile folder moved successfully. c:\programdata\bebojori folder moved successfully. c:\programdata\pojevejo folder moved successfully. c:\programdata\gehazoze folder moved successfully. c:\programdata\dakabedu folder moved successfully. c:\programdata\holusiti folder moved successfully. c:\programdata\figimeje folder moved successfully. c:\programdata\wonutego folder moved successfully. c:\programdata\hawupula folder moved successfully. c:\programdata\wufajeda folder moved successfully. c:\programdata\sakiweto folder moved successfully. c:\programdata\kepuzuli folder moved successfully. c:\programdata\jahasuri folder moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Keymar ->Temp folder emptied: 546190415 bytes ->Temporary Internet Files folder emptied: 97009819 bytes ->Java cache emptied: 50991261 bytes ->FireFox cache emptied: 36119426 bytes User: Public %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes Windows Temp folder emptied: 70131284 bytes %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 520028 bytes RecycleBin emptied: 748156414 bytes Total Files Cleaned = 1477.39 mb OTM by OldTimer - Version 3.1.1.0 log created on 11132009_231646

#21 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 06:50 PM

delete the combofix you have on your desktop...download a fresh copy and run it

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#22 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 07:13 PM

OK a lot of things just happened!! It went through to Stage 50 completed or something like that, then said saving log. I can't seem to find the log now though to post on here. Any suggestions? Thanks

#23 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 07:15 PM

The log should be located at C:\Combofixt.txt or C:\Qoobox\Combofix2.txt

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#24 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 07:16 PM

OK I think I found it: ComboFix 09-11-14.01 - Keymar 14/11/2009 0:54:24..1 - FAT32x86 NETWORK Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.894.453 [GMT 0:00] Running from: C:\Users\Keymar\Desktop\ComboFix.exe Command switches used :: C:\Users\Keymar\Desktop\ComboFix.exe AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A} SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\$RECYCLE.BIN\S-1-5-21-2365545147-1999384947-2466353664-500 C:\$RECYCLE.BIN\S-1-5-21-2393766080-3187394018-3383541026-500 C:\$RECYCLE.BIN\S-1-5-21-899496415-1834721142-2599837188-500 C:\ProgramData\91415146.ini C:\ProgramData\CrucialSoft Ltd C:\ProgramData\tuwezune\tuwezune.dll C:\Users\Keymar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk C:\Users\Keymar\Desktop\Security Tool.lnk C:\Windows\system32\AutoRun.inf C:\Windows\system32\nsprs.dll C:\Windows\system32\serauth1.dll C:\Windows\system32\serauth2.dll C:\Windows\system32\ssprs.dll C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

#25 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 07:26 PM

Hi, that's a teeny tiny bit of the log...can you see if there is more of it and post the rest thanks

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

    Advertisements

Register to Remove


#26 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 07:28 PM

That's the whole lot I'm afraid. There are other .txt files in the ComboFix folder though- want me to try these?

#27 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 07:31 PM

The only text files in the ComboFix folder are: ComboFix.txt mbr.txt OsId.txt pend.txt Resident.txt Version.txt

#28 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 07:51 PM

If that was all there was to the ComboFix.txt then i need you to please run it again - see if we can get a proper log

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#29 VanDavies

VanDavies

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 13 November 2009 - 08:03 PM

Hey!! I've just run my laptop on normal mode and Security Tool is gone!! Plus I can open up .exe files!! Thank you so much! My background is still black however. What do you suggest?

#30 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 November 2009 - 08:15 PM

I need to see a ComboFix log...there is likely a lot more work to do yet...it seldom gets fixed in one pass

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users