
Thread: A dirty little bug is in my house

  1. #21
    Member
    Join Date
    Oct 2011
    Posts
    81

    Hi Jeff....still no go. I've followed your instructions, again, and it gets hung up at stage 50, then nothing. When I close the box, what remains is a blue screen and I have to pull the plug and battery to re-start. There is no log except something that is called PFRO, that was created between when the program ran and when I rebooted. It is a txt document.

    Please advise and thank you for your valiant effort, Jeff.

  2. #22
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    Let's try this again, but I have re-written the fix...please do the following using the new ComboFix you just downloaded to your system.


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      SkipFix::
      
      File::
      c:\windows\system32\c_41644.nl_
      c:\windows\System32\drivers\bpfvii.sys
      c:\windows\system32\ConduitEngine.tmp
      
      Firefox::
      FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
      
      RegLock::
      [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
      @Denied: (2) (LocalSystem)
      "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      
      RegNull::
      [HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
      "datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
      e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
      "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
      
      Driver::
      qgdttjh
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

  3. #23
    Member
    Join Date
    Oct 2011
    Posts
    81

    I ran the new script in the new and renamed ComboFix. I've been sitting on a "please wait" screen with a blinking cursor for about 3 hours now....any suggestions? Heading to slumber-land so I'm going to hibernate this computer until the a.m. Is this a driver error?????

  4. #24
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    Sorry that this is taking so long. Let's try to get this to run another way.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      KillAll::
      
      File::
      c:\windows\system32\c_41644.nl_
      c:\windows\System32\drivers\bpfvii.sys
      c:\windows\system32\ConduitEngine.tmp
      
      Firefox::
      FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
      
      RegLock::
      [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
      @Denied: (2) (LocalSystem)
      "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
      d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
      
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      
      RegNull::
      [HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
      "datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
      e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
      "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
      
      Driver::
      qgdttjh
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
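The two CFScripts posted above (#22 and #24) are identical apart from the opening directive, and both are built from the same handful of sections. The script below is an added example, not part of this thread or of ComboFix: it parses a CFScript into its sections and summarises what the script would touch (files, drivers, registry keys, Firefox prefs), which is the kind of check a helper does against the earlier logs before handing a script to the user. The section names and the sample script are taken from the thread; the parsing rules (a line ending in `::` opens a section, blank lines are ignored, every other non-blank line belongs to the current section) are this example's own reading of the format.

```python
"""Parse a ComboFix CFScript into its sections and summarise what it would touch.

Added example, not part of this thread or of ComboFix. Section names and the
sample come from the scripts posted in the thread; the parsing rules are this
example's own assumptions about the format.
"""
import re
from collections import OrderedDict

# Sections seen in the posted scripts; anything else is reported for review.
KNOWN_SECTIONS = {"KillAll", "SkipFix", "File", "Firefox", "RegLock", "RegNull", "Driver"}
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample: an abridged copy of the script from post #24.
SAMPLE_CFSCRIPT = r"""KillAll::

File::
c:\windows\system32\c_41644.nl_
c:\windows\System32\drivers\bpfvii.sys
c:\windows\system32\ConduitEngine.tmp

Firefox::
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000

RegNull::
[HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

Driver::
qgdttjh
"""


def parse_cfscript(text):
    """Map each section name to the list of its non-blank entry lines, in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_keys(sections, name):
    """Key paths ([HKEY_...]) listed under a RegLock:: or RegNull:: section."""
    return [ln[1:-1] for ln in sections.get(name, [])
            if ln.startswith("[") and ln.endswith("]")]


def review(sections):
    """Summary to check against the earlier logs before the script is run."""
    return {
        "kills_processes": "KillAll" in sections,
        "files": list(sections.get("File", [])),
        "drivers": list(sections.get("Driver", [])),
        "firefox_prefs": [ln for ln in sections.get("Firefox", []) if "prefs.js" in ln],
        "reglock_keys": registry_keys(sections, "RegLock"),
        "regnull_keys": registry_keys(sections, "RegNull"),
        "unknown_sections": [s for s in sections if s not in KNOWN_SECTIONS],
    }


if __name__ == "__main__":
    for key, value in review(parse_cfscript(SAMPLE_CFSCRIPT)).items():
        print(f"{key}: {value}")
```

Every path and key the summary prints should be traceable to a line in the user's earlier ComboFix or OTL log; an entry that is not, or a section name the parser does not recognise, is the cue to re-read the script rather than run it.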

  5. #25
    Member
    Join Date
    Oct 2011
    Posts
    81

    Ok, as she sighs, here's the deal now....I have a series of what look like ComboFix and the renamed ComboFix, svchost. There may be others, but the windows seem to be in some sort of a loop and flash far too quickly for me to get a good look at what each of the boxes says. They flash along a diagonal 5/6 times then start at the top left hand corner again. I've tried to shut it down using Task Manager and that did not do anything. I've tried completely deleting ComboFix and svchost, but it continues to do the same thing. I've restarted, completely shut down and have this kookie thing keep happening. That said, I have not re-run the new script....I'm afraid to use my Clickfree backup, in the event the data is affected in the backup, so I've picked up a large USB key, but can't even get the info when it's doing the freaky windows flash dance! lol.

    I really appreciate your assistance, and no apologies are needed. You didn't break my computer.

  6. #26
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    I am going to get some more opinions on this infection on your computer. I will return as quickly as I can.

  7. #27
    Member
    Join Date
    Oct 2011
    Posts
    81

    MUCH appreciated!

  8. #28
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    If you need to do the following in Safe Mode then that is just fine.
    -------------

    Please download aswMBR to your desktop.

    • Right click and Run as Administrator the aswMBR icon to run it.
    • When asked if you want to download Avast's virus definitions please select Yes.
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.



    ----------

  9. #29
    Member
    Join Date
    Oct 2011
    Posts
    81

    Arrrrrgggggggggggggggggggggggggg

  10. #30
    Member
    Join Date
    Oct 2011
    Posts
    81

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-07 12:52:45
    -----------------------------
    12:52:45.323 OS Version: Windows 6.0.6002 Service Pack 2
    12:52:45.323 Number of processors: 2 586 0xF0D
    12:52:45.339 ComputerName: FAMILY-PC UserName: Family
    12:52:55.245 Initialize success
    12:57:58.046 AVAST engine defs: 11110700
    12:58:26.235 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    12:58:26.235 Disk 0 Vendor: FUJITSU_ 0085 Size: 114473MB BusType: 3
    12:58:26.266 Disk 0 MBR read successfully
    12:58:26.266 Disk 0 MBR scan
    12:58:26.360 Disk 0 Windows VISTA default MBR code
    12:58:26.360 Disk 0 scanning sectors +234438656
    12:58:26.547 Disk 0 scanning C:\Windows\system32\drivers
    12:58:59.167 Service scanning
    12:59:00.056 Service .kbdclass \* **LOCKED** 123
    12:59:01.429 Modules scanning
    12:59:33.908 Disk 0 trace - called modules:
    12:59:33.939 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    12:59:33.955 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c6f540]
    12:59:33.955 3 CLASSPNP.SYS[87fa98b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84c4d030]
    12:59:35.546 AVAST engine scan C:\Windows
    12:59:47.293 AVAST engine scan C:\Windows\system32
    13:07:11.347 AVAST engine scan C:\Windows\system32\drivers
    13:07:38.460 AVAST engine scan C:\Users\Family
    13:17:08.640 AVAST engine scan C:\ProgramData
    13:20:05.746 Scan finished successfully
    13:26:46.973 Disk 0 MBR has been saved successfully to "C:\Users\Family\Desktop\MBR.dat"
    13:26:46.988 The log file has been saved successfully to "C:\Users\Family\Desktop\aswMBR.txt"
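The aswMBR log above is what a helper reads to rule a bootkit in or out: the MBR verdict line, any service the tool could not open (marked `**LOCKED**`), the drivers in the disk I/O trace, and whether the scan actually finished. The script below is an added example, not part of this thread or of aswMBR: it pulls those fields out of a log in this format so the triage is repeatable across the many logs a thread like this produces. The line shapes follow the posted log; the regular expressions that split them are this example's own assumptions about the format.

```python
"""Triage an aswMBR log: timestamped events, MBR verdict, locked services,
disk-trace modules and scan duration.

Added example, not part of this thread or of aswMBR. Line shapes follow the
log posted in the thread; the regexes are this example's assumptions.
"""
import re
from datetime import datetime

EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
LOCKED_RE = re.compile(r"^Service (\S+) .*\*\*LOCKED\*\*")
MBR_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")

# Constructed sample: abridged from the log in post #30.
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-07 12:52:45
-----------------------------
12:52:45.323 OS Version: Windows 6.0.6002 Service Pack 2
12:52:55.245 Initialize success
12:58:26.235 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:58:26.266 Disk 0 MBR read successfully
12:58:26.360 Disk 0 Windows VISTA default MBR code
12:58:59.167 Service scanning
12:59:00.056 Service .kbdclass \* **LOCKED** 123
12:59:33.908 Disk 0 trace - called modules:
12:59:33.939 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
13:20:05.746 Scan finished successfully
13:26:46.973 Disk 0 MBR has been saved successfully to "C:\Users\Family\Desktop\MBR.dat"
"""


def parse_events(text):
    """Return (timestamp, message) pairs for every timestamped line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def header_field(text, label):
    """Value of a 'Label: value' header line (e.g. 'Run date'), or None."""
    m = re.search(rf"^{re.escape(label)}: (.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def locked_services(events):
    """Services aswMBR could not open (marked **LOCKED**); worth a second look."""
    return [m.group(1) for _, msg in events for m in [LOCKED_RE.match(msg)] if m]


def mbr_verdict(events):
    """aswMBR's classification of the boot-sector code, e.g. 'Windows VISTA default MBR code'."""
    for _, msg in events:
        m = MBR_RE.match(msg)
        if m:
            return m.group(2)
    return None


def called_modules(events):
    """Drivers in the disk I/O trace: the line after 'trace - called modules:'."""
    for i, (_, msg) in enumerate(events):
        if msg.endswith("trace - called modules:") and i + 1 < len(events):
            return events[i + 1][1].split()
    return []


def scan_seconds(events):
    """Wall-clock seconds from 'Initialize success' to 'Scan finished successfully'."""
    clock = {msg: datetime.strptime(ts, "%H:%M:%S.%f") for ts, msg in events}
    start = clock.get("Initialize success")
    end = clock.get("Scan finished successfully")
    if start is None or end is None:
        return None
    return (end - start).total_seconds()


def triage(text):
    """One-dict summary of the points a helper reads first in an aswMBR log."""
    events = parse_events(text)
    ver = re.search(r"^aswMBR version (\S+)", text, re.MULTILINE)
    return {
        "version": ver.group(1) if ver else None,
        "run_date": header_field(text, "Run date"),
        "mbr": mbr_verdict(events),
        "locked_services": locked_services(events),
        "called_modules": called_modules(events),
        "scan_seconds": scan_seconds(events),
        "finished": any(msg == "Scan finished successfully" for _, msg in events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log the verdict is the stock Vista MBR code and the call trace contains only the expected storage stack, so the MBR itself is not where this infection lives; the one locked service and the earlier ComboFix behaviour are the threads to follow instead.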
