antispywaresuite popup, plz help analyse combofix log [RESOLVED]


  • This topic is locked

#1
Sunny42
    New Member
  • 4 posts
Hi Geeks,

My PC slowed down recently (about May 18th) and since then I keep getting popups asking me to install AntiSpywareSuite etc. I checked your site and downloaded ComboFix. Could you please help me analyse the log?

Thanks a lot!

[log removed]

Edited by Sunny42, 24 May 2008 - 11:49 PM.



#2
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Hi,

First of all... not sure where you have read the instructions to use ComboFix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with ComboFix:

http://www.bleepingc...to-use-combofix

The reason why the Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot you'll see the option for the Recovery Console as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you have installed the Recovery Console...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMeb508879.xml
C:\WINDOWS\system32\pmpltbhf.ini
C:\WINDOWS\system32\pwqxvuhi.dll
C:\WINDOWS\system32\fhbtlpmp.dll
C:\WINDOWS\system32\fljfdnsi.ini
C:\WINDOWS\system32\isndfjlf.dll
C:\WINDOWS\system32\bbqyqwlb.dll
C:\WINDOWS\system32\xwqfcckw.ini
C:\WINDOWS\system32\vrttdprx.ini
C:\WINDOWS\system32\blgtcpuw.ini
C:\WINDOWS\system32\khfcDtQg.dll
C:\WINDOWS\system32\ddcDtQih.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb508879"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDtQih]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMeb508879]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e863bbe5]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot removed]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
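The two CFScript blocks in this thread (the one above and the one in reply #4) share one layout: a File:: section listing files for ComboFix to delete, and a Registry:: section in .reg-style syntax where [-KEY] removes a whole key and "name"=- removes a single value under the key named above it. The Python below is an added example, not part of the thread or of ComboFix itself: it parses that layout so the proposed deletions can be listed and sanity-checked before the script is run. The sample input reuses entries from the script above; the "fewer than four components" depth threshold in risky_entries is an assumption for this example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CFPlan:
    files: list = field(default_factory=list)         # File:: entries ComboFix will delete
    delete_keys: list = field(default_factory=list)   # [-KEY] lines: whole key removed
    delete_values: list = field(default_factory=list) # (key, name) pairs removed via "name"=-

def parse_cfscript(text):
    """Parse the 'Section::' header + one-entry-per-line layout used in this thread."""
    plan, section, current_key = CFPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "registry":
            key = re.fullmatch(r"\[(-?)(.+)\]", line)
            if key and key.group(1):          # [-KEY] deletes the whole key
                plan.delete_keys.append(key.group(2))
                current_key = None
            elif key:                         # [KEY] scopes the value lines below it
                current_key = key.group(2)
            else:
                value = re.fullmatch(r'"([^"]*)"=-', line)
                if value and current_key:
                    plan.delete_values.append((current_key, value.group(1)))
    return plan

def risky_entries(plan):
    """Flag whole-key deletions fewer than four components deep (assumed threshold)
    and file entries that are not absolute drive paths; both deserve a second look."""
    flagged = [k for k in plan.delete_keys if len(k.split("\\")) < 4]
    return flagged + [f for f in plan.files if not re.match(r"^[A-Za-z]:\\", f)]

# Constructed sample built from entries of the first CFScript in this thread.
SAMPLE = r"""File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\khfcDtQg.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb508879"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDtQih]
"""
```

Running parse_cfscript(SAMPLE) gives two files, two whole-key deletions and one value deletion, and risky_entries returns nothing for it; a script that tried to delete a branch as shallow as HKEY_LOCAL_MACHINE\SOFTWARE would be flagged.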

#3
Sunny42
    New Member
  • 4 posts
Hi Miekiemoes,

Sorry if that caused extra trouble. I installed the Recovery Console and proceeded as you described.
Thanks very much for your fast reply. Here are the logs you requested:

[log removed]

Edited by Sunny42, 24 May 2008 - 11:50 PM.


#4
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Hi,
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\system32\ahtpnthu.ini
C:\WINDOWS\system32\ftmowmjv.dll
C:\WINDOWS\system32\uhtnptha.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e863bbe5"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot removed]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#5
Sunny42
    New Member
  • 4 posts
Hi,
Reboot was not necessary. How do the logs look now? Thanks again!

[log removed]

Edited by Sunny42, 24 May 2008 - 11:51 PM.


#6
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7
Sunny42
    New Member
  • 4 posts
Hi,

The system seems to be up to speed again. The buffer overflow issues seem to be gone as well :)
Just asking, is there a way to remove the logs I posted in this thread? There are some server names which I would prefer not to keep in this thread.
Do you have any recommendations as to how to stay clean now?

Thanks a lot again!

#8
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP

"There are some server names which I would prefer not to keep in this thread."

You can still edit your post and take out the server names :)

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.