[Sunny42]

Hi Geeks,

my PC slowed down recently (about may 18th) and since then I keep getting popups asking me to install AntiSpywareSuite etc. I checked your site and downloaded combofix. Could you please help me analyse the log?

Thanks a lot!

[log removed]

Edited by Sunny42, 24 May 2008 - 11:49 PM.

[Advertisements]

Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you installed the Recovery Console..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMeb508879.xml
C:\WINDOWS\system32\pmpltbhf.ini
C:\WINDOWS\system32\pwqxvuhi.dll
C:\WINDOWS\system32\fhbtlpmp.dll
C:\WINDOWS\system32\fljfdnsi.ini
C:\WINDOWS\system32\isndfjlf.dll
C:\WINDOWS\system32\bbqyqwlb.dll
C:\WINDOWS\system32\xwqfcckw.ini
C:\WINDOWS\system32\vrttdprx.ini
C:\WINDOWS\system32\blgtcpuw.ini
C:\WINDOWS\system32\khfcDtQg.dll
C:\WINDOWS\system32\ddcDtQih.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb508879"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDtQih]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMeb508879]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e863bbe5]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

[miekiemoes]

Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you installed the Recovery Console..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMeb508879.xml
C:\WINDOWS\system32\pmpltbhf.ini
C:\WINDOWS\system32\pwqxvuhi.dll
C:\WINDOWS\system32\fhbtlpmp.dll
C:\WINDOWS\system32\fljfdnsi.ini
C:\WINDOWS\system32\isndfjlf.dll
C:\WINDOWS\system32\bbqyqwlb.dll
C:\WINDOWS\system32\xwqfcckw.ini
C:\WINDOWS\system32\vrttdprx.ini
C:\WINDOWS\system32\blgtcpuw.ini
C:\WINDOWS\system32\khfcDtQg.dll
C:\WINDOWS\system32\ddcDtQih.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb508879"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDtQih]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMeb508879]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e863bbe5]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

[Sunny42]

Hi Miekiemoes,

sorry if that caused extra trouble. I installed the recovery console and proceeded as you described.
Thanks very much for your fast reply. Here are the logs you requested:

[log removed]

Edited by Sunny42, 24 May 2008 - 11:50 PM.

[miekiemoes]

Hi,
* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\ahtpnthu.ini
C:\WINDOWS\system32\ftmowmjv.dll
C:\WINDOWS\system32\uhtnptha.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e863bbe5"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

[Sunny42]

Hi,
reboot was not necessary. How do the logs like now? Thanks again!

[log removed]

Edited by Sunny42, 24 May 2008 - 11:51 PM.

[miekiemoes]

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[Sunny42]

Hi,

the system seems to be up to speed again. The buffer overflow issues seem to be gone as well
Just asking, is there a way to remove the logs I posted in this thread? There are some server names which I would prefer not to keep in this thread.
Do you have any recommendations as to how to stay clean now?

Thanks a lot again!

[miekiemoes]

There are some server names which I would prefer not to keep in this thread.

You can still edit your post and take out the servernames

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.