tallywacker

Posts posted by tallywacker

  1. Hi tallywacker

    Just a reminder: Did you go through the contents of the link I posted in post #4 above?

    Just want to know.

    Regards.

    Hi 'srtools1980y', I did go through the contents of the link you posted and some of this has helped to speed things up a little.

    Thanks for the reply to my post..

  2. Hi Guys,

    Thanks for the advice. I have done several things, including the instructions from yardbird (thanks), defragmented the C drive and used the built-in XP disc cleanup.

    It is now running a little faster but appears to take an age to open the internet browser (I am using Mozilla).

    Any ideas.

    Thanks

    Martin

  3. HI! I've seen you have been in the HJK forum a few times! Is your AV still ESET? regards....

    EDIT: Please exclude the following files from your antivirus (if using any firewall besides the built in Windows Firewall, exclude them from it as well):

    For Windows Vista or Windows 7:

    • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    • C:\ProgramData\Malwarebytes' Anti-Malware\rules.ref
    • C:\Windows\System32\drivers\mbam.sys
    • C:\Windows\System32\drivers\mbamswissarmy.sys

    please post back & let us know if this helped....

    Hi Yardbird. Please could you let me know how to carry out your instructions above. I am running Windows XP and AVG antivirus.

    Please explain what you mean by 'Is your AV still ESET?'

    Thanks

  4. HI! I've seen you have been in the HJK forum a few times! Is your AV still ESET? regards....

    EDIT: Please exclude the following files from your antivirus (if using any firewall besides the built in Windows Firewall, exclude them from it as well):

    For Windows Vista or Windows 7:

    • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    • C:\ProgramData\Malwarebytes' Anti-Malware\rules.ref
    • C:\Windows\System32\drivers\mbam.sys
    • C:\Windows\System32\drivers\mbamswissarmy.sys

    please post back & let us know if this helped....

    Hi, I have used this forum previously to remove a Malware infection from my computer. Since the removal my computer has been a little on the slow side, particularly on start up and when on the net.

    Can anyone suggest a cure for this? I have run a scan and I have no Malware infections and other than the computer being (frustratingly) slow it is running fine.

    Please help.

    Thanks

  6. That's right. Your logs are all coming back clean.

    Please read this topic and post a HJT log:

    http://www.malwarebytes.org/forums/index.php?showtopic=9573

    You should only have one active antivirus and one firewall.

    You have the Ad-aware - Lavasoft driver running in the background now. If you buy the registered version of Malwarebytes, it also has a real time protection module so you shouldn't be running both simultaneously. You can keep both programs as on demand scanners, but only run one protection module at a time. Which one I favor should come as no surprise to you - what forum is this? :)

    How is your computer running now?

    Hi, My computer is again running perfectly thanks to your help and advice.

    The experience of removing the virus (something I thought would never be possible without taking the computer to an expert) was good for me as a novice.

    It is great that there are forums like this to help others and I feel you do a great job.

    Once again thanks for all your help. It's appreciated.

    Martin. :)

  7. You're welcome.

    That is your ESET scan report and it shows no infections.

    Let's do a bit more.

    Download CCleaner by clicking the Latest Version arrow on the right.

    http://www.filehippo.com/download_ccleaner/Download

    Double-click the CC setup file to launch the installer

    1. Note: CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. If you do NOT want it, when the install options are presented, UNCHECK the last install option to "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser".

    2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    3. Then select the items you wish to clean up.

    In the Windows Tab:

    * Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.

    * Clean all the entries in the "Windows Explorer" section.

    * Clean all entries in the "System" section.

    * Clean all entries in the "Advanced" section.

    * Clean any others that you choose.

    In the Applications Tab:

    * Clean all except cookies in the Firefox/Mozilla section if you use it.

    * Clean all in the Opera section if you use it.

    * Clean Sun Java in the Internet Section.

    * Clean any others that you choose.

    4. Click the "Run Cleaner" button.

    5. A pop up box will appear advising this process will permanently delete files from your system.

    6. Click "OK" and it will scan and clean your system.

    7. Click "exit" when done.

    Reboot

    Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

    Disable the active protection component of your antivirus and all antispyware programs by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Next, please perform a rootkit scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.

    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.

    • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.

    • Leave your system completely idle while this longer scan is in progress.

    • When the scan is done, save the scan log to the Windows clipboard

    • Open Notepad or a similar text editor

    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V

    • Exit the Program

    • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

    You may now re-enable any active protection you disabled before performing the scan.

    Reboot to unload the antirootkit driver.

    Launch MBAM

    • Update MBAM to the latest definitions set

    • Select Perform quick scan, then click Scan.

    • When the scan is complete, click OK -> Show Results to view the scan results.

    • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.

    • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

    NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Please post back ARK.txt and the MBAM log

    Hi Negster,

    I have downloaded and performed the scans as instructed. According to the logs the computer should be clear? :)

    Would you let me know what you think? I have pasted the logs below.

    Now I have downloaded MBAM, I have previously also been running Ad-Aware. Can these 2 run alongside each other or should I uninstall Ad-Aware?

    Do I also need to delete the CCleaner now that the scan has been done?

    Thanks .

    Malwarebytes' Anti-Malware 1.37

    Database version: 2290

    Windows 5.1.2600 Service Pack 2

    16/06/2009 22:35:35

    mbam-log-2009-06-16 (22-35-35).txt

    Scan type: Quick Scan

    Objects scanned: 84419

    Time elapsed: 12 minute(s), 40 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    ................................................................................

    ...............................................................................

    GMER 1.0.15.14972 - http://www.gmer.net

    Rootkit scan 2009-06-16 21:50:17

    Windows 5.1.2600 Service Pack 2

    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF762987E]

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7629BFE]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

  8. You're welcome. :)

    Please do not attach logs unless requested to do so - just copy and paste them into your reply.

    It looks like Combofix got everything. How's your computer running now?

    I would like you to run a complete system scan with the ESET online scanner. Expect some detections in Qoobox and system volume information (they will not be active malware - so don't worry):

    Please perform a scan with the ESET online virus scanner:

    http://www.eset.com/onlinescan/index.php

    • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.

    • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.

    • Check the "Yes, I accept the terms of use" box.

    • Click "Start"

    • Check the following two boxes:
      • Enable "Remove found threats"

      • Scan unwanted applications

    • Click the Scan button to begin scanning.

    • When the scan is done the log is automatically saved. To retrieve it:
      • Close the ESET scan window.

      • Now open a run line by clicking Start >> Run...

      • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.

      • The scan results will now display in Notepad.

    • Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

    Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

    To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

    Please post back:

    C:\Program Files\EsetOnlineScanner\log.txt

    Hi, I have installed and carried out the scan using ESET. No infections were found during this scan. :) However, I could not get this to open in the START>RUN section. I have located the log on the C: drive and have copied and pasted it below. Please let me know if this is the correct log file.

    My computer appears to be running very slowly, especially when using the internet. Yesterday whilst using the net it became impossibly slow to the point where I could not use it? I have also found that the email appears to have stopped sending and receiving and brings up an error message whilst trying to do so?

    Thank-you for your continued support.

    ESETSmartInstaller@High as CAB hook log:

    OnlineScanner.ocx - registred OK

    # version=6

    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    # OnlineScanner.ocx=1.0.0.5863

    # api_version=3.0.2

    # EOSSerial=6c21721de1278b4486f94a5d219035ab

    # end=finished

    # remove_checked=true

    # archives_checked=true

    # unwanted_checked=true

    # unsafe_checked=false

    # antistealth_checked=true

    # utc_time=2009-06-14 07:25:03

    # local_time=2009-06-14 08:25:03 (+0000, GMT Standard Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 2

    # compatibility_mode=1026 37 83 100 1705636094016

    # compatibility_mode=5889 61 66 100 823859474700000

    # scanned=32183

    # found=0

    # cleaned=0

    # scan_time=3301

  9. Hi and Welcome!

    Your RootRepeal log shows you have a UAC rootkit.

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to a name of your choice such as borked.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.

    • You must rename Combofix.exe as you download it and not after it is on your computer.

      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:

    • For Firefox:
      • Open Firefox and click Tools -> Options -> Main

      • Under the downloads section check the button that says "Always ask me where to save files".

      • Click OK

    • For Internet Explorer:
      • When downloading, choose to save, not open the file

      • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

    Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already (Note: Vista users do NOT have to install the Recovery Console!):

    Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Also, disable your firewall!

    You can enable the Windows firewall in the interim, until the scan is complete.

    Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers.

    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    1. Double click on the renamed combofix.exe (borked.exe) & follow the prompts.

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply with a new hijackthis log.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post back C:\Combofix.txt

    Hi. Appreciate your help and advice. I have run Combofix and attached the log to this reply.

    I have also since ran Ad Aware and it has only picked up some cookies which I have removed. My computer however, does seem very slow. Please advise.

    Thanks .

    combox_fix_log_100609.txt

  10. Please help.. I have a Malware infection which I believe is a trojan. I have scanned the computer with Ad-Aware and it detects the infection but will not remove it. Spybot and Malwarebytes will not open when downloaded.

    I have read some of the posts who appear to be experiencing the same problem.

    I have downloaded RootRepeal and I have scanned and saved the log.

    Please could I ask someone to advise me on the attached log file. I believe I need to remove the rootkit but need an expert to tell me which file to wipe.

    Thanks.

    ROOTREPEAL © AD, 2007-2009

    ==================================================

    Scan Time: 2009/06/11 20:53

    Program Version: Version 1.3.0.0

    Windows Version: Windows XP SP2

    ==================================================

    Hidden/Locked Files

    -------------------

    Path: C:\hiberfil.sys

    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\UACafmytblhymcihin.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACbutofyqxwprriqh.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACcwfldkmwoqhgsby.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UAChxudpuxdtmrbewn.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\uacinit.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACjcfgrmdcdxjpnrg.db

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACkcponxwixnywxol.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACkeietrnswemxoeo.dll

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACkwchgltbdguyece.log

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\uactmp.db

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACtwkduimjewtkila.dat

    Status: Invisible to the Windows API!

    Path: c:\windows\temp\8c2b4a6c-363a-488c-9794-33bd998c528d.tmp

    Status: Allocation size mismatch (API: 327680, Raw: 0)

    Path: C:\WINDOWS\Temp\UAC38ab.tmp

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UAC3cd0.tmp

    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\UACptkyfqxuxovphxw.sys

    Status: Invisible to the Windows API!

    Path: c:\documents and settings\administrator\local settings\temp\etilqs_1cjmjlfzmfbqazjuwpvd

    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC14c9.tmp

    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UO2VOASO\ac[25].htm

    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacafmytblhymcihin.dll.8f64756049a5187f0355adf45677239.aawqff

    Status: Invisible to the Windows API!

    root_files.txt
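A defender's triage of a RootRepeal "Hidden/Locked Files" section like the one posted above, as an added example that is not part of this thread or of RootRepeal itself: it separates files Windows always keeps locked from hidden UAC-prefixed objects under system32, the pattern the helper's reply calls a UAC rootkit. The sample log is constructed from the paths above; the locked-file set, the system directory and the UAC naming pattern are assumptions.

```python
import re

# Constructed sample in RootRepeal's "Hidden/Locked Files" format, built from the paths
# in the log above: a benign locked file, hidden UAC objects in system32, a temp file
# with a size mismatch, and an Ad-Aware quarantine entry.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\UACafmytblhymcihin.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UACptkyfqxuxovphxw.sys
Status: Invisible to the Windows API!
Path: c:\windows\temp\8c2b4a6c-363a-488c-9794-33bd998c528d.tmp
Status: Allocation size mismatch (API: 327680, Raw: 0)
Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacafmytblhymcihin.dll.aawqff
Status: Invisible to the Windows API!
"""

# Assumptions, not taken from RootRepeal's documentation: files Windows itself keeps locked,
# the directory where a hidden file matters most, and the UAC naming pattern seen above.
KNOWN_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}
SYSTEM_DIR = "c:\\windows\\system32\\"
UAC_NAME = re.compile(r"^uac[a-z0-9]+\.(dll|sys|db|dat|log|tmp)$", re.I)

def parse_hidden_files(text):
    """Return (path, status) pairs from the Hidden/Locked Files section only."""
    pairs, in_section, path = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Hidden/Locked Files"):
            in_section = True
        elif in_section and line.startswith("===="):
            break  # a later RootRepeal section starts; stop here
        elif in_section and line.startswith("Path: "):
            path = line[len("Path: "):]
        elif in_section and line.startswith("Status: ") and path is not None:
            pairs.append((path, line[len("Status: "):]))
            path = None
    return pairs

def classify(path, status):
    """Verdict for one entry: benign | quarantined | rootkit | suspicious | review."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if low in KNOWN_LOCKED and status.startswith("Locked"):
        return "benign"       # present on every healthy XP install
    if "\\quarantine\\" in low:
        return "quarantined"  # already isolated by the scanner that moved it
    hidden = status.startswith("Invisible")
    if hidden and low.startswith(SYSTEM_DIR) and UAC_NAME.match(name):
        return "rootkit"      # hidden from the API, in system32, UAC naming
    if hidden:
        return "suspicious"   # hidden, but does not fit the known pattern
    return "review"           # size mismatches, "not on disk" cache entries

def triage(text):
    """List of (path, status, verdict); the 'rootkit' entries are what a cleanup targets."""
    return [(p, s, classify(p, s)) for p, s in parse_hidden_files(text)]
```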
