negster22
Experts
Posts: 1,157

Posts posted by negster22

  1. That is the old log because I did not specify any registry keys for deletion during the current scan so I think that error prevented the log from being created.

    At what point did you receive the svchost error during the execution of my directions?

    Keep Adwatch and Teatimer disabled.

    Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.

    A black window should pop up, press any key to close once the fix is completed.

    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Do NOT reboot!!

    Please process this NEW OTL script - I'm going to remove the "k" driver deletions for now because deleting drivers can be touchy!

    • Disable the active protection component of your antivirus by following the directions that apply here:
      http://www.bleepingcomputer.com/forums/topic114351.html
    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :Files
      C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
      C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
      C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
      C:\Documents and Settings\Owner\Desktop\test.exe
      C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
      C:\Documents and Settings\All Users\Application Data\dOhOb06511
      :OTL
      [2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
      [2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
      [2010/12/21 09:44:01 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk
      [2010/12/18 11:23:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Emomozecahexofip.bin
      [2010/12/18 11:23:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dcuqutehobek.dat
      :Commands
      [reboot]


    • Now click Run Fix and let the program run uninterrupted.
    • Let the program run unhindered, and reboot the PC when it is done
    • Copy/Paste OTL Log in your next reply

    Is FrontLine Registry Cleaner something you installed? I do not advocate the use of Registry Cleaners, as they usually do more harm than good and they are absolutely unnecessary!

    Please post the new OTL log and run a new and fully updated MBAM scan (there's a new version out so You may have to upgrade internally) and post the MBAM log!!!

  2. Good Job!!

    Please keep Teatimer and Adwatch disabled.

    We're going to rerun OTL with a new script to make some more fixes as follows:

    • Disable the active protection component of your antivirus by following the directions that apply here:
      http://www.bleepingcomputer.com/forums/topic114351.html
    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :Files
      C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
      C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
      C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
      C:\Documents and Settings\Owner\Desktop\test.exe
      C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
      C:\Documents and Settings\All Users\Application Data\dOhOb06511
      :OTL
      [2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
      [2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
      [2010/12/21 09:44:01 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk
      [2010/12/18 11:23:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Emomozecahexofip.bin
      [2010/12/18 11:23:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dcuqutehobek.dat
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
      [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
      [2010/12/21 22:46:39 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
      [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
      :Commands
      [reboot]


    • Now click Run Fix and let the program run uninterrupted.
    • Let the program run unhindered, and reboot the PC when it is done
    • Copy/Paste OTL Log in your next reply

    Is FrontLine Registry Cleaner something you installed? I do not advocate the use of Registry Cleaners, as they usually do more harm than good and they are absolutely unnecessary!

    Please post the new OTL log and run a new and fully updated MBAM scan (there's a new version out so You may have to upgrade internally) and post the MBAM log!!!
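OTL fix scripts like the one above are pasted by hand, and a single lost character (a leading `[` dropped from an :OTL line, or `:File` typed for `:Files`) is easy to miss by eye. The checker below is an added example for this page, not code from negster22's post or from OTL itself: it validates the section headers and the shape of each line within its section before the script is pasted into the Custom Scans/Fixes box. The section names `:Processes`, `:Services` and `:Reg` are assumed from general OTL usage (they do not appear in this thread); the command list is taken from the scripts quoted here. The sample script is constructed from this thread's lines with one deliberate defect.

```python
import re
from typing import List, Tuple

# Section headers and [commands] present in the fix scripts in this thread.
# :Processes, :Services and :Reg are assumed from general OTL usage (not on
# this page); extend both sets if your scripts use other directives.
KNOWN_SECTIONS = {":Processes", ":OTL", ":Services", ":Reg", ":Files", ":Commands"}
KNOWN_COMMANDS = {"reboot", "purity", "resethosts", "emptytemp",
                  "emptyflash", "createrestorepoint"}

# Shape of an OTL file-listing line:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (publisher) -- path
FILE_LISTING = re.compile(
    r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| \S{4} \| [CM]\] \(.*\) -- .+$")
O_ENTRY = re.compile(r"^O\d+ - ")        # HijackThis-style lines, e.g. "O4 - HKCU..\Run: ..."
WIN_PATH = re.compile(r"^[A-Za-z]:\\")   # absolute Windows path
COMMAND = re.compile(r"^\[(\w+)\]$")     # [reboot], [emptytemp], ...


def lint_otl_script(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[int, str]] = []
    section = None
    for number, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                      # section header
            if line not in KNOWN_SECTIONS:
                findings.append((number, f"unknown section header {line!r}"))
            section = line
            continue
        if section is None:
            findings.append((number, "content before the first section header"))
        elif section == ":Files":
            if not WIN_PATH.match(line):
                findings.append((number, "expected an absolute Windows path"))
        elif section == ":OTL":
            # Accept a bracketed file listing, an O-entry, or a "/c" shell command.
            if not (FILE_LISTING.match(line) or O_ENTRY.match(line) or line.endswith(" /c")):
                findings.append((number, "not an OTL log line (lost the leading '[' or 'O# - '?)"))
        elif section == ":Commands":
            m = COMMAND.match(line)
            if not m or m.group(1).lower() not in KNOWN_COMMANDS:
                findings.append((number, f"unknown command {line!r}"))
    return findings


# Constructed sample built from lines in this thread; the kmxzone line is
# deliberately missing its leading "[" so the checker has something to catch.
SAMPLE_SCRIPT = r""":Files
C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
C:\Documents and Settings\Owner\Desktop\test.exe
:OTL
[2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
O4 - HKCU..\Run: [qGy6kOdgyFFL] C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe (Optimization Corporation)
ipconfig /flushdns /c
:Commands
[emptytemp]
[reboot]
"""

if __name__ == "__main__":
    for number, problem in lint_otl_script(SAMPLE_SCRIPT):
        print(f"line {number}: {problem}")
```

Run it on a script before pasting; a clean script produces no output. The checker only looks at line shape, so it cannot tell you whether a path is safe to delete; that judgement stays with the analyst reading the OTL log.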

  3. Hi feverdog71,

    The OTL log gave me a good idea of the extent to which HDDTools has infected your system so we'll try to reverse that now.

    You have a lot of security programs running that are known to interfere with fixes!!

    It's essential that You disable Adwatch and Teatimer for the duration of the clean-up or any fixes we make will have no impact or be reversed!! They keep the good out along with the bad!!

    First, disable Spybot's TeaTimer or any fixes we make in HijackThis will be reversed. This is a two-step process.

    First:

    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

    - Choose Exit Spybot S&D Resident

    Second:

    - Open Spybot S&D

    - Click Mode, check Advanced Mode

    - Go To Left Panel, Click Tools, then also in left panel, click Resident

    Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

    Disable AD-AWARE AD-WATCH

    * Start Ad-Aware

    * Click the Ad-Watch tab

    * Click the Settings button

    * Ensure all highlighted options below are unchecked (some settings may be used or changed only in the Pro version):

    Under the General tab

    o Processes Protection

    o Registry Protection

    o Network Protection

    Under the Detection Layers tab:

    o Spyware heuristics

    o AntiVirus engine

    * OK your way out, and close the main Ad-Aware window.

    * Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.

    * OK the change.

    We're going to rerun OTL with a script that fixes the infected load points and files on your system as follows:

    • Disable the active protection component of your antivirus by following the directions that apply here:
      http://www.bleepingcomputer.com/forums/topic114351.html
    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :Files
      C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
      C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
      C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
      C:\Documents and Settings\Owner\Desktop\test.exe
      C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
      C:\Documents and Settings\All Users\Application Data\dOhOb06511
      :OTL
      O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
      O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
      O4 - HKCU..\Run: [bKNILMsCGe.exe] C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe (MOSE software)
      O4 - HKCU..\Run: [qGy6kOdgyFFL] C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe (Optimization Corporation)
      ipconfig /flushdns /c
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [emptyflash]
      [createrestorepoint]
      [reboot]


    • Now click Run Fix and let the program run uninterrupted.
    • Let the program run unhindered, and reboot the PC when it is done
    • Copy/Paste OTL Log in your next reply

    Do You have any idea what these multiple "k" drivers are as they were installed the same time your system was infected and their quantity and creation date makes them appear suspicious?:

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1

    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0

    [2010/12/21 22:46:39 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2

    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
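The question above about the kmx* drivers rests on a heuristic worth automating: a batch of files with no publisher in their version information, all written within a second or two of each other, on the day the system was infected. The following is an added example, not code from the post or from OTL; it parses OTL's file-listing line format and reports timestamp clusters in which no file carries a publisher name. The sample log is constructed from lines quoted in this thread (the kmxcfg sizes are simplified), and the `min_count` and `window_seconds` thresholds are assumptions to tune per case.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Layout of an OTL file line, optionally prefixed by a section tag such as "PRC - ":
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (publisher) -- path
OTL_LINE = re.compile(
    r"^(?:[A-Z]+ - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"\((?P<publisher>[^)]*)\) -- (?P<path>.+?)\s*$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str        # "C": the date shown is the creation time, "M": last modification
    publisher: str   # company name from the file's version info; "" when OTL found none
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one file-listing line; return None for lines of any other shape."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        publisher=m["publisher"],
        path=m["path"],
    )


def parse_otl_log(text: str) -> List[OtlEntry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e is not None]


def find_timestamp_clusters(entries: Iterable[OtlEntry], min_count: int = 4,
                            window_seconds: int = 2) -> List[List[OtlEntry]]:
    """Group entries whose timestamps lie within window_seconds of the first
    entry of the group; keep groups of at least min_count, largest first."""
    window = timedelta(seconds=window_seconds)
    clusters: List[List[OtlEntry]] = []
    current: List[OtlEntry] = []
    for e in sorted(entries, key=lambda x: x.timestamp):
        if current and e.timestamp - current[0].timestamp > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return sorted((c for c in clusters if len(c) >= min_count), key=len, reverse=True)


def unsigned_batches(text: str, **kwargs) -> List[List[OtlEntry]]:
    """Clusters in which no file carries a publisher name: files dropped together
    with no version information are the ones to ask about, as the post does."""
    return [c for c in find_timestamp_clusters(parse_otl_log(text), **kwargs)
            if not any(e.publisher for e in c)]


# Constructed excerpt assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
[2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
[2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
PRC - [2007/06/05 08:49:30 | 003,682,576 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe
O4 - HKCU..\Run: [qGy6kOdgyFFL] C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe (Optimization Corporation)
""" + "\n".join(
    f"[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\kmxzone.u2k{i}"
    for i in range(8)) + "\n" + "\n".join(
    f"[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\kmxcfg.u2k{i}"
    for i in range(8))

if __name__ == "__main__":
    for cluster in unsigned_batches(SAMPLE_LOG):
        print(f"{len(cluster)} unsigned files within 2s of {cluster[0].timestamp}:")
        for e in cluster:
            print("   ", e.path)
```

On the sample the two dfrg files (three seconds apart, only two of them) and the signed Sony process are left alone, while the sixteen kmx* driver files are reported as one batch. A cluster is a prompt for a question, not a verdict: legitimate installers also write many files in one second, so the output should be read alongside the install history the user can account for.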

  4. Hi and Welcome feverdog71,

    Can You please copy/paste the MBAM log that shows the threats that were removed.

    Also, I need You to try and run the scans in this topic:

    http://forums.malwarebytes.org/index.php?showtopic=9573

    Then copy/paste all requested logs (do NOT attach them) into your next reply.

    Download OTL and save it on your desktop:

    http://oldtimer.geekstogo.com/OTL.exe

    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
    • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
    • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
    • Do NOT touch your keyboard until the scan is done!!
    • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
    • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
    • Exit OTL by clicking the X at top right.

  5. Please try running Combofix in safe mode with networking

    Reboot your computer > tap F8 repeatedly on startup until an advanced option menu appears > arrow up to Safe mode with networking and select that option.

    Run exehelper.

    Now delete the copy of ComboFix on your desktop and download a new copy.

    Then try launching Combofix again and see if it works now.

    If not, you should try downloading (and renaming) Combofix on another CLEAN PC, transfer it to USB, and then copy it to the infected machine and run from there.

    =====

    If still no joy, download OTL and save it on your desktop:

    http://oldtimer.geekstogo.com/OTL.exe

    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
    • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
    • Do NOT touch your keyboard until the scan is done!!
    • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
    • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
    • Exit OTL by clicking the X at top right.

  6. Your Gmer Quick scan is clean.

    Your DDS.txt has one suspicious directory present but we have to run more detection and removal tools to see what else might be present.

    Please copy/paste all logs into your topic - do NOT attach them!

    Please do not quote my directions in your next reply - just post the logs I requested.

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished, it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    -------

    Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

    Save and Rename it as You download it to explorer.exe

    Double-click explorer.exe on your Desktop to run it

    In the "Scan Type" window, select Full Scan

    Perform a scan and then click Finish when the scan is done.

    Retrieve the MSRT log as follows, and post it in your next reply:

    1) Click on Start, Run

    2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

    notepad c:\windows\debug\mrt.log

    ==========

    Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.

    A black window should pop up, press any key to close once the fix is completed.

    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Do NOT reboot your computer and proceed on to downloading and running Combofix.

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK

      • For Internet Explorer:

      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it explorer.exe

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
    • If Combofix asks to update, allow it to do so!
    • If the explorer.exe (renamed Combofix) reverts back to combofix.exe when running, that is normal.

    1. To Launch Combofix

    Click Start --> Run, and enter this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

  7. TDSSKiller is completely negative for Alureon and though the MSRT detected it previously, it seems to have cleaned it up because the only thing it detected in your full scan are Alureon traces in your system restore (SR) data (system volume information) and this is not an active infection. We will simply purge those SR points at the end of our work here.

    Uninstall Viewpoint Manager from Add/Remove Programs.

    If you no longer use Ares let me know because it is still being given a free pass through your firewall.

    I want You to submit the following two files for analysis

    C:\WINDOWS\system32\drivers\NtFsLdf20.sys

    C:\WINDOWS\system32\DRIVERS\nv_agp.sys

    Then, Go HERE:

    http://www.virustotal.com/

    and upload each file to VirusTotal to have all the scanners cast their verdict. To do that:

    Select the "Upload a File" Tab.

    Click the "Browse" button and a Windows Explorer-type interface will open that enables you to navigate through your file system.

    Locate the file you want analyzed for its threat potential, left-click that file, and click "Send File" to upload it to VirusTotal.

    If the file was previously scanned by VirusTotal, it will display this message:

    If this happens Select "Reanalyze".

    Wait for it to be scanned and post back the url (copy/paste the link to the scan result page from your browser's address bar) if any of the scanners determine the file to be a threat.

    Repeat this same procedure for each of the two files listed above.

    Please perform a scan with the ESET online virus scanner. ESET may flag some files in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

    http://www.eset.com/onlinescan/index.php

    • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
    • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start"
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box to "Remove found threats" is CHECKED!!
    • Click "Start"
    • Allow the definition database to install
    • Click "Scan"

    When the scan is done, please post the scan report in your next reply. It can be found in this location:

    C:\Program Files\EsetOnlineScanner\log.txt

    Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

    Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

    To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

  8. Thanks for the update, treb!!

    We tried, but it can be difficult to thoroughly assess the degree to which entrenched stealth malware has compromised a system using correspondence troubleshooting alone. There was probably a hidden threat remaining that opened the door for additional threats to come on board, after Comodo was removed. In your case, a reformat and reinstall was the best option to ensure that your computer is truly clean.

    I'd be interested in knowing what the 8 threats were that the Tech shop found, but I assume any logs created are now gone!

    BTW, Microsoft Security Essentials version 2.0 was just released yesterday with many improvements. FYI:

    http://secure-computer-solutions.com/blog/2010/12/

    Thanks for keeping me posted, and let me know how the rest of the Saga goes, once you get back online!! :rolleyes:

  9. Run this program first (TDSSKiller) and then run Combofix after your system reboots.

    In answer to your question, don't worry about the Combofix renaming reversal; it has been known to occur normally.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Now run Combofix as per my previous instructions, and post that log, too!

  10. I am sticking with my False Positive prognosis.

    Added proof of this is that Kaspersky (a very highly regarded AV) once detected this file as a threat but they have since removed that detection declaring it clean:

    2008 VT REPORT:

    http://www.virustotal.com/file-scan/report...adfe0f9c000d96f

    2010 VT REPORT:

    http://www.virustotal.com/file-scan/report...4b9b-1292626837

    For further support read this topic which describes it as a nonessential updating component of SONY VAIO:

    http://forum.notebookreview.com/sony/23932...-utility-2.html

  11. I appreciate you removing the glut of game entries.

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished, it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.

    A black window should pop up, press any key to close once the fix is completed.

    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Let's try another ARK since the other one BSOD'ed!

    Please download Rootkit Unhooker and save it on your desktop.

    http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar

    If your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that.

    http://www.7-zip.org/

    Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu.

    • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
    • Double-click RkU3.8.388.590.exe to run the program
    • Click the Report tab, then click Scan
    • Check Drivers, and Stealth Code
    • Uncheck the rest, then click OK
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
    • Wait till the scanner has finished then go File > Save Report
    • Save the report somewhere you can find it. Click Close
    • Re-enable your security programs
    • Copy the entire contents of the report and paste it in your next reply.

    Note - If You get this warning it is ok, just ignore it:

    "Rootkit Unhooker has detected a parasite inside itself!

    It is recommended to remove parasite, okay?"

    ===============

    | Reboot |

    ===============

    Rerun exeHelper by Double-clicking on exeHelper.com

    A black window should pop up, press any key to close once the fix is completed.

    Do NOT reboot before this next step.

    Please Run ComboFix by following the steps provided in exactly this sequence:

    (since I am advising You to rename the Combofix EXE to iexplore.exe as You will see, you should run the MSRT first, and then delete that installer that You renamed iexplore.exe previously)

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK

      • For Internet Explorer:

      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Click Start --> Run, and enter this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please copy/paste the following into your next reply:

    1. RKU Log

    2. c:\windows\debug\mrt.log

    3. C:\Combofix.txt

  12. Download DDS and save it to your desktop from >Here<


    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt

      • Save both reports to your desktop
      • Please copy and paste dds.txt into your next reply (do NOT attach it, and hold on to attach.txt for now).

    -------

    Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage:

    http://www.gmer.net/download.php

    Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Next, please perform a rootkit scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • When the scan is finished (a few seconds), save the scan log to the Windows clipboard
    • Open Notepad or a similar text editor
    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
    • Exit the Program
    • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

    -------

    Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop:

    http://www.microsoft.com/downloads/en/deta...;displaylang=en

    Save and Rename it as You download it to iexplore.exe

    Double-click iexplore.exe on your Desktop to run it

    In the "Scan Type" window, select Full Scan

    Perform a scan and then click Finish when the scan is done.

    Retrieve the MSRT log as follows, and post it in your next reply:

    1) Click on Start, Run

    2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

    notepad c:\windows\debug\mrt.log

    Please copy/paste the following into your next reply:

    1. DDS.txt

    2. ARKQ.txt

    3. mrt.log

  13. Don't worry!! There are only two files flagged and not five (look at the file names). I believe this may represent a false positive detection of AVG targeting SONY VAIO updating software. This program runs in the background (well, it used to .. before it was quarantined). ESET did not target those files, neither did Combofix or MBAM and that is another reason I believe these are false Positives. Executable files that connect remotely can appear to be suspicious to scanners but there are legitimate uses for such connections and I believe this is what is happening here.

    PRC - [2007/06/05 08:49:30 | 003,682,576 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe

    PRC - [2007/05/31 10:32:14 | 000,551,032 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe

    If You want to, You can check for that by dequarantining those two targeted files:

    C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe

    C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe:\unthinstall0013.bin

    Then upload them to VirusTotal to have all the scanners cast their verdict. To do that:

    Go HERE:

    http://www.virustotal.com/

    Select the "Upload a File" Tab.

    Click the "Browse" button and a Windows Explorer-type interface will open that enables you to navigate through your file system.

    Locate the file you want analyzed for its threat potential, left-click that file, and click "Send File" to upload it to VirusTotal.

    If the file was previously scanned VirusTotal will display this message:

    If this happens Select "Reanalyze".

    Wait for it to be scanned and post back the url (copy/paste the link to the scan result page from your browser's address bar) if any of the scanners determine the file to be a threat.

    Repeat this same procedure for each of the two files listed above.

  14. Please post all logs generated thus far.

    As far as Gmer goes only post the Quick Scan results as follows if you can get them successfully:

    Very Important! BEFORE running Gmer, temporarily disable your antivirus and antimalware real-time protection and re-enable after the log is produced.

    http://www.bleepingcomputer.com/forums/topic114351.html

    Perform a Quick scan:

    • Double-click the Gmer EXE
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • When the scan is finished (a few seconds), save the scan log to the Windows clipboard
    • Open Notepad or a similar text editor
    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
    • Exit the Program
    • Save the Scan log as ARKQ.txt and post it in your next reply.

    If not possible to get a Quick scan log then

    Please download Rootkit Unhooker and save it on your desktop.

    http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar

    If your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that.

    http://www.7-zip.org/

    Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu.

    • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
    • Double click RkU3.8.388.590.exe to run the program
    • Click the Report tab, then click Scan
    • Check Drivers, and Stealth Code
    • Uncheck the rest, then click OK
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
    • Wait till the scanner has finished then go File > Save Report
    • Save the report somewhere you can find it. Click Close
    • Re-enable your security programs
    • Copy the entire contents of the report and paste it in your next reply.

    Note - If You get this warning it is ok, just ignore it:

    "Rootkit Unhooker has detected a parasite inside itself!

    It is recommended to remove parasite, okay?"

  15. You're Welcome, Kati2U!

    Should I turn my firewall and antivirus security back on now? Is AVG virus protection and firewall and malwarebytes malware protection enough? If so, I think I will take Advance System Care off since it didn't catch the Trojans anyway.

    Yes, and yes! Also, keep Vista's UAC ON at all times! I agree you should remove Advance System Care!! I noticed that You also have IOBIT on your system and You do NOT need that in addition to AVG and MBAM, especially since Vista comes with Windows Defender built-in.

    Please beware of solicitations for programs that claim to Speed up your PC or Clean your registry like those that ESET found (many of these products are scamware). Do not become a willing victim!!

    C:\Users\Pam\Downloads\speedupmypc(2).exe Win32/SpeedUpMyPC application deleted - quarantined

    C:\Users\Pam\Downloads\speedupmypc(3).exe Win32/SpeedUpMyPC application deleted - quarantined

    C:\Users\Pam\Downloads\speedupmypc.exe Win32/SpeedUpMyPC application deleted - quarantined

    C:\Users\Pam\Pictures\New Folder\speedupmypc.exe Win32/SpeedUpMyPC application deleted - quarantined

    Do NOT click on online advertisements for any programs like that. Always thoroughly research a program before downloading it. When You do download a program online always attempt to download it via the vendor's website and never through an ad link.

    ___________________

    We have a few steps to finish up now.

    You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 23, if you have not done that already.

    You can check your currently installed JRE version here.

    If you find you need to update to the Java Runtime Environment (JRE) 6 Update 23, then follow these steps:

    1. Download the latest JRE version clicking the "Agree and Start Free Download" button.

    2. Save the installer to your desktop.

    3. Close any programs you may have running - especially your web browser.

    4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

    5. Reboot your system

    6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

    7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it, if you do not care to have it, or You already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

    8. You may verify that the current version installed properly by clicking http://java.com/en/download/installed.jsp here.

    Now clear the Java cache (ESET detected and cleaned an infected item in there):

    After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

    As Java Cache can be an infection repository, You can quickly scan it periodically for infectious elements, by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

    The location of this folder usually is:

    In Vista and Windows 7:

    C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

    ==

    Now, we'll remove the tools we downloaded in the "cleanup":

    If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

    • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
    • Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)

    If I asked You to download exeHelper, RKill, OTL.exe,TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

    To remove Combofix and its quarantine folder:

    Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

    "%userprofile%\desktop\combofix2.exe" /uninstall

    This will do the following:

    • Uninstall Combofix and all its associated files and folders.
    • Flush your system restore points and create a new restore point.
    • Rehide your system files and folders
    • Reset your system clock

    ---

    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, allow it.

    2. Keep MBAM as an on demand scanner because I highly recommend it, and the Quick Scan will find most all active malware in minutes.

    3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

    You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

    The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

    However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

    Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

    Happy Surfing! :rolleyes:

  16. Yes, let me see all the logs you have - please copy/paste them (do not attach them) right into this topic.

    I'm giving you some directions to follow - in the event you cannot access the websites to download the tools I direct you to use, please try to access a clean PC to download all the utilities (renaming the executables as you go) and then copy them over to the infected PC by using a CDROM or USB flash drive.

    Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.

    A black window should pop up, press any key to close once the fix is completed.

    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Some background information on what we're planning to do next can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Please run ExeHelper, again and then run the RKill program that You downloaded as part of the Bleeping Computer Antivirus Action removal steps.

    Note:

    If you used the iexplore.exe version of RKill the first time, download the WiNlOgOn.exe version this time because we're going to name Combofix to iexplore.exe (in the coming steps).

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove on-board components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Click Start --> Run, and enter this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    Do the following and ONLY if You have trouble running Combofix in normal mode, run it in Safe Mode with Networking instead:

    How to get into Safe Mode:

    Restart your computer

    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    Instead of Windows loading as normal, the Advanced Options Menu should appear;

    Select the first option, to run Windows in Safe Mode with Networking, then press Enter.

    Choose your usual account.

  17. Hi Kati2U,

    Good job!

    I am not seeing anything malicious here.

    You do not have an image selected for your desktop background. To do that follow these easy directions:

    http://www.vistaknowledge.com/vista-how-to...-windows-vista/

    I see you installed files related to Windows Live Mail today:

    2010-12-16 05:54 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe

    2010-12-16 05:54 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll

    2010-12-16 05:54 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe

    2010-12-16 05:52 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

    Is your email working now?

    Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

    http://www.eset.com/onlinescan/index.php

    • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
    • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start"
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box to
      • Remove found threats. is CHECKED!!
      • Click "Start"
    • Allow the definition data base to install
    • Click "Scan"

    When the scan is done, please post the scan report in your next reply. It can be found in this location:

    C:\Program Files\EsetOnlineScanner\log.txt

    Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

    Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

    To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

  18. What AV are you running?

    TDSSKiller log shows all these AVG drivers are present on your system:

    2010/12/15 13:50:06.0810 avgfwfd (d30b785ab801a0e2b0ad922d66f971f3) C:\Windows\system32\DRIVERS\avgfwd6x.sys

    2010/12/15 13:50:07.0091 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\Windows\system32\DRIVERS\avgldx86.sys

    2010/12/15 13:50:07.0122 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\Windows\system32\DRIVERS\avgmfx86.sys

    Go to the Control Panel / Add Remove Programs and Remove ANYTHING that has AVG in the name!!

    Download AVG Remover appropriate to your installation of Windows (32 bit or 64 bit) and run it:

    http://www.avg.com/us-en/download-tools

    Download OTL and save it on your desktop:

    http://oldtimer.geekstogo.com/OTL.exe

    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
    • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
    • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
    • Do NOT touch your keyboard until the scan is done!!
    • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
    • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
    • Exit OTL by clicking the X at top right.

    Hold off completing the next set of directions until I look at your OTL log and give you the go ahead.

    Then try to remove that AVG folder like this (but be absolutely sure that You are NOT running any installation of AVG before You do this) :

    Open a Command prompt by clicking start -> Run, type cmd and hit Enter

    Copy/paste the following command at the command prompt, and then hit enter:

    rmdir /s /q C:\Users\Pam\Desktop\AVG\

    Let me know if you receive any errors.

    Then, try running Combofix again.
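    The three TDSSKiller lines quoted in this post share one layout: a timestamp, the driver's service name, its MD5 in parentheses, and the on-disk path. When a log runs to hundreds of such lines, it helps to parse them rather than eyeball them. The script below is an added example written for this page; it is not part of the post and not TDSSKiller's own code, and the line format it matches is inferred from the three lines above (an assumption). The three AVG lines are copied from the post; the other sample lines are constructed here to show that non-driver lines and other vendors are handled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Layout assumed from the lines quoted in the post (not an official spec):
#   <yyyy/mm/dd hh:mm:ss.ffff>  <service name> (<32-hex md5>) <driver path>
_DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class DriverRecord:
    timestamp: str
    name: str   # service/driver name as TDSSKiller reports it
    md5: str    # lower-cased so hashes compare reliably
    path: str   # path as logged; case preserved for reporting


def parse_driver_line(line: str) -> Optional[DriverRecord]:
    """Return a DriverRecord for one log line, or None if it is not a driver line."""
    m = _DRIVER_LINE.match(line.strip())
    if not m:
        return None
    return DriverRecord(m["ts"], m["name"], m["md5"].lower(), m["path"])


def parse_log(lines: Iterable[str]) -> List[DriverRecord]:
    """Parse every driver line in a log; banner/separator lines are skipped."""
    records: List[DriverRecord] = []
    for line in lines:
        rec = parse_driver_line(line)
        if rec is not None:
            records.append(rec)
    return records


def find_vendor_drivers(records: Iterable[DriverRecord], vendor_tag: str) -> List[DriverRecord]:
    """Select drivers whose service name or file path contains the vendor tag.

    Matching is case-insensitive because vendors mix case in service names
    (the post shows both 'avgfwfd' and 'Avgldx86').
    """
    tag = vendor_tag.lower()
    return [r for r in records if tag in r.name.lower() or tag in r.path.lower()]


def report(records: Iterable[DriverRecord]) -> str:
    """One line per driver: name, md5, path. Handy for pasting into a reply."""
    return "\n".join(f"{r.name:<12} {r.md5} {r.path}" for r in records)


# Three lines copied from the post; the others are CONSTRUCTED samples with a
# placeholder md5 so the script runs offline.
SAMPLE_LOG = [
    "2010/12/15 13:50:05.0000 ================================================================================",
    "2010/12/15 13:50:06.0810 avgfwfd (d30b785ab801a0e2b0ad922d66f971f3) C:\\Windows\\system32\\DRIVERS\\avgfwd6x.sys",
    "2010/12/15 13:50:06.0900 ACPI (0123456789abcdef0123456789abcdef) C:\\Windows\\system32\\drivers\\ACPI.sys",
    "2010/12/15 13:50:07.0091 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\\Windows\\system32\\DRIVERS\\avgldx86.sys",
    "2010/12/15 13:50:07.0122 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\\Windows\\system32\\DRIVERS\\avgmfx86.sys",
    "2010/12/15 13:50:08.0000 Some unrelated status text without a hash",
]


if __name__ == "__main__":
    drivers = parse_log(SAMPLE_LOG)
    print(f"{len(drivers)} driver lines parsed")
    print(report(find_vendor_drivers(drivers, "avg")))
```

    Running it against a real TDSSKiller log (for example, `parse_log(open(path))`) lists every driver the helper would otherwise have to pick out by hand; the MD5 column is what you would compare against the vendor's known-good value or submit to VirusTotal, as described earlier in this thread.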

  19. Great and Excellent job!

    We have a few steps to finish up now!!

    If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

    • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
    • Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)

    If I asked You to download TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

    To remove Combofix and its quarantine folder:

    Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

    "%userprofile%\desktop\combofix.exe" /uninstall

    This will do the following:

    • Uninstall Combofix and all its associated files and folders.
    • Flush your system restore points and create a new restore point.
    • Rehide your system files and folders
    • Reset your system clock

    ---

    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

    Note: If your firewall prompts you about access, please allow it.

    2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find and remove most active malware in minutes.

    3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

    You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

    The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

    However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

    Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

    Happy Surfing! :P

  20. Run exeHelper.com (as described in post #4)

    Download and Run Rkill from here -

    http://www.bleepingcomputer.com/forums/topic308364.html

    Try the "renamed" version that works for You, but since You renamed Combofix iexplore.exe, avoid that version.

    Then try to download Combofix again (in normal mode). If you cannot download and run it successfully, try to download it to a USB stick or burn to CDRom and then transfer (copy) the renamed Combofix to the infected computer's desktop. That usually works because the malware does not impede the download. Let me know how it goes.

    It is very important that your antivirus and antimalware protection is OFF because certain components of Combofix may be viewed as hacking tools by security programs, preventing a full download. You should turn off your firewall and enable the Windows Firewall through the Control Panel.

    http://www.microsoft.com/windowsxp/using/n...infirewall.mspx

    Please download Rootkit Unhooker (RKU) and save it on your desktop.

    http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar

    Since the RKU installer is in RAR format, if your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that here.

    http://www.7-zip.org/

    Just right click the RAR file on your desktop and choose the 7-Zip -> "Extract Here" option from the context menu.

    • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
    • Double click RkU3.8.388.590.exe to run it
    • Click the Report tab, then click Scan
    • Check Drivers and Stealth Code
    • Uncheck the rest, then click OK
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
    • Wait till the scanner has finished then go File > Save Report
    • Save the report somewhere you can find it. Click Close
    • Re-enable your security programs
    • Copy the entire contents of the report and paste it in your next reply.
