Posts posted by aliB
-
In short, svchost.exe is a legit process and there is nothing to worry about; it's a Windows file.
Further reading here: http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
-
Why do you think svchost is a fake process?
-
Your system appears to be clean. What are your current problems?
-
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
-
hi
Step 1
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3072253
IE - HKU\S-1-5-21-3699800534-3267415249-1966578606-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3072253
O33 - MountPoints2\{a8f90f4e-ac67-11e1-9228-002185996bd1}\Shell - "" = AutoRun
O33 - MountPoints2\{a8f90f4e-ac67-11e1-9228-002185996bd1}\Shell\AutoRun\command - "" = H:\setup.exe -a
O33 - MountPoints2\{d6ae36f2-36eb-11e1-bd97-002185996bd1}\Shell - "" = AutoRun
O33 - MountPoints2\{d6ae36f2-36eb-11e1-bd97-002185996bd1}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
[2012/02/16 15:52:50 | 000,002,048 | --S- | C] () -- C:\Users\John Beck\AppData\Local\444dfd5c\@
:Files
C:\Users\John Beck\AppData\Local\444dfd5c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Step 2
Download and Install Combofix
Download ComboFix from one of the following locations:
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion, then reboot; that will cure it.
Things I would like to see in your reply:
- OTL log
- Combofix.txt
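As an added illustration (not part of aliB's post or of the OTL tool itself), here is a small Python parser for the fix-script format used above: it splits the script into its sections and pulls out the two entry types a defender cares about most, the MountPoints2 AutoRun commands tied to a removable drive and the file entries with their attribute flags. The sample script is a shortened, constructed copy of the one in the post.

```python
import re

# Constructed sample: a shortened copy of the OTL fix script in the post above.
SAMPLE_FIX = r'''
:OTL
O33 - MountPoints2\{a8f90f4e-ac67-11e1-9228-002185996bd1}\Shell - "" = AutoRun
O33 - MountPoints2\{a8f90f4e-ac67-11e1-9228-002185996bd1}\Shell\AutoRun\command - "" = H:\setup.exe -a
[2012/02/16 15:52:50 | 000,002,048 | --S- | C] () -- C:\Users\John Beck\AppData\Local\444dfd5c\@
:Files
C:\Users\John Beck\AppData\Local\444dfd5c
ipconfig /flushdns /c
:Commands
[resethosts]
[Reboot]
'''

# O33 lines: the AutoRun command Windows remembered for one removable volume (keyed by GUID).
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# File lines: [date time | size | attribute flags | C(reated)/M(odified)] (company) -- path
FILE_RE = re.compile(
    r'^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| '
    r'(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$')


def parse_sections(text):
    """Split an OTL fix script into its :OTL / :Files / :Commands sections."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):          # section header such as ":Files"
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def autorun_commands(otl_lines):
    """Return (volume GUID, command) for every MountPoints2 AutoRun command entry."""
    return [(m["guid"], m["cmd"]) for m in map(AUTORUN_RE.match, otl_lines) if m]


def file_entries(otl_lines):
    """Parse file lines; 'system' is True when the S (system) attribute flag is set."""
    out = []
    for m in filter(None, map(FILE_RE.match, otl_lines)):
        out.append({"path": m["path"], "size": int(m["size"].replace(",", "")),
                    "company": m["company"], "system": "S" in m["attrs"]})
    return out
```

Note that a path in the :Files section is deleted by OTL, while a line ending in /c there is run as a command, so the sections must be kept apart when reviewing a script.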
-
hi
Let's do some cleanup.
Reset and Re-enable your System Restore
The following will implement some cleanup procedures as well as reset System Restore points:
- Click START then RUN
- Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
NEXT
- Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
- Click on the CleanUp button.
- Click Yes to begin the cleanup process and remove tools, including this application
- You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes
Recommendations
See Here for a list of recommendations for free Antivirus\AntiSpyware applications.
- Keep Your windows up to date by regularly checking their website at:
http://windowsupdate.microsoft.com/
- SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
- SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
- Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
- MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
- Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
- Click Here to learn how to keep a backup of your important files
- FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
Stay safe :wave:
-
hi
- Download RogueKiller and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
- The report has been created on the desktop.
- Next click on the ShortcutsFix
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
THEN
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
%systemdrive%\$Recycle.Bin|@;true;true;true
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Your system is clean.
-
Please post the OTL log; do not attach the logs unless instructed to do so.
Did you change the proxy settings?
-
hi
- Go to here
- Click the download button under Kaspersky Security Scan
- Download and run the file
- It will start to download the Kaspersky Security Scan program data
- Once downloaded the installer will begin
- Click Next
- Accept the License Agreement
- Click Install
- The program will now install
- Click Finish
- Kaspersky Security Scan will now start
- Click the Full Scan button
- The scan will take about an hour or two depending on the amount of data on your hard drive
- If the scan detects problems it will open a Problems found window
- Click Details to generate a scan results report
- Once the scan is complete do the following:
- For XP: Navigate to C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\KSS2\DataRoot
For Vista/7: Navigate to C:\ProgramData\Kaspersky Lab\KSS2\DataRoot
- Right-click on the HtmlReport folder --> Click Send to --> Click Compressed (zipped) folder
- Attach the HtmlReport zipped folder to your next post
- You can now close Kaspersky Security Scan
-
Let's see the AdwCleaner log as well.
-
OK, thanks for letting me know.
-
OK, I've decided it's best to leave this partition and not delete it.
What are your current problems? Update me on your system status.
-
hi
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/11/30 09:15:52 | 000,069,120 | ---- | M] (SmartDraw.com) -- C:\Users\rmanickam.HERSEYMETERS\AppData\Local\Temp\sdcode.dll
[6 C:\Users\rmanickam.HERSEYMETERS\AppData\Local\Temp\*.tmp files -> C:\Users\rmanickam.HERSEYMETERS\AppData\Local\Temp\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
NEXT
Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete
Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
-
Is this occurring when browsing a specific site, or is it irrelevant?
-
Run OTL
Under the Custom Scan box paste this in
C:\Users\rmanickam.HERSEYMETERS\AppData\Local\Temp\*.*
Click the Quick Scan button.
Post the log it produces; if it's too large to post, please attach it.
-
Glad we could help
-
-
In Disk Management, right-click the third partition (7.94GB).
Do you have the option to delete it?
-
The picture is not clear; please write down the location of the infected files.
-
-
hi
Congratulations, your logs appear clean :thumbsup:
Reset and Re-enable your System Restore
- Open OTL
- Under the Custom Scans/Fixes box at the bottom, paste the following:
:Commands
[clearallrestorepoints]
[createrestorepoint]
- Click the Run Fix button at the top
- It might ask you to reboot, if so click YES
NEXT
- Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
- Click on the CleanUp button.
- Click Yes to begin the cleanup process and remove tools, including this application
- You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes
Recommendations
See Here for a list of recommendations for free Antivirus\AntiSpyware applications.
- Keep Your windows up to date by regularly checking their website at:
http://windowsupdate.microsoft.com/
- SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
- SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
- Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
- MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
- Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
- Click Here to learn how to keep a backup of your important files
- FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
Stay safe :wave:
Thread: Need help with trojan dropper and false windows updates (in Resolved Malware Removal Logs)