
Can't repair or remove 2 registry items......


Chris M


MBAM says that they get quarantined & removed but they keep coming back. Also I have an item in my HijackThis file that should not belong...F2. Also, my HijackThis.exe does not run when clicked on...I have to right click on it & press run as current user in order to get the program to run...any ideas, I'm out of them!

Malwarebytes' Anti-Malware 1.34

Database version: 1811

Windows 5.1.2600 Service Pack 3

2/27/2009 9:28:32 PM

mbam-log-2009-02-27 (21-28-28).txt

Scan type: Quick Scan

Objects scanned: 71759

Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("C:\WINDOWS\system32


  • Root Admin

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


I have attached both files as well as posted them here.

OK...here's the Attach.txt.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2/13/2009 6:09:31 AM

System Uptime: 2/28/2009 3:50:54 PM (0 hours ago)

Motherboard: Micro Star International | | MS-7248R

Processor: Intel® Celeron® D CPU 3.20GHz | Socket 775 | 3199/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 89 GiB total, 53.889 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 1.801 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is FIXED (FAT32) - 7 GiB total, 2.755 GiB free.

K: is CDROM (CDFS)

N: is FIXED (NTFS) - 466 GiB total, 352.337 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Realtek RTL8139/810x Family Fast Ethernet NIC

Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_248C1462&REV_10\4&FB75CB&0&10A4

Manufacturer: Realtek Semiconductor Corp.

Name: Realtek RTL8139/810x Family Fast Ethernet NIC

PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_248C1462&REV_10\4&FB75CB&0&10A4

Service: RTL8023xp

==== System Restore Points ===================

RP8: 2/26/2009 2:19:19 PM - Software Distribution Service 3.0

RP9: 2/27/2009 1:02:53 PM - Working GREAT!

RP10: 2/27/2009 6:51:54 PM - RegCure Backup

RP11: 2/27/2009 6:55:08 PM - RegCure Backup

RP12: 2/27/2009 7:06:40 PM - RegCure Backup

RP13: 2/27/2009 7:57:27 PM - Restore Operation

RP14: 2/28/2009 1:24:08 AM - ComboFix created restore point

RP15: 2/28/2009 11:55:50 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer

6400_Help

Abe's Exoddus

Abe's Oddysee

Adobe Acrobat 4.0

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe PhotoDeluxe Home Edition 4.0

Adobe Reader 7.0

Adobe Shockwave Player

AI RoboForm (All Users)

Alien Sky

AlienGUIse Theme Manager

Amazing Adventures Around the World

Amazing Adventures The Lost Tomb

American McGee's Alice

Ancient Secrets

ATI - Software Uninstall Utility

ATI Display Driver

ATI Parental Control & Encoder

Basta Computing Buzof

Beach Party Craze

Big Island Blends

BitTorrent

bpd_scan

BPDSoftware

BPDSoftware_Ini

BufferChm

Burger Island

Burger Rush

Burger Shop

CCleaner (remove only)

Chutes and Ladders

CloneDVD 4.3.0.2

CyberLink Power2Go

Destination Component

DeviceDiscovery

DeviceManagementQFolder

Digital Media Reader

Diner Dash 2

DocMgr

DocProc

DocProcQFolder

Drunk-Man (remove only)

DVD Solution

eSupportQFolder

Evidence Eliminator

Family Tree Maker 2005

Family Tree Maker 2009

Fax

FDNY Firefighter: American Hero

Firehand Ember Pro

FlashGet(JetCar)

Gateway Drivers and Applications Recovery

GEAR 32bit Driver Installer

Google Earth

Google Update Helper

GPBaseService

GPL Ghostscript 8.63

Heavy Weapon Deluxe

Hide IP Platinum 3.43

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Home Plan Pro version 5.2.13.2

Hotfix for Windows XP (KB952287)

HP Document Manager 1.0

HP Imaging Device Functions 10.0

HP Officejet J6400 Series

HP Photosmart Essential 2.5

HP Smart Web Printing

HP Solution Center 10.0

HP Update

HPProductAssistant

iolo technologies' System Mechanic 4 Professional

J2SE Runtime Environment 5.0 Update 2

J6400

Java 6 Update 12

K-Lite Mega Codec Pack 1.33

Kyodai Mahjongg 2006 v1.42

Limewrie PRO Uninstall

Luxor

Malwarebytes' Anti-Malware

MDK2

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 3.0 Service Pack 1

Microsoft .NET Framework 3.5

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional with FrontPage

Microsoft Office XP Web Components

Microsoft Primary Interoperability Assemblies 2005

Microsoft Publisher 2002

Microsoft Visual C++ 2005 Redistributable

mIRC

MixMeister Fusion + Video 7.3.2

Mozilla ActiveX Control v1.7.12

Mozilla Firefox (2.0.0.7)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

Multimedia Keyboard Driver

Mystery P.I. - The Vegas Heist

Net Nanny Parental Controls 6.0

Norton Internet Security

OCR Software by I.R.I.S. 10.0

PDFill PDF Editor with FREE PDF Writer and Tools

PerfectDisk

PowerDVD

ProductContext

PSSWCORE

PxPlayer

Rainforest Adventure

RealPlayer

REALTEK GbE & FE Ethernet PCI NIC Driver

Recovery Software Suite Gateway

RegCure 1.5.2.7

RegistryFix v7.0

Restaurant Rush

ResumeMaker Professional

Rosetta Stone V3

Sally's Salon

Scan

Security Task Manager 1.7g

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

SmartWebPrintingOC

SnagIt 9

Snowy Treasure Hunter 3

SolutionCenter

SpongeBob SquarePants Employee of the Month

Stand O'Food

Status

Super GameHouse Solitaire

Tank-o-Box

The Neverhood

The Price Is Right

The_Pirate_Bay Toolbar

Toolbox

TrayApp

TuneUp Utilities 2009

Turbo Pizza

Twistingo

Uniblue RegistryBooster 2009

UnloadSupport

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

VideoToolkit01

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VLC media player 0.9.8a

WebFldrs XP

WebReg

Wild West Quest

WildTangent Games

Winamp

Window Washer

Windows Backup Utility

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

WinRAR archiver

World of Warcraft

XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/23/2009 9:47:58 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service hpqcxs08 with arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

2/23/2009 8:43:59 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

2/23/2009 3:03:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ImapiService with arguments "-Service" in order to run the server: {520CCA63-51A5-11D3-9144-00104BA11C5E}

2/23/2009 1:29:05 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

2/23/2009 1:29:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ABBYY FineReader 9.0 PE Licensing Service service to connect.

2/23/2009 1:29:05 PM, error: Service Control Manager [7000] - The Norton 2009 Reset service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

2/23/2009 1:29:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton 2009 Reset service to connect.

2/23/2009 1:28:31 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

2/23/2009 3:47:33 AM, error: Service Control Manager [7000] - The TuneUp Theme Extension service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

2/26/2009 2:17:34 PM, error: Service Control Manager [7034] - The Window Washer Engine service terminated unexpectedly. It has done this 1 time(s).

2/26/2009 2:17:37 PM, error: Service Control Manager [7034] - The ABBYY FineReader 9.0 PE Licensing Service service terminated unexpectedly. It has done this 1 time(s).

2/26/2009 2:17:45 PM, error: Service Control Manager [7034] - The TuneUp Program Statistics Service service terminated unexpectedly. It has done this 1 time(s).

2/26/2009 2:29:42 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service dmadmin with arguments "/com" in order to run the server: {4FB6BB00-3347-11D0-B40A-00AA005FF586}

2/26/2009 2:29:56 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service helpsvc with arguments "" in order to run the server: {833E4010-AFF7-4AC3-AAC2-9F24C1457BCE}

2/27/2009 9:19:29 AM, error: Service Control Manager [7022] - The ContentWatch service hung on starting.

2/27/2009 3:13:26 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

2/27/2009 5:55:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 ACPIEC adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp iaStor ini910u IntelIde mraid35x Pcmcia perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

2/27/2009 7:25:13 PM, error: Service Control Manager [7031] - The ContentWatch service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

2/27/2009 7:44:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

2/27/2009 7:44:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/27/2009 7:44:27 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/27/2009 7:44:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip Tcpip6 WS2IFSL

2/27/2009 7:45:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

2/24/2009 1:38:05 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file ctl3d32.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.31.0.0, the version of the system file is 2.31.0.0.

2/24/2009 11:28:22 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file opengl32.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.5512, the version of the system file is 5.1.2600.5512.

==== End Of File ===========================

Here's the DDS.txt...

DDS (Ver_09-02-01.01) - NTFSx86

Run by Owner at 15:53:47.50 on Sat 02/28/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1501 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)

FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe

C:\Program Files\AlienGUIse\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\ContentWatch\Internet Protection\cwtray.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32

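The two registry values that matter most in the logs above are the one MBAM flagged in the first post, HKEY_CLASSES_ROOT\exefile\shell\open\command (the command Explorer runs for every double-clicked .exe, which is why HijackThis.exe would not start on a double-click while the separate Run as... verb under shell\runas still worked), and the Winlogon Userinit line in this DDS.txt, where anything listed after userinit.exe, is started at every logon. The Python below is an added example, not part of this thread or of MBAM, DDS, HijackThis or ComboFix: it parses the text that reg export or regedit produces for those two keys, compares them with the stock XP values ("%1" %* and C:\WINDOWS\system32\userinit.exe,), and writes out a .reg file that restores them. The two sample exports and the path hypothetical_loader.exe inside them are constructed for illustration; nothing in this thread identifies the real value, which is truncated in the log.

```python
"""Audit two Windows XP registry persistence points from a .reg export.

Added example for this thread, not part of MBAM, DDS, HijackThis or ComboFix.
Expected input is the text produced by
    reg export HKCR\exefile\shell\open\command exefile.reg
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
concatenated (regedit's File > Export writes the same format).
"""
from __future__ import annotations

import re

EXEFILE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock XP values: every .exe runs as itself with its own arguments, and
# Winlogon starts only userinit.exe (the trailing comma is part of the value).
GOOD_EXEFILE_OPEN = '"%1" %*'
GOOD_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# One REG_SZ line: '@' (the key's default value) or a quoted name, '=', quoted data.
_SZ_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unquote(token: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key_lower: {value_name_lower: data}} for the REG_SZ values in .reg text.

    Key and value names are lower-cased because the registry compares them
    case-insensitively. dword/hex lines are ignored; they are not needed here.
    """
    keys: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _SZ_LINE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else _unquote(m.group(1)).lower()
            current[name] = _unquote(m.group(2))
    return keys


def check_exefile_open(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag an exefile open command that is anything other than the stock '"%1" %*'."""
    cmd = keys.get(EXEFILE_OPEN_KEY.lower(), {}).get("(default)")
    if cmd is None:
        return ["exefile\\shell\\open\\command has no default value"]
    if cmd != GOOD_EXEFILE_OPEN:
        return [f"exefile open command hijacked: {cmd} (expected {GOOD_EXEFILE_OPEN})"]
    return []


def check_userinit(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag every Userinit entry that is not the real userinit.exe."""
    val = keys.get(WINLOGON_KEY.lower(), {}).get("userinit")
    if val is None:
        return ["Winlogon Userinit value missing"]
    good = GOOD_USERINIT.rstrip(",").lower()
    extra = [e for e in (p.strip() for p in val.split(",")) if e and e.lower() != good]
    return [f"extra Userinit entries started at logon: {', '.join(extra)}"] if extra else []


def audit(reg_text: str) -> list[str]:
    """Run both checks over one .reg export and return the findings (empty = clean)."""
    keys = parse_reg(reg_text)
    return check_exefile_open(keys) + check_userinit(keys)


def repair_reg_text() -> str:
    """A .reg file that puts both values back to the XP defaults (import it with regedit)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{EXEFILE_OPEN_KEY}]\r\n"
        '@="\\"%1\\" %*"\r\n\r\n'
        f"[{WINLOGON_KEY}]\r\n"
        '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"\r\n'
    )


# Constructed samples (hypothetical_loader.exe is made up; the poster's real value is truncated).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\hypothetical_loader.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\hypothetical_loader.exe"
'''

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, audit(text) or "OK")
    print(repair_reg_text())
```

On the affected machine, export the two keys with reg export as shown in the docstring, join the files, and pass the text to audit(). A double-clicked .reg file is launched through the regfile class rather than exefile, so importing the repair file normally still works even while the exefile open command is hijacked. If the bad value returns after a reboot, as it did for the poster, something that is still running (a service, a driver, or an extra Userinit entry) is rewriting it, and the value is a symptom rather than the cause.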


  • Root Admin

STEP 01

You need to remove Adobe Reader 7.0 and update it.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

STEP 02

You need to remove P2P file sharing software while we're helping you.

BitTorrent

Limewrie PRO Uninstall

The_Pirate_Bay Toolbar

Also remove these old programs that have code that has been exploited.

Please go into the Control Panel, Add/Remove and for now remove the J2SE Runtime Environment 5.0 Update 2 version of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 03

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


My Hijackthis log........

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:33:18 PM, on 3/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
.norton2009Reset
MEMSWEEP2

File::
c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe
c:\windows\system32\848.tmp
c:\windows\system32\spupdsvc.inf
c:\windows\system32\xa8358171.exe
c:\windows\system32\xa8356296.exe
c:\windows\system32\xa4781218.exe
c:\windows\system32\xa4779125.exe
c:\windows\system32\xwr34307.dll
c:\windows\system32\wr34307.dll
c:\windows\iosys32b.dat
c:\windows\hpwins14.dat.temp
c:\windows\hpwmdl14.dat.temp
c:\windows\hpwins14.dat
c:\windows\hpwmdl14.dat
c:\windows\wmsysprx.prx

RegLock::
[HKEY_USERS\S-1-5-21-3930539666-2202951712-789337479-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
[HKEY_USERS\S-1-5-21-3930539666-2202951712-789337479-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{760A9D3F-FE37-5A76-5F75-8109ECD898E7}*]

RegNull::
[HKEY_USERS\S-1-5-21-3930539666-2202951712-789337479-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{760A9D3F-FE37-5A76-5F75-8109ECD898E7}*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 03

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


  • Root Admin

Those scans look pretty good. A couple of potential items but best we scan with an Anti-Virus product to make sure.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
