Jump to content

HJT log - all anti-malware software blocked


Recommended Posts

  • Root Admin

Well hopefully that gives some good results. If not then try to use this. If needed try renaming the file a few times.

If it still does not work then try booting into SAFE MODE by tapping the F8 key while the computer boots up. Then if needed try renaming the file in Save Mode to see if you can get it to run.

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Link to post
Share on other sites

DrWeb crashed in console mode. I think my computer (Dell) has some sort of power-saving features that are independent of the operating system. I've been turning off the monitor while these processes are running, and it seems to wake the machine up when I turn the monitor back on--even when running in the Linux shell that comes with the various recovery disks.

Regardless, here's the combofix file. Doesn't look like it found anything.

ComboFix.txt

ComboFix.txt

Link to post
Share on other sites

  • Root Admin

Well I would have to agree that I don't see anything obvious that would be causing such an issue with all these tools.

Please give this tool a try and it that does not work then you might need to try an in place Windows repair and if that does not work then you might be looking at rebuilding the box. You've tried numerous Boot AV scanners and they're clean, Combofix is clean pretty much too which leads me to think you must have something wrong with the actual OS or Registry messed up on the box.

Please download and run this program: Dial-a-fix

dialafix.png

Link to post
Share on other sites

Tried dial-a-fix; still wont run MB or RR.

Computer is working fairly well in other respects--this just makes me suspicious that it doesn't like to run particular anti-malware programs. I seem to recall some warning about the first installation of MB, some big "Don't do this!" thing--can't remember what it was--but the consequences were supposed to have been dire. Maybe I just screwed the pooch on my first installation attempt?

Interesting note: Reading up on doing a repair installation of XP, and MS says I should first uninstall IE7. I go to IE7 on my "add/remove programs" utility, and there is no "uninstall" option, just a support link. Click the support link, and it takes me to the IE8 download page. So how do I uninstall IE7? Or is this another thing that is screwed up on my box?

I have rebuilt this box at least once before. No fun!

Thanks for all your help.

Link to post
Share on other sites

Judging by the "system32" below, I guess that means I'm running 32-bit?

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Owner\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=BORG

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Owner

LOGONSERVER=\\BORG

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\CARIS\EASY-ENC\Bin;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ActivIdentity\ActivClient

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0209

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp

USERDOMAIN=BORG

USERNAME=Owner

USERPROFILE=C:\Documents and Settings\Owner

windir=C:\WINDOWS

Link to post
Share on other sites

It worked!

Quick scan found two items, per below. Rebooted and will now run a full scan. I think the problem's still there. As the system was booting up, I got a brief flash of "Your computer may be at risk. Security is disabled." Then it went away. Will report after full scan. Thanks very much!

Malwarebytes' Anti-Malware 1.36

Database version: 1964

Windows 5.1.2600 Service Pack 3

4/10/2009 10:22:01 PM

mbam-log-2009-04-10 (22-21-55).txt

Scan type: Quick Scan

Objects scanned: 85619

Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

So that was just something Norton was doing, not really a virus? Hmmm.

Well, here's the result of the full scan (below). The only problem found was in a system restore file, so I'm guessing it wasn't really active. The problem with my installs must then have been plain old corrupt file issues rather than malware.

In any case, sure beats rebuilding the box. Thanks again!

Malwarebytes' Anti-Malware 1.34

Database version: 1964

Windows 5.1.2600 Service Pack 3

4/11/2009 12:12:53 AM

mbam-log-2009-04-11 (00-12-53).txt

Scan type: Full Scan (C:\|)

Objects scanned: 177827

Time elapsed: 1 hour(s), 36 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{93B134E4-5BC7-4F05-B19F-CE6566F28B6F}\RP1092\A0195875.exe (Adware.MyWeb) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Here ya go:

Malwarebytes' Anti-Malware 1.36

Database version: 1966

Windows 5.1.2600 Service Pack 3

4/12/2009 11:35:23 PM

mbam-log-2009-04-12 (23-35-23).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178175

Time elapsed: 1 hour(s), 40 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should
Create a New Restore Point
to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to
"roll-back"
to a clean working state.

The easiest and safest way to do this is

:
  • Go to
    Start
    >
    Programs
    >
    Accessories
    >
    System Tools
    and click "
    System Restore
    ".
  • If the shortcut is missing you can also click on
    START
    >
    RUN
    > and type in
    %SystemRoot%\system32\restore\rstrui.exe
    and click OK

  • Choose the radio button marked "
    Create a Restore Point
    " on the first screen then click "
    Next
    ".

  • Give the new Restore Point a name, then click "
    Create
    ".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use the
    Disk Cleanup
    to remove all but the most recently created Restore Point.
  • Go to
    Start
    >
    Run
    and type:
    Cleanmgr.exe

  • Select the drive where Windows is installed and click "
    Ok
    ". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "
    More Options
    " tab, then click the "
    Clean up
    " button under System Restore.

  • Click Ok. You will be prompted with "
    Are you sure you want to delete all but the most recent restore point?
    "

  • Click
    Yes
    , then click Ok.

  • Click
    Yes
    again when prompted with "
    Are you sure you want to perform these actions?
    "

  • Disk Cleanup will remove the files and close automatically.

  • On the
    Disk Cleanup
    tab, if the
    System Restore: Obsolete Data Stores
    entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

selectdrivecleanup.pngselectdrivecleanup1.png

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.