Dell C800 Latitude malicious files, XP OS

Hello, any assistance will be greatly appreciated. The Latitude has been moth-balled since about 2006. I'm sure the machine has bad mojo on it. Hopefully I haven't 'screwed the pooch' before I found this forum. To start with, I did attempt to clean things up all by myself, however I have not emptied the Recycle Bin. I did put MBAM on the machine and ran it, then did the same with HijackThis, which I uninstalled but still have a log file. It appears that MBAM quarantined a bunch of things on the 1st run, but I still see suspicious programs loading and running. When I try to run DDS I get the error: "c:\SYSTEM32\AUTOEXEC.NT. The system file is suitable for running MS DOS and Microsoft applications. Close to terminate". I am going back and forth between a clean machine and the problem child to try and fix things. If you can help, what should I do?

Thankfully,

farmer68623

 

I will attach the initial MBAM logs and the HijackThis log.

 

Hello,

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

 

Post the log in next reply please...

 

Kevin


Hi Kevin, thanks for the help thus far. I ran ComboFix as directed, successfully did the MS Win Recovery and then went to scan mode. The scan appeared to be running, but after 8 hours it appeared to be stalled. I had to shut down the machine. The scan did not finish and there is no log file. The only thing that appears to have been removed was FCAdvice.com. What do I do next?? Thanks


Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Open Malwarebytes, check for updates then run Quick scan. Full instructions follow if  Malwarebytes is not installed:

 

Download Malwarebytes from the following link and save it to your desktop.:

 

 

http://www.malwarebytes.org/mbam.php 

 

Double Click mbam-setup.exe to install the application.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

Let me see those logs.....

 

fixlist.txt


Yep both suspicious and unwanted, stop entries in Task manager then uninstall from Add/Remove programs list, or use RevoUninstaller as follows:

 

Please download and install Revo Uninstaller Free

 

 

  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted click on Yes and then on next.
  • Put a check on any folders that are found and select delete
  • When prompted select yes then on next
  • Once done click Finish.

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 users right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

 

If no threats were found:

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

 

If threats were found

 

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

 

close program

 

copy and paste the report in next reply

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Post the produced logs,

 

Thanks,

 

Kevin


Kevin

Ran the Revo, would have skipped it if I had known what it was, all programs in Add/Delete are legitimate. EQTraffic loads on startup or re-boot. AdwCleaner didn't show anything that I thought was important, but scanned and cleaned, relevant txt files attached. I'm going to run the ESET AV and hopefully it finishes before you reply to my post.

I'm listing in short hand, sort of , the [Folder] (unknown) from Explorer dir tree in Program Files:

[asys] = stb.exe  [Epicenter] {snuinst.exe} [CMAPP] {[Client]} {cmappstub.exe / cmETappupdate.exe} [CMMan] {cmappupdate.exe} [EQTraffic] {EQTraffic.exe +(uninstall.exe+2 txt's} [FCAdvice] {FCAdvice.exe} + uninstall.exe + patterns.dat}} [Micrprose] {Majesty}  [Zango Games] {David & Goliath}. I am tired and weary, hope this makes sense. Will post again when ESET finishes. I guess I'm a pain, but again thanks

 

 


When you have opened the relevant folder for each application in Program files double click on the uninstall.exe file, that should run the uninstaller process. Let me know if that is successful.

 

Post the ESET log anytime you're ready, I do not regard you as any type of pain, you're a guy with PC issues, I'm here to help. We'll get a solution eventually....

 

Kevin... :)


I'm back again ... Kevin. Here is the ESET log. Programs running in Task Mgr seem to be proper files. I noticed that in the ESET log a program named snuinst.exe is in FRST\Quarantine\.. This file is also present in Program Files\epicenter\snuinst.exe, also a Folder named CMMan contains the file cmappudate.exe, as well as in Folder CMAPP. The ESET log only referred to cmappstub.exe in the CMAPP Folder. Not sure it is relevant, but I noticed that EQTraffic.exe shows up in Windows\Prefetch\EQTraffic.exe-22F995EC.pf? I will await your guidance for the next steps to take. Thanks again!

 


See if any of the following show up in Revo Uninstaller, if so Uninstall each one. Use the instructions for Revo previously given. If not in Revo just continue...

 

asys
CMAPP
Movat&t

Next,

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Files
    C:\Program Files\asys
    C:\Program Files\CMAPP
    C:\Program Files\Movat&t
    C:\WINDOWS\dsr.exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\visfxun.exe
    C:\WINDOWS\zpdzvrq.exe
    C:\WINDOWS\system32\COMMCOS2.DLL
    C:\WINDOWS\system32\rastmon.dll
    C:\WINDOWS\Temp\_avast_\unp234913443.tmp
    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Regarding the file you mention in the "Prefetch" folder, navigate to that file and delete it...

Post log from OTM, let me know if any remaining issues or concerns...
 

Kevin....


This didn't work well for me. Running Revo gave no results. OTM.exe run did not show a code box or any log/txt file that I know of. Everything in yellow/green bars were empty. Tried several times. I probably messed up because I was so frustrated I hit the Clean button. Not sure where I'm at now, do not see the c:\_OTMove dir ....... HELP!


If you've hit the "Clean up" button OTM will do just that, the problem is it will remove other tools such as Combofix, it will also remove itself and its folders...

 

Give me an update on your system, tell me exactly what issues and/or concerns are still remaining.....

 

Next,

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

 

Double click zip file and extract to your  Desktop:

 

 


 

 

you will now have 3 versions of the tool on the Desktop:

 

 


 

Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html

 

Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open:

 

 


 

 

Copy and paste the following script from the code box and paste into the field.

 

 

standardsearch;autoruns;autoclean;emptyclsid;emptyalltemp;installedprogs;

 

 

Select the "Run Script" tab. The following window will open:

 

 

 


 

 

 

Please be patient and do not use the PC when the scan is in progress.

 

When complete you may be asked to re-boot your PC, if so please do.

 


 

Post the produced log in your next reply…..


Kevin, the offending files/folders still exist in the Program Files directory. Successfully ran Zoek. HijackThis is still installed on my machine and ran and produced a log file. Attached are that and the Zoek log. I just realized after running Zoek why the OTM program failed to run as expected ~ I failed to paste the Instructions for Files to be Moved into the box... thanks again, next?

 


Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Files
    C:\Program Files\asys
    C:\Program Files\CMAPP
    C:\Program Files\Movat&t
    C:\WINDOWS\dsr.exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\visfxun.exe
    C:\WINDOWS\zpdzvrq.exe
    C:\WINDOWS\system32\COMMCOS2.DLL
    C:\WINDOWS\system32\rastmon.dll
    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Also you have no need to keep HJT installed, uninstall that at your convenience. HJT is somewhat dated and does not give a true picture of the operating system...

 

Kevin
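An added example, not code from this thread or from OTM's author: a small Python dry-run parser for the :Files / :Commands script format shown in the post above. It reads the script the way the instructions describe it (a line starting with ':' opens a section, every following line is an entry of that section), resolves each Windows path under a root directory of your choosing (a mounted image or a test tree; the `root` argument is this example's own addition, since the real tool acts on the live C: drive) and records, for everything that exists, its size and SHA-256 before anything is moved. Keeping that record gives you something to look up later and lets you check the quarantine against it. The sample script, the placeholder file contents and the `demo()` tree are constructed for the example; OTM's other section types are not modelled.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath


def parse_otm_script(text):
    """Split an OTM-style script into sections.

    ':Files' and ':Commands' lines open a section; each non-blank line after a
    header is an entry of the current section. Returns {'Files': [...], ...}.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].strip()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def resolve_under_root(win_path, root):
    """Map 'C:\\WINDOWS\\dsr.exe' to <root>/WINDOWS/dsr.exe.

    The drive anchor is dropped so the dry run can be pointed at a mounted
    image or a scratch tree rather than the live system drive.
    """
    p = PureWindowsPath(win_path)
    parts = p.parts[1:] if p.anchor else p.parts
    return Path(root).joinpath(*parts)


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def dry_run(script_text, root):
    """Inventory every :Files entry without deleting or moving anything.

    Returns (report, commands). report maps each original Windows path to a
    dict with 'status' of 'file', 'dir' or 'missing'; files also carry 'size'
    and 'sha256', directories carry the count of entries beneath them.
    """
    sections = parse_otm_script(script_text)
    report = {}
    for entry in sections.get("Files", []):
        target = resolve_under_root(entry, root)
        if target.is_file():
            report[entry] = {"status": "file", "size": target.stat().st_size,
                             "sha256": sha256_of(target)}
        elif target.is_dir():
            report[entry] = {"status": "dir",
                             "entries": sum(1 for _ in target.rglob("*"))}
        else:
            report[entry] = {"status": "missing"}
    return report, sections.get("Commands", [])


# Constructed sample script in the same shape as the thread's code box.
SAMPLE_SCRIPT = """\
:Files
C:\\Program Files\\asys
C:\\WINDOWS\\dsr.exe
C:\\WINDOWS\\system32\\rastmon.dll
:Commands
[EmptyTemp]
"""

# Constructed placeholder contents; not real executables.
SAMPLE_EXE = b"MZ constructed sample, not a real binary"


def demo():
    """Build a scratch tree holding only some of the listed paths and dry-run
    the sample script against it, so one entry is a file, one a directory
    and one missing."""
    root = Path(tempfile.mkdtemp(prefix="otm_dryrun_"))
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "WINDOWS" / "dsr.exe").write_bytes(SAMPLE_EXE)
    (root / "Program Files" / "asys").mkdir(parents=True)
    (root / "Program Files" / "asys" / "stb.exe").write_bytes(SAMPLE_EXE)
    return dry_run(SAMPLE_SCRIPT, root)


if __name__ == "__main__":
    found, cmds = demo()
    for path, info in found.items():
        print(path, info)
    print("commands:", cmds)
```

Run it once against the scratch tree to see the three outcomes, then point `dry_run` at a mounted copy of the affected drive; the report is what you keep alongside the tool's own log.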


Hope this took care of my woes! Here is the OTM log. All files appear to be removed, except the CMman folder, which is now empty. The epicenter folder containing snuinst.exe appeared when I opened Explorer, and then disappeared. If this resolves my troubles, I thank you so much for your assistance and patience. Farmer68623 a/k/a The Mean Farmer :)


There is one update needed for your system, Service Pack 3 (SP3). It is in your own best interest to install that update at your earliest convenience.

 

Do this first...

 


  • Double-click OTM.exe to run it. Windows 7 or Vista accept the UAC alert.
  • Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes. You may be asked to reboot, allow that to happen.

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When SP3 is installed, delete that ERUNT backup folder...

 

Next,

 

Go here: http://www.microsoft.com/en-gb/download/details.aspx?id=24 for the SP3 d/l link and full instructions how to complete the update.....

 

Let me know if the above completes ok, also if any remaining issues or concerns...

 

Thanks,

 

Kevin


Kevin, been busy updating the machine, now have SP3, trying to update any drivers that I can. This does not appear in Task Mgr, but in Sys Info/Running Tasks I see two of the same file name running which look suspicious: helpctr.exe [FilePath] c:\windows\pchealth\helpctr\binaries\helpctr.exe. Not sure if this is legit or not, other than that everything else seems dandy. One other unrelated question would be: is there a way to get WPA on a Dell TrueMobile 1150 series wireless LAN Mini PCI card? I know this machine is old ~ just curious. Thanks again.


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
