zammer Posted June 2, 2009 ID:85963 Share Posted June 2, 2009 Mbam LogMalwarebytes' Anti-Malware 1.37Database version: 2207Windows 5.1.2600 Service Pack 32009/06/02 7:20:07 AMmbam-log-2009-06-02 (07-20-07).txtScan type: Quick ScanObjects scanned: 112359Time elapsed: 2 minute(s), 15 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 3Registry Data Items Infected: 2Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\njaffer\LOCALS~1\Temp\init.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJT LogLogfile of Trend Micro HijackThis v2.0.2Scan saved at 11:34:56 AM, on 2009/06/02Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Symantec AntiVirus\Smc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Creative\Shared Files\CTAudSvc.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Utilities\Washer\WasherSvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Symantec AntiVirus\SmcGui.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Hummingbird\DM Extensions\papihost.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exeC:\Program Files\Utilities\Unlocker\UnlockerAssistant.exeC:\WINDOWS\system32\CTHELPER.EXEC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exeC:\Program Files\Utilities\ProcessExplorer\procexp.exeC:\Program Files\Hummingbird\DM Extensions\DM.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\cidaemon.exeC:\WINDOWS\system32\cidaemon.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.westnet2O15 - Trusted IP range: http://10.192.0.16O15 - Trusted IP range: http://10.192.0.16 (HKLM)O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://96.1.14.50/VatDec.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1236892049844O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237905307470O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dwv.caO17 - HKLM\Software\..\Telephony: DomainName = dwv.caO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dwv.caO20 - Winlogon Notify: mhifrvl - C:\WINDOWS\SYSTEM32\mhifrvl.dllO23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exeO23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXEO23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exeO23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exeO23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXEO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXEO23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exeO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Utilities\Washer\WasherSvc.exe--End of file - 12485 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 3, 2009 Root Admin ID:86234 Share Posted June 3, 2009 This does not look good. You have an indication of having the Virut virus. Please run the following and we'll see what it says. Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
zammer Posted June 3, 2009 Author ID:86308 Share Posted June 3, 2009 Thank You!!! Here's the combofix log and new hijackthis log...ComboFix.txthijackthis.log.txtComboFix.txthijackthis.log.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 4, 2009 Root Admin ID:86466 Share Posted June 4, 2009 STEP 01Download but do not yet run ComboFixIf you have a previous version of Combofix.exe, delete it and download a fresh copy.Download it to your DESKTOP - it MUST run from the Desktopdownload.bleepingcomputer.com/sUBs/ComboFix.exesubs.geekstogo.com/ComboFix.exeUsing your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank linesKILLALL::AtJob::Driver::nibtktfeccafgSmcinstFile::C:\wrfpv.exeC:\nhfly.exeC:\gvqn.exeC:\gvgfbscb.exec:\windows\system32\drivers\hzIdbovv.sysc:\windows\system32\drivers\tumj.sysOpen a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with with your results log open. Do a File, Exit.A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.Post back the Combofix log on your next reply.STEP 02Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen post back the MBAM log and a new Hijackthis log.STEP 03Download DDS and save it to your desktophttp://download.bleepingcomputer.com/sUBs/dds.scrDisable any script blocker if your Anti-Virus/Anti-Malware has it.Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.Then double click dds.scr to run the tool.When done, the DDS.txt will open.Click Yes at the next prompt for Optional Scan.When done, DDS will open two (2) logs:DDS.txtAttach.txtSave both reports to your desktopPlease include the following logs in your next reply: DDS.txt and Attach.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 4, 2009 Root Admin ID:86575 Share Posted June 4, 2009 Please post a status update on this.Thanks. Link to post Share on other sites More sharing options...
zammer Posted June 4, 2009 Author ID:86672 Share Posted June 4, 2009 All done... here are the latest log files...Does this mean I'm clean.Fingers and toes crossedmbam_log_2009_06_04__07_21_59_.txtCombo_fix_log.txtDDS.txtAttach.txthijackthis.log.txtmbam_log_2009_06_04__07_21_59_.txtCombo_fix_log.txtDDS.txtAttach.txthijackthis.log.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 5, 2009 Root Admin ID:86851 Share Posted June 5, 2009 Not quite yet. Looks much better but you still have something that may not belong there.Please run the following and we'll see what is left. How is the computer running now compared to when you first posted here?STEP 01Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log FilesClick on Run Cleaner button on the bottom right side of the program.Click OK to any promptsSTEP 02You may have corrupted files on your disk. Please try running the following.First close ALL Applications as this routine will automatically restart your computer.Click on START - RUN and copy / paste the following entry into the box and click OKCMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30STEP 03Click on START - RUN and type in SIGVERIF and click OKThis is a Microsoft File Signature Verification program that will check some file status for us.Click on the START button and let it run. It will popup a box when it's done to show the status, you can close that box.Close the File Signature Verification application.Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply. DO NOT post the log directly into your reply, attach the file please.STEP 04Please create a BOOTLOGDelete the following file if it exists. C:\Windows\ntbtlog.txt Restart the computer and press F8 when Windows start booting. This will bring up the startup options.Select "Enable Boot Logging" option and press enter.Windows prompts you to select a Windows Installation (even if there is only one windows installation)This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows Link to post Share on other sites More sharing options...
zammer Posted June 5, 2009 Author ID:87044 Share Posted June 5, 2009 Sigh, looks like I've still got something...Here are the logs. Had to zip SIGVERIF.TXT cause it was too big...Looks like the F*****T word.... (lol - that's format for you folks with dirty minds)ActiveScan.txtntbtlog.txtSIGVERIF.zipActiveScan.txtntbtlog.txtSIGVERIF.zip Link to post Share on other sites More sharing options...
zammer Posted June 5, 2009 Author ID:87046 Share Posted June 5, 2009 Just ran Malwarebytes too and it came up with 9 infected entries...Seems like things got better and then everything went back to the way it was at the start of this process... Can a Trogan do that?mbam_log_2009_06_05__12_06_32_.txtmbam_log_2009_06_05__12_06_32_.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 5, 2009 Root Admin ID:87094 Share Posted June 5, 2009 The last MBAM log says you did not choose to allow MBAM to fix it. You need to check for program updates and do another Quick Scan and allow MBAM to fix it.Please run the following scanner.Please download and run the Trend Micro Sysclean Package on your computer.Shut down and disable your current Anti-Virus program and diconnect from the Internet while doing this scan.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup EngineMake sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1stBasically there are 3 parts that need to be downloaded from these links:Sysclean PackageVirus Pattern FilesSpyware Pattern FilesAs an example on 2009-06-06 the files to download are: sysclean.com | lpt173.zip | tma777.zipNOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.Create a brand new folder to copy these files to.As an example: C:\DCEThen open each of the zipped archive files and copy their contents to C:\DCECopy the file sysclean.com to the new folder C:\DCE as well.Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template. This tool supports the following features: o Terminate all detected malware/spyware instances in memory o Remove malware/spyware registry entries o Remove malware/spyware entries from system files o Scan for and delete all detected malware/spyware copies in all local drivesHow To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
zammer Posted June 5, 2009 Author ID:87098 Share Posted June 5, 2009 Will do - but will have to wait, going away for the weekend...see you monday. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 5, 2009 Root Admin ID:87101 Share Posted June 5, 2009 Okay. Post back the results on Monday then and we'll continue. Link to post Share on other sites More sharing options...
zammer Posted June 8, 2009 Author ID:87782 Share Posted June 8, 2009 Morning,Ran Malwarebytes and selected clean after it was done - 9 objects deleted... Log attached.Then ran the sysclean from TM, attached is the log...sysclean.log.txtmbam_log_2009_06_08__07_16_33_.txtsysclean.log.txtmbam_log_2009_06_08__07_16_33_.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 8, 2009 Root Admin ID:87846 Share Posted June 8, 2009 Yes you had a main system file loading that was blocking detection and removal but it was found and removed.Please restart the computer and then UPDATE MBAM and run these scans please.STEP 01Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen post back the MBAM log and a new Hijackthis log.STEP 02Download DDS and save it to your desktophttp://download.bleepingcomputer.com/sUBs/dds.scrDisable any script blocker if your Anti-Virus/Anti-Malware has it.Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.Then double click dds.scr to run the tool.When done, the DDS.txt will open.Click Yes at the next prompt for Optional Scan.When done, DDS will open two (2) logs:DDS.txtAttach.txtSave both reports to your desktopPlease include the following logs in your next reply: DDS.txt and Attach.txtSTEP 03Run Eset NOD32 Online AntiVirusNote: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click Start When asked, allow the activex control to installDisable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.Click Start Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checkedClick ScanWait for the scan to finishRe-enable your Anvirisus software.A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post. Link to post Share on other sites More sharing options...
zammer Posted June 9, 2009 Author ID:88154 Share Posted June 9, 2009 Ok... Here's the new logs.The Eset NOD32 Online AntiVirus took quite a while - phew...mbam_log_2009_06_09__07_20_11_.txthijackthis.log.txtAttach.txtDDS.txtlog.txtmbam_log_2009_06_09__07_20_11_.txthijackthis.log.txtAttach.txtDDS.txtlog.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 9, 2009 Root Admin ID:88283 Share Posted June 9, 2009 Please download a NEW fresh copy of Combofix and run it and post back that log. Additional links to download the tool:ComboFix.exeComboFix.exeComboFix.exe Link to post Share on other sites More sharing options...
zammer Posted June 10, 2009 Author ID:88504 Share Posted June 10, 2009 Here's the new combofix log...Fingers and toes crossed log.txtlog.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 10, 2009 Root Admin ID:88594 Share Posted June 10, 2009 Still got a little something holding on there. I am removing some policies - if this is a work computer then they should put them back via a GPO on restart, otherwise if you set them yourself then you can put them back if you like but they're stopping some tools from showing.STEP 01Download but do not yet run ComboFixIf you have a previous version of Combofix.exe, delete it and download a fresh copy.Download it to your DESKTOP - it MUST run from the Desktopdownload.bleepingcomputer.com/sUBs/ComboFix.exesubs.geekstogo.com/ComboFix.exeUsing your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank linesKILLALL::AtJob::Registry::[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mhifrvl][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoMSAppLogo5ChannelNotify"=-"NoNTSecurity"=-[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"=-"NoSMMyDocs"=-"NoSMMyPictures"=-"ForceStartMenuLogOff"=-File::c:\windows\system32\mhifrvl.dllc:\nhfly.exeOpen a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with with your results log open. Do a File, Exit.A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.Post back the Combofix log on your next reply.STEP 02Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen post back the MBAM log and a new Hijackthis log.STEP 03RESTART the computer. Once restarted please close ALL applications and as many items in the Task Tray that will close, some will exit by selecting Right Click Exit.Please download the following scanning tool. GMERDownload the randomly named EXE and copy the file to your Desktop. Remember what its name is.Double click on random named exe file and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
zammer Posted June 11, 2009 Author ID:88951 Share Posted June 11, 2009 Ok - here you go Fingers and toes still crossed and starting to cramp GMER.ziphijackthis.zipmbam_log_2009_06_10__14_14_59_.txtCombofix_log.txtGMER.ziphijackthis.zipmbam_log_2009_06_10__14_14_59_.txtCombofix_log.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 12, 2009 Root Admin ID:89077 Share Posted June 12, 2009 All the logs look good now.How is the computer running now?Are there still any signs of an infection? Link to post Share on other sites More sharing options...
zammer Posted June 12, 2009 Author ID:89282 Share Posted June 12, 2009 Everything seems to be working fine - folder options stay the way I want them and don't get reset upon reboot. By jove I think you've dunnit I want to express my deepest thanks to you Ron... I thought I was going to have to reformat and re-install everything!!!!!You're amazing - thanks!!!zammer Link to post Share on other sites More sharing options...
zammer Posted June 12, 2009 Author ID:89296 Share Posted June 12, 2009 Sigh... I think I spoke too soon - Ran a Malwarebytes scan with the latest update and had 8 problems... Seem to be the same as when we first started Here's the latest Mbam and HijackThis logs....hijackthis.zipmbam_log_2009_06_12__08_09_29_.txthijackthis.zipmbam_log_2009_06_12__08_09_29_.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 12, 2009 Root Admin ID:89391 Share Posted June 12, 2009 Okay... did you connect a USB drive to the system or visit some other site that did a drive by maybe? Are you on a network with other computers ?Please delete your current copy of Combofix.exe and download a NEW fresh one and run it again and post back the log.Additional links to download the tool:ComboFix.exeComboFix.exeComboFix.exe Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 13, 2009 Root Admin ID:89495 Share Posted June 13, 2009 Please post a status update on this. Link to post Share on other sites More sharing options...
zammer Posted June 15, 2009 Author ID:89942 Share Posted June 15, 2009 Morning Ron,Ran a Malwarebytes scan this morning and found the same 8 objects - selected clean and then followed the promtps to restart the PCThen ran combofix, attached is the log...As for your questions in the previous post,1. Yes - I do have a USB stick that I use to transfer documents and files to and from home and work. I scanned it with Malwarebytes and got nothing...2. I am connected to a network but rarely acess the network drive - I only store photo's on there.Hope this helps...Combofix_log_June_14.txtCombofix_log_June_14.txt Link to post Share on other sites More sharing options...
Recommended Posts