
Think its infected - logs attached. Thanks!



Hi,

A friend has given me his laptop. I think it's infected with something, but with what? Not sure. Problems experienced are as follows:

Internet explorer starts but then crashes

Firefox starts but then crashes

AVG Antivirus won't install

Malwarebytes won't run

The fact the internet is seemingly broken and antivirus won't install makes me think something is present; when Malwarebytes wouldn't run, but would when renaming the executable to winlogon, I presume that means it's definitely got something on it.

Got AVG to install in safe mode but it doesn't load up when booting up normally.

Renamed Malwarebytes to winlogon and ran an update and a quick scan, removed all threats and rescanned (log below).

Ran Hijackthis (log below).

Any help would be much appreciated! Thanks!

---------------------------------------------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6001 Service Pack 1

22/08/2009 16:38:06

mbam-log-2009-08-22 (16-38-06).txt

Scan type: Quick Scan

Objects scanned: 83697

Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:40:35, on 22/08/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18294)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\IEUser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: (no name) - {C2E6F3CA-928B-4B18-9C71-D33FFDDCD5E1} - C:\Windows\system32\vtUnkiGw.dll (file missing)

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 9137 bytes

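As an added example (not from this thread and not part of HijackThis itself), a small Python triage script run over a handful of lines copied from the HijackThis log above. The selection rules are my own reviewer heuristics: orphaned entries whose file is gone, unnamed browser hooks, AppInit_DLLs, and non-default hosts lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis 2.0.2 log posted above,
# enough to exercise each rule below.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {C2E6F3CA-928B-4B18-9C71-D33FFDDCD5E1} - C:\Windows\system32\vtUnkiGw.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass
class Finding:
    section: str                 # HijackThis section tag ("R3", "O2", "O20", ...)
    entry: str                   # the line with the section prefix removed
    reasons: list = field(default_factory=list)


# Every HijackThis item line looks like "<section> - <entry>".
LINE_RE = re.compile(r"^([RO]\d+) - (.+)$")

# Stock loopback lines that HijackThis reports under O1 on any Vista machine.
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


def triage_hijackthis(log_text: str) -> list:
    """Return the entries a log reviewer would look at first, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # headers, process list, blank lines
        section, entry = m.group(1), m.group(2)
        f = Finding(section, entry)
        # Orphaned entries: the registry still points at a DLL/EXE that is gone, which is
        # what an incomplete removal (file deleted, key left behind) looks like.
        if "(no file)" in entry or "(file missing)" in entry:
            f.reasons.append("referenced file is absent: orphaned entry, cleanup candidate")
        # Browser hooks and BHOs without a registered description deserve a second look.
        if section in ("R3", "O2", "O3") and "(no name)" in entry:
            f.reasons.append("browser hook/BHO has no name")
        # AppInit_DLLs are loaded into every process that loads user32.dll, so each
        # DLL listed there should be attributable to a known product.
        if section == "O20" and entry.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in entry.split(":", 1)[1].split(",") if d.strip()]
            f.reasons.append("AppInit_DLLs loaded into every user32 process: " + ", ".join(dlls))
        # Hosts-file lines beyond the stock loopback entries can redirect name lookups.
        if section == "O1" and entry.split(":", 1)[1].strip() not in DEFAULT_HOSTS:
            f.reasons.append("non-default hosts file entry")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section}: {f.entry}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample it reports the orphaned R3 hook, the two nameless O2 BHOs and the O20 AppInit_DLLs line, and skips the stock O1 loopback entry.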

Providing you have the Windows o.s. DVD with this system (or if the laptop has a Recovery partition on it), please consider a complete wipe and fresh install of Vista.

With the many problems you mention and especially when it has been "given" to you, it is much faster to do a wipe & new install. Be sure to have your antivirus "setup" program handy (on offline media) so you can install it as the second step.

You cannot ever be sure that your friend always had an antivirus program that was always up-to-date.

Cheers.



Hi,

By "given" I mean given to me to try and fix, because I said I had good results from here before with my sister's PC some months ago, which didn't end up with a reformat (we don't have the disks); she had been duped into installing Antivirus 2009. The problems I have this time were no worse than with Antivirus 2009 and seemed quite similar to me, with browsers and antivirus processes being attacked. At least with this one everything works in safe mode! I know it had antivirus because he used one of my Kaspersky installs but it's no longer installed :lol:

Is there nothing that can be done please without wiping everything off?

Thanks for the reply.

Batfink


This was effectively without an antivirus program. You stated the Kaspersky was not there, and then you have issues with AVG, plus there's issues with 2 browsers not running right. You'd be better off in the long term by wiping and reloading Vista fresh, and it would be much safer long term and quicker.

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2693 or later. The latest program version is 1.40

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Next, Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.

2) Accept the agreement

3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )

4) For XP SP2-SP3, click the Install button when prompted

5) The necessary files will be downloaded and installed. Please have plenty of patience.

6) After Kaspersky AntiVirus Database is updated, look at the Scan box.

7) Click the My Computer line

8) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the MBAM scan log and the Kaspersky.txt report.


Hi, thanks for the reply. We are without the OS disks so formatting is a little difficult :D I know exactly what you mean, I can't believe he uninstalled Kaspersky but this is the problem with people that don't appreciate the seriousness of viruses! Hopefully the next time he won't be so stupid.

As for the scans, I have done the Malwarebytes scan ok (renaming the .exe) along with an update.

Kaspersky online scan, I have had to do it in safe mode as in normal boot IE or Firefox won't work!

--------------------------------------------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2693

Windows 6.0.6001 Service Pack 1

25/08/2009 17:15:50

mbam-log-2009-08-25 (17-15-50).txt

Scan type: Quick Scan

Objects scanned: 85590

Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\gxvxccounter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

-----------------------------------------------------------

-----------------------------------------------------------

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, August 25, 2009

Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1 (build 6001)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, August 25, 2009 18:15:56

Records in database: 2687150

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 143666

Threats found: 2

Infected objects found: 3

Suspicious objects found: 0

Scan duration: 02:04:49

File name / Threat / Threats count

globalroot\systemroot\system32\gxvxcrmrvgsrvjemweynchmytvvbojildkppx.dll/globalroot\systemroot\system32\gxvxcrmrvgsrvjemweynchmytvvbojildkppx.dll Infected: Trojan-Downloader.HTML.Agent.pi 1

E:\RECYCLER\S-6-7-90-100031863-100020808-100012085-3007.com Infected: Backdoor.Win32.TDSS.kh 1

F:\RECYCLER\S-6-7-90-100031863-100020808-100012085-3007.com Infected: Backdoor.Win32.TDSS.kh 1

Selected area has been scanned.

----------------------------------------------------

Thanks for your help in resolving this.. Much appreciated!


Hello batfink.

This system has a rootkit as one infection. There are likely more. That is why I mentioned the quickest and safest thing is to wipe and reload the system fresh. This system had to have come with a recovery partition on the HD.

Research with the manufacturer about how you'd access it.

To continue forward with an attempt at removal of malware, with absolutely no warranties & no guarantees about its long-term safety, then .....

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for this member only. If you are a casual observer, do NOT try this on your system!

If you are not thebatfink and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

=

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe (the red lion icon) on your Desktop and select "Run as Administrator".

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy the C:\Combofix.txt log

There will certainly be more to do later.


Hi, thanks for the reply.

I have a seemingly strange problem I don't understand. I begin the download and rename to Combo-Fix.exe; the download completes but there is no program there? I can't see the program on the desktop within Windows Explorer either. I have also tried saving the file to C:\ and it doesn't appear there either. One other strange thing I notice after trying a few times with the other links is that even if I tick the "don't close this window after downloading" checkbox on the download box, it still disappears once the download hits 100%, which seems weird.

Incidentally I am having to download this in safe mode as obviously the browsers are getting attacked. Could this be the problem? Would it be safe to download on another machine and move across via USB stick?

I'll hang fire on doing anything else until you say.

Thanks

Batfink


As long as you can use a clean computer to do the download, do that. Place downloads on CD/DVD or to a new/clean USB flash drive. Then copy to the Desktop of the problem system. Then run the tool.

Couldn't tell why your browser (are you using I.E. or Firefox) is having an issue.

But you should always pay attention to the SAVE dialog. You are the one saving it, or rather, guiding it to a place to save.

If you have already saved it as Combo-fix exe on desktop, you should be able to select Start button

then RUN

then type in combofix-exe and press Enter key

Try that. BTW, wherever you have it, it should show with a red lion icon

P.S. Combofix needs to be run in normal mode Windows (NOT safe mode)


Combofix has removed a TDSS/CLB rootkit. While I'm glad to hear your internet is working, please for your pc's safety, do NOT do websurfing. Only go to this forum and the sites I guide you to.

I need for you to do one specific scan and post that report.

I'll need to pore over your last logs and make further recommendations.

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista


Hi again, here is the log file...

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-08-27, 19:10:00, Auto-clean mode specified.

2009-08-27, 19:10:00, Running scanner "C:\DCE\TSC.BIN"...

2009-08-27, 19:10:14, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-08-27, 19:10:14, TSC Log:


Sysclean found 1 item already in quarantine (fine) and 1 bogey.

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to C:\Windows\System32\jwfntkhkdvd.exe, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\Windows\System32\jwfntkhkdvd.exe
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Please include the following logs in your next reply:

copy of the Virustotal report

OTL MovedFiles log

DDS.txt

Checkup.txt

I do not need Attach.txt


Hi, thanks for the reply. I have however done something really stupid (and why I shouldn't wake up at 3am and start doing things like this)..

I ran the first tool BEFORE uploading the file requested to the website for checking :/ I'm very sorry, I totally missed the instruction to do so and the tool has now removed the file so I'm not able to do that step. I have however done everything else as instructed.

I have also noticed something else strange, but I'm unsure if it's a settings thing or virus related. Whenever I use this machine to download a file either through Firefox or IE to the desktop, whilst the download appears to complete fine in both browsers, there is never any file on the desktop. I have tried searching in the Windows start menu and it's simply not there, like it's not copied from the temp directory. Not sure if this means anything; never had a machine do this before. Incidentally I see the last tool scanned for protection; I intend to remove anything that's currently on the machine and install the recommended Avira once this is all completed.

The logs as requested (minus the first one because I'm stupid)..

All processes killed

========== FILES ==========

C:\Windows\System32\jwfntkhkdvd.exe moved successfully.

File\Folder C:\recycler not found.

File\Folder D:\recycler not found.

e:\RECYCLER moved successfully.

f:\RECYCLER moved successfully.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: ARCHER

->Temp folder emptied: 35622 bytes

->Temporary Internet Files folder emptied: 27231786 bytes

->Java cache emptied: 42571491 bytes

->FireFox cache emptied: 59782525 bytes

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 15776 bytes

RecycleBin emptied: 24510409 bytes

Total Files Cleaned = 147.01 mb

OTL by OldTimer - Version 3.0.10.7 log created on 08282009_033007

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

--------------------------------------------------------------

DDS (Ver_09-07-30.01) - NTFSx86

Run by ARCHER at 3:54:39.46 on 28/08/2009

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16

Microsoft

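The OTL MovedFiles log above has a simple line format: one line per moved or not-found path, "User:" headers, per-user "->… emptied: N bytes" lines, system-wide "… removed/emptied: N bytes" lines, and a "Total Files Cleaned" summary. The parser below is an added example for this thread (it is not part of OTL, OldTimer's tooling, or anything posted by the participants); it assumes only the line shapes visible in the log, and uses a constructed excerpt of that log as sample input so it runs offline. It extracts the moved paths, sums the per-user and system byte counts, and checks that the sum agrees with the reported total so a reader can tell whether a pasted log is complete and internally consistent.

```python
import re

# Constructed excerpt of the OTL log posted in this thread (sample input, not a live run).
# Zero-byte entries for "Default User" and %systemroot% were omitted; they do not change the sum.
SAMPLE_LOG = r"""All processes killed

========== FILES ==========

C:\Windows\System32\jwfntkhkdvd.exe moved successfully.

File\Folder C:\recycler not found.

e:\RECYCLER moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: ARCHER

->Temp folder emptied: 35622 bytes

->Temporary Internet Files folder emptied: 27231786 bytes

->Java cache emptied: 42571491 bytes

->FireFox cache emptied: 59782525 bytes

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

Windows Temp folder emptied: 15776 bytes

RecycleBin emptied: 24510409 bytes

Total Files Cleaned = 147.01 mb
"""

# Line shapes as they appear in the posted log (assumption: OTL keeps these formats).
MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
BYTES_RE = re.compile(r"^(?:->)?(?P<what>.+?) (?:emptied|removed): (?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")

SYSTEM_KEY = "(system)"  # bucket for byte lines that are not under a "User:" header ("->" prefix)


def parse_otl_log(text):
    """Return moved/not-found paths, bytes cleaned per bucket, and the reported total in MB."""
    result = {"moved": [], "not_found": [], "cleaned": {}, "reported_mb": None}
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group("user")
            continue
        m = MOVED_RE.match(line)
        if m:
            result["moved"].append(m.group("path"))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            result["not_found"].append(m.group("path"))
            continue
        m = BYTES_RE.match(line)
        if m:
            # "->" lines belong to the most recent "User:" header; others are system-wide.
            key = (user or "(unknown)") if line.startswith("->") else SYSTEM_KEY
            result["cleaned"][key] = result["cleaned"].get(key, 0) + int(m.group("n"))
            continue
        m = TOTAL_RE.match(line)
        if m:
            result["reported_mb"] = float(m.group("mb"))
    return result


def total_bytes(parsed):
    """Sum of every byte count the log lists, across users and system locations."""
    return sum(parsed["cleaned"].values())


def total_matches(parsed, tolerance_mb=0.01):
    """True if the summed byte counts agree with the log's own 'Total Files Cleaned' (MiB, 2 dp)."""
    if parsed["reported_mb"] is None:
        return False
    return abs(total_bytes(parsed) / (1024 * 1024) - parsed["reported_mb"]) <= tolerance_mb


def moved_under(parsed, prefix):
    """Moved paths that live below a directory prefix (case-insensitive, as on Windows)."""
    p = prefix.lower().rstrip("\\") + "\\"
    return [path for path in parsed["moved"] if path.lower().startswith(p)]


if __name__ == "__main__":
    parsed = parse_otl_log(SAMPLE_LOG)
    print("moved:", parsed["moved"])
    print("in System32:", moved_under(parsed, r"C:\Windows\System32"))
    print("bytes per bucket:", parsed["cleaned"])
    print("sum agrees with reported total:", total_matches(parsed))
```

On the excerpt the per-user sums are 129621424 bytes for ARCHER, 67 for Default, 0 for Public and 24526185 for the system locations, 154147676 bytes in all, which is 147.0067 MiB and therefore consistent with the "147.01 mb" line. A mismatch would suggest the pasted log was truncated or edited.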

Also, Adaware is not fully installed; it's in the Add/Remove Programs list, but there are no items in the start menu and nothing ever seems to load up. I think it's a botched uninstall.

AVG 8 is also still not running right, I don't think it installed correctly when I tried before contacting you guys, it never loads up when the machine starts.


Sorry, forgot to mention: I tried removing the Adaware entry in Add/Remove Programs again before contacting you guys. It won't uninstall because of something to do with an installer, so I can't get rid of it by uninstalling. (I haven't attempted it since starting this post.)

Thanks

Batfink


AVG 8 is also still not running right, I don't think it installed correctly when I tried before contacting you guys, it never loads up when the machine starts.

I would suggest you un-install AVG via the following tool, and immediately follow that by re-installing AVG.

Make sure before you begin that you have at hand in a safe place the AVG setup program.

Sequence like this:

a) Save and close any of your open documents / files, and exit those apps.

b) Remove AVG by getting and using this tool:

AVG Remover Tool

http://www.grisoft.com/download-tools

This tool should ask for a reboot. Allow it to do so.

c) Log off and restart the system if that was not done already. Immediately run the AVG setup program.

Log off and restart the system again.

Check up on AVG to see if it is normal once more.

Link to post
Share on other sites

De-install your Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

Unless you have purchased Malwarebytes' Anti-Malware (MBAM), you should un-install it.

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the Run line stated just below.

The "/u" in the Run line below is to start Combofix for its cleanup and removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

In the command prompt window, enter (or Copy and Paste) the following

c:\users\ARCHER\Desktop\Combo-Fix.exe /u

and press Enter.

Close/exit command window.

  • Please right-click OTL.exe and select Run As Administrator to run it.
  • Click on the CleanUp! button at the upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to "Begin cleanup process?" Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

The advice and procedures used here were only for this system. Do not use them on any other system.
