Jump to content

Following a request from Advanced setup


Lecopi
 Share

Recommended Posts

here is the latest log

all Symantec app have been removed properly from the PC

______________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:03:58, on 25/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\Outils PC\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\KEM.exe

C:\Program Files\Outils PC\SpeedFan\speedfan.exe

C:\Program Files\Outils PC\Mail Washer Pro\MailWasher.exe

C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE

C:\Program Files\Outils PC\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afp.com/francais/home/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\OUTILS~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O2 - BHO: BHO Barre de Confiance CM-CIC - {988B07F5-7392-455A-8A1F-64935CB8B6ED} - C:\Program Files\BarreConfCMCIC\TAPBar.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Barre de confiance CM-CIC - {55BDF3B0-C0A8-481A-B8A6-01CD2BE0F3FD} - C:\Program Files\BarreConfCMCIC\TAPBar.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Outils PC\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE R

Link to post
Share on other sites

  • Root Admin

Please run the following and post back the log.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

HJT LOG

____________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:29:45, on 28/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\Logitech\SetPoint\KEM.exe

C:\Program Files\Outils PC\SpeedFan\speedfan.exe

C:\Program Files\Outils PC\Mail Washer Pro\MailWasher.exe

C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Outils PC\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afp.com/francais/home/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\OUTILS~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O2 - BHO: BHO Barre de Confiance CM-CIC - {988B07F5-7392-455A-8A1F-64935CB8B6ED} - C:\Program Files\BarreConfCMCIC\TAPBar.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Barre de confiance CM-CIC - {55BDF3B0-C0A8-481A-B8A6-01CD2BE0F3FD} - C:\Program Files\BarreConfCMCIC\TAPBar.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Outils PC\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: MailWasherPro.lnk = C:\Program Files\Outils PC\Mail Washer Pro\MailWasher.exe

O4 - Global Startup: KEM.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe

O4 - Global Startup: SpeedFan.lnk = C:\Program Files\Outils PC\SpeedFan\speedfan.exe

O8 - Extra context menu item: Ajouter au tueur de pub - C:\Program Files\Outils PC\Maxthon\config/blacklist.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\Outils PC\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\Outils PC\GetRight\GRbrowse.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Cr

Link to post
Share on other sites

I am back on another computer.

Here is the situation.

I run the script after adding the requested line.

When the computer re-start

- internet connection was not more possible ( in fact the IP adress is not correct and it appears that DHCP from the Netgear DG834G cannot attribute it anymore .

- very long time after choosing the user until I can use the PC (Was quick before)

- several missing icon in the Systray, including : keybord, speedfan, eset... but those app's are running

- ekrn.exe is running I don't know what it is.

That's all B)

If no other solution (As I don't use the windows restore point), I will restore my latest Acronis image. B)

Link to post
Share on other sites

1) ekrn.exe is an Eset program

2) Internet conection : the problems come from the fact that it is now the computer which assign the IP adress (for sure ) and not the Internet "box" .

I need to find how to change this.

3) systray - will see later. Not a big issue.

4) Rootrepeal : I will run it

5) STEP 3 - CHKDSK

Has aready completly and succesfully be performed upon exile 360 instructions some days ago.

Link to post
Share on other sites

Hello AdvancedSetup and thanks for your help.

I consume significant part of my time yesterday by restoring the image and re-installing various softwares which were requested .

The good news is : this is not the COMBO FIX which cause the Internet connection problem. This problem has been duplicated again, but is still under investigation. I have a turn-around solution for now.

As a summary

- the PC is clean (my opinion, but this is only an opinion)

- Rootrepeal does't run

a windows "inialyzing" is on the screen - Never change - they is disk activitie. - I wait 10 ' and kill the process.

Is this process very long ?

I have control on the PC.

What's your advice?

- The only problem is that MBAM freeze completly the PC ( I have no control at all of the PC - see specific post on this) in most of the situation (let say 50%).

MBAM run correctly only in safe mode.

Link to post
Share on other sites

  • Root Admin

If you're using any type of RAID controller then many of the RootKit scanners seem to have difficulty running correctly on them.

Uninstall or Disable MBAM from starting when Windows starts.

Then please run the following on the system and see if the Network works correctly afterwords.

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog

What Anti-Virus are you currently running on the System?

Link to post
Share on other sites

1- The Intel Matrix stotrage is installed in the computer but they is no RAID configuration for now.

Has already be uninstalled, upon 360 advice. MBAM still froze.The Intel Matrix storage has been re-installed after.

2- As I have restore an Acronis Image, I have solve the network configuration.

3 - ESET smart Security 4

Link to post
Share on other sites

  • Root Admin

Well for MBAM you might need to add file exclusions to ESET - you can get an example of setting up file exclusions from here: Common issues and questions, and their solutions

For now please fully uninstall your ESET NOD32 AV (make sure you have your key to re-install later on)

Then after full removal of ESET and reboot try the following and let me know how it goes or post back the log.

Please try this on the computer that is having an issue.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

Note: You will need to reactivate the program using the license you were sent

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray and that you can run a quick scan and all is working as expected.

Link to post
Share on other sites

hello Advanced Setup

1- removing anti-virus software

all ready done totaly with Norton before installing Eset. PC perfectly clean with no Norton application at all. ( documented initial post).

Despite this MBAM freeze time to time.

2- uninstalling, cleaning, installing MBAM - Done at least 5 times according the procedure. still unexpected freeze. ( initial post)

As this topics in on the HJT log ( malware) it's my understanding what you don't perceive any virus/malware in the combo-fix and HJT log.

At this point could we run once again a combo-fix or an HJT and I will appreciate your advice about what entries are not useful (exemples: old drivers.....) and could be removed.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.