Cannot remove Trojan/remnants from computer


Acquired a Trojan several months ago.

Was able to find and remove with Spybot, AVG & Malwarebytes, but still having so many issues, especially trying to open and use internet...usually takes several tries before it will open. Once open internet will run ok for a bit, but very quickly gets bogged down and many times freezes up and I have to end the process to get it to shut down. Was able to clean up a few things and it runs a bit better, but something is still interfering with system function. :)

Continuously run SB, AVG & MB checks and nothing turns up on scans.

Also, have been unable to start in safe mode to run additional checks.

Have attached ark.txt and all other logs/files hoping someone can help find what's going on here. :)

Thanks!

****************************************************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 21:51:58.43 on Sat 03/27/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1455 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/

uDefault_Page_URL = hxxp://www.aol.com/?ncid=customie8

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Java

Attach.zip

ark.zip


Hi pcemkr And Welcome to Malwarebytes!

Appears you might have an infected driver. Let's see.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please disable Tea Timer by right-clicking its icon in the system tray and selecting "disable Spybot S&D resident". It will reload on the next reboot without the user having to re-enable it.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


A couple of questions:

I cannot locate an icon for TeaTime.exe to disable & when I right click Spybot S&D Resident, it does not give an option to disable...is it best to select Exit Spybot S&D Resident? What do I do?

Also, I am running Free AVG...does that need to be disabled?

Thanks Kenny94!

(ps. love the pic of the awesome dog!)


Here is the Combo-Fix log:

ComboFix 10-03-28.03 - Owner 03/29/2010 10:17:51.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))

.

2010-03-27 18:46 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-27 18:45 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-27 18:45 . 2010-03-27 18:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-27 16:52 . 2010-03-27 16:52 -------- d-----w- c:\program files\Trend Micro

2010-03-25 18:39 . 2010-03-25 18:40 -------- d-----w- c:\program files\Eusing Free Registry Cleaner

2010-03-13 14:55 . 2010-03-13 14:55 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-13 14:55 . 2010-03-13 14:55 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-13 14:55 . 2010-03-13 14:55 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-13 14:55 . 2010-03-13 14:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-10 22:28 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-29 14:16 . 2009-11-03 18:19 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat

2010-03-26 15:50 . 2008-09-26 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-26 12:39 . 2008-11-25 16:33 -------- d-----w- c:\program files\Google

2010-03-26 01:27 . 2008-06-20 23:56 -------- d-----w- c:\program files\SBC Self Support Tool

2010-03-26 01:26 . 2008-10-24 04:58 -------- d-----w- c:\program files\QuickTime

2010-03-23 16:29 . 2008-10-01 21:30 60 ----a-w- c:\windows\wpd99.drv

2010-03-23 16:28 . 2008-10-01 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-03-13 14:55 . 2009-11-03 16:42 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-13 14:55 . 2009-11-03 16:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-13 14:50 . 2009-11-03 16:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-26 15:18 . 2010-02-26 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-02-26 15:18 . 2010-02-26 15:18 -------- d-----w- c:\program files\NOS

2010-02-20 18:34 . 2008-06-18 14:09 -------- d-----w- c:\program files\Java

2010-02-20 18:31 . 2010-02-20 18:31 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-02-20 18:31 . 2009-11-20 18:05 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-08 15:29 . 2009-11-30 16:04 -------- d-----w- c:\program files\Rhapsody

2010-01-05 10:00 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2009-08-02 11:24 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-12 13:56 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-02-23 18:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="1" [X]

"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-13 14:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/3/2009 12:42 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/3/2009 12:42 PM 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:54 AM 308064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

SSODL-SysNet-{03181861-7C2A-4807-8252-C7DE6D97F509} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-29 10:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

c:\windows\System32\MFC71.DLL

- - - - - - - > 'explorer.exe'(108)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Apoint\HidFind.exe

.

**************************************************************************

.

Completion time: 2010-03-29 10:44:22 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-29 14:44

Pre-Run: 77,835,935,744 bytes free

Post-Run: 77,730,865,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 6EC3FE84DA5F686ED156B5C3D8F2A5C8


Your drivers are fine

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


MBAM found nothing and had me remove nothing and did not prompt to reboot...here is the report/log:

Malwarebytes' Anti-Malware 1.44

Database version: 3927

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/29/2010 11:11:14 AM

mbam-log-2010-03-29 (11-11-14).txt

Scan type: Quick Scan

Objects scanned: 116414

Time elapsed: 14 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Next

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Upgrading Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u6-windows-i586-p.exe and select "Run as an Administrator.")


The report from Kaspersky:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 29, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, March 29, 2010 11:25:42

Records in database: 3895780

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

F:\

Scan statistics:

Objects scanned: 48217

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 03:35:51

File name / Threat / Threats count

F:\autorun.inf Infected: Worm.Win32.AutoRun.fac 1

Selected area has been scanned.


Make sure you plug in all your removable devices, otherwise you could spread this infection into another computer.

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

How's the PC doing?

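An added example, not part of the original thread and not Flash_Disinfector's own code: the note above relies on the fact that a folder named autorun.inf occupies the name, so a file of that name cannot be written beside it. The Python sketch below audits a drive root for that state and, where a real autorun.inf file exists (as Kaspersky reported for F:\), lists the commands it would launch. The function names, status labels and the sample file content are assumptions constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that start a program (documented autorun.inf keys).
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: a launching autorun.inf padded with a junk line.
SAMPLE = (b"; constructed sample, not taken from the thread\r\n"
          b"[AutoRun]\r\n"
          b"xJ3k junk padding line\r\n"
          b"open=example.exe\r\n"
          b"shell\\open\\Command=example.exe\r\n"
          b"icon=folder.ico\r\n")


def parse_autorun(raw: bytes) -> dict:
    """Tolerantly parse autorun.inf bytes into {section: {key: value}}."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        text = raw.decode("utf-16", errors="replace")   # BOM-marked UTF-16
    else:
        text = raw.decode("latin-1")                    # never fails on junk bytes
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                                    # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        # anything else is padding and is ignored
    return sections


def launch_commands(sections: dict) -> list:
    """Return sorted (key, command) pairs that would start a program."""
    found = []
    for key, value in sections.get("autorun", {}).items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_verb:
            found.append((key, value))
    return sorted(found)


def audit_root(root: str) -> dict:
    """Classify the autorun.inf entry at the root of a drive or mount point."""
    match = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if match is None:
        return {"status": "absent", "commands": []}
    path = os.path.join(root, match)
    if os.path.isdir(path):
        # Placeholder folder, as the tool in this thread creates: name is taken.
        return {"status": "folder", "commands": []}
    with open(path, "rb") as fh:
        raw = fh.read(65536)                            # cap the read; padded files can be large
    cmds = launch_commands(parse_autorun(raw))
    return {"status": "file-launches" if cmds else "file-inert", "commands": cmds}


if __name__ == "__main__":
    # Demonstration on temporary directories standing in for drive roots.
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as guarded:
        with open(os.path.join(infected, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE)
        os.mkdir(os.path.join(guarded, "autorun.inf"))
        for label, root in (("infected", infected), ("guarded", guarded)):
            print(label, audit_root(root))
```

A "file-launches" result on a removable drive is the condition to investigate before the drive is plugged into another machine; "folder" is the state the tool leaves behind.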

Removable flash/thumbnail drive. I keep it plugged in almost always & access it fairly often. Actually, around the time I was first infected and was close to losing the computer completely, I transferred several files to it in case my hard drive went down...hmmm.

Am curious to know what that little bugger is doing and why it's messing with my internet so much? :)

F:\autorun.inf is this a pen drive?

Still a lag in internet startup and especially changing browser pages...just looks like something is interfering as always and makes navigating, refreshing, opening, and (at times) typing very slow (typing here is perfect and moving very quickly).


Am curious to know what that little bugger is doing and why it's messing with my internet so much?

That flash is infected. You should format it. Before you have other PCs infected when you plug in this flash drive.

The PC itself is running fine...no errors, no issues (am waiting for the moment that my taskbar shortcuts reappear when this is all said & done

You need to add the shortcuts back on. Here's a helpful site:

http://www.worldstart.com/tips/tips.php/667


Still a lag in internet startup and especially changing browser pages...just looks like something is interfering as always and makes navigating, refreshing, opening, and (at times) typing very slow (typing here is perfect and moving very quickly).

LOL. We posted at the same time.... :) Let me look at something


  • Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file ccsetup220_slim.exe and install the application.
  • Keep the default installation folder C:\Program Files\CCleaner
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Next

There are some older versions of Java on your computer. These can be a source of infection.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 18 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.

Next

1. Open My Computer.

2. Right-click on the C drive to defragment and select "Properties".

3. Click on the Tools tab.

4. Select Defragment Now....

And let me know how's your PC.


Download, install & run CCleaner - done!

Java clean-up & update - done! (*I did see you suggested this on an earlier reply, but got distracted & overlooked the update earlier) :)

Defrag complete!

Task bar shortcut icons returned successfully (an easy fix - thx!)

PC is running well...internet is running a little better in some ways, but still something slowing down the internet connections trying to take place...could be all the new security alert windows popping up for every screen I go to (lol), but wondering if there are still more steps in the process & things to re-enable, etc. to come?

Will await your word what to do next. :)


Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you pcemkr

Kenny (Kenny94)
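
An added example, not part of the original post: the six Internet-zone settings recommended above are stored as DWORD values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, so they can be audited from saved `reg query` output instead of clicking through the dialog. The function names and the sample output are constructed for illustration, and the action numbers are Microsoft's documented URL-action values rather than something the post gives.

```python
import re

# Internet-zone (zone 3) URL-action numbers for the six settings listed in the
# post, with the recommended data. DWORD data: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
VALUE_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

# Constructed sample of `reg query` output (not taken from the thread).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    DisplayName    REG_SZ    Internet
    1001    REG_DWORD    0x1
    1004    REG_DWORD    0x3
    1201    REG_DWORD    0x3
    1607    REG_DWORD    0x0
    1800    REG_DWORD    0x1
    1804    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Map each URL-action value name to its DWORD data; skip other lines."""
    found = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            found[m.group(1).upper()] = int(m.group(2), 16)
    return found

def describe(data):
    return "missing" if data is None else STATE.get(data, hex(data))

def audit(text):
    """Return (action, setting, current, recommended) for every deviation."""
    current = parse_reg_query(text)
    return [(action, label, describe(current.get(action)), STATE[want])
            for action, (want, label) in RECOMMENDED.items()
            if current.get(action) != want]

if __name__ == "__main__":
    for action, label, have, want in audit(SAMPLE):
        print(f"{action} {label}: {have} (recommended: {want})")
```

To check a real machine, save the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"` to a text file and pass its contents to `audit`; values enforced by policy are stored elsewhere and are not covered by this check.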


LOVE THIS!!! Thanks for making me laugh out loud after a day of "playing" with all of this! :rolleyes:

Your Computer is Clean


Combofix is uninstalled.

I realize IE is not the best option, but will try your suggestions to see what helps & works. *Note: all of the Internet Security options were properly set as you recommended with the exception of Navigate sub-frames.

Was able to install SpywareBlaster & will be interested to see it work its magic!

FYI...Was unable to get Cookienator...it re-routed me to another link for ReImage.

A few additional questions -

* Is it appropriate for me to re-enable Spybot & AVG now?

* The initial instructions had me use DeFogger to disable my CD Emulation drivers...am I to leave those disabled?

Kenny, I appreciate your help & guidance through what could have been an extraordinarily stressful process...especially when it takes an entire day!! I am so grateful for everything and feel confident life will be back to "normal" soon. lol!

~peace~k


LOVE THIS!!! Thanks for making me laugh out loud after a day of "playing" with all of this!

LOL! Hey I'm bald and a few call me Mr clean/Mr K... :rolleyes:

Kenny, I appreciate your help & guidance through what could have been an extraordinarily stressful process...especially when it takes an entire day!! I am so grateful for everything and feel confident life will be back to "normal" soon.

You're welcome, pcemkr.


Am showing a marked improvement in internet performance thanks to your help!

Just wanted to follow-up with a few questions so I do not compromise the integrity of what we set in place yesterday...

A few additional questions -

* Is it appropriate for me to re-enable Spybot & AVG now?

* The initial instructions had me use DeFogger to disable my CD Emulation drivers...is it necessary to leave those disabled?

Thanks!
