Malware.Trace Trojan.Vundo problems


This topic is locked
11 replies to this topic

#1 madmike283
New Member • Members • 10 posts

Posted 01 January 2009 - 03:38 PM

I've got this bug on my work laptop. I've read through the threads here and thought I'd do the scans as described in the Pre-HJT instructions thread. I'm running the Panda scan right now, but thought I'd go ahead and post the MBAM log...

Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 2

1/1/2009 1:27:03 PM
mbam-log-2009-01-01 (13-26-55).txt

Scan type: Quick Scan
Objects scanned: 56612
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ftiltaoq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnljJbx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qoMeCUMC.dll (Trojan.Vundo) -> No action taken.

#2 madmike283
New Member • Members • 10 posts

Posted 01 January 2009 - 03:41 PM

Sorry, I added the wrong log file. This is the one that was after I tried repairing the found infections...


Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 2

1/1/2009 1:27:07 PM
mbam-log-2009-01-01 (13-27-07).txt

Scan type: Quick Scan
Objects scanned: 56612
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ccc55d-fb75-4b43-bbf0-75cbb7d1975f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ftiltaoq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnljJbx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMeCUMC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#3 madmike283
New Member • Members • 10 posts

Posted 01 January 2009 - 04:53 PM

Here are the logs from Panda and HJT. Thanks for any help guys and gals.


;*******************************************************************************
ANALYSIS: 2009-01-01 14:50:28
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
McAfee VirusScan Enterprise 8.5.0.781 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000002 Virus 101 Virus/Trojan No 1 Yes No C:\TShelpCD\GCC\How to Add a User to a GCC.pdf
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\michmorgan\Cookies\michmorgan@com[1].txt
;===============================================================================
SUSPECTS
Sent Location Q
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description Q
;===============================================================================
;===============================================================================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:43 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tyco Safety Products\Security Service\FirstService.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\NoteWhen\notewhen.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://simplexgrinnell.ia/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://simplexgrinnell.ia
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SimplexGrinnell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy1:9998;http=proxy1:9998;https=proxy1:9998
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ia;*.simplexnet.com;*.simplexgrinnell.net;10.*;*.dev;;E171593*;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Startup: NoteWhen.lnk = C:\Program Files\NoteWhen\notewhen.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://simplexgrinnell.ia
O15 - Trusted Zone: http://ebsintf.ace.ia
O15 - Trusted Zone: http://ebsperf.ace.ia
O15 - Trusted Zone: http://ebsprod.ace.ia
O15 - Trusted Zone: http://ebsuat.ace.ia
O15 - Trusted Zone: http://prod.ace.ia
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/im...r/SysProExe.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188222972937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188222964937
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.fallingro...sCamControl.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.tyco-training.com/SiteRoots/...aDownloader.cab
O16 - DPF: {EF40FB0A-F7D0-4971-8221-1EB2C81178D8} - http://www.flashpoin...hield/setup.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://bbi.simplexgr...ia/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\Software\..\Telephony: DomainName = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B32F7A81-937B-467A-A90B-07682EF76889}: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B32F7A81-937B-467A-A90B-07682EF76889}: NameServer = 10.36.17.50,10.36.102.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sg.sgna.simplexgrinnell.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sg.sgna.simplexgrinnell.net,sgna.simplexgrinnell.net,simplexgrinnell.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sg.sgna.simplexgrinnell.net,sgna.simplexgrinnell.net,simplexgrinnell.net
O20 - AppInit_DLLs: ffyhah.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: minhunk20x6 - Tyco Safety Products - C:\Program Files\Tyco Safety Products\Security Service\FirstService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9831 bytes
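
The two logs above are read together by hand in this thread: MBAM names the files, HijackThis shows where they are loaded from (here the O20 AppInit_DLLs entry). As an added example, not code from the thread or from Malwarebytes/Trend Micro, the following Python parses both formats and cross-references MBAM-detected file names against HJT load-point entries; the embedded log excerpts are constructed from the lines posted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the two logs posted in this thread (MBAM 1.31 and
# HijackThis 2.0.2); only the lines needed for the correlation are kept.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1589

Memory Modules Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Files Infected:
C:\WINDOWS\system32\ffyhah.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ftiltaoq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnljJbx.dll (Trojan.Vundo) -> No action taken.
"""

HJT_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: ffyhah.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# One MBAM detection line: "<item> (<label>) -> <action>."
MBAM_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
# One HijackThis entry line: "<section> - <rest>", e.g. "O20 - AppInit_DLLs: ..."
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")

# HJT sections that record code loaded at logon or browser start (persistence).
PERSISTENCE_SECTIONS = {"O2", "O4", "O20", "O21", "O23"}


def parse_mbam(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(item, label, action), ...]} for every MBAM detection."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):           # section header, e.g. "Files Infected:"
            section = line[:-1]
            findings.setdefault(section, [])
            continue
        m = MBAM_ENTRY.match(line)               # "(No malicious items detected)" does not match
        if section and m:
            findings[section].append((m["item"], m["label"], m["action"]))
    return findings


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return [(section, rest), ...] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m["section"], m["rest"]))
    return entries


def correlate(mbam: Dict[str, List[Tuple[str, str, str]]],
              hjt: List[Tuple[str, str]]) -> List[dict]:
    """Match MBAM-detected file names against HJT load points.

    MBAM reports the full path; HJT often shows only the bare DLL name
    (as in "O20 - AppInit_DLLs: ffyhah.dll"), so compare on the
    case-insensitive basename.
    """
    detected = {}  # lower-case basename -> MBAM label
    for item, label, _action in (mbam.get("Files Infected", [])
                                 + mbam.get("Memory Modules Infected", [])):
        detected[item.rsplit("\\", 1)[-1].lower()] = label
    hits = []
    for section, rest in hjt:
        if section not in PERSISTENCE_SECTIONS:
            continue
        for name, label in detected.items():
            if name in rest.lower():
                hits.append({"section": section, "entry": rest, "file": name, "label": label})
    return hits
```

Running `correlate(parse_mbam(MBAM_LOG), parse_hjt(HJT_LOG))` returns the single O20 AppInit_DLLs hit for ffyhah.dll, the load point that makes the Vundo DLL reappear after its file is deleted.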

#4 madmike283
New Member • Members • 10 posts

Posted 02 January 2009 - 01:46 PM

Help please? Bump for the new day.

#5 AdvancedSetup
Forum Deity • Administrators • 27,434 posts • Gender: Male • Location: US

Posted 02 January 2009 - 05:56 PM

Sorry for the delay, Mike, but the holidays have impacted the number of available users and their time.

I will try to assist you later tonight, just hang in there.

#6 AdvancedSetup
Forum Deity • Administrators • 27,434 posts • Gender: Male • Location: US

Posted 04 January 2009 - 03:38 AM

You need to remove the Adobe Acrobat Reader 8 and update to version 9. Older versions were susceptible to malware attacks.

Please make sure you have your files and data backed up first, and run the following.

PRE-STEP01
Run this file to repair file and registry permissions
fixacl.exe

PRE-STEP02
Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.
clearinit.reg

PRE-STEP03
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

RESTART YOUR COMPUTER now, then move on to Run ComboFix

Run ComboFix
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member madmike283 only. If you are a lurker, do NOT try this on your system!
If you are not madmike283 and have a similar problem, do NOT post here. Start your own topic by
following the directions here


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.

STEP 01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

STEP 02
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}


STEP 03
If you have a prior copy of Combofix, delete it now

Download ComboFix from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

STEP 04
Start HijackThis. Do a Scan and Save, saving the log.

Reply with a copy of the C:\Combofix.txt,
the new HJT log,
and tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

#7 madmike283
New Member • Members • 10 posts

Posted 04 January 2009 - 12:40 PM

Thanks for the reply. I was about to run ComboFix but I can't seem to disable my McAfee anti-virus. I errantly tried to start ComboFix anyway and it warned me that it was still running. So I just restarted my computer. It's McAfee Virus Scan Enterprise and it seems that maybe they set it up so that it takes Administrator privileges to disable it. Am I stuck, or might there be a way around this? I suppose I may need to start saving stuff off of this thing so that they can re-image it? :)

#8 madmike283
New Member • Members • 10 posts

Posted 04 January 2009 - 12:45 PM

madmike283, on Jan 4 2009, 10:40 AM, said:

Thanks for the reply. I was about to run ComboFix but I can't seem to disable my McAfee anti-virus. I errantly tried to start ComboFix anyway and it warned me that it was still running. So I just restarted my computer. It's McAfee Virus Scan Enterprise and it seems that maybe they set it up so that it takes Administrator privileges to disable it. Am I stuck, or might there be a way around this? I suppose I may need to start saving stuff off of this thing so that they can re-image it? :)

Wait, maybe it did disable. I tried disabling it in the startup section of the Sys Config Monitor. It seems to not be running now. Let me try ComboFix now.

#9 madmike283
New Member • Members • 10 posts

Posted 04 January 2009 - 12:51 PM

Nope, I still get the warning from ComboFix that my anti-virus is still running. The system tray icon is gone, but it must still be running in the background or something. Any recommendations? Thanks again for the assistance.

#10 AdvancedSetup
Forum Deity • Administrators • 27,434 posts • Gender: Male • Location: US

Posted 04 January 2009 - 07:49 PM

Well if it's a work computer then it's probably best to have your IT team take care of it for you.

Offering advice on the McAfee removal when locked would upset many Companies that rely on this software.

The issue is that ComboFix could delete many parts of the operating system if not run in the appropriate manner, so it's best not to do it.

#11 madmike283
New Member • Members • 10 posts

Posted 04 January 2009 - 08:31 PM

Thanks for your help. I was really wanting to avoid a re-image, but oh well. I guess I'll start organizing what I need to save off of here. Thanks again and you guys provide a great service for us!

Mike

#12 AdvancedSetup
Forum Deity • Administrators • 27,434 posts • Gender: Male • Location: US

Posted 05 January 2009 - 01:38 AM

No problem Mike, you're welcome and sorry for the issues.
