Teles

Trj/CI.A

13 posts in this topic

Hello,

I am using Panda Antivirus Pro 2009 which finds and detects the following virus.

V

Share this post


Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:49:07, on 11-02-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programas\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Java\jre6\bin\jqs.exe

C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe

C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

C:\Programas\Ficheiros comuns\Panda Security\PavShld\pavprsrv.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Java\jre6\bin\java.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperliga

Share this post


Link to post
Share on other sites

After Running MBAM, it cleaned the problems it first detected but still the Trojan remains as shown by Kasperspy

Malwarebytes' Anti-Malware 1.33

Database version: 1749

Windows 5.1.2600 Service Pack 3

11-02-2009 18:31:05

mbam-log-2009-02-11 (18-31-05).txt

Scan type: Quick Scan

Objects scanned: 54557

Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites
    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

    [*]Click on My Computer under Scan and then put the kettle on!

    [*]Once the scan is complete, it will display the results. Click on View Scan Report.

    [*]You will see a list of infected items there. Click on Save Report As....

    [*]Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.

    [*]Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Share this post


Link to post
Share on other sites

Hello AdvancedSetup. Thank you very much for your reply. I have since done all that you suggest:

CCleaner

System restore

DrWeb Cureit

Hijackthis

Here are the logs: DrWeb Cureit

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe C:\Documents and Settings\Jorge\Ambiente de trabalho\ComboFix.exe/data002 Program.PsExec.171

data002 C:\Documents and Settings\Jorge\Ambiente de trabalho Archive contains infected objects

ComboFix.exe C:\Documents and Settings\Jorge\Ambiente de trabalho Container contains infected objects Moved.

SUPPORT.DOT C:\Programas\Microsoft Office\Office10\Macros W97M.Draw

A0000003.exe C:\System Volume Information\_restore{D0ECAE4B-EE60-47D0-9D25-D6C981C11494}\RP1 BackDoor.Bifrost.1218 Deleted.

A0001010.exe/data002\32788R22FWJFW\psexec.cfexe C:\System Volume Information\_restore{D0ECAE4B-EE60-47D0-9D25-D6C981C11494}\RP1\A0001010.exe/data002 Program.PsExec.171

data002 C:\System Volume Information\_restore{D0ECAE4B-EE60-47D0-9D25-D6C981C11494}\RP1 Archive contains infected objects

A0001010.exe C:\System Volume Information\_restore{D0ECAE4B-EE60-47D0-9D25-D6C981C11494}\RP1 Container contains infected objects Moved.

Ball.exe C:\WINDOWS BackDoor.Bifrost.1218 Deleted.

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:30:43, on 12-02-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

C:\PROGRAMAS\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programas\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Java\jre6\bin\jqs.exe

C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe

C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

C:\Programas\Ficheiros comuns\Panda Security\PavShld\pavprsrv.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE

C:\Programas\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programas\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE

C:\Programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperliga

Share this post


Link to post
Share on other sites

I finished running Kasperspy and it came out clean. Although I did run Panda Antivirus Pro 2009 once again and it found spyware and the two files that Dr.Web Cureit quaranteened.

Share this post


Link to post
Share on other sites

HijackThis log after running Kasperspy

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:46:39, on 12-02-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programas\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Java\jre6\bin\jqs.exe

C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe

C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

C:\Programas\Ficheiros comuns\Panda Security\PavShld\pavprsrv.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE

C:\Programas\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Programas\AutoCAD 2008\acad.exe

C:\DOCUME~1\Jorge\DEFINI~1\Temp\AdskCleanup.0001

C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Programas\Ficheiros comuns\Autodesk Shared\WSCommCntr1.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\apvxdwin.exe

C:\Programas\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe

C:\Programas\Windows Live\Messenger\msnmsgr.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperliga

Share this post


Link to post
Share on other sites

LOL - Okay well slow down a bit. Sorry but doing this via logs takes a while.

You need to empty/delete the Quarantine from your Anti-Virus.

Reset the System Restore again as shown.

Delete the Combofix now that the Anti-Virus has damaged it and made it useless.

Delete this folder if it exists as well: C:\QOOBOX

Then run the following, making sure you disable your Anti-Virus so that it does not damage the program again.

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Share this post


Link to post
Share on other sites

Hello AdvancedSetup. Ya, I guess doing this via logs does take a long time and on top of it, I'm in Portugal so our time difference is big. I have done what you suggested and enclose the logs.

ComboFix

HijackTHis

Once again thanks

ComboFix 09-02-12.03 - Jorge 2009-02-13 12:19:13.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.2047.1575 [GMT 0:00]

Executando de: c:\documents and settings\Jorge\Ambiente de trabalho\ComboFix.exe

AV: Panda Antivirus Pro 2009 *On-access scanning disabled* (Updated)

* Criado um novo ponto de restauro

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-13 to 2009-02-13 ))))))))))))))))))))))))))))

.

2009-02-12 19:23 . 2009-02-12 19:23 <DIR> d-------- c:\programas\SecondLife

2009-02-12 11:45 . 2009-02-12 12:06 <DIR> d-------- c:\documents and settings\Jorge\DoctorWeb

2009-02-12 11:28 . 2009-02-12 11:28 <DIR> d-------- c:\programas\CCleaner

2009-02-12 11:00 . 2009-02-12 11:00 1,374 --a------ c:\windows\imsins.BAK

2009-02-11 18:47 . 2009-02-11 18:47 <DIR> d-------- c:\programas\Trend Micro

2009-02-11 17:57 . 2009-02-11 17:57 <DIR> d-------- c:\programas\Malwarebytes' Anti-Malware

2009-02-11 17:57 . 2009-02-11 17:57 <DIR> d-------- c:\documents and settings\Jorge\Application Data\Malwarebytes

2009-02-11 17:57 . 2009-02-11 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-11 17:57 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 17:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-13 13:49 . 2009-02-12 15:08 <DIR> d-------- c:\documents and settings\Jorge\Tracing

2009-01-13 13:14 . 2009-01-13 13:14 <DIR> d-------- c:\programas\Windows Live SkyDrive

2009-01-13 13:14 . 2009-01-13 13:14 <DIR> d-------- c:\programas\Microsoft

2009-01-13 13:07 . 2009-01-13 13:07 <DIR> d-------- c:\programas\Ficheiros comuns\Windows Live

.

((((((((((((((((((((((((((((((((((((( Relat

Share this post


Link to post
Share on other sites

One more detail. After running Combofix, the folder named "RECYCLER" in my C Drive disappeared but the a folder with the same name (and a hidden file inside) is still in my D drive.

Share this post


Link to post
Share on other sites

STEP 1

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\WLXPGSS.SCR
g:\recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\TsGh.exe


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7d93a62-4059-11dd-a0df-0019db21b421}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beda1abc-c781-11dd-a192-0019db21b421}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987892}]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 2

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Share this post


Link to post
Share on other sites

Hello AdvancedStartup,

I started to run combofix (with the script) as directed but I think that my computer blocked. The dos window stated that my computer would be restarting yet after 2 hours nothing happened so I suspected it was blocked and restarted my computer. As you say not to run combofix more then once, I did not. As this combofix was not completed, do I run it once again?

Share this post


Link to post
Share on other sites

Did Combofix leave a log file ?

If it won't run and no log then please try to run this Anti-Virus scanner again and see if it can find anything else now.

Are you sure you Disabled your AV and it didn't popup and damage CF ?

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.