Laptop acting up, log files attached

Status
Not open for further replies.

CrashTekk13

Hi guys! I hope you can help me like you did before :) (Thanks Mike!)

This is for a laptop that my significant other uses. I have finished the eight step removal instructions and the logs are attached. Some of the symptoms are Firefox slowing down so much that I had to use IE in order to update JRE (step 6). The USB mouse also becomes unresponsive.

The following 3 trojans and 1 virus were detected on McAfee:
- Detection name: FakeAlert-DS (trojan)
File: C:\Documents and Settings\Cecile\Local Settings\Temp\install[1].exe
Process: C:\Documents and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\install[1].exe
Process Description: C:\Documents and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\install[1].exe

- Detection name: Artemis!FB0DA2ADA35 (trojan)
File: C:\Documents and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\pdrv[1].exe
Process: C:\windows\ld09.exe
Process Description: C:\windows\ld09.exe

- Detection name: Artemis!FB0DA2ADA35 (trojan)
File: C:\Documents and Settings\Cecile\Local Settings\Temp\stron_1245160155.exe
Process: C:\windows\ld09.exe
Process Description: C:\windows\ld09.exe

- Detection name: Artemis!938CD403F28C (virus)
File: C:\WINDOWS\FREDDY46.exe
Process: C:\Program Files\McAfee\MPF\MPFSrv.exe
Process Description: McAfee Personal Firewall Service

Thanks in advance!

Eugene
 
Hi Mike,

I'm attaching the ComboFix log you requested. This is after I ran HJT and selected to Fix "(no file)" and "(file missing)" at the end of a line.

I also ran Dr. Web Cure It and got the following results:
- found Adware.Relevant.10; this is from kcleaner.exe
- the above was also found in the System Restore archive
- a BATCH virus was also found and was deleted.

Thanks a lot.

Eugene
 
OK my friend so how is the computer running now?

If all seems OK then do the below.

Do the below if you did not do it from the other thread, not for malware but purely for performance.

Left-drag the mouse and copy all text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config JavaQuickStarterService start= disabled
sc stop JavaQuickStarterService
sc delete JavaQuickStarterService
attrib -h -s -r /s c:\jqs.*
del /f /q /s c:\jqs.*

sc config RpcSs start= Automatic
sc start RpcSs

sc config RpcLocator start= Automatic
sc start RpcLocator

sc config MSIServer start= Automatic
sc start MSIServer
exit
exit

Post final HJT log!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to reboot, click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleaner (temps), then on the left click Registry, then Scan for Issues; also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
-------------------------------------------------------------------------------------
The issues can be, and are likely, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install (check all boxes).

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example, the first time you run IE or Firefox it will prompt you. You would answer to approve and remember the setting. From then on, no more prompts about IE or Firefox unless the exe changes, like in an update.

When it queries you, to help you determine whether to approve or not, you can Google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install, run, and allow it to disable DNS Client; select all Hosts files, then Update and install all Hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
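The service-disabling batch in the post above changes start types without recording what they were, so if something the laptop needs (the USB mouse, printing, DNS lookups) stops working afterwards there is nothing to roll back to. The following is an added example, not code from the thread or from any of the tools it names: a reversible version that snapshots each service's start mode and running state to a CSV before stopping and disabling it, plus a function that restores them from that CSV. The service names are taken from the batch; the backup path, variable names and function names are assumptions of this example. It is meant for an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): reversible service disabling.
# 1. Backup-ServiceStartTypes writes Name/StartMode/State of each listed service to a CSV.
# 2. Disable-ListedServices stops and disables them (same effect as the sc config/stop pairs).
# 3. Restore-ServiceStartTypes puts the start types back and restarts what was running.
# Assumptions: elevated Windows PowerShell, WMI available, backup path chosen here.

$ServicesToDisable = @('Alerter', 'ClipBook', 'Messenger', 'RemoteRegistry',
                       'TlnSvr', 'SSDPSRV', 'upnphost', 'NetDDE', 'NetDDEdsdm')
$BackupPath = Join-Path $env:USERPROFILE 'service-starttype-backup.csv'   # assumed location

function Backup-ServiceStartTypes {
    param([string[]]$Names, [string]$Path)
    $rows = foreach ($name in $Names) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped)
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { Write-Warning "Service '$name' not installed; skipping"; continue }
        New-Object PSObject -Property @{ Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $rows
}

function Disable-ListedServices {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Skip names that do not exist on this machine, as the batch's "ignore errors" intends
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) { continue }
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue   # -Force also stops dependents
        Set-Service  -Name $name -StartupType Disabled
    }
}

function Restore-ServiceStartTypes {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        # Map the WMI StartMode names onto Set-Service's StartupType values
        $startup = switch ($row.StartMode) {
            'Auto'     { 'Automatic' }
            'Disabled' { 'Disabled' }
            default    { 'Manual' }      # Manual; Boot/System drivers are never in our list
        }
        Set-Service -Name $row.Name -StartupType $startup
        if ($row.State -eq 'Running') { Start-Service -Name $row.Name -ErrorAction SilentlyContinue }
    }
}

# Usage: back up first, review the table, then disable.
# To undo everything: Restore-ServiceStartTypes -Path $BackupPath
Backup-ServiceStartTypes -Names $ServicesToDisable -Path $BackupPath | Format-Table Name, StartMode, State
Disable-ListedServices -Names $ServicesToDisable
```

Keep the CSV alongside the ERUNT registry backup the post recommends; the two together let you undo the service changes independently of a System Restore point, which the later Disk Cleanup step deletes.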
 
Hi Mike -

Thanks so much for your help on all of this.

I'm attaching HJT log as you requested. Will observe laptop in the following days.

Thanks again.

Eugene
 