Solved 8-step Viruses/Spyware/Malware Preliminary Removal


ladyb75460

My computer (Vista) is infected with some Malware via a friend on Facebook. I am having trouble searching using any search engine, any browser (Firefox and IE). They redirect to other search sites and/or a site that starts scanning my computer. I have followed the 8 steps several times. However, I am still unable to search.

I have attached logs (both interim and final). Any help you can provide would be greatly appreciated.
 

Attachments
  • hijackthis.log (5.2 KB)
  • hijackthis021710.log (3.7 KB)
  • mbam-log-2010-02-17 (00-00-52).txt (3.2 KB)
  • mbam-log-2010-02-17 (07-35-24).txt (868 bytes)
  • SUPERAntiSpyware Scan Log - 02-17-2010 - 07-57-01.log (983 bytes)

Just so you know your post needs to be posted in the Virus and Malware removal forum. Contact the mods so that they can place it there. Good luck.
 
I asked moderator to move this thread to malware section.

ladyb
You don't have any antivirus program running.
Please, download and install one of these:
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

- free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

If you decide to install Avast, or Avira, make sure Windows firewall is turned on, or use Comodo firewall.
If you decide to install Comodo Internet Security, or just Comodo firewall, make sure, Windows firewall is turned off.

IMPORTANT! Make sure, you use only ONE antivirus, and ONE firewall.

After installation, update the program and run full scan.

Post fresh HijackThis log.
 
Scan completed

I installed Comodo. I had another program installed, but had disabled it for the other scans. New hijackthis log is uploaded.

Thank you for your help!
 

Attachments
  • hijackthis.log (3.6 KB)

ladyb, you have installed the Comodo firewall. You still don't have an antivirus program. Please install either Avira or Avast using the links given.

I'd like to bring your attention to this:
You ran 2 HijackThis logs. The second log was 12KB smaller than the first. This suggests that you removed some entries. While both Malwarebytes and SuperAntiSpyware do have a place to check for removal of the entries that are found, HijackThis does not.

It's our job to tell you which, if any, entries in the log need to be removed. I have not compared the logs. After you get the antivirus program installed, please reboot the computer.

Rescan with HijackThis but do not remove any of the entries.

You might also want to know that each Forum has a button for New Topic at the top left. You do have to click on a forum first to see it.
 
I had another program installed
What program are you referring to?

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
New HijackThis log??

Okay, I installed Avira (although Comodo SAID it was both AV and firewall and it scanned the computer like it was an AV program <G>) and have scanned the computer again. (You can never scan it too many times.) I have a new HJT log. Do I upload it or proceed with the ComboFix or what????
 
Stalled

Okay, it has now been scanning for over an hour. I had trouble getting all of Comodo shut down and so may have screwed up the scan. How long do I wait and then what do I do if it keeps being stalled?
 
Finished Combofix

Okay, Combofix finished. Logs are attached.

Thanks so much for your help!
 

Attachments
  • ComboFix.txt (22.9 KB)
  • hijackthis.log (3.9 KB)

Combofix log looks good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

Now, you have one too many security programs.
You need to uninstall either Comodo Internet Security, or Avira. Your choice. Both programs are equally fine. If you leave Avira, you must turn Windows firewall on.

How is the redirection issue?
 
Oh, awesome! Thank you so much for all your help. I am able to search again and actually visit the results!!!

Thanks!
 
Very good, but....we need to perform a couple more steps to make sure your computer is 100% clean.

Did you uninstall one of those programs?

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Maybe someone can clarify this for me:
  • First, I didn't realize that Comodo had merged its antivirus program with Firewall Pro. My bad.
  • But all CIS components are optional when installing allowing the user to choose which components they wish to install. The components can be activated/deactivated by user preference.
    [screenshot: CIS-Summary.png]
  • The standard version is available as a free download. There is also a paid professional version available, which includes TrustConnect and online support.

This member has the following Comodo processes running:

cmdagent.exe is a Comodo Agent Service from Comodo belonging to Comodo Firewall.
cfp.exe is the main control program for the free firewall, Comodo Firewall Pro.

That indicated to me that this member does not have the antivirus function enabled.

Any thoughts on this?
 
New scan finished

I removed Comodo because it was difficult to get shut down.

I ran TempFileCleaner.

I ran Kaspersky and HijackThis again. Both logs are attached.

Thanks again for your help!
 

Attachments
  • hijackthis.log (3.6 KB)
  • kasperksylog.txt (5.9 KB)

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Program Files\mIRC\mirc.exe	
C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$	
C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$	
C:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$	
C:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$	
C:\Users\Betsy\Downloads\mirc635.exe	
F:\Betsy\Downloads\mirc632.exe	
F:\Betsy\Downloads\mirc633.exe	
F:\Betsy\Downloads\mirc634.exe	
F:\Betsy\Downloads\mirc635.exe	
F:\Program Files\Eudora\Emoticons\Pending.fol\Received.mbx	
F:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
F:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
F:\Program Files\Eudora\Filters\w-oldsta.fol\content.mbx	
F:\Program Files\Eudora\Out.mbx	
F:\Program Files\Eudora\Pending.fol\Received.mbx	
F:\Program Files\Eudora\Stationery\Pending.fol\Received.mbx	
F:\Program Files\Eudora\TECHNICA.MBX	
F:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
F:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
F:\Program Files\Eudora\w-oldsta.fol\content.mbx	
F:\Program Files\mIRC\mirc.exe	
G:\BETSYMAIN\Backup Set 2009-11-04 170629\Backup Files 2009-11-04 170629\Backup files 114.zip	
G:\BETSYMAIN\Backup Set 2009-11-04 170629\Backup Files 2009-11-04 170629\Backup files 121.zip	
H:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$	
H:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$	
H:\Users\LENOVOUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0HBY9HLC\jquery-init[1].js	
H:\Users\LENOVOUser\AppData\Local\Temp\mirc635.exe	
I:\Betsy\Downloads\mirc632.exe	
I:\Betsy\Downloads\mirc633.exe	
I:\Betsy\Downloads\mirc634.exe	
I:\Betsy\Downloads\mirc635.exe	
I:\Program Files\Eudora\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\Emoticons\Pending.fol\Received.mbx	
I:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\Filters\w-oldsta.fol\content.mbx	
I:\Program Files\Eudora\In.mbx.001	
I:\Program Files\Eudora\Junk.mbx	
I:\Program Files\Eudora\Out.mbx	
I:\Program Files\Eudora\Pending.fol\Received.mbx	
I:\Program Files\Eudora\Stationery\Pending.fol\Received.mbx	
I:\Program Files\Eudora\TECHNICA.MBX	
I:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx	
I:\Program Files\Eudora\w-oldsta.fol\content.mbx	
I:\Program Files\mIRC\mirc.exe
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
I hope you know how intimidating it is to run a program that looks like a nuclear explosion! :)

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\mIRC\mirc.exe moved successfully.
C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$ moved successfully.
C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$ moved successfully.
File/Folder C:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$ not found.
File/Folder C:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$ not found.
C:\Users\Betsy\Downloads\mirc635.exe moved successfully.
F:\Betsy\Downloads\mirc632.exe moved successfully.
F:\Betsy\Downloads\mirc633.exe moved successfully.
F:\Betsy\Downloads\mirc634.exe moved successfully.
F:\Betsy\Downloads\mirc635.exe moved successfully.
F:\Program Files\Eudora\Emoticons\Pending.fol\Received.mbx moved successfully.
F:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx moved successfully.
File/Folder F:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx not found.
F:\Program Files\Eudora\Filters\w-oldsta.fol\content.mbx moved successfully.
F:\Program Files\Eudora\Out.mbx moved successfully.
F:\Program Files\Eudora\Pending.fol\Received.mbx moved successfully.
F:\Program Files\Eudora\Stationery\Pending.fol\Received.mbx moved successfully.
F:\Program Files\Eudora\TECHNICA.MBX moved successfully.
F:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx moved successfully.
File/Folder F:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx not found.
F:\Program Files\Eudora\w-oldsta.fol\content.mbx moved successfully.
F:\Program Files\mIRC\mirc.exe moved successfully.
G:\BETSYMAIN\Backup Set 2009-11-04 170629\Backup Files 2009-11-04 170629\Backup files 114.zip moved successfully.
G:\BETSYMAIN\Backup Set 2009-11-04 170629\Backup Files 2009-11-04 170629\Backup files 121.zip moved successfully.
File/Folder H:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000DC-299FD630.av$ not found.
File/Folder H:\Users\All Users\Avira\AntiVir Desktop\TEMP\AVSCAN-20100218-160234-59FBD5CB\000000F3-E47846E4.av$ not found.
H:\Users\LENOVOUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0HBY9HLC\jquery-init[1].js moved successfully.
H:\Users\LENOVOUser\AppData\Local\Temp\mirc635.exe moved successfully.
I:\Betsy\Downloads\mirc632.exe moved successfully.
I:\Betsy\Downloads\mirc633.exe moved successfully.
I:\Betsy\Downloads\mirc634.exe moved successfully.
I:\Betsy\Downloads\mirc635.exe moved successfully.
I:\Program Files\Eudora\account.fol\correspondence.fol\freepages mail.mbx moved successfully.
File/Folder I:\Program Files\Eudora\account.fol\correspondence.fol\freepages mail.mbx not found.
I:\Program Files\Eudora\Emoticons\Pending.fol\Received.mbx moved successfully.
I:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx moved successfully.
File/Folder I:\Program Files\Eudora\Filters\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx not found.
I:\Program Files\Eudora\Filters\w-oldsta.fol\content.mbx moved successfully.
I:\Program Files\Eudora\In.mbx.001 moved successfully.
I:\Program Files\Eudora\Junk.mbx moved successfully.
I:\Program Files\Eudora\Out.mbx moved successfully.
I:\Program Files\Eudora\Pending.fol\Received.mbx moved successfully.
I:\Program Files\Eudora\Stationery\Pending.fol\Received.mbx moved successfully.
I:\Program Files\Eudora\TECHNICA.MBX moved successfully.
I:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx moved successfully.
File/Folder I:\Program Files\Eudora\w-oldsta.fol\account.fol\correspondence.fol\freepages mail.mbx not found.
I:\Program Files\Eudora\w-oldsta.fol\content.mbx moved successfully.
I:\Program Files\mIRC\mirc.exe moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Betsy
->Temp folder emptied: 98017568 bytes
->Temporary Internet Files folder emptied: 3781996 bytes
->Java cache emptied: 128123 bytes
->FireFox cache emptied: 80284207 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10190 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 174.00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 02202010_091024

Files moved on Reboot...

Registry entries deleted on Reboot...
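The OTM script above lists several paths twice, and the results log reports the second copy as "not found" because the first line already moved it. The following Python is an added example, not part of the thread or of the OTM tool: it parses a script and a results log in the same format (sample lines constructed from path shapes in the thread) and separates a "not found" caused by a duplicate line from a file that was genuinely absent, so the two cases are not confused when reading the log.

```python
"""Cross-check an OTM :Files script against its results log (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample script, using path shapes from the thread's script.
SAMPLE_SCRIPT = r""":Processes

:Files
C:\Program Files\mIRC\mirc.exe
F:\Program Files\Eudora\Out.mbx
F:\Program Files\Eudora\Out.mbx
I:\Program Files\Eudora\Junk.mbx

:Commands
[resethosts]
[emptytemp]
"""

# Constructed sample results, in the format OTM printed in the thread.
SAMPLE_LOG = r"""All processes killed
========== FILES ==========
C:\Program Files\mIRC\mirc.exe moved successfully.
F:\Program Files\Eudora\Out.mbx moved successfully.
File/Folder F:\Program Files\Eudora\Out.mbx not found.
I:\Program Files\Eudora\Junk.mbx moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

RESULT_RE = re.compile(
    r"^(?:File/Folder )?(?P<path>.+?) (?P<outcome>moved successfully|not found)\.$"
)


def parse_script(text):
    """Split an OTM script into sections: ':Files' -> 'Files', ':Commands' -> 'Commands'."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def duplicate_paths(paths):
    """Paths listed more than once; Windows paths compare case-insensitively."""
    counts = Counter(p.lower() for p in paths)
    return {p: n for p, n in counts.items() if n > 1}


def parse_results(log):
    """(path, outcome) pairs from the FILES section of an OTM results log."""
    results, in_files = [], False
    for line in log.splitlines():
        if line.startswith("=========="):
            in_files = "FILES" in line
            continue
        m = RESULT_RE.match(line)
        if in_files and m:
            results.append((m.group("path"), m.group("outcome")))
    return results


def classify_not_found(results):
    """'already moved' if an earlier line moved the same path, else 'absent'."""
    moved, verdicts = set(), {}
    for path, outcome in results:
        key = path.lower()
        if outcome == "moved successfully":
            moved.add(key)
        else:
            verdicts[path] = "already moved" if key in moved else "absent"
    return verdicts


def summarize(script_text, log_text):
    """Compare what the script asked for with what the log says happened."""
    files = parse_script(script_text).get("Files", [])
    results = parse_results(log_text)
    return {
        "listed": len(files),
        "duplicates_in_script": duplicate_paths(files),
        "moved": sum(1 for _, o in results if o == "moved successfully"),
        "not_found": classify_not_found(results),
        "hosts_reset": "HOSTS file reset successfully" in log_text,
    }
```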
 
Note to Broni: I am glad to see the saved emails with Worms can be moved in OTM. I've had three other members with similar logs, different mail programs. One attempted to delete the infected files in the Store boxes, but ended up deleting each Store folder! Learning something every day! I gave each of them some basics in safe mail and attachment handling.
 
Can I find which email it thinks is infected in that mailbox? That one holds all my receipts, program ID codes, etc. I don't click on spoof emails which is what that is detecting, so would like to recover the rest of those emails.

Also, mirc is not a virus - it is just that all irc clients are susceptible. What do I do to run that program?

Thanks!
 
I hope you know how intimidating it is to run a program that looks like a nuclear explosion! :)
Hahahaha....

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

=======================================================================

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

========================================================================

Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
8 Step Malware removal

I found a thread to fix my exact issue but it is closed. I searched by removing Malware and this thread came up. I hope I am in the right thread...

I have Kaspersky running and updating daily and scanning daily. The last two days I get a video ad running in the background but I can't see it and it even runs with all Iexplorer windows closed. Looking at the task manager, there were like 8 iexplorer processes running. I found your thread and ran the 8 step malware removal instructions. Everything looked great. CCleaner found all kinds of stuff and cleaned em up. Somehow your process found like 9 malwares that Kaspersky didn't prevent??? I was able to remove all of those. Plus SuperAntivirus cleaned up more. Thought I would run your 8 step again just for grins and it found a Trojan. I even ran the MS Checkdisk tool. Everything still looks great but looking at the HJT log, dang! What is all this crap? Am I good to go? Can I clean out all these extra content and buttons? The O2 "BHO...'s" look remarkably like the malwares that were removed???

BTW, I even ran all the silly warning updates that the Kaspersky had noted.

Thanks for being out there guys!
 
DimensionalMan
You have to start your own topic.
I'll remove your post as soon as you let me know you created a new topic.
 