8-Steps Complete: Are We Clear?

Status
Not open for further replies.

mags

Hi Everyone,

I've come seeking help fixing my girlfriend's laptop. It was browser-hijacked early last year and although it no longer redirects, the computer just kept getting slower - both processor and internet connection. It got so bad that we had to system restore it back to factory settings... but Avast STILL found a virus.

Full System Scan and Boot-time Scan both show no infection now, but the 8 Steps picked up lots of things. I've attached the logs below. Thankfully the laptop and its internet connection are both running quicker.

Thanks in advance

P.S. In order to restore the system, we had to move all of her photos and documents onto an external drive so as not to lose them. Is it likely they will be infected too? Can we safely move them back onto the laptop?
 

Attachments

  • mbam-log-2010-02-02 (15-17-44).txt (1.6 KB)
  • SUPERAntiSpyware Scan Log - 02-02-2010 - 15-49-33.log (1.2 KB)
  • hijackthis.log (6.7 KB)
P.S. In order to restore the system, we had to move all of her photos and documents onto an external drive so as not to lose them. Is it likely they will be infected too? Can we safely move them back onto the laptop?

Please explain the 'restore'.

The system is still infected. If you moved files during the infection and if they were infected, then putting them back will reinfect the system-OR- the current malware will infect the files.

There is a MY Way Search infection on the system, still active in spite of some removals. See if this will remove more:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    (image: RcAuto1.gif, the Recovery Console prompt)
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: whatnext.png)

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please attach the Combofix report and a new scan log from Hijackthis in next reply.
 
Hi Bobbye,

Thanks for your help.

Please explain the 'restore'.

The laptop is a Dell Inspiron 9300, which has a built in PC Restore function - You just hold Ctrl and F11 during start up to launch it. It wipes all of your files and resets the system to its original operating state.

That's why I moved all of her photographs to an external drive before the restore. As a photographer, these files are her livelihood. I wanted to know how I can make sure that they are not infected so that they do not infect a client's computer or reinfect the laptop when I move them back.

Thanks again for your help, the requested logs are attached.
 

Attachments

  • log.txt (23.2 KB)
  • hijackthis.log (6.7 KB)
mags, a question:
Did you have the McAfee Security Suite on the system? Maybe it was preloaded. I ask because you have entries for the McAfee spam killer and also the firewall. Since you also have the Comodo firewall, you should remove left-over McAfee entries:

You can download this McAfee Removal and Save to your desktop.

Then
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click on the removal tool to run. Follow any on-screen prompts. Then reboot back in to Normal Mode.

The Combofix report shows the following were downloaded in 2004. I don't see the programs on your system that usually go with them. IF you do not use these programs, I can move the files for you: Note that they are legitimate files:
2004-08-10 05:00: chsbrkr.dll>> Microsoft Chinese bigram character breaker for Index Server.
2004-08-10 05:00: pmigrate.dll>> Microsoft Pinyin IME Migration DLL.
2004-08-10 05:00: korwbrkr.dll>> Korean WordBreaker.
2004-08-10 05:00: msir3jp.dll>> Japanese Wordbreaker and Stemmer


This was also loaded a while back- I can remove it also if it's not being used:
2004-08-03 23:08: c:\windows\system32\dllcache\usbstor.sys>> If the USB bus driver enumerates a mass-storage-class-compliant device on a computer running Windows, it automatically loads the USB storage port driver (usbstor.sys) for that device.

Please empty the Java cache as follows:
Control Panel> Java> Temporary Internet Files> Settings> Delete> then go to Update tab> Uncheck 'check for update automatically> Click Yes when asked to confirm> Apply> OK.

There is only 1 entry in the HijackThis log that I recommend you remove:
Please reopen HJT to 'do system scan only.' Check the following, if present:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway

Close all Windows except HJT and click on "Fix Checked."

To check the files you moved before you put them back on the clean system:
Right click on the file or folder> Scan with the AV program.

Let me know about the files I asked about.
 
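A practical check for the files that were moved to the external drive before the restore, added here as an example; it is not part of Bobbye's instructions and not code from any tool used in this thread. Photographs and documents are data rather than programs, so the realistic risk is something executable that was dropped among them: an autorun.inf, a file with a double extension such as photo.jpg.exe (shown as photo.jpg when Windows hides known extensions), or an executable renamed to look like an image. The script walks a folder and flags those cases, comparing each file's first bytes with the type its extension claims. The sample tree it builds is constructed for illustration; on the real drive you would call scan_tree on the drive's root, after the antivirus scan recommended above, not instead of it.

```python
import os
import pathlib
import shutil
import tempfile

# File types Windows runs when double-clicked. None of these belong in a
# folder of photographs and documents.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".hta", ".lnk", ".dll", ".sys"}

# Bytes a file must start with to really be the type its extension claims.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
}
PE_HEADER = b"MZ"  # every Windows executable starts with this, whatever its name


def inspect_file(path):
    """Return the reasons (possibly none) why this file should not go back as-is."""
    p = pathlib.Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if p.name.lower() == "autorun.inf":
        reasons.append("autorun.inf on removable media")
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable type {ext}")
        if len(suffixes) >= 2:  # e.g. photo.jpg.exe
            reasons.append(f"double extension {''.join(suffixes)}")
    with open(p, "rb") as f:
        head = f.read(16)
    if head.startswith(PE_HEADER) and ext not in EXECUTABLE_EXT:
        reasons.append("PE header under a non-executable name")
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"content does not match {ext} signature")
    return reasons


def scan_tree(root):
    """Walk root; return {relative path: reasons} for the suspicious files only."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Create a constructed stand-in for the external drive (sample data, not real files)."""
    root = tempfile.mkdtemp(prefix="restore_check_")
    os.makedirs(os.path.join(root, "Photos"))
    samples = {
        "Photos/wedding_001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
        "Photos/wedding_002.jpg": b"MZ\x90\x00" + b"\x00" * 32,         # executable renamed .jpg
        "Photos/wedding_003.jpg.exe": b"MZ\x90\x00" + b"\x00" * 32,     # double extension
        "Invoice.pdf": b"%PDF-1.4\n" + b"\x00" * 32,                    # genuine PDF header
        "autorun.inf": b"[autorun]\r\nopen=Photos\\wedding_003.jpg.exe\r\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


def check_sample():
    """Build the sample tree, scan it, remove it again, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in sorted(check_sample().items()):
        print(f"{rel}: {'; '.join(why)}")
```

The header check matters more than the extension list: a renamed executable keeps its MZ header no matter what it is called, and a genuine JPEG, TIFF or PDF always starts with its own signature, so a mismatch is a reason to quarantine the file rather than copy it back. The executable-extension list is an assumption of this example and can be extended; anything it flags should stay on the external drive until it has been looked at.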
Thanks Bobbye,

We didn't install the McAfee Security Suite, I assume it was preloaded: The firewall blocked it attempting to connect to the internet, but it didn't appear on the Control Panel Add/Remove Programs list, so I couldn't uninstall it.

I ran McAfee Removal Tool, but got the following message:

Error obtaining full permissions for cleanup. Some products may not be fully removed.

The log exceeds the forum's filesize limit, do you need me to copy/paste the content to a reply?

We don't use any of the language files you listed, so please go ahead and move them. As for usbstor.sys, I have no idea whether we use it or not. We frequently use USB flash drives and an external hard drive, so I leave it to your judgement whether or not to move it.

A question about Java: When I unchecked Update Automatically, it pops up a warning that it strongly recommends letting Java periodically check for newer versions and gives two options: "Check Monthly" and "Never Check". I selected "Never". I assume I should continue to use the Java Checker link from Step 6?

HijackThis - done. Deleted.
 
Since Windows 2000, Microsoft provides native support for USB mass storage devices. The Usbstor.inf installation file contains device IDs for supported devices. If the USB hub driver enumerates one of these devices, the operating system will automatically load the USB storage port driver, i.e. Usbstor.sys. Therefore, IMHO you have nothing to fear about usbstor.sys. For the rest, just follow Bobbye's instructions.
 
Yes, you have to beat Java over the head not to do auto-updates! And every time you do an update or uninstall, it puts itself back. The process you'll see in the Task Manager is jusched if it's running. I don't have anything on auto-update except the AV. When I check the logs, I usually see 6-9 auto-updates. That means each of those programs is going to be contacting the internet multiple times every day!

Anything you can't paste in can be attached. The mods get strict sometimes.

For McAfee: suggest you download the Windows Installer Cleanup Utility HERE. Once you get it downloaded:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Then open the cleanup utility and zap all the McAfee files left.


Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    c:\windows\system32\dllcache\usbstor.sys
    c:\windows\system32\dllcache\chsbrkr.dll
    c:\windows\system32\chtbrkr.dll
    c:\windows\system32\korwbrkr.dll
    c:\windows\system32\dllcache\korwbrkr.dll	
    c:\windows\system32\dllcache\msir3jp.dll
    c:\windows\system32\msir3jp.dll
    c:\windows\system32\dllcache\pmigrate.dll
    c:\windows\system32\dllcache\agt0404.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
I used the Windows Installer Cleanup Utility: It didn't show any entries for McAfee, but it did find and remove one entry for MyWay Search Assistant [1.0.1].

I ran OTMoveIt as described, the contents of the log are pasted below:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\system32\dllcache\usbstor.sys moved successfully.
c:\windows\system32\dllcache\chsbrkr.dll moved successfully.
c:\windows\system32\chtbrkr.dll moved successfully.
c:\windows\system32\korwbrkr.dll moved successfully.
c:\windows\system32\dllcache\korwbrkr.dll moved successfully.
c:\windows\system32\dllcache\msir3jp.dll moved successfully.
c:\windows\system32\msir3jp.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dllcache\pmigrate.dll
c:\windows\system32\dllcache\pmigrate.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dllcache\agt0404.dll
c:\windows\system32\dllcache\agt0404.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Isabella Day
->Temp folder emptied: 1112204 bytes
->Temporary Internet Files folder emptied: 69891477 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 60492788 bytes
->Google Chrome cache emptied: 95175529 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 35715 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 36975 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 216.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02132010_181811

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Thanks for all your time and help, Bobbye.
 
That is good- those were the language entries from 2004. Before I clear you, I'd like to run an online AV scan and see one more HJT log:

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Give me the Eset log and new log for HJT.
 
Done and done.
Logs attached.
 

Attachments

  • log.txt (902 bytes)
  • hijackthis.log (6.8 KB)
mags, there's a problem with the site. I've put the reply in x3 and lost it each time. Will try again.
 
Oh my goodness! What a frustration that was! mags, let's finish up now.

Open HJT to do system scan only. Check the following:
O4 - Global Startup: Digital Line Detect.lnk = ?
Close all but HJT. Click on "Fix Checked."

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Using Windows Explorer: (Windows key+E):
Click on Tools> Folder Options> View tab> Check 'show hidden files & folders> Uncheck 'hide protected OS files- Recommended'> Apply> OK
Click on My Computer> Local Drive (C)> Docs. & Settings> your user name docs & settings
Double click on Application Data> find McAfee and do a right click> Delete.
Exit WE.
Go back and rehide the files & folders
-----------------------------------
You can now Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted:
    - Click START> then RUN
    - Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    (image: CF_Uninstall-1.jpg)
  • Download OTCleanIt by OldTimer
    - Save it to your Desktop.
    - Double click OTCleanIt.exe.
    - Click the CleanUp! button.
    - If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

  • Set a new Restore Point to prevent infection from any previous Restore Points.
    - Start > All Programs > Accessories > System Tools and click "System Restore".
    - Choose "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    - Start > All Programs > Accessories > System Tools > "Disk Cleanup"
    - Select the partition or drive you want (usually set to C).
    - Click the "More Options" Tab.
    - Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if I can be of anymore help.
 
Thanks for all your help, Bobbye.

I fixed the specified entry on HijackThis, but couldn't find any McAfee folder in Application Data. Or any folder, to be precise.

Uninstalled as per your instructions. The only app left is HijackThis, but I can remove that via control panel.

Just as a final reassurance, there's a lot of information about this computer (and my girlfriend's name) in this thread and logs. Should I remove/edit any posts, or is that unnecessary?

Thanks again. I can't tell you how relieved we are to have her computer back and working better than ever.
 
Her information should be okay. I doubt anyone else opens the logs but us 'cleaners'!
Here are some tips that you can both use:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get All updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    OR
  • Download Foxit Reader. It is free and does the same thing as Adobe without the bloat.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly.
5. Use an AntiVirus Software (only one).
6. Use a good, bi-directional firewall (one software firewall).
See Understanding and Using Firewalls including links to download a firewall.

7. Consider these programs for Extra Security
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
 
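An added example of what the HOSTS file tip above actually does, written for this page and not taken from the thread or from the MVPS project. A hosts file is consulted before DNS, so a line that maps an ad or search-hijack name to 127.0.0.1 or 0.0.0.0 sends that name nowhere. The same mechanism cuts the other way: malware that edits the file can map a legitimate name to an address of its choosing, which the audit below reports separately. It goes a little beyond the tip by treating any non-loopback mapping as something to look at. The hosts content is constructed for illustration and the example.* names are placeholders; on Windows XP the real file lives at C:\WINDOWS\system32\drivers\etc\hosts, and you would pass its text to audit_hosts.

```python
import ipaddress

# Addresses that make an entry a sinkhole: the name resolves to the machine
# itself (127.0.0.1 / ::1) or to nowhere (0.0.0.0). Anything else is a redirect.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample hosts content for illustration only; the example.* names
# are placeholders, not real ad or update servers.
SAMPLE_HOSTS = """\
# localhost entries that every hosts file carries
127.0.0.1       localhost
::1             localhost
# ad/tracking names sinkholed the way a blocklist such as the MVPS file does
127.0.0.1       ads.example.com
0.0.0.0         tracker.example.net   # comment after the entry
# the kind of entry a hijacker adds: a legitimate-looking name sent elsewhere
10.1.2.3        av-updates.example.org
this is not a valid line
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:
            yield addr, name.lower()


def audit_hosts(text):
    """Return (names sinkholed, {name: address} for names sent somewhere else)."""
    sinkholed, redirected = set(), {}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the loopback entry is normal, not a block
        if addr in SINKHOLE_ADDRS:
            sinkholed.add(name)
        else:
            redirected[name] = addr
    return sinkholed, redirected


def audit_sample():
    """Run the audit over the constructed sample file."""
    return audit_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    blocked, redirects = audit_sample()
    print(f"{len(blocked)} names sinkholed; redirected elsewhere: {redirects}")
```

On a clean machine with the MVPS file installed the redirected dictionary should be empty: every non-localhost line maps to a sinkhole address. Any name that comes back in it, in particular an antivirus or Windows Update host, is a sign the file was tampered with and should be restored from the MVPS download.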