TechSpot

8 steps completed, here are my logs

By nb1106
Jan 26, 2009
  1. mflynn

    mflynn TS Rookie Posts: 2,793

    10-4

    Fantastic!

    Mike
     
  2. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Here's the log. The express after reboot was clean. The complete scan is just starting documents and settings and is clean.
     
  3. mflynn

    mflynn TS Rookie Posts: 2,793

    You are going to jump through this computer screen at me when I ask you this, but when the full DrWeb scan is finished, go back to where you got DrWeb, download the NOD32 cleaner and run it in Safe Mode!

    Now that we seem to be clean, I want another very good and powerful program like NOD to confirm it yet again!

    Mike
     
  4. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Sounds good. It will be some time, I'd imagine, before those are both done. At this time DrWeb has only found one infection during this complete scan, and it's inst.exe from AOL, and it's marked as "probably backdoor.trojan". Will post logs as they come.
     
  5. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Second Complete scan. Letting NOD run through the night along with another express in the morning. Will post both logs.


    EDIT: NOD found a trace of Virut. Guess that's bad news. But only one trace. And it's in a .exe file that is locked in a rar file.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    That is great! I have always had great respect for DrWeb, but this sends that through the roof!

    If nod and drweb express both come up clean then....

    The following is to get your system back to normal and fix any missing Windows components, DLLs etc., and is preparation for SP3, which will for sure finish things up.

    This has to be done in Normal Mode, so after the SP3 download, unplug the network, then turn off both Windows Firewall (if on) and ZoneAlarm, and also turn off Avira. This is so they do not interfere with the install of SP3. I will tell you below when to do this.
    ----------------------------------------------------------------------------------------------------------------------------------
    Boot to Safe Mode

    Clean up temps, Registry and System Restore (you should already have these programs from earlier).

    Run CCleaner http://www.ccleaner.com/download/builds (get the Slim build at the bottom, no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    ---------------------------------------------------------------------------------------------------------------------------------
    The issues that were found are in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infected files and take a huge amount of disk space.

    It clears what are known as Shadow Copies, which are used by specialized backup programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Only after the above, redownload SAS, install it, update it and run it, and attach the log.

    All of the above in Safe Mode with Networking.
    ----------------------------------------------------------------------------------------------------------------------------------
    Boot back to Normal Mode

    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here, one at a time, do the below:

    Flush DNS
    Flush icons
    Process idle Tasks
    Reinstall Automatic Updates Service
    Reinstall BITS
    Reinstall Defrag
    Reinstall Help and Support service
    Reinstall Windows Firewall
    Repair Permissions

    Watch for any "File not found" or other errors and make a note, as this may lead to something needing to be fixed!

    Then,

    Download the full offline SP3 install from here.

    http://www.microsoft.com/DownLoads/...a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en

    Then turn off items as indicated above and install SP3!

    When finished, plug the cable back in and reboot; when back up, run in the order below.

    Paranoid check!

    Update MBAM run Quick Scan
    Update SAS run Quick scan
    Run ComboFix
    Then from Safe Mode run SDFix

    Post all logs.

    Mike
     
  7. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Well, I was just indicating that NOD had found a trace of the virut.56 in a rar file. It said it could not be quarantined, then I manually deleted the rar file off that and the flash drive. Then up until this point it found one more trace and successfully cleaned it. It also did not finish, because NOD doesn't clean/delete/quarantine/ignore files until you verify which to do via a pop-up. So it is only at Oracle right this second. Still a lot to go, hopefully clean. Then I'm not going to be here at all today until at least 8 tonight, so I'm going to run another Dr.Web to be completely sure that it's gone. I don't want to do all that and then find out I have to do it all over again. Will let you know how it goes!
     
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Yep good idea! Leave it working while you are busy with other things.

    I feel good about this now!

    Mike
     
  9. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Alright, so I ended up running two more Dr.Web completes, and I'm in the middle of running a 3rd NOD32 scan. I'm pretty sure we're good to go. So far on this scan NOD has only picked up a few viruses, which are the ones quarantined in rar files by Dr.Web. NOD has picked up a few Virut traces, but from what I can see all of them are in rar files, which I would imagine we do need to remove, besides the quarantined ones, unless those should be removed as well? But if you think I'm ready for the next step, let me know. Both Dr.Web scans were clean; if you'd like the NOD32 logs, let me know.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,793

    I would clean all Quarantines and delete any zips/rar files that still contain issues if possible.

    If there are important files and you think it is important, I would extract them on another drive or partition and scan again immediately with DrWeb.

    Yeah, just in case I see something you don't, post the NOD32 logs.

    Mike
     
  11. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    How do you clean the quarantines in Dr.Web? There's no option for anything about the quarantines. Just physically delete it?
     
     
  12. mflynn

    mflynn TS Rookie Posts: 2,793

    Yes!

    Will check in tomorrow.

    Goodnight,
    Mike
     
  13. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    What should I do about rar files in system volume info. I had given myself access to it for a previous clean a while back. But let me know what you suggest. A lot of the rar files in there are the only remaining sources of the viruses. This NOD32 scan is pretty clean for the most part. Dr.Web has picked up some others. All in sdfix's quarantine.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,793

    We are not completely finished, but close enough to do the closing; part of this clears System Restore (System Volume Information).

    But first update and run Quick Scans in MBAM and SAS, then SDFix and ComboFix. With all you had, just being paranoid.

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by the firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get the Slim build at the bottom, no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infected files and take a huge amount of disk space.

    It clears what are known as Shadow Copies, which are used by specialized backup programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled so as not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner, ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt, to help you determine whether to approve or not, you can Google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download, install and run it, allow it to disable the DNS Client, select all hosts files, then update and install all hosts files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
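The HostsMan step above (select every hosts-file source, update, install) amounts to merging several published blocklists into one hosts file that maps each unwanted name to a sinkhole address. The Python below is an added example written for this page, not HostsMan's code and not anything posted in the thread: it does that merge offline on two constructed sample lists, skipping comments, lower-casing and deduplicating names, refusing any entry that points somewhere other than a sinkhole address (a poisoned list could otherwise redirect a site instead of blocking it), honouring a caller-supplied whitelist, and writing every surviving name to 0.0.0.0. Every hostname, address and list in it is made up.

```python
"""Merge hosts-file blocklists into one sinkhole list (added example).

Illustration code written for this page, not HostsMan's. The two source
lists and every hostname/address in them are constructed for the example;
a real tool would fetch the lists over HTTP instead of embedding them.
"""
import ipaddress
import re

# One hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))

# Addresses a blocklist entry may legitimately point at. Anything else means
# the list is redirecting a name rather than blocking it, which is what a
# poisoned or hijacked list would do, so such entries are rejected.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
SINK = "0.0.0.0"  # written for every blocked name; 0.0.0.0 never reaches a local listener

# Names that a downloaded list must never be allowed to override.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample lists (not real blocklists).
SOURCE_A = """\
# sample list A
127.0.0.1 localhost
127.0.0.1 ads.example.test
127.0.0.1  tracker.example.test    # inline comment
0.0.0.0 malware-dl.example.test
"""

SOURCE_B = """\
# sample list B
0.0.0.0 ads.example.test
0.0.0.0 update.example.test
0.0.0.0 TRACKER.example.test.
::1 localhost
198.51.100.7 bank.example.test
garbage line without an address
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, hostnames are lower-cased with any
    trailing dot removed, and lines whose first field is not an IP address or
    whose names are not valid hostnames are ignored.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if HOSTNAME_RE.match(name):
                yield fields[0], name


def merge_blocklists(sources, whitelist=()):
    """Merge several lists; return (sorted blocked names, rejected entries).

    Rejected entries are those pointing at a non-sinkhole address. Local names
    and whitelisted names are dropped silently.
    """
    skip = LOCAL_NAMES | {w.lower().rstrip(".") for w in whitelist}
    blocked, rejected = set(), []
    for src in sources:
        for addr, name in parse_hosts(src):
            if name in skip:
                continue
            if addr not in SINKHOLE_ADDRS:
                rejected.append((addr, name))
                continue
            blocked.add(name)
    return sorted(blocked), rejected


def render_hosts(blocked):
    """Render the merged names as hosts-file text, local entries first."""
    lines = ["127.0.0.1 localhost", "::1 localhost", "", "# merged blocklist"]
    lines += ["%s %s" % (SINK, name) for name in blocked]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names, bad = merge_blocklists([SOURCE_A, SOURCE_B], whitelist=["update.example.test"])
    print(render_hosts(names))
    for addr, name in bad:
        print("rejected redirect: %s -> %s" % (name, addr))
```

The address in each source entry is deliberately thrown away and replaced with the fixed sinkhole, so the worst a bad list can do is block a name, never send it somewhere else; the rejected list is worth looking at, because an entry like the constructed `198.51.100.7 bank.example.test` is exactly what a tampered source would contain. The "disable DNS Client" advice that goes with HostsMan is about performance: the Windows resolver cache loads the whole hosts file, and a merged file of tens of thousands of lines makes lookups slow unless that service is off.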
     
  15. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    I'm not really sure how to get the NOD32 log. It was enabled to save as nod32.log. I searched for it and couldn't find it. The installer works (not sure about from Add & Remove), but it did uninstall the old SAS when I was prompted that there was an older version installed. SAS and SDFix sent me to the blue screen. So here are the two other logs, Combo and MBAM.
     
  16. mflynn

    mflynn TS Rookie Posts: 2,793

    Nod32 log does not work lately?

    Uninstall then redownload and reinstall SAS.

    Delete the SDFix folder that contains runthis.bat and the install on your desktop, then redownload and install and run.

    A new ComboFix was issued on 2/28, so if you uninstalled it as part of the closing above, redownload it and run again, as it had findings I did not expect!

    We need to bring this together in order to have you ready for classes.

    Mike
     
  17. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    I still have the old combo called 12cbf34 on my desktop from before. But I didn't use it; I downloaded a new one because the uninstall wouldn't work, it says no such program called combofix. And I did delete that folder of sdfix and reinstall, and did remove SAS and reinstall, with the same outcomes.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,793

    Rename the 12cbf34.exe back to ComboFix.exe, then do the ComboFix /u.

    Then get new Combofix and again rename it to 12cbf34.exe and run it.

    Then rename the SDFix RunThis.bat to 12rt34.bat and try to run it again!

    Mike
     
  19. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Combofix still says unable to find after I change the name; it said it before we changed the name to 12cbf34 as well. I'll try sdfix now. Gotta boot to safe.
     
  20. mflynn

    mflynn TS Rookie Posts: 2,793

    This is not good!

    Mike
     
  21. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    The combofix I downloaded today uninstalled after use, along with the same for SDFix, but SDFix went to blue screen, yet still uninstalled. The old combofix won't uninstall, and when it runs it doesn't go through the steps like combofix normally does on a scan. It just opens, says most machines take about 10 minutes and badly infected machines can take longer, says it's scanning, then eventually produces a log and reboots. I uninstalled, then deleted all traces of SAS, downloaded again, and it still sent me to the blue screen.

    EDIT: Also noticed this line in the MBAM log: C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    That was one of several I myself deleted (1.tmp through 50.tmp) from the sys32 folder at the start of all this, when I realized that those were the processes starting up when I would go on the internet, prior to when I reposted about the infections coming back.
     
  22. mflynn

    mflynn TS Rookie Posts: 2,793

    OK let me see the log it did produce!

    mike
     
  23. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    I took that line out of the MBAM log I posted up a few posts, the one with the combofix. I removed SAS through Add and Remove; I'm going to try to reinstall and run again.

    EDIT: SAS once again sent me to the blue screen. What's next? I'm gonna run another combofix again, I just redownloaded it, although 12cbf34 is still there because it will not remove; will deleting it off the desktop be good enough or no?
     
  24. mflynn

    mflynn TS Rookie Posts: 2,793

    Actually rename the new one to 12cbf345.exe.

    Then rename the 12cbf34.exe back to ComboFix.exe; then it should uninstall!

    Mike
     
  25. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Here's a HJT log and a Combo log.
     