TechSpot

8 steps completed, logs attached, Critical error Popup

By sinko
Jan 1, 2009
  1. Dear TechStoppers, please help me with my Trojan/Spyware problems.

    I used 8 steps and my logs are attached (in addition to logs normally recommended for attachment, I have also attached Avira scan log, done in Step 1).

    Problem description before using 8 steps:
    I recently noticed that when I go into my Windows Explorer and click on any folder to access it, a window pops up with the title CRITICAL ERROR! saying:

    Quote:
    Attention, <displays my name>! Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!
    Click OK to download the antispyware. (Recommended)
    I always clicked NO and it sends me to: free-viruscan.com/id/4912933/4/1/ but since my Firefox recognizes that it is probably a bad website it shows ERROR message and cannot open it.

    However, these windows kept popping up until I read the 8 steps on your website, where I started cleaning the machine and found a bunch of Trojans. The CRITICAL ERROR pop-up does not show anymore, but my optical mouse sometimes starts jerking (which could be just the mouse or a processor problem, or it might mean that I still have Trojans). Hence, I posted my logs to see if you could please help me to completely clean the machine.

    Up until reading the 8 steps I used NOD32 but with a 1.5 year old update, hence I was not protected. Also, I use Ad-Aware but with about a 7 month old update, which also tells me I was not very well protected. Now, after the 8 steps I have SuperAntiSpyware and Avira. I plan to uninstall NOD32 since my subscription expired 1.5 years ago and keep Ad-Aware in addition to Avira and SuperAntiSpyware. Any comments and suggestions about the effectiveness of this plan?

    Thanks for your help and I look forward to your reply which I will be checking for regularly.
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    You have handled the infection well. Just touch up the HJT.

    Scan with HJT. Tick & fix. Restart the computer.
    Code:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)   >> broken
    O2 - BHO: AvayaIEHlprObj Class - {7374d833-ab83-4e44-8784-377fba1a04e4} - (no file)  >> broken 
    O2 - BHO: (no name) - {F4B722AA-2A15-4874-B17A-8BAB87ABC586} - (no file)  >> not listed
    O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)  >> broken (comcast)
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} – not listed
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} – not listed
    O18 - Filter hijack: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file) >> malware
    Rescan with MBAM & SAS to demonstrate that the computer is clean.
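    To show what the helper's triage of these lines amounts to, here is a small HijackThis log parser added as an example for this thread; it is not code from the original post or from the HijackThis project. It takes the lines quoted above (with the ">>" annotations left in, so the parser has to strip them, plus one constructed "loaded" O2 line for contrast), pulls out the section, CLSID and whether the entry says "(no file)", and gives each entry a verdict: orphaned entries are registry residue, while the O18 text/html filter is singled out because a MIME filter hook with no backing file is the one the helper tags as malware. The registry and folder locations listed in WHERE are this author's recollection of where HijackThis reads each section from, added here as an assumption to verify against the machine.

```python
import re

# Constructed sample input: the HijackThis lines quoted in the thread, with the
# helper's ">>" annotations left in place so the parser has to strip them.
# The final O2 line is a constructed, loaded (non-orphan) entry for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)   >> broken
O2 - BHO: AvayaIEHlprObj Class - {7374d833-ab83-4e44-8784-377fba1a04e4} - (no file)  >> broken
O2 - BHO: (no name) - {F4B722AA-2A15-4874-B17A-8BAB87ABC586} - (no file)  >> not listed
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)  >> broken (comcast)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} >> not listed
O18 - Filter hijack: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file) >> malware
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\example.dll
"""

# "<section> - <kind>: <body>" is the shape of every HJT item line.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption (author's recollection): where HJT reads each section from.
WHERE = {
    "R3": r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks",
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "O3": r"HKLM\Software\Microsoft\Internet Explorer\Toolbar",
    "O16": r"C:\WINDOWS\Downloaded Program Files (ActiveX cache)",
    "O18": r"HKCR\PROTOCOLS\Filter (one subkey per MIME type, default value = CLSID)",
}

ORPHAN = "orphan: registry entry points to a file that no longer exists"
FILTER_HOOK = "MIME filter hook: text/html filter with no file is residue; the CLSID lives under PROTOCOLS\\Filter"
ACTIVE = "loaded: the referenced file is present, verify it before removing"
DPF = "ActiveX control cached in Downloaded Program Files"


def parse_line(line):
    """Parse one HJT item line; return None for headers and blank lines."""
    line = line.split(">>", 1)[0].strip()      # drop the helper's annotation
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "clsid": clsid.group(0).upper() if clsid else None,
        "no_file": "(no file)" in body,
        "location": WHERE.get(m.group("section"), "unknown"),
    }


def triage(log_text):
    """Return every parsed item with a verdict attached."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["section"] == "O18" and entry["kind"].startswith("Filter"):
            entry["verdict"] = FILTER_HOOK
        elif entry["section"] == "O16":
            entry["verdict"] = DPF
        elif entry["no_file"]:
            entry["verdict"] = ORPHAN
        else:
            entry["verdict"] = ACTIVE
        results.append(entry)
    return results


def report(log_text):
    for e in triage(log_text):
        print(f"{e['section']:<4} {e['clsid'] or '-':<40} {e['verdict']}")
        print(f"     lives in: {e['location']}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

    Run it against a saved hijackthis.log instead of SAMPLE_LOG to get the same split: "(no file)" items are the ones HJT's Fix can safely clear, while an O18 filter entry is reported separately because, as the later replies in this thread note, ticking it in HJT only hides the line and the registry key itself is what has to go.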
     
  3. sinko

    sinko TS Rookie Topic Starter

    Still TROJANS found? Thanks rf6647....need more help...

    Thanks for the reply rf6647.

    I did follow the steps you recommended and MBAM did not find anything. However, SAS has found two Trojans and, what worries me, both of them are in System Volume.... > RESTORE:

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1145\A0203570.DLL

    Trojan.Unclassified/CmdUtil
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1145\A0203571.DLL

    Could you or anybody else please look at the attached logs (MBAM done first, then SAS and then Hijackthis again) and help me figure out how to completely clean the computer?

    Kind regards
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    I missed this the first time -
    Code:
    O2 - BHO: (no name) - {E434D3C7-A673-4100-8140-79C020945017} - (no file)  >> comcast security manager
    Did you miss this one?
    Code:
    O18 - Filter hijack: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file) >> malware
    • If present remove this file: C:\windows\system32\x3cqp0.dll
    • Reference found here: http://www.systemlookup.com/lists.php?list=4&type=clsid&search=DA28E0DB-229C-4003-827E-96AE15AD90FB&s=
    
    Establish a new clean restore point and Clear your existing System Restore points:
    • New
      • Go to Start > All Programs > Accessories > System Tools > System Restore>
      • Select Create a restore point> OK.
    • Clear Old
      • Go to Start > Run > cleanmgr > Select the More options tab >
      • Choose the option to clean up System Restore > OK
      • This will remove all restore points except the new one you just created.
     
  5. sinko

    sinko TS Rookie Topic Starter

    Still cannot delete O18 Filter hijack? thanks rf6647

    rf6647,

    Thanks a lot for your help and quick reply.

    1) I was not able to delete the following line in hijackthis.log even when I tried again:
    O18 - Filter hijack: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file)
    I would press Fix checked and HijackThis would hang, showing the "Fix checked" button grayed out for at least an hour, after which I would stop, restart and try again, but no luck.

    PLEASE HELP, how can I get rid of this malware?

    2) The file: C:\windows\system32\x3cqp0.dll WAS NOT PRESENT hence I did not take any action.

    3) I have immediately deleted without any problems O2 - BHO: (no name) - {E434D3C7-A673-4100-8140-79C020945017} - (no file) >> comcast security manager

    4) I have established a new clean restore point and cleared my existing System Restore points following your suggestions. How can I check whether only one restore point is there now?

    Attached is new hijackthis.log after cleaning O2 and not being able to clean O18, and after cleaning old restore points.

    Please help me get rid of O18 and let me know if you have any other suggestions for completely cleaning out the comp.

    Kind regards
     
  6. rf6647

    rf6647 TS Maniac Posts: 829

    I believe your system is clean.

    Ordinarily, Tick/fix of O18 entries is not a fix. It suppresses the appearance in the log (unless re-generated by some program action that is reflected here). See #O18Diag.

    However, since the supporting file was not found on your computer, it is not an active infection. I believe it is residue in its own right. HJT in safe mode has removed entries that were not touchable in normal mode.

    If this is not successful, then CCleaner has a 'registry' analyze/fix capability. I would single out this registry key to delete.

    If you have any doubts, Combo_fix scan can be used. In addition to its ability to root out stubborn infections, it picks out residue left by other scanners, and provides diagnostic information. (Combo_fix is spelled without '_' )

    System Restore Points -

    • Start > cmd > click inside the command prompt window >
    • cd C:\System Volume Information\_restore*
    • dir
    • Listing of files

    Other method:
    • Option Windows Explorer to 'unhide' system files.
    • C:\System Volume Information\_restore* where * = unique numeric expression

    Tag back with logs or other concerns.
     