TechSpot

8 Steps Completed Please Help

By seanpaulz
Jul 11, 2009
  1. Please let me know if you can help.

    Thanks.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay.

    1. You are running two antivirus programs: Symantec and Avast. Please uninstall one of them. If you decide to remove the Symantec programs, you can use the Norton Removal Tool.

    2. It appears that you have or may have had the Cognizance Identity and Access Management Suite (Cognizance IAM). There is a temp entry left from it as well as a Registry entry.

So let's remove the temp files:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job.
• Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    After you do those 2 things, please do the following:
    3. Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    After completing 1,2 and 3, please run a full system scan with the antivirus program you kept. Save the log. Attach to the next reply.

    Also include the report from Combofix and new log from a rescan with HijackThis.

Then we'll see what, if anything, is left and some HijackThis files will need removing. (I'll tell you which ones though; don't remove any on your own.)

    Summary:
    Remove one of the AV programs.
    Do system scan with remaining AV and save, then attach log.
    Run the Temp File Cleaner
    Run Combofix, attach report
    Run new HJT and attach new log.

    One more thing: Click on Start> Run> type in services.msc> right click on Background Intelligent Transfer Service> Properties> set Startup type to Manual.
     
  3. seanpaulz

    seanpaulz TS Rookie Topic Starter Posts: 18

    Bobbye,

    Thanks for the reply.

    I did all of the steps as you requested and attached the logs.

    I could not figure out how to obtain a log from Avast.

    I also did the very last action you requested and it was already set to manual.

    Thanks again.
     
  4. strategic

    strategic TechSpot Paladin Posts: 1,020

To obtain the log from Avast, right-click the "a" icon in the system tray, select "avast! log viewer" (3rd from the top) and most likely you'll be after the log under "warning" :)
     
  5. seanpaulz

    seanpaulz TS Rookie Topic Starter Posts: 18

    Thanks Strategic.

    Attached is the Avast log.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for the assist strategic.

    Sean, you have malware in the restore points. Do not use System Restore. We will remove the old restore points when through and you will create a new, clean one.

    Malware is also in the temp files. Did you run the TFC?

    Please describe the problems you are having. That will help me determine which is the prevalent infection and if and which additional programs to have you run.
     
  7. strategic

    strategic TechSpot Paladin Posts: 1,020

    No problem, I'm not a pro but at least I can help speed things along with the simpler stuff.:D
    I'm fairly familiar with Avast, I've been using it for 4 years now, after giving Norton the boot (had enough of it)...Avast is far better, so is the price:)
     
  8. seanpaulz

    seanpaulz TS Rookie Topic Starter Posts: 18

    Yes I ran the TFC and it rebooted afterward.

    The initial problem was having the web browser open random websites on its own.

It hasn't been doing it since I ran the 8 step procedure.

    My computer seems to be running fine, but I want to make sure that I got all of the virus/malware removed.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's try and wind things up:

    Can you clarify the above? Are you referring to a redirect where you request one site in the search but are directed to another? Or do you mean you're cruising along and some site you haven't asked for pops open?

    Please run SDFix:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    When that has finished, run the AV scan again> before you do that however, delete any quarantined items that were previously in it.

Follow with a rescan using HijackThis. Attach the 3 logs. If clean, we'll remove the cleaning tools.

    Reminder: don't use System Restore- restore points have malware.

    Attach logs for SDFix, Avast and new HJ log.

    Have you found any entries for Cognizance Identity and Access Management Suite (Cognizance IAM)? If not, please search in your system Files and Folders for Cognizance and/or IAM. If you do find any entries, do a right click> delete.

Check the program folders also and see if there is a folder for this program. If so, do the right click> delete. (use Windows Explorer: Right click on Start> Explore> Programs)
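The manual search Bobbye asks for above (file and folder names plus the registry) can be done in one pass. The following PowerShell script is an added example for this thread, not something posted by Bobbye or shipped with any of the tools mentioned. It only lists candidates; nothing is deleted, because short terms like "IAM" will also match unrelated names and every hit should be reviewed before removal. Assumptions: it runs from an elevated Windows PowerShell 3.0 or newer prompt, the search terms are the two from the thread, and the temp-folder layout covers both the Vista+ (`Users\...\AppData\Local\Temp`) and XP (`Documents and Settings\...\Local Settings\Temp`) conventions.

```powershell
# Added example (not from the thread): list leftovers of an uninstalled product
# by name in the three places Windows keeps them: the Uninstall registry keys,
# registry key names under SOFTWARE, and Program Files / per-user temp folders.
# Assumptions: elevated prompt; PowerShell 3.0+; search terms from the thread.
function Find-ProductLeftovers {
    param([string[]]$Terms = @('Cognizance', 'IAM'))

    # Case-sensitive pattern: 'IAM' would otherwise hit 'William', 'Miami', ...
    $pattern = ($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Add/Remove Programs entries (both 32-bit and 64-bit views, plus per-user).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { ($_.DisplayName -cmatch $pattern) -or ($_.InstallLocation -cmatch $pattern) } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'UninstallEntry'; Path = $_.PSPath; Detail = $_.DisplayName }
            }
    }

    # 2. Registry keys whose own name matches, anywhere under SOFTWARE.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
        Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -cmatch $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'RegistryKey'; Path = $_.Name; Detail = '' }
            }
    }

    # 3. Program Files and every profile's temp folder (Vista+ and XP layouts).
    $profileRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings")
    $tempDirs = foreach ($root in $profileRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                Join-Path $_.FullName 'AppData\Local\Temp'
                Join-Path $_.FullName 'Local Settings\Temp'
            }
    }
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) + @($tempDirs)
    foreach ($d in $dirs) {
        if (-not $d -or -not (Test-Path $d)) { continue }
        Get-ChildItem $d -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -cmatch $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'File'; Path = $_.FullName; Detail = $_.LastWriteTime }
            }
    }
}

# Usage: review the list, then delete confirmed leftovers by hand as the thread instructs.
Find-ProductLeftovers | Sort-Object Kind, Path | Format-Table -AutoSize
```

The Uninstall keys are checked first because a surviving entry there (with an `UninstallString`) usually means the product's own uninstaller can still be run, which is cleaner than deleting folders. Recursing `HKLM:\SOFTWARE` takes a while on a busy system; that is expected.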
     
  10. seanpaulz

    seanpaulz TS Rookie Topic Starter Posts: 18

    The web pages were doing a redirect.

    I have attached the logs except for the AV.

    I loaded a new Symantec Endpoint program and removed the AV.

I see where I can view the logs, but can't seem to save one as a .txt file.

    Also, I noticed when I started in "safe mode", there was an Administrator log in and my normal log in.

    Normally when I log in, my user account is the administrator.

    This administrator account was password protected and I could not get into it (tried all the basic passwords).

    Anyway, I hope this helps.

    Thanks again for all the support.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Still finding Trojan.

    Did you have Avast quarantine what it found? Did you then delete it?
    I'd like you to do an online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Save the log and attach to next reply.

    Then UPDATE and run Malwarebytes again> attach new log.
    So far, nothing is coming out clean!

    As far as the HijackThis log goes, I don't see any malware. But you are starting up many, many processes on boot and running them in the background- that you don't need. HP sprinkles their files all over, including the Digital Imaging. None of these need to start on boot!
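To see for yourself which programs launch at boot (the O4 lines in a HijackThis log) and which services start automatically, the PowerShell script below enumerates the standard launch points. It is an added example for this thread, not code from Bobbye, HijackThis or HP. It reports only; the one change the thread actually asks for, setting Background Intelligent Transfer Service (BITS) to Manual, is shown as a separate function so it is a deliberate step. Assumptions: elevated Windows PowerShell 3.0 or newer; the Run/RunOnce keys and startup folders listed are the default locations, and scheduled tasks, which HijackThis did not cover, are left out.

```powershell
# Added example (not from the thread): enumerate boot-time launch points
# (Run/RunOnce keys and Startup folders, i.e. HijackThis O4 entries) and
# services with StartMode=Auto, so unneeded vendor helpers can be spotted.
# Assumptions: elevated prompt; PowerShell 3.0+; default registry locations.
function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds its own PSPath/PSParentPath/... properties; skip them.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # Startup folders for all users and for the current user.
    $startupDirs = @(
        [Environment]::GetFolderPath('CommonStartup'),
        [Environment]::GetFolderPath('Startup')
    )
    foreach ($d in $startupDirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem $d -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            [pscustomobject]@{ Location = $d; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-AutoStartServices {
    # Services configured to start at boot, with the binary they run.
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
        Select-Object Name, DisplayName, State, PathName
}

function Get-BitsStartMode {
    # The thread asks for BITS to be on Manual; this just reports the current value.
    (Get-CimInstance Win32_Service -Filter "Name='BITS'").StartMode
}

function Set-BitsManual {
    # Applies the change from post 2. Run only after reviewing the output above.
    Set-Service -Name BITS -StartupType Manual
}

# Usage: review first, change nothing automatically.
Get-AutorunEntries | Sort-Object Location, Name | Format-Table -AutoSize
Get-AutoStartServices | Sort-Object Name | Format-Table -AutoSize
"BITS start mode: $(Get-BitsStartMode)"
```

Compare each `Command` against the program it belongs to before removing anything; a vendor helper such as an HP imaging monitor can be disabled from its own settings, whereas an entry whose binary lives in a temp folder or has no recognisable publisher is the kind of thing to post back in the thread rather than delete on your own.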
     