8 steps done...anything else I should do?

By AGPubs
Jan 13, 2010
Topic Status:
Not open for further replies.
  1. Hello, and thank you for your invaluable help!

    The 8 steps were very clear and concise. I got rid of tons of malware and trojans that brought my computer almost to a standstill. I think I was a day away from a complete meltdown. Now my PC is *much* faster and I'm not seeing the nexplore windows that were popping up.

    I've attached my logs for your perusal. Do they suggest that there's anything else that I should do? (The SASpyware log is from the second time I ran it. I'd turned back on things from step 3 before I ran it the first time. It did find lots of stuff the first time around.)

    Again, thank you!

    -AGPubs

  2. AGPubs

    AGPubs Newcomer, in training Topic Starter

    Ooops, forgot one more question.

    I've got an external hard drive that had been hooked up to the PC while it was infected. While I did the scanning/cleaning, it was disconnected.

    I assume that I should wipe the external drive and then do a full back up of the clean PC. Is this correct, or can I just reconnect and do a full back up?

    Thanks!
    -AGPubs
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, AGPubs. I'll check the logs and help with the malware.

    To start, stay away from FunWebProducts. Every download you get puts adware on the system. Those Smileys, cursors and other 'free' stuff come with a price.

    You have malware in the System Restore points so don't use that feature. I will have to drop all the old restore points and set a new, clean one when the system is clean.

    I have noticed that you have multiple antivirus programs running.
    Avast
    McAfee

    You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

    If you are using a paid program, consider removing the free programs. If you are using a trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful: download only the tool for the antivirus program you are going to remove and save it to your desktop. Don't run yet:

    Note: Security programs are best removed while in Safe Mode.
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double click on the removal tool and run. Follow any screen prompts
    Please reboot the system when you have made the change.

    Now do this:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

    Important! Save the renamed download to your desktop.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
      [Image]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [Image]
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    When finished, rescan with Hijackthis. Attach Combofix report and new HJT log to next reply.
  4. AGPubs

    AGPubs Newcomer, in training Topic Starter

    thanks for the extra tasks...but I've hit a snag.

    I downloaded and launched ComboFix. I agreed to install the program, and I saw a brief flash of a small progress bar, but no other window came up. After 20 mins, I restarted the computer and double-clicked the combo exe file again. This time, I saw the flash of the progress bar, and nothing again. It's been an hour and the computer is pretty quiet.

    Is there a way to uninstall ComboFix and reinstall for another try?

    Thanks,
    -AGPubs
  5. AGPubs

    AGPubs Newcomer, in training Topic Starter

    Ooh, McAfee just found and isolated the Artemis!769EE35EF6D2 (trojan), which just happened to be in the Desktop\Combo-Fix(.exe).exe file!

    What now?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U, it needs to be there.
      [Image]

    EDIT: Correction on previous Worm comment: This was caused by the member having the security running while attempting to use Combofix. It was a false positive (Generic!Artemis).

    Let's see if enough can be found and removed so that Combofix will run:

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  7. AGPubs

    AGPubs Newcomer, in training Topic Starter

    Bobbye, thanks for your continued help.

    I tried to uninstall ComboFix, but got message that "Windows cannot find "Combofix"...make sure you typed correctly" etc. McAfee did find/isolate the combofix exe file before. Do I need to do more here?

    Eset found two items. I've attached the log and I await your further instructions.

    -AGPubs

    Attached Files:

    • log.txt (1.1 KB)
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes

      :Services

      :Reg

      :Files
      C:\Program Files\Juniper Networks\Network Connect 5.5.0\uninstall.exe
      C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------
    Then try installing and running Combofix again:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

      Important! Save the renamed download to your desktop.
      • Double click on the setup file on the desktop to run
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
      • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
        (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
      • Query- Recovery Console image
        [Image]
      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
        [Image]
      • Click on Yes, to continue scanning for malware.
      • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
      Notes:

      1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      When through, do a rescan with HijackThis.
      Attach the Combofix report and new HJT log to next reply.
      Let me know of any remaining system problems related to the malware.
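Editor's note, added to this thread and not part of any member's post: the OTMoveIt script Bobbye posted above is a small sectioned text format (`:Processes`, `:Services`, `:Reg`, `:Files`, `:Commands`), and before pasting such a script into a tool that deletes files it is worth reviewing exactly what it will touch. The Python below is an added example, not OTMoveIt's own code or anything from TechSpot: it parses a script in that format into its sections and produces a short review summary (how many files are targeted, whether the machine will reboot, and any path that is not an absolute Windows path or sits suspiciously close to the drive root). The sample script is the one from the post, embedded here so the example runs offline; the section and directive names are taken from the post, and the warning rules are this example's own assumptions about what a reviewer would want flagged.

```python
import re
from typing import Dict, List

# Constructed sample: the OTMoveIt script posted in this thread, embedded so the
# example runs offline. Section names and directives are those used in the post.
SAMPLE_SCRIPT = """:Processes

:Services

:Reg

:Files
C:\\Program Files\\Juniper Networks\\Network Connect 5.5.0\\uninstall.exe
C:\\Program Files\\Mozilla Firefox\\chrome\\m3ffxtbr.jar

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

# The five section headers used by the script format in the post.
KNOWN_SECTIONS = ("Processes", "Services", "Reg", "Files", "Commands")

# Matches a drive-letter absolute path such as C:\... (assumption: OTMoveIt
# :Files entries in the post are all of this form).
WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_otm_script(text: str) -> Dict[str, List[str]]:
    """Split an OTMoveIt-style script into its ':Section' blocks.

    Returns a dict with an entry for every known section (an empty list when
    the section is absent or empty). Blank lines and surrounding whitespace are
    dropped, which also removes the stray tabs a copy-paste often carries.
    Unknown headers and entries before any header are rejected rather than
    silently ignored, because a typo'd header would change what gets deleted.
    """
    sections: Dict[str, List[str]] = {name: [] for name in KNOWN_SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            name = line[1:].strip()
            if name not in sections:
                raise ValueError(f"unknown section header: {line}")
            current = name
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line}")
        sections[current].append(line)
    return sections


def review_plan(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise what the script would do and flag entries worth a second look."""
    warnings: List[str] = []
    for path in sections["Files"]:
        if not WIN_ABS_PATH.match(path):
            warnings.append(f"not an absolute Windows path: {path}")
        # Fewer than two separators means the entry is directly under the
        # drive root (or has none at all); those deserve a closer look.
        if path.rstrip("\\").count("\\") < 2:
            warnings.append(f"path is very close to the drive root: {path}")
    # Directives are written as [name]; compare case-insensitively.
    commands = [c.strip("[]").lower() for c in sections["Commands"]]
    return {
        "files_to_move": len(sections["Files"]),
        "reg_entries": len(sections["Reg"]),
        "will_reboot": "reboot" in commands,
        "empties_temp": "emptytemp" in commands,
        "warnings": warnings,
    }


if __name__ == "__main__":
    plan = review_plan(parse_otm_script(SAMPLE_SCRIPT))
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Run it against the pasted script and the summary shows two files under C:\Program Files, no registry entries, a temp-folder purge and a forced reboot, with no warnings; feed it a script that names `foo.exe` or `C:\x.dll` and the review flags those lines before anything is moved.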
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    FYI Bobbye.

    Artemis is a false positive from McAfee, disable it fully before ComboFix is downloaded.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you kritius.

    Regarding this:
    McAfee should have been disabled: Correction has been made in Reply #6.
    AGPubs, please delete the file you saved to your desktop and be sure to do this before Combofix:
    Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

    Now you should be able to run Combofix.
    Run that first, then follow with the Eset scan.

    Leave Combofix report and Eset log on next reply.