TechSpot

8 Steps done - Log check please

By schwein11
Jan 22, 2009
  1. Ok, so two nights ago I had a very weird freeze-up of Firefox, and was unable to close it without it remaining open. I then received some prompts from Spybot S&D TeaTimer re: registry changes, that I denied, because at this point I was getting pretty concerned. After unplugging the power and restarting the computer, I began to get 0xd1 BSOD (Driver: IRQL_NOT_LESS_OR_EQUAL). Figuring this was probably somehow related to the earlier weirdness, I did the 8 steps.

    Note that I installed the newest version of Java, and was unable to find any other version of java in my add/remove programs.

    Note also that my avast scan found 2 infected files that I deleted, but stupidly did not take note of their names (thinking there would be a log available later). I have not been able to find a log though.

    See attached logs.

    Thanks for any help you may provide, I truly appreciate how helpful this community is.
     
  2. Bobbye


    NOTE: the malware is in the System Restore points. Do NOT do a System Restore while we're cleaning. We will drop the old restore points when the system is clean.

    You are running two antivirus programs:
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

    Decide which one you want on the system and uninstall the other. If you decide to uninstall the Symantec/Norton program, use the Norton Removal Tool HERE

    Temp files should be cleaned out occasionally:
    C:\DOCUME~1\OLDMAN~1\LOCALS~1\Temp\clclean.0001
    This is from "Creative Filter AudioControlMB Module"
    (ctmbha.dll, version 1.0.1.22).

    Please re-open HiJackThis> click on System Scan Only> Check the boxes next to all the entries listed below:

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
    Poker Stars
    Any process related to win16dll, 44052 or cae4.exe
    > Apply> OK

    Open IE> Tools> Manage Add-on> find the Eset OnlineScanner Control> highlight> Disable.

    Control Panel> Add/Remove Programs> UNINSTALL the following if present:
    PokerStars
    win16dll, 44052 or cae4.exe

    Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Run the VundoFix:
    Please download VundoFix.exe from HERE and save it to your Desktop.
    Then run SDFix:
    * Download SDFix from HERE and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    Rescan with HijackThis AFTER VundoFix and SDFix. Attach all logs and reports.
     
  3. schwein11


    Logs are attached.
     
  4. Bobbye


    Much better! A little overkill in the extra programs, but it appears we got all the malware entries. Technically, TeaTimer should have been disabled before the scans. This was covered in the Steps.

    The HijackThis log is clean, but I would like to advise that you have many unnecessary processes starting on boot and running in the background. For instance, there are numerous 'Creative' processes. NONE of these need to start on boot. The last 2 are Services and they can be set to Startup type Manual instead of Automatic.
    You have 3 Media Players starting up: NONE need to start on boot.
    I used to help people stop these nuisance startups, but it got to be too time consuming. Just know that the ONLY processes you need to start on boot are:
    All else can be started manually as needed.

    Something else to consider: If you don't use the Dell preloaded processes, get rid of them. I have found few do!

    Please disable TeaTimer BEFORE you run the Kaspersky scan.

    SPYBOT TEATIMER
    I'd like you to run the Kaspersky online scan just to make sure what you found is gone:
    Kaspersky online scan
    Open Kaspersky Online Scanner in Internet Explorer using this link:
    http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

    Attach the scan report. If it's clean, we'll remove the cleaning tools and old restore points. Now is the time to tell me if you are still experiencing the problem you started with.
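    The startup checks Bobbye walks through above (the msconfig/uninstall list in the second post and the "unnecessary processes on boot" advice in this one) can be done as a read-only inventory. This is an added PowerShell example, not code from the thread or from any of the tools named in it; it assumes PowerShell 3 or later and uses only the names that appear in the thread as an illustrative watchlist.

```powershell
# Added example (not from the thread): read-only inventory of autostart entries
# and running antivirus services, flagging the names the helper called out.
# The watchlist and AV process names are taken from the thread; extend as needed.
$Watchlist   = @('win16dll', '44052', 'cae4.exe', 'PokerStars')
$AvProcesses = @('ccSvcHst', 'aswUpdSv')   # Symantec and Avast, the two AV products seen in the log

function Get-AutostartEntries {
    $entries = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Services set to Automatic start; the thread suggests switching unneeded ones to Manual
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }
    return $entries
}

function Test-Watchlisted {
    param([string]$Text)
    foreach ($w in $Watchlist) { if ($Text -like "*$w*") { return $true } }
    return $false
}

$entries = Get-AutostartEntries
Write-Host "Autostart entries found: $(@($entries).Count)"
$flagged = $entries | Where-Object { (Test-Watchlisted $_.Name) -or (Test-Watchlisted $_.Command) }
if ($flagged) {
    Write-Host "Entries matching the thread's watchlist (review before removing anything):"
    $flagged | Format-Table Source, Name, Command -AutoSize
} else {
    Write-Host "No watchlisted autostart entries found."
}

# Two antivirus engines running at once was the first thing the helper flagged
$running = Get-Process | Where-Object { $AvProcesses -contains $_.ProcessName } |
    Select-Object -ExpandProperty ProcessName -Unique
if (@($running).Count -gt 1) {
    Write-Host "WARNING: more than one antivirus product is running: $($running -join ', ')"
}
```

    Run it in an elevated Windows PowerShell session; it changes nothing, so the output can be attached alongside the HijackThis log for review.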
     
  5. schwein11


    Note that the only noticeable symptom (0xd1 BSOD) I was having disappeared at some point during the 8 steps.

    Kaspersky report is attached.
     
  6. schwein11


    Hm, was getting "invalid file" for the Kaspersky report (as HTML) when trying to attach it. I've copied and pasted what was found into a txt and attached it here.
     
  7. Bobbye


    It looks like your Norton has quarantined Trojan-Downloader.JS.Agent.hv1. Delete the contents of your antivirus program's quarantine folder.

    There is some discussion as to whether this finding actually is a Trojan, but since it's been quarantined, best to delete it.

    But you did have malware! IF the system is stable now, please delete the above and you can remove the cleaning tools and old restore points:

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing system restore points and establish a new clean restore point:
    Please let us know if we can be of any more help.
     
Topic Status:
Not open for further replies.
