TechSpot

finished removal processes, log files attached

By Maureen
Jul 1, 2007
  1. Hope I got all the junk out. The only problem I encountered was that I couldn't turn off System Restore before safe mode; it said it encountered an error trying to disable one or more drives and to restart and try again, but it still wouldn't let me. I hope it isn't restoring all the bad stuff back.
    Also ran rootkit; it was clean, no rootkits installed.
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Step 1:

    Navigate to virusscan.jotti.org.

    Enter the following into the text box at the top of the page.

    C:\Program Files\TTC.dll

    Click the Submit button.

    Then do the same with the following:

    C:\WINDOWS\system32\S4\iasdll.exe

    Please post the results here.

    Step 2:

    Run HJT with no other programs open and do a system scan. Place a check in the box next to the following entries (if there):

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)

    O2 - BHO: (no name) - {E11D9DDB-5E8A-4857-899E-A95BB8FFAED8} - \

    Click the Fix Checked button. Close HJT.

    Step 3:

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job.

    Step 4:

    You are running an outdated version of HJT. Please follow the instructions here to obtain the newest version.

    Step 5:

    Post fresh HJT, ComboFix, and AVG Anti-Spyware logs, as well as the results of the Jotti virus scan.

    Regards :)

    This thread is for the use of Maureen only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
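
An added example (not part of kitty500cat's post and not HijackThis code): a small Python parser for the `O2 - BHO` line format quoted in Step 2 that picks out entries whose target is absent, marked missing, or not a full path. The "Example Helper" entry and the O4 line in the sample are constructed, and the status labels are this example's own.

```python
import re

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <target>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)
# A usable target is a full drive path such as C:\dir\file.dll
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\].*")
MISSING = "(file missing)"

def classify_bho(line):
    """Return (clsid, target, status) for an O2 line, or None for other lines."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    if target == "(no file)":
        status = "no-file"            # registry entry with no DLL behind it
    elif target.endswith(MISSING):
        target = target[: -len(MISSING)].rstrip()
        status = "file-missing"       # path recorded, file gone from disk
    elif not DRIVE_PATH_RE.match(target):
        status = "malformed-path"     # e.g. a bare backslash
    else:
        status = "not-flagged"        # the log did not mark it as missing
    return m.group("clsid").upper(), target, status

def orphaned_bhos(log_text):
    """List every O2 entry that no longer points at a real file."""
    results = (classify_bho(line) for line in log_text.splitlines())
    return [r for r in results if r and r[2] != "not-flagged"]

# Constructed sample: the three O2 lines from Step 2 plus two made-up lines.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {E11D9DDB-5E8A-4857-899E-A95BB8FFAED8} - \
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for clsid, target, status in orphaned_bhos(SAMPLE_LOG):
        print(f"{status:15} {clsid} {target}")
```
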
     
  3. Maureen

    Maureen TS Rookie Topic Starter

    new logs

    I have attached all the new logs, and the file I checked, TCCdll. I couldn't find the other file in windows/system32/s4; there are no s-number files. Could they have been quarantined and deleted? I have noticed some of my programs are acting funny, like Sonic and IE.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I suspect you did not execute the Combofix-Do instructions properly. Please follow these instructions carefully.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release. (drag the .txt icon over on to the exe icon)

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply. Also attach a fresh HijackThis log.


    Regards,
    Your friendly momok =)

    This thread is for the use of Maureen only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Maureen

    Maureen TS Rookie Topic Starter

    I downloaded the file and dragged it on top of combofix.exe; it said please wait, then went off screen. I ran combo fix exe after that and attached both files. Is that what is supposed to happen?
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Something could be wrong with combofix. Let's use avenger for now.

    Please follow these instructions carefully.

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh ComboFix log.


    Regards,
    Your friendly momok =)

     
  7. Maureen

    Maureen TS Rookie Topic Starter

    Here are the new log files. I read the Avenger one; it said some failed to delete. I hope it worked.
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download my attachment "script2.txt" and save it to desktop.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    SystemDoctor 2006

    I would like you to run avenger again, this time using the "script2.txt" from my attachment.

    Also, set your next reboot to normal mode so that when avenger reboots, it boots into normal mode. (via the same ms-config utility that you used to set your system to safe boot up)

    Rehide your system files after the reboot.

    Once again, please post C:\avenger.txt and a fresh Combofix log in your next reply. Thank you.


    Regards,
    Your friendly momok =)

     
  9. Maureen

    Maureen TS Rookie Topic Starter

    Didn't see any programs for SystemDoctor, did everything else, new files attached, thanks.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply. Also attach a fresh HijackThis log in your next reply.


    Regards,
    Your friendly momok =)

     
  11. Maureen

    Maureen TS Rookie Topic Starter

    I finally got the combo txt file thing to work. It wouldn't let me run it from a folder; I put them both on the desktop and then it ran fine. Both requested log files attached, thanks.
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Well done, your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\avenger and C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  13. Maureen

    Maureen TS Rookie Topic Starter

    Thanks for helping me, this must get old for you after a while :)

    I still can't disable my System Restore though; it still gives the error about disabling one or more drives.

    And I think I lost some random files somewhere; still checking for damage. I know the comp shuts down randomly while online, but not if I disable the connection. I'll keep reading up. I'm finding all sorts of tidbits here. That link alone about the user habits was good.
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    If you believe you have had some system files destroyed/corrupted by your infections, it would be good to do a system repair.

    For information on how to repair your Windows XP/2000 system files, please see HERE.

    Hope it solves the problems for you.


    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
