TechSpot

Followed 8 step Viruses/Spyware/Malware Removal, need confirmation of logs

By kyleM5214
Dec 21, 2009
  1. Hey guys,

    I'm new to this site, and this will be the first time I've ever posted anything on a forum, so if I'm breaking any rules I apologize; please let me know. I have run the 8 steps to remove viruses and malware. My system had only Malwarebytes on it, and it detected a Rootkit.Agent. I ran the 8 steps, found I had much more, and have cleaned it out. Now I have Avira, SuperAntiSpyware and CCleaner on my system, but I need someone to help me understand my HijackThis log and whether there is anything I should remove from it, as I have taken no action on it. One particular entry that disturbs me is an R1 entry that has Proxy Override in it, as I do not have specific proxy settings. Any help would be much appreciated.

    Here are my logs after the cleaning. Please don't be alarmed if the HijackThis log is not titled as it would normally be; I elected to save it under a name from which I could recognize the date. Thank you again.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot Kyle. My apology for the delay.

    P2P Warning:
    I notice that you have C:\Program Files\uTorrent\uTorrent.exe.
    And you have ut loading on startup:
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

    This is a P2P program. P2P (person to person) programs are also called 'file sharing' programs.
    In earlier computer days, these programs did not pose much threat. But as they progressed, so did the dangers of using them. For that reason, we do not permit discussion of this type of program, nor do we support it. The exception is to suggest you uninstall any P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Running a P2P program while trying to clean a system is a contradiction.
     
  3. kyleM5214

    kyleM5214 TS Rookie Topic Starter

    I understand, I will do so immediately and repost all my logs. Thank you for your reply.
     
  4. kyleM5214

    kyleM5214 TS Rookie Topic Starter

    Hey guys so here are the reports after removing the p2p program.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Kyle, the logs are clean. Are you having any system problems that were related to the malware? I do advise that you get at least one more spyware/adware program and a firewall. Here are some recommendations:

    Firewall: Use a good, bi-directional firewall (one software firewall)
    See Understanding and Using Firewalls including links to download a firewall.

    We frequently recommend Comodo or ZoneAlarm

    Anti-malware (spyware/adware):
    Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

    It would be best to also run an online AV scan now, just to make sure the system is clean:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Attach the Eset log to your next reply. If it's clean and if the original problems have been resolved, I'll have you remove the cleaning tool and old restore points.
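The HOSTS-file mechanism mentioned above (names redirected to 127.0.0.1 never leave the machine) is easy to see in code. The following is an added example, not part of the thread or of the MVPS project: it parses a HOSTS file in the standard layout and lists which names it sinkholes. The sample file content is constructed; the blocklist names in it are placeholders, not real ad domains.

```python
"""Parse a HOSTS file and report which hostnames it redirects to the local machine."""

# Constructed sample in HOSTS-file layout. The blocklist names are placeholders
# (*.test is reserved for exactly this purpose), not entries from any real list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# --- blocklist section (constructed example) ---
127.0.0.1  ads.example-adserver.test   # trailing comment is ignored
127.0.0.1  tracker.example.test  www.tracker.example.test
0.0.0.0    malware-drop.example.test
"""

# Addresses that point back at the machine itself; a name mapped here cannot reach its real host.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the file resolves it to.

    A line is '<address> <name> [<name> ...]' with an optional '#' comment;
    blank and comment-only lines are skipped. A later line for the same name wins,
    which mirrors how a replaced HOSTS file overrides earlier entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def blocked_names(mapping):
    """Names the file sinkholes, excluding 'localhost', which legitimately maps to the loopback."""
    return sorted(
        name for name, address in mapping.items()
        if address in SINKHOLE_ADDRESSES and name != "localhost"
    )


def is_blocked(mapping, hostname):
    """True if connecting to hostname would be redirected to the local machine."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in blocked_names(hosts):
        print(f"{name} -> {hosts[name]}")
```

On a real system you would read C:\Windows\System32\drivers\etc\hosts instead of the constructed string; the same parser applies, and comparing its output against a known-good copy is a quick way to spot entries you did not add.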
     
  6. kyleM5214

    kyleM5214 TS Rookie Topic Starter

    Hey there Bobbye,

    I scanned with Eset and it found 2 negligible threats on my D: partition, whose files I have now removed, but otherwise it found nothing else. Here is my log. So just to be clear about the HijackThis log I posted earlier, you saw that R1 entry that reads "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local"? Is that anything to be concerned about?


    Thank you for your time and effort :D.
    PS. ESET log is attached just forgot to relabel it.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    R1 entry is fine.


    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      D:\Kyle's Files\Miscalaneous\USBStuff\MSN Polygamy\msnpolygamy-universalpatch(www.mess.be).zip	
      D:\Kyle's Files\Miscalaneous\USBStuff\MSN Polygamy\msn_messenger_polygamy_5.exe	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------

    The MSN file indicates a patch or code was used to modify the program to be used by more than one user. So whatever system shared it will also have this malware.

    Run Eset again to make sure the files were moved.
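The R1 and O4 lines discussed in this thread are plain text, so the judgement Bobbye applied (a ProxyOverride of *.local is the normal Windows "bypass proxy for local addresses" setting; an O4 line is a program that starts with Windows and the owner should recognise it) can be written down as a small triage script. The following is an added example, not part of the thread and not HijackThis's own code. The sample log is constructed: the ProxyOverride and uTorrent lines are the two quoted in the thread, while the ProxyServer line and the second O4 line are made up to show an entry a helper would ask about and a second startup program. The `user_configured_proxy` flag is an assumption of this example.

```python
"""Parse HijackThis-style R1/O4 log lines and classify them the way this thread did."""
import re

# Constructed sample in HijackThis log format. Only the first and third lines come from
# the thread; the proxy server address and the 'ExampleAV' startup entry are placeholders.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 198.51.100.7:8080
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Program Files\\uTorrent\\uTorrent.exe"
O4 - HKLM\\..\\Run: [ExampleAV] "C:\\Program Files\\ExampleAV\\tray.exe" /min
"""

# R1: '<registry key>,<value name> = <data>'
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^ =]+) = (?P<data>.*)$")
# O4: '<hive>\..\<run key>: [<entry name>] <command line>'
O4_RE = re.compile(
    r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<runkey>[\w ]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)


def parse_entries(text):
    """Turn each non-empty log line into a dict keyed by its HijackThis section code."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        match = R1_RE.match(raw)
        if match:
            entries.append({"section": "R1", "raw": raw, **match.groupdict()})
            continue
        match = O4_RE.match(raw)
        if match:
            entries.append({"section": "O4", "raw": raw, **match.groupdict()})
            continue
        # Any other section: keep the code and the line so nothing is silently dropped.
        entries.append({"section": raw.split(" ", 1)[0], "raw": raw})
    return entries


def executable_path(command):
    """Strip quotes and trailing arguments from an O4 command line, leaving the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(entries, user_configured_proxy=False):
    """Classify entries: 'ok' needs no action, 'review' deserves a question, 'info' is context.

    user_configured_proxy is an assumption of this example: set it True only if the machine's
    owner knowingly configured a proxy server, otherwise a ProxyServer value is flagged.
    """
    findings = []
    for entry in entries:
        if entry["section"] == "R1" and entry.get("value") == "ProxyOverride" and entry["data"] == "*.local":
            findings.append({"level": "ok", "raw": entry["raw"],
                             "note": "default 'bypass proxy server for local addresses' setting"})
        elif entry["section"] == "R1" and entry.get("value") == "ProxyServer":
            level = "ok" if user_configured_proxy else "review"
            findings.append({"level": level, "raw": entry["raw"],
                             "note": f"proxy server set to {entry['data']}; confirm you configured it"})
        elif entry["section"] == "O4":
            findings.append({"level": "info", "raw": entry["raw"],
                             "note": f"starts with Windows: {entry['name']} -> {executable_path(entry['command'])}"})
        else:
            findings.append({"level": "info", "raw": entry["raw"], "note": "unclassified"})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(f"[{finding['level']:6}] {finding['note']}")
```

The point of the O4 handling is the same one Bobbye made about uTorrent: every O4 line is something that runs at logon, so listing the resolved executable paths gives the owner a short list to recognise or question.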
     
  8. kyleM5214

    kyleM5214 TS Rookie Topic Starter

    Here we go Bobbye,

    As requested I ran OTM with the code you gave me and Eset, and it seems to be all good for now. Thank you for your help, I really appreciate it; here are the logs. If there's anything else I should do please let me know.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    One more Kyle:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Attach the report from Combofix on next reply.
     
  10. kyleM5214

    kyleM5214 TS Rookie Topic Starter

    Hey Bobbye,
    I downloaded ComboFix and named it as you said, but when I run it, it shows ComboFix and a little bar runs across and then disappears, and nothing else happens. No ComboFix folder or log is created in C:. I did, however, discover a folder named "32788R22FWJFW" inside of which is a bunch of random files, including DOS batch files, and there are a couple of executables with combo-fix attached to the name. Not sure what's going on here.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Now try the install and scan again. Be sure to follow the naming instructions. See Post 9.
     