TechSpot

Getting close? 7 steps of 8

By BrianMT
Dec 3, 2008
  1. Hi all. Big thanks in advance to anybody who can help run me through this. I've followed 7 of the 8 steps to the letter --- I seem to be prevented from updating Java somehow, though I did uninstall the old version using the remove programs menu. Only other symptom seems to be a general slowness. Here are my logs.

    Big, big thanks again.
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Some concerns in your HJT log sadly :(

    Try these easy steps first

    CCleaner (some strange Temp stuff needs to be removed)
    Norton removal tool (unless you have symantec stuff installed, but it's running anyway)
    Restart
    Malwarebytes (Yes I know it's been run already, but trust me, update it, and run it again)
     
  3. BrianMT

    BrianMT TS Rookie Topic Starter

    Done and done. Thanks a million. Here are new logs. Perhaps I'm inching my way forward?
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Update both below even if you did it already today, and run:

    1st SAS we have no log
    2nd MBAM get new log to confirm it is in fact clean now and finds nothing else.
    3rd After above new HJT log.

    Mike
     
  5. BrianMT

    BrianMT TS Rookie Topic Starter

    Any guess as to why I can't seem to update Malwarebytes (or SAS, for that matter) from using the software's update tab? It just won't connect to either of the offered mirror sites (tried taking down my Windows Firewall to see if that made a difference -- no dice).

    Yesterday I updated the database at gt500.org, but it's a version 1442 that's up there now and some Googling suggested to me there's already a 1443...
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  7. BrianMT

    BrianMT TS Rookie Topic Starter

    Nice. Mom always told me I was special. For the record, I can run both programs, just can't seem to update without separately downloading and installing the new ones. Still cool for me to follow the procedure on the link?

    Thanks thanks thanks...

    Hmm... Followed through with the instructions re: TDSSserv.sys. It's disabled, I've restarted, double-checked it. Still unable to update MBAM or SAS using their respective Update tabs.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well that "read here" link above should work
    But I've had users also say that they needed to rename Malwarebytes executable (mbam.exe), like to MBAM2 or something
    It's found here: Start->Run-> C:\Program Files\Malwarebytes' Anti-Malware
     
  9. BrianMT

    BrianMT TS Rookie Topic Starter

    Yeah, no dice. I click "Check for Updates," I get a window telling me "Looking for SecurityWonks.net (or Malwarebytes.org)" ... then nothing. The window stays for as long as I care to leave it open with no movement in the status bar. SAS tells me, "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE.exe from accessing the Internet." But I'm running no firewall at the moment. This is maybe related to why I can't download the Java Installer?

    Again, though, I was able to separately download each of the most recent definitions databases just fine, then run and install them from the desktop. Just can't seem to connect from "inside" either program.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hmm

    That special link above, also has a reply by another member
    And in his big reply you should see some blue writing, this is clickable
    Please click it, then locate the "Fixit" file
    Download it, and run it

    No it's not the Firewall off issue
     
  11. BrianMT

    BrianMT TS Rookie Topic Starter

    Check. It gave me the attached two logs and two shortcuts that don't lead anywhere when I try to proceed with the instructions on that page (runmbam.exe and sas.exe).
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Now do they update :confused:
     
  13. BrianMT

    BrianMT TS Rookie Topic Starter

    Aha. No, Fixit had no effect, but I'm getting somewhere. I opened Internet Explorer (which I usually don't do --- been conducting this through Safari and Firefox) and I was told I was offline. Was prompted to connect or remain offline (despite an otherwise functioning wireless connection). I chose connect, and I can now update both pieces of software properly (and install Java).

    As an added symptom, though, I now notice that embedded images are not appearing at all in Explorer. I don't use Explorer anyway, but that's probably not normal, huh?

    I'm running the requested (above) scans again, and I'll post the logs shortly...
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Enter the Fixes folder and attach the bfu.log.

    Mike
     
  15. BrianMT

    BrianMT TS Rookie Topic Starter

    Here are the three logs asked for above.

    BFU.exe (the "Brute Force Uninstaller") did run when I extracted the FixIt folder and followed Fixit.cmd, but no such bfu.log appears in here now. The BFU restarted Windows when it was through, and when I returned to my desktop, it had on it the two logs and the two shortcuts I mentioned above. That's it, though (unless this bfu.log could be elsewhere, but I ran a search for it with no results).

    Sorry this is turning out to be so complex. For what it's worth, images are still not appearing in Explorer, though other browsers seem to be having no trouble.
     
  16. BrianMT

    BrianMT TS Rookie Topic Starter

    For what it's worth, I just ran another SAS --- just for fun --- and found another handful of infections. So here's that log, too.
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Brian

    OK, you are getting somewhere at least.

    Do the below steps and post the logs. If one doesn't run and the other does, then after the one that does, go back to the first after a reboot.
    ----------------------------------------------------------------------------------------------------------------------------------
    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.
    ----------------------------------------------------------------------------------------------------------------------------------

    When above is complete

    Download SDFix to Desktop; among other things it includes Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike
     
  18. BrianMT

    BrianMT TS Rookie Topic Starter

    Thanks Mike, et al. Here are some logs.

    I checked in on Internet Explorer, and for what it's worth, it's displaying images again. I've decided that's probably a good thing.
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, run HJT Scan Only, select and remove the below entries:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - AppInit_DLLs: anfhoa.dll

    Then Combofix again to confirm clean. Post that log then.....

    UPDATE SAS and run it again. It should be clean this time! Post me a clean log!

    Mike
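    The two HJT entries above are the kind a helper flags by eye: an O20 AppInit_DLLs value naming a DLL that every user32-linked process would load, and an O9 toolbar button whose file is gone. As an added example that is not part of this thread, here is a small Python triage script that parses HijackThis-style log lines and reports those two patterns. The sample log lines are constructed for the example (the benign O4 and O2 entries are typical Windows XP entries, not from the poster's log); the rules are illustrative and a hit means "review this entry", not "this is malware".

    ```python
    import re
    from dataclasses import dataclass
    from typing import List

    # Constructed sample in HijackThis format. The O9 and O20 lines are the two
    # entries the thread asked to remove; the others are typical benign entries
    # added for contrast.
    SAMPLE_HJT_LOG = "\n".join([
        "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
        "C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
        "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
        "O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
        "O20 - AppInit_DLLs: anfhoa.dll",
        "O23 - Service: Example AV Guard (ExampleSvc) - Example Vendor - C:\\Program Files\\Example\\guard.exe",
    ])

    # Every HJT entry starts with its section id (O2, O4, ..., O23) followed by " - ".
    ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


    @dataclass
    class Finding:
        section: str   # HJT section id, e.g. "O20"
        line: str      # the full log line that triggered the finding
        reason: str    # why a reviewer should look at it


    def parse_entries(log_text: str) -> List[tuple]:
        """Return (section, body) pairs for every HJT entry line; other lines are ignored."""
        entries = []
        for raw in log_text.splitlines():
            m = ENTRY_RE.match(raw.strip())
            if m:
                entries.append(m.groups())
        return entries


    def triage_hjt(log_text: str) -> List[Finding]:
        """Flag entries a helper would review: orphaned references and AppInit_DLLs loads."""
        findings: List[Finding] = []
        for section, body in parse_entries(log_text):
            line = f"{section} - {body}"

            # AppInit_DLLs is normally empty. Anything listed here is injected into
            # every process that loads user32.dll, so a bare, unfamiliar DLL name
            # deserves a look (some legitimate software does use this value).
            if section == "O20" and body.startswith("AppInit_DLLs:"):
                dlls = body.split(":", 1)[1].strip()
                if dlls:
                    findings.append(Finding(section, line,
                        f"AppInit_DLLs loads {dlls!r} into every user32-linked process"))

            # "(no file)" means the registry still references a path that no longer
            # exists: either leftover from a removed program or a partially cleaned
            # infection. Either way the entry is dead weight and safe to remove.
            if body.endswith("(no file)"):
                findings.append(Finding(section, line,
                    "entry references a file that is no longer on disk"))
        return findings


    def flagged_sections(log_text: str) -> List[str]:
        """Convenience wrapper: just the section ids of the flagged entries, in log order."""
        return [f.section for f in triage_hjt(log_text)]


    if __name__ == "__main__":
        for f in triage_hjt(SAMPLE_HJT_LOG):
            print(f"[{f.section}] {f.reason}\n    {f.line}")
    ```

    Run against the constructed sample it reports exactly the O9 and O20 lines and leaves the O2, O4 and O23 entries alone. The "(no file)" rule is applied to every section rather than only O9 because HJT uses that marker uniformly, so the same check catches orphaned O2 BHOs or O4 Run entries in other logs.
    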
     
  20. BrianMT

    BrianMT TS Rookie Topic Starter

    >> Post me a clean log!

    I'm trying, brother, I'm trying. So close. SAS found two tracking cookies, but no more rootkits.
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    Looks like you did it!:cool:

    So lets take one more deep look at the system.

    Download RSIT
    http://images.malwareremoval.com/random/RSIT.exe

    Run it, when finished it will open a log Maximized on the screen, copy/paste the contents of this log back here then close that log.

    Then the 2nd log is Minimized so Max it and post it also.
    The logs will contain a HijackThis log also, so no need to paste another.

    Mike
     
  22. BrianMT

    BrianMT TS Rookie Topic Starter

    Oh, this is exciting. Okay, here they are (attached instead of pasted, since they far surpass the character count).
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    You are so clean you squeak!

    Great job!

    Browse here and delete this: C:\Documents and Settings\All Users\Application Data\NortonInstaller

    Might want to look at: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    Below is some cleanup of the tools we used, as they need to be re-downloaded if needed again.

    Thread closing-------------------------------------------------------------------
    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet; allow all.

    If prompted to Reboot click Yes.
    OTCleanit will delete itself when finished, if not delete it by yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    -------------------------------------------------------------------------------------
    The issues found are in System Restore, so do the below:

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
    Hostman http://www.abelhadigital.com/2008/07...-released.html

    A Disk scan and Defrag are in order.

    Mike
     
  24. BrianMT

    BrianMT TS Rookie Topic Starter

    Beautiful! I owe it all to you and kimsland. Name a favorite charity for me, and I'll make a modest donation in your honor. I will follow all of the above steps and keep up with Avira, SAS, and MBAM religiously for a couple weeks. Big, big thanks again!
     
  25. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    :grinthumb .
     
Topic Status:
Not open for further replies.
