TechSpot

Health check

By Frustated
Jun 23, 2009
  1. Could somebody please help? I have had a packed rolex problem, which seems to have stopped after following the 8 step rule. Could somebody please have a look at the attached log files and give any advice on whether my PC is now free from infections.

    Thanks for your time.

    Frustrated
     

    Attached Files:

  2. ChrisDown

    ChrisDown TS Rookie Posts: 125

    The following looks like it is just a left over entry from the infection, you can safely remove it:

    Code:
    O23 - Service: ujs46r5y3hjq3tejetushti8w4asa80 - Unknown owner - \ujs46r5y3hjq3tejetushti8w4asa81.exe (file missing)
    lich.exe looks interesting, although the file doesn't exist; again, probably a leftover.

    After any infection like this, I always run ComboFix.

    Could you please download ComboFix from here, rename it to a few random letters (to stop malware noticing it), and then run it? The log that ComboFix produces should give more of an idea of what is going on, and ComboFix may even be able to remove more of the offending malware (if it is still there).

    Please do not click on the ComboFix window itself -- the program has been known to stall on occasions if you do this.

    After you're done, please upload the log. Thanks. :)
     
  3. Frustated

    Frustated TS Rookie Topic Starter

    Thanks for taking the time to view the post, I will follow the instructions.
     
  4. Frustated

    Frustated TS Rookie Topic Starter

    Combofix log

    Please could you advise on the log results.

    Many thanks for your time.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to help out here as the logs have not been checked.

    Your system has been badly infected. Mbam has removed much of it. The restore points are infected with SmitFraud. Do NOT use System Restore. When the system is clean, the old restore points will be dropped.

    You are using a file sharing program, Azureus, now called Vuze: BitTorrent Client. As long as you use these types of programs, you are going to get malware. It is suggested that you uninstall it.

    It also appears you are using a program called RegFix Prop which is doing backups. The backups have malware. Please disable this program now.

    You also have tmp files with malware- this should have been cleaned when you used CCleaner- if you used it per the removal steps.

    Please reopen the HijackThis to 'do system scan only'.
    Put a check by the following processes> NOTE: Do not click on Fix Checked until you have put all the checks in:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
    O23 - Service: lich - Unknown owner - C:\WINDOWS\DUALXP\system32\lich.exe (file missing)
    O23 - Service: ujs46r5y3hjq3tejetushti8w4asa80 - Unknown owner - \ujs46r5y3hjq3tejetushti8w4asa81.exe (file missing)

    Now close all Windows except HijackThis and click on 'Fix Checked'

    Boot into Safe Mode
    [*] Restart your computer and start pressing the F8 key on your keyboard.
    [*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Do the following:

    [1] Start> Run> type in services.msc> right click on each Service below> Properties> Set Startup type to Disabled> Stop the Service:
      Service: lich - Disable (This may be for WOW but it isn't correctly configured)
      Service: ujs46r5y3hjq3tejetushti8w4asa80 - Disable

    [2] Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK the following if found:
      Any Ask bar related entries

    [3] Control Panel> Add/Remove Programs> UNINSTALL any Ask Bar entries

    [4] Right click on Start> Explore> Windows> system32> right click on lich.exe> delete

    [5] Right click on Start> Explore> Programs> right click on the Ask folder> Delete.

    Reboot into Normal Mode. NOTE: ignore and close the nag message after checking 'Don't show this message again.' Stay in Selective Startup.

    Empty the Recycle Bin when through.
    Please UPDATE Malwarebytes and run new scan> attach log.
    Please rescan with HijackThis and attach new log.
    Please run full system scan with AVG> save log> attach to next reply.

    Question: Are you dual-booting with Windows XP?
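A small triage helper for HijackThis-style entries like the ones quoted in ChrisDown's and Bobbye's posts, added here as an illustration; it is not code from either poster or from HijackThis. The sample lines are constructed from the entries above plus one invented benign service for contrast, and the flagging rules (services with "(file missing)", search hooks with "(no file)", Ask toolbar redirect URLs, random-looking service names) are assumptions drawn from what this thread treats as leftovers.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread
# (not a real log; the last O23 line is an invented benign service for contrast).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O23 - Service: lich - Unknown owner - C:\WINDOWS\DUALXP\system32\lich.exe (file missing)
O23 - Service: ujs46r5y3hjq3tejetushti8w4asa80 - Unknown owner - \ujs46r5y3hjq3tejetushti8w4asa81.exe (file missing)
O23 - Service: ExampleSvc - Example Corp - C:\Program Files\Example\svc.exe
"""

# Search-redirect hosts the thread treats as unwanted (Ask toolbar); assumption.
UNWANTED_SEARCH_HOSTS = {"toolbar.ask.com"}

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.*)$")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a long single token mixing letters and digits."""
    return (len(name) >= 16 and " " not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(log_text: str):
    """Return (rule, entry) pairs for entries matching the leftover/unwanted
    patterns discussed in the thread; everything else is left for a human."""
    findings = []
    for line in log_text.splitlines():
        entry = line.strip()
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O23":
            svc = SERVICE_RE.match(body)
            if body.endswith("(file missing)"):
                findings.append(("orphaned-service", entry))
            if svc and looks_random(svc.group("name")):
                findings.append(("random-service-name", entry))
        elif section == "R3" and body.endswith("(no file)"):
            findings.append(("orphaned-urlsearchhook", entry))
        elif section == "R1":
            url = URL_RE.search(body)
            if url and url.group("host") in UNWANTED_SEARCH_HOSTS:
                findings.append(("unwanted-search-redirect", entry))
    return findings
```

Running `triage(SAMPLE_LOG)` flags both "(file missing)" services, the random-looking service name, the "(no file)" search hook and the Ask redirect, and leaves the ProxyOverride line and the invented benign service alone.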
     
  6. Frustated

    Frustated TS Rookie Topic Starter

    Ok, firstly thanks for your time Bobbye. I have tried to follow the instructions to my best ability. The system now shows no bugs or infections after re-scans; here are the new log files. Could you please take a look?

    Many thanks
     