TechSpot

Is my computer clean?

By jmyzik
Dec 24, 2008
  1. Hi everyone,

    I used to have this nasty thing which kept redirecting me to ad pages when I clicked on search result links in Google. I downloaded some malware removal programs and somehow managed to get rid of it. Or at least so it seemed. Today some of the symptoms reappeared:
    - when I start the system, after the desktop has loaded with all the icons, the bar at the bottom of the screen is still inactive for some time, i can't open the Start menu for example
    - the Avira AntiVir Guard is deactivated after the system startup
    - the Comodo icon does not appear automatically in the system tray (although the process is running)

    I followed the 8 steps, but the scanners have not found anything. Maybe you will be able to spot something in the Hijackthis log.

    Thanks for help and merry Christmas, of course :)

    Janusz
     


  2. gillianbrown

    gillianbrown Banned Posts: 141

    All your logs appear to be clean, though you really need to rename HijackThis.exe as follows.

    You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

    Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

    Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

    You can now close the HJT directory.

    I suggest you uninstall and reinstall both Avira AntiVir and Comodo as they may both have been damaged by the malware you had.

    Then, post a fresh HJT log after renaming HijackThis.exe as above.
     
  3. jmyzik

    jmyzik TS Rookie Topic Starter

    I've done as you advised (only this time I installed another firewall). This seems to have solved the problems with Avira and the firewall, but the startup is still unusually slow.

    Now here's the new log.

    Thanks for your help!
     
  4. gillianbrown

    gillianbrown Banned Posts: 141

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).


    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    O20 - AppInit_DLLs: karna.dat

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\WINDOWS\karna.dat
    C:\WINDOWS\system32\karna.dat

    Reboot your system and rehide your protected OS files.


    Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt

    Please post the Combofix log as well as a fresh HJT log.
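    The two indicators singled out in the post above, the orphaned O3 toolbar and the O20 AppInit_DLLs entry, can be picked out of a HijackThis log mechanically. The script below is an added example, not code from this thread or from HijackThis: it parses log lines in the "Onn - Type: details" shape quoted in the thread, flags those two entry types, and for every AppInit_DLLs file name given without a path it lists the two directories the Windows loader would try for a bare DLL name, which is why the helper asked for C:\WINDOWS\karna.dat and C:\WINDOWS\system32\karna.dat to be deleted. The sample log is constructed for the example (two lines are copied from the post; the O4 Avira line and the Windows install root are assumptions), and every function name is hypothetical.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# A HijackThis entry looks like "O20 - AppInit_DLLs: karna.dat":
# a section code, " - ", then an entry whose first ": " splits kind from detail.
_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# Assumed Windows install root (the thread's paths use C:\WINDOWS).
WINDIR = r"C:\WINDOWS"
# Directories the loader searches when AppInit_DLLs names a DLL without a path.
DLL_SEARCH_DIRS = (WINDIR + r"\system32", WINDIR)

# Constructed sample log; the O3 and O20 lines are the ones quoted in the post,
# the O4 line is an assumed benign Avira start-up entry.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: karna.dat
""".strip().splitlines()


@dataclass
class Finding:
    line: str       # the log line that was flagged
    reason: str     # why it matters
    paths: tuple    # on-disk locations to inspect or delete, if any


def parse_entry(line):
    """Return (section, kind, detail) for a HijackThis entry, or None for other text."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    kind, _, detail = m.group("rest").partition(": ")
    return m.group("section"), kind.strip(), detail.strip()


def appinit_targets(value):
    """Split an AppInit_DLLs value (space- or comma-separated) into DLL names and
    map each bare name onto the directories the loader would search for it."""
    names = [n for n in re.split(r"[,\s]+", value) if n]
    paths = []
    for name in names:
        if "\\" in name:                      # already a full path
            paths.append(name)
        else:
            paths.extend(d + "\\" + name for d in DLL_SEARCH_DIRS)
    return names, tuple(paths)


def triage(lines):
    """Flag O20 AppInit_DLLs entries and orphaned or unnamed O3 toolbars."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, kind, detail = parsed
        if section == "O20" and kind == "AppInit_DLLs" and detail:
            names, paths = appinit_targets(detail)
            findings.append(Finding(
                line.strip(),
                "AppInit_DLLs injects %s into every process that loads user32.dll"
                % ", ".join(names),
                paths))
        elif section == "O3" and ("(no file)" in detail or detail.startswith("(no name)")):
            findings.append(Finding(line.strip(),
                                    "toolbar registration with no name or no backing file",
                                    ()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        print("  ->", f.reason)
        for p in f.paths:
            print("  check/delete:", p)
```

    Entries that do not contain ": " (the R0 line, for instance) still parse, with the whole text kept as the kind and an empty detail, so the parser does not choke on the lines it is not looking for. A non-empty AppInit_DLLs value is worth attention on its own: legitimate software rarely needs it, and a DLL there is loaded by Windows into nearly every GUI process at startup, which matches the slow, half-responsive desktop described at the top of the thread.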
     
  5. jmyzik

    jmyzik TS Rookie Topic Starter

    Here are the logs you requested. Unfortunately the symptoms I described earlier have not gone away.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Some assistance if you don't mind. You have to temporarily disable Real Time Monitoring to run the scans. For you, this means disabling the Spybot TeaTimer:

    To Disable Spybot's TeaTimer
    I would also like to have you run Malwarebytes again- in English:
    http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

    It also appears that at some time you had Symantec/Norton security. You may have uninstalled it but there are still three processes loading:
    Please handle this as follows:
    Download the Norton Removal Tool and Save it to your desktop- don't run yet:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Boot the computer into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK

    Double click on the setup for the Norton Removal and run.
    When finished, reboot the machine into Normal Mode.

    Please do the Malwarebytes scan (in English) and rescan with HijackThis with Teatimer off. Attach both logs.

    Question: can you identify this from the HijackThis log?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
     
  7. gillianbrown

    gillianbrown Banned Posts: 141

    Your HJT log is clean.

    Please do the following.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this:

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
     
  8. jmyzik

    jmyzik TS Rookie Topic Starter

    I attach the new logs.

    The Norton Removal Tool seems not to have done the job - I ran it successfully, but these items are still in the Hijackthis log.

    "Łącza" is Polish for "Links" - it's a standard IE toolbar containing links to Hotmail, Windows Media etc.
     
  9. gillianbrown

    gillianbrown Banned Posts: 141

    Your logs are now clean.

    Unless you're still having problems, you should be good to go.

    If you're not having any problems, then please do the following.


    Please download OTMoveIt by OldTimer (OTMoveIt.exe), unzip it and place it on your desktop.

    1. Double click OTMoveIt.exe to launch it.
    2. Click on the CleanUp! button.
    3. OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. You will be prompted to allow the clean up procedure, click Yes
    5. When finished exit out of OTMoveIt
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I still don't know if this is a legitimate entry in the HijackThis log:
    I found a similar entry on a different log:
    The entry appears to be Polish in origin. IF it is your link, no problem. If it is not, it should be removed. I can't identify it.

    For the Symantec entries:
    BEFORE you run the removal tool, do this:
    Open IE> Tools> Manage add-ons. find, highlight and disable the entry for this:
    webdl.symantec.com/activex/symdlmgr.cab
    I'm not sure how it's listed, but should be recognizable from the above.

    Then: Start> Run> services.msc> right click on this Service- however it's listed:
    Harmonogram automatycznej usługi LiveUpdate\ALUSchedulerSvc.exe > Properties> Set the Startup Type to Disabled> Stop the Service

    When done, after removing the cleanup tools with OTCleanIt:
    Clear your existing System Restore points and establish a new clean restore point:
    NOW run the Norton Removal Tool.
     
  11. jmyzik

    jmyzik TS Rookie Topic Starter

    Everything's working fine now :) Thanks for your help!

    Janusz
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. No final HijackThis log?
     
Topic Status:
Not open for further replies.
