Is my computer clean?

Status
Not open for further replies.
Hi everyone,

I used to have this nasty thing which kept redirecting me to ad pages when I clicked on search result links in Google. I downloaded some malware removal programs and somehow managed to get rid of it. Or at least so it seemed. Today some of the symptoms reappeared:
- when I start the system, after the desktop has loaded with all the icons, the bar at the bottom of the screen is still inactive for some time, I can't open the Start menu for example
- the Avira AntiVir Guard is deactivated after the system startup
- the Comodo icon does not appear automatically in the system tray (although the process is running)

I followed the 8 steps, but the scanners have not found anything. Maybe you will be able to spot something in the Hijackthis log.

Thanks for help and merry Christmas, of course :)

Janusz
 

Attachment: mbam-log-2008-12-25 (00-23-50).txt
All your logs appear to be clean, though you really need to rename HijackThis.exe as follows.

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

I suggest you uninstall and reinstall both Avira AntiVir and Comodo as they may both have been damaged by the malware you had.

Then, post a fresh HJT log after renaming HijackThis.exe as above.
 
I've done as you advised (only this time I installed another firewall). This seems to have solved the problems with Avira and the firewall, but the startup is still unusually slow.

Now here's the new log.

Thanks for your help!
 
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following by placing a tick in the little box next to each (if there).


O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O20 - AppInit_DLLs: karna.dat

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or folders (if there).

C:\WINDOWS\karna.dat
C:\WINDOWS\system32\karna.dat

Reboot your system and rehide your protected OS files.


Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Please post the Combofix log as well as a fresh HJT log.
 
Some assistance if you don't mind. You have to temporarily disable real-time monitoring to run the scans. For you, this means disabling the Spybot TeaTimer:

To Disable Spybot's TeaTimer
* Run Spybot and click Mode in the top menu
* Select Advanced Mode.
* Then expand the Tools selection in the left pane by clicking on it.
* Now in the left pane Resident.
* Now in the right window pane, uncheck TeaTimer. Keep the Resident "SDHelper" option checked.
* Now quit Spybot and REBOOT your PC.

I would also like to have you run Malwarebytes again- in English:
https://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

It also appears that at some time you had Symantec/Norton security software. You may have uninstalled it, but there are still three processes loading:
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
(this is for Symantec and was previously told to remove, but it will come back until you complete the uninstall.)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
Please handle this as follows:
Download the Norton Removal Tool and Save it to your desktop- don't run yet:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Boot the computer into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK

Double click on the setup for the Norton Removal and run.
When finished, reboot the machine into Normal Mode.

Please do the Malwarebytes scan (in English) and rescan with HijackThis with Teatimer off. Attach both logs.

Question: can you identify this from the HijackThis log?
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
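
The O3/O20 entries fixed in the reply before this one and the O16/O23 Symantec entries quoted just above are the kind of HijackThis lines a helper triages by eye. As an added example (not part of this thread and not code from HijackThis or its author), here is a small Python script that parses such lines and flags the patterns the replies are looking for: entries whose file is missing, nameless toolbars, a non-empty AppInit_DLLs value (Windows loads every name listed there into each process that loads user32.dll, whatever the file extension, which is why karna.dat is suspicious), ActiveX download (DPF) entries, and services with an unknown owner. The sample log is constructed from the lines quoted in this thread plus one made-up header line; the flag names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the HijackThis lines quoted in this thread, plus one
# header line to show that non-entry lines are ignored. Not a real full log.
SAMPLE_LOG = r"""
Platform: Windows XP (constructed header line)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""


@dataclass
class HjtEntry:
    section: str                                  # HJT section code, e.g. "O20"
    body: str                                     # everything after "O20 - "
    flags: List[str] = field(default_factory=list)


# HJT lines look like "R0 - ...", "O3 - ...", "O23 - ..."; section codes are
# R/F/N/O followed by one or two digits.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per recognised log line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def flags_for(entry: HjtEntry) -> List[str]:
    """Flag names (my own labels) for the patterns discussed in the thread."""
    body = entry.body
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned")              # registry points at a missing file
    if entry.section == "O3" and "(no name)" in body:
        flags.append("nameless-toolbar")
    if entry.section == "O16":
        flags.append("activex-download")      # DPF: code fetched via ActiveX
    if entry.section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:                             # empty AppInit_DLLs is the normal state
            flags.append("appinit-dll")
            names = [n for n in re.split(r"[ ,;]+", value) if n]
            # A DLL injected under a non-.dll name (karna.dat) is a classic hiding trick.
            if any(not n.lower().endswith(".dll") for n in names):
                flags.append("appinit-nondll-name")
    if entry.section == "O23" and "Unknown owner" in body:
        flags.append("unknown-service-owner")
    return flags


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Set flags on every entry and return only the ones worth a second look."""
    for e in entries:
        e.flags = flags_for(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {', '.join(e.flags):<34} {e.body[:70]}")
```

Run it on a saved HJT log by replacing SAMPLE_LOG with the file contents; the R0 Łącza line comes back unflagged, which matches the later reply that it is the standard IE Links folder, while the O3, O16, O20 and O23 lines are each flagged for the reason the helpers give.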
 
Your HJT log is clean.

Please do the following.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
c:\program files\Common Files\nujykofi.reg
c:\windows\uxowevegik.dll
c:\documents and settings\All Users\Dane aplikacji\qewyx.com
c:\documents and settings\All Users\Dane aplikacji\wuxal.reg
c:\program files\Common Files\nihalacu.lib
c:\program files\Common Files\veqyduzi.sys
c:\documents and settings\All Users\Dane aplikacji\kuhe.pif


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
 
I attach the new logs.

The Norton Removal Tool seems not to have done the job - I ran it successfully, but these items are still in the Hijackthis log.

"Łącza" is Polish for "Links" - it's a standard IE toolbar containing links to Hotmail, Windows Media etc.
 
Your logs are now clean.

Unless you're still having problems, you should be good to go.

If you're not having any problems, then please do the following.


Please download OTMoveIt by OldTimer OTMoveIt.exe, unzip it and place it on your desktop.

1. Double click OTMoveIt.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. You will be prompted to allow the clean up procedure, click Yes
5. When finished exit out of OTMoveIt
 
I still don't know if this is a legitimate entry in the HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

I found a similar entry on a different log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

The entry appears to be Polish in origin. IF it is your link, no problem. If it is not, it should be removed. I can't identify it.

For the Symantec entries:
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
BEFORE you run the removal tool, do this:
Open IE> Tools> Manage add-ons. find, highlight and disable the entry for this:
webdl.symantec.com/activex/symdlmgr.cab
I'm not sure how it's listed, but should be recognizable from the above.

Then: Start> Run> services.msc> right click on this Service- however it's listed:
Harmonogram automatycznej usługi LiveUpdate\ALUSchedulerSvc.exe > Properties> Set the Startup Type to Disabled> Stop the Service

When done, after removing the cleanup tools with OTCleanIt:
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created

NOW run the Norton Removal Tool.
 