TechSpot

I've finished all eight steps. Can someone check up on me?

By Crotchet
Feb 14, 2010
  1. Last night I came home to find that someone had completely ravaged my computer. There were error messages all over the place, and there was this weird program claiming to be "protecting" the computer that one of my family members must've downloaded. Let's just say there were a lot of bright red "alert" and "warning" messages.

    I instinctively went for the task manager - and that didn't work. When that didn't work, I turned to Google, which brought me to your forum! I followed all eight steps, saved all three logs, and now I'm hoping that someone here can check my stuff to make sure everything's gonna be okay.

    I have a really bad feeling - my brothers are both technologically slow, and have recently taken to perusing some of the darker corners of the internet. I'm afraid they've done their worst. Thanks for your patience!
     

    Attached Files:

  2. Archean

    Archean TechSpot Paladin Posts: 5,682   +86

    Please re-run (clean out if it finds any thing) mbam repost its log; I will let you know what I've found in your hijackthis log asap. Also re-run superantispyware and clean out all the suspicious files it found; and post its log as well.

    Edit (update):
    I've found nothing of suspicion in your hijacklog. However, once you post the above requested logs; and tell if there any other persisting problem(s), enabling me to advise you further on the situation.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Crotchet, this should be a better approach to your problem:

    Your HijackThis log is not complete. The entire middle section is missing. If that's all you got, then malware is suppressing the entries:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console. If you do not have this, I recommend you put it on the system. If you do have it ComboFix will continue it's malware removal procedures.)
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    You can attempt to run an online virus scan when finished:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please attach the Combofix report and Eset log to next reply.

    Rescan with HijackThis and include a new log.

    Archean, it would be in the best interest of the members if you let Broni and I handle the cleanings.
     
  4. Crotchet

    Crotchet TS Rookie Topic Starter

    Thank you so much! Here are my new logs.

    *** However, it will not let me post my new HijackThis log. I renamed it HijackThis2, but it is saying that I already posted that document in this thread.

    Also, when I open HijackThis and it attempts to scan, I get this message:

    "For some reason your system denied write access to the Hosts file. If any hijacked
    domains are in this file, HijackThis may NOT be able to fix this.

    If that happens, you need to edit the file yourself. To do this, click START, RUN and type:

    notepad C:\Windows\System32\drivers\etc\hosts

    and press Enter. Find the line(s) HijackThis reports and delete them. Save the files as 'hosts.' (with quotes), and reboot.

    For Vista: simply exit HijackThis, right click on the HijackThis icon, choose "Run as administrator."


    I have Vista. Should I do what it says for Vista? I don't fully understand what it is telling me about the host file.


    EDIT: (Update)
    I did as it said and ran HijackThis as the administrator... it provided me with a new log that wasn't identical to the one I got on the 14th, which is apparently what it had been giving me before. I've attached it to this post.
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you ran Combofix, did you overlook this line?
    The only program that shows disabled is Superantispyware. The antivirus is running (Norton/Symantec)- if this includes a suite with a firewall, it is also running. You should also disable the Symantec eraserutilrebootdrv.sys until the cleaning is finished. This is Symantec security suite eraser utility system driver file. Windows Defender also is running. What this means is that the report from the scan might not show information we need.

    The HijackThis log run under the Administrator account looks more 'normal.' There is 1 016 (Active X) entry.

    About your brothers and those 'dark corners' they may have visited:
    If you are Colleen, they made those visits using your account. And it appears that they soon lowered your security to visit some of the sites. Checking the Tracking Cookie found in Superantispyware is a handy way of checking sites visited.

    If others are going to have access to your computer, I strongly advise you to set up a 'guest' account for them to use. Make sure the security level is higher While the Tracking Cookies are mostly those we see frequently, ones for 'porn.com' are more specific.

    Since they are from both Internet Explorer and Firefox, the following should help block them:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    To be on the safe side, I'd like you to rescan with Combofix, making sure to disable the security as instructed. Delete the current log on your desktop first, then include the new report in the next reply.

    Please advise which of the original problems remain and of any new problems that could be malware related.
     
  6. Crotchet

    Crotchet TS Rookie Topic Starter

    I disabled my firewall and Norton, and I also disabled SuperAntiSpyware... Then I ran Combo-fix again. I've attached my new log.

    Perhaps it is important to tell you that this particular machine is a laptop, and while the username says "Colleen," it is actually the "user" that my entire family uses... All five of us. So mom does banking, I do facebook, teenage brother does porn, little brother does games, dad does music, all under "Colleen."

    As of the latest scan, I've had little to no issues with my machine. Some slowness at times, but other than that, everything is significantly better than before I did the first few scans.

    Overall, no real noticeable symptoms - none that I can detect, being a novice.
    I hope the new Combo-Fix log was done correctly on my part!
     

    Attached Files:

    • log.txt
      File size:
      23.7 KB
      Views:
      3
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    5 people using the same account, especially when one of them does internet banking is like dangling over the open mouth of an alligator and daring it to bite you!

    Please update and run Malwarebytes again and attach new log to next reply.
     
  8. Crotchet

    Crotchet TS Rookie Topic Starter

    I never really considered the consequences... :blush:
    Here's the new log file!
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We need to either finish this up or start over. Spanning a week's time with 5 users makes it very difficult to make sure the malware has been found.

    Please Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Then do new scan wirg HijackThis. Attach both logs in next reply.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...