Laptop acting up, log files attached

By CrashTekk13
Jun 17, 2009
  1. Hi guys! I hope you can help me like you did before :) (Thanks Mike!)

    This is for a laptop that my significant other uses. I have finished the eight step removal instructions and the logs are attached. Some of the symptons are slowing down of Firefox that I had to use IE in order to update JRE (step 6). The USB mouse also becomes unresponsive.

    The following 3 trojans and 1 virus were detected on McAfee:
    - Detection name: FakeAlert-DS (trojan)
    File: C:\Doments and Settings\Cecile\Local Settings\Temp\install[1].exe
    Process: C:\Doments and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\install[1].exe
    Process Description: C:\Doments and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\install[1].exe

    - Detection name: Artemis!FB0DA2ADA35 (trojan)
    File: C:\Doments and Settings\Cecile\Local Settings\Temporary Internet Files\Content.IE5\H8YWZCDI\pdrv[1].exe
    Process: C:\windows\ld09.exe
    Process Description: C:\windows\ld09.exe

    - Detection name: Artemis!FB0DA2ADA35 (trojan)
    File: C:\Doments and Settings\Cecile\Local Settings\Temp\stron_1245160155.exe
    Process: C:\windows\ld09.exe
    Process Description: C:\windows\ld09.exe

    - Detection name: Artemis!938CD403F28C (virus)
    File: C:\WINDOWS\FREDDY46.exe
    Process: C:\Program Files\McAfee\MPF\MPFSrv.exe
    Process Description: McAfee Personal Firewall Service

    Thanks in advance!

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT and select to Fix (no file) and (file missing) at the end of a line!

    Rename ComboFix to 1cfix and run 1cfix post log!

    D/L DrWeb Cureit :
    Run it in Safe Mode!

  3. CrashTekk13

    CrashTekk13 TS Rookie Topic Starter Posts: 20

    Hi Mike,

    Im attaching the ComboFix log you requested. This is after I ran HJT and selected to Fix (no file) and (file missing) at the end of a line.

    I also ran Dr. Web Cure It and got the following results:
    - found adware.relevant.10 this is from kcleaner.exe
    - above was also found on the system restore archive
    - a BATCH virus was also found and was deleted.

    Thanks a lot.

  4. mflynn

    mflynn TS Rookie Posts: 2,655

    OK my friend so how is the computer running now?

    If all seems OK then do the below.

    Do the beloe if you did not do it from the other thread, not for Malware but purely for performance..

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    sc config ClipBook start= disabled
    sc stop ClipBook
    sc config Dfs start= disabled
    sc stop Dfs
    sc config FastUserSwitchingCompatability start= disabled
    sc stop FastUserSwitchingCompatability
    sc config TrkWks start= disabled
    sc stop TrkWks
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    sc config DNSCache start= disabled
    sc stop DNSCache
    sc config ERSvc start= disabled
    sc stop ERSvc
    sc config HidServ start= disabled
    sc stop HidServ
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    sc config CiSvc start= disabled
    sc stop CiSvc
    sc config IsmServe start= disabled
    sc stop IsmServ
    sc config kdc start= disabled
    sc stop kdc
    sc config LicenseService start= disabled
    sc stop LicenseService
    sc config Messenger start= disabled
    sc stop Messenger
    sc config Netlogon start= disabled
    sc stop Netlogon
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    sc config NetDDE start= disabled
    sc stop NetDDE
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    sc config RSVP start= disabled
    sc stop RSVP
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    sc config upnphost start= disabled
    sc stop upnphost
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    sc config UPS start= disabled
    sc stop UPS
    sc config WebClient start= disabled
    sc stop WebClient
    sc config DNSCache start= disabled
    sc stop DNSCache
    sc config JavaQuickStarterService start= disabled
    sc stop JavaQuickStarterService
    sc delete JavaQuickStarterService
    attrib -h -s -r /s c:\jqs.*
    del /f /q /s c:\jqs.*
    sc config RpcSs start= Automatic
    sc start RpcSs
    sc config RpLocator start= Automatic
    sc start RpcLocator
    sc config MSIServer start= Automatic
    sc start MSIServer
    Post final HJT log!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    Run CCleaner (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. You may have this from the 8 Steps.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundent Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot ocassionally and use the Immunize function.

    I highly reccomend Hostman: Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

  5. CrashTekk13

    CrashTekk13 TS Rookie Topic Starter Posts: 20

    Hi Mike -

    Thanks so much for your help on all of this.

    I'm attaching HJT log as you requested. Will observe laptop in the following days.

    Thanks again.

  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK but report back!

  7. CrashTekk13

    CrashTekk13 TS Rookie Topic Starter Posts: 20

    Will do. Thank you!

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...