Malware removal

Solved
By chukmane
Feb 11, 2012
  1. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Good :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKU\S-1-5-21-3309254217-1751005206-3801968897-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ==============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ============================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  2. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    after i reboot it will the log come up then ?
  3. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Yes..............
  4. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    will the log on the notepad name be something like 02132012_191010
  5. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    The log should pop-up after restart.
    If it didn't re-run the fix.
  6. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3309254217-1751005206-3801968897-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Touchi
    ->Temp folder emptied: 150822 bytes
    ->Temporary Internet Files folder emptied: 7342572 bytes
    ->Java cache emptied: 15614 bytes
    ->FireFox cache emptied: 290533159 bytes
    ->Google Chrome cache emptied: 348017794 bytes
    ->Flash cache emptied: 3879 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 525552 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 617.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Touchi
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Touchi
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 02132012_191010

    Files\Folders moved on Reboot...
    File move failed. C:\Users\Touchi\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
    File\Folder C:\Windows\temp\TMP00000089FED2C9A1A1CDB948 not found!

    Registry entries deleted on Reboot...
  7. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Good. Go on....
  8. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 30
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    Symantec Norton Online Backup NOBuAgent.exe
    AVAST Software Avast afwServ.exe
    AVAST Software Avast AvastUI.exe
    ``````````End of Log````````````
  9. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    Farbar Service Scanner Version: 13-02-2012
    Ran by Touchi (administrator) on 13-02-2012 at 19:49:49
    Running from "C:\Users\Touchi\Downloads"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
  10. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    does the ESET scan take a long time
  11. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    It may......
     
  12. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    it has now been scanning for 10 hours is this normal ?
  13. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Does it show progress?
    Is computer clock running?
  14. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    yes the clock is running , but last night it was at 23% for about 15 minutes i went to sleep woke up this morning and it was at 46% went to school for about 9 hours and came back and its still at 46%
  15. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Stop the scan....

    Please, run F-Secure Online Scanner

    • Disable your Antivirus program.
    • Checkmark I have read and accepted the license terms.
    • Click on Run Check button.
    • Quick scan (recommended) option will come pre-checked. Don't change it.
    • Click on Start button.
    • When scan is done, in Step 3: Clean the files, leave all settings as they're.
    • Click Next button.
    • Click Full report... button.
    • Copy report's content and paste it into your next reply.
  16. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    i just read your reply and the scan is now at 94% should i let it finish or should i stop the scan
  17. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    when my scan was finished scanning List of found threats did not show up the window just closed
  18. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
  19. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    should i run the F-Secure scanner first or just Run OTL.
  20. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Just OTL....
  21. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Touchi
    ->Temp folder emptied: 182724 bytes
    ->Temporary Internet Files folder emptied: 53919 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 52247701 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 900 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 700 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 50.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Touchi
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Touchi
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.31.0 log created on 02142012_194836

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Touchi\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...
  22. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    thank you so very much my computer is doing great it has honestly sped up since meeting with you and i am so very thankful of you and i am still having that problem when i open my avast software it says the avast program has been stopped , when i try to start it again nothing happens what do you suggest i do i am fearing that my computer is vulnerable to virus's
  23. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Reinstall it.
    Some files for probably corrupted.
    Let me know.
  24. chukmane

    chukmane Newcomer, in training Topic Starter Posts: 74

    this occured before you helped fix my computer
  25. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Reinstall it and let me know if it worked.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.