My Log Files after cleaning?

Status
Not open for further replies.

pmrider

Hey guys,

Followed the 8 steps for getting rid of viruses/spyware/malware -- the problem started with Antivirus 360 popups -- then after trying to search the net for fixes I got flooded with random other "legit" looking popups for other virus checkers like Norton and stuff. Also sometimes when I would start the computer I lost all my icons and start button and had to open everything with Task Manager.
Now it looks like everything is good, and my computer speed is back to normal (I think). But was hoping someone could look at my logs. Also took note of two errors that I get on start-up -- perhaps I deleted the file -- but was hoping someone could shed some light on what is missing (that attachment labeled startupbox).

Thanks a bunch guys!!!

I really appreciate the help this site has given me!!

Also please beware that I have little computer skills :( but can follow directions pretty well.

Thanks again for the help in advance!! You rock
 
Good job with the cleanups.

The startup error is from a malware file that you cleaned but that is still listed in the startups. So it is good that it is not starting.

Run HJT, Scan only, select and remove the below.
O2 - BHO: (no name) - {13f58ea4-2929-42ab-8e99-d88453fc1bd2} - C:\WINDOWS\system32\hilemebu.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter hijack: text/html - {9c8c46a0-483a-4819-a0b3-ef7add85bed1} - C:\WINDOWS\system32\msziptools.dll

UPDATE MBAM and run again, it will find more that were exposed by the first run and not seen at all. Attach log.

UPDATE SAS

Click Preferences-Repairs

Then, counting down from the top, do the following entries:
Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 23 and 24!

Reboot!

Then do another scan with SAS. Attach log.

Mike
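The three HJT lines Mike lists above share a fixed shape (section - type: name - CLSID - target). The parser below is an added example, not part of this thread or of HijackThis itself; it splits such lines into fields and flags the same things Mike keys on: a target marked "(file missing)" or "(no file)" (an orphan that can no longer run), an add-on with "(no name)", and an O18 MIME filter hijack. The sample lines are constructed from the entries in this thread plus one made-up benign BHO with a placeholder CLSID.

```python
import re
from dataclasses import dataclass, field

HJT_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # "O2 - BHO: rest"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")             # {8-4-4-4-12}

# Constructed sample log: the three entries from this thread plus one benign
# BHO with a placeholder CLSID (not a real component).
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {13f58ea4-2929-42ab-8e99-d88453fc1bd2} - C:\\WINDOWS\\system32\\hilemebu.dll (file missing)",
    "O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    "O18 - Filter hijack: text/html - {9c8c46a0-483a-4819-a0b3-ef7add85bed1} - C:\\WINDOWS\\system32\\msziptools.dll",
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll",
]

@dataclass
class HjtEntry:
    section: str          # O2, O9, O18, ...
    kind: str             # BHO, Extra button, Filter hijack, ...
    name: str             # display name; for O18 this is the MIME type
    clsid: str
    target: str           # file path or "(no file)"
    flags: list = field(default_factory=list)

def parse_hjt_line(line):
    """Parse one HijackThis log line; return None for lines in another format."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    name = parts[0] if parts else ""
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), "")
    target = parts[-1] if len(parts) > 1 else ""
    entry = HjtEntry(section, kind, name, clsid, target)
    low = target.lower()
    if "(file missing)" in low or low == "(no file)":
        entry.flags.append("orphan")        # registration left behind after the file was removed
    if name == "(no name)":
        entry.flags.append("no-name")       # legitimate add-ons almost always register a name
    if section == "O18" and kind.lower().startswith("filter hijack"):
        entry.flags.append("mime-filter")   # a text/html filter sees every page the browser loads
    return entry

def flagged_entries(lines):
    """Return only the parsed entries that carry at least one flag."""
    entries = (parse_hjt_line(l) for l in lines)
    return [e for e in entries if e is not None and e.flags]

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LINES):
        print(e.section, e.kind, e.clsid, e.target, e.flags)
```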
 
OK found more!

So one more run each with MBAM and SAS

UPDATE, then run MBAM and SAS once more, Quick Scan. In SAS put a check in Tracking cookies to delete.

We need completely clean logs.

After you post these logs do the below, these 2 don't take as long to run...

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer, C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Thanks Mike for your help so far !!!

So I posted the 4 logs-- crossing my fingers

Also, I have been using the web during this process to check email and do some things for school -- is this ok?? (I haven't downloaded anything or done anything like that though)


Thanks again!
 
Hi pmrider

Looking good so far. But there were remaining issues that were cleaned.

Run HJT, select and remove the below:
O2 - BHO: (no name) - {028fe12a-1a7a-409a-ae7b-99f0a48d0260} - (no file)

Where is the ComboFix run (see bottom of my last post)? If it is clean we are finished.

As far as using the computer, do you see any remaining issues?

Clean and update Java
Clean up old Java and update to the newest version; this program will do it all for you.

Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it, run it; to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: https://www.techspot.com/downloads/6463-java-se.html

After the update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "Remove Useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
After that run remove older versions again. This time the Log file should be empty.

Mike
 
Here is my combofix log-and my javaRa log--

Also -- everything seems to be running great!! The only thing that is still noticeable is the "fingerprint software error" I get on start up.

Details: Code-0xe72c0007 rnpipe:svr(00000000fusserver) not found
 
We will get back to fingerprint issue.

Run JavaRa again and do

"Additional tasks" and check "Remove Useless JRE files" and "Remove JavaRa log files".

Then run Remove older versions and the log should be clean.

Code:
Folder::
C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

FileLook::
c:\windows\system32\drivers\Lbd.sys

File::
c:\windows\system32\AAWService_2009_01_30_23_09_45.dmp
c:\windows\system32\AAWService_2009_01_30_09_23_33.dmp

Cut (for pasting) the above text inside the box; pull to the bottom and watch the side slider. Then open a new Notepad document on the Desktop, paste, and save as CFscript.txt to the Desktop.

EXIT ALL BROWSERS before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt. Attach that back here.

Mike
 
Here's the logs --- I don't know if the JavaRa log was clean -- it seemed like it detected a bunch of stuff, I ran it twice too?
 
Hi

I think Adaware was damaged possibly by Malware, update it (may need to reinstall) and run it to confirm OK!

In JavaRa
"Additional tasks" and check "Remove Useless JRE files" and check "Remove JavaRa log files".
This removes the old log file.
Now run Search for Old versions again; the log file should be empty!

Do above and let me know the results.

Get me a status report on the computer and update me on what else we need to address.

Mike
 
So I installed a new Adaware and ran it twice. The log attached is the one after the 2nd run. I checked the Remove JavaRa log file box and my log still seems to have stuff in it??
 
OK one more ComboFix to confirm the last removals are really gone and no more found, and I think we will be clear and finished.

Mike
 
Hey Mike, here's the ComboFix log. The only other thing I can see is that I am still getting that error on startup about the fingerprint software.

Also-- should I be running all these cleaners on a weekly basis-- or what would you recommend to keep from getting so infected again. Also does just surfing the net in general put me at risk or is it certain sites on the net I should be avoiding. (I never open pop ups though but I do watch a lot of little web movies like you tubes and the like)

Thanks :)
 
Found one more bad boy! psqlpwd

Download, install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Run it, let it scan, then when it says Ready at the bottom left corner, make sure the EVERYTHING tab is selected and then click File at the top and then Find.

Here type or copy paste psqlpwd into the Find box search and delete any line with this in it.

From here down is optional but I advise it.

Click the top entry of Everything so the search begins there then Click File-Find.

Type in the find box file not found and hit enter and delete all lines that have file not found.

There is a bunch of old stuff that M$ thought you might or would need that no longer exists, or for computers that are assumed to have SCSI or AMD processors but do not!

After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for Trojan delete any entries related to Trojan.Security Toolbar.

Back to top click 1st entry and repeat Find for SiSoftware if you are removing it.

Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure delete these also.

Next

Then get, install and run:
RunScanner http://www.runscanner.net/download.aspx
Click Scan computer
Double click all Red lines to select, then click Item fixer and remove them.

Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

Reboot and recheck with both AutoRuns and RunScanner.

Mike

EDIT: I will address your questions about what to run in my closing.
 
Hey Mike -- I think we're looking good. Deleted psqlpwd (only found in one or two files), no Trojans were found in the AutoRuns and got rid of all the file not founds w/ both scanners per directions :)
 
Great you did a fantastic job. Pat yourself on the back!

Thread closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

If prompted to Reboot click, Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

When it queries you with a prompt, to help you determine whether to approve or not, you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install, run and allow it to disable DNS Client, and select all Hosts files and then Update and install all Hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
Mike -- THANK YOU!!! My computer seems to be running faster than ever!! :)

One last question though -- I am still receiving that same fingerprint software error on start up -- is there any way to get rid of that?
 
Oh yes! Forgot.

Can you get me a screen or the full wording of the error?

Get http://mlin.net/StartupCPL.shtml

The very best way to handle Startup programs. If you see it in one of the Startup tabs then just uncheck it. This just disables it; re-check it and it is back.

After a day or 2 and no issues then come back and delete it if you want.

Some of these types of things do not show up here. Let me know!

Mike
 
The fingerprint software error code is: 0xe72c0007
The description is: rnpipe: svr(00000000fusserver) not found


I didn't see it listed in the start-up?
 
Mike -- Thanks a ton!!!

I ended up just going through the Control Panel, change/remove hardware, went to the Protector Suite, and then had it repair itself and that worked -- no error on restart!!!

This has been kinda a fun process in that I learned a lot :) Sometimes I wish I had gone to school for IT -- pretty cool stuff -- I envy your skills!! Well I am sure I will be back on the forum one day in the future, I will be checking in to see what is new anyway -- but hopefully I won't have any more bugs for some time -- I will take your instructions and continue running the progs suggested bi-weekly and what have you

Again-- thank you !!
 
Great pmrider!

Mike

jlow2006

So we don't clutter up pmrider's thread, make yourself a thread and describe what part of this entire post relates to you!
 