TechSpot

My logs after doing the 6 steps

By crozdog
Jul 31, 2010
  1. hi,

    attached are my logs. Appreciate it if one of you generous folk can tell me what to do next.

    I had to rungmer in safemode as it kept hanging in normal mode.

    Looking forward to getting a stable system back.

    Thanks in advance
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Tell me what problems you are having please.

    I note that you are running multiple antivirus programs. This will make you system more vulnerable and also slow it down. Please remove all but one of the following:
    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    AV: avast! Antivirus *On-access scanning enabled* (Outdated)
    McAfee
    Threatfire

    Here are tools to help- only download those for the AV programs you are not going to keep:
    Avast Removal
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.
    McAfee Removal
    Sorry- I don't have one for Spyware Doctor or Threatfire..
     
  3. crozdog

    crozdog TS Rookie Topic Starter

    Hi,

    thanks for the reply.

    I'll attempt to remove AVG, avast & mcafee. FYI, I tried several progs cause none of em fixed the issues, then found I couldn't remove em - grrrr. Don't recall installing Threatfire, so will have to look into it.

    My issues include:
    - Slow response,
    - Processes such as firefox running high CPU - notebook fan runs constantly machine heats up & freezes.
    - Processes such as firefox running high memory utilisation
    - when I click on Google search results I get taken to sites which are not what the result showed ie i'm taken to unrelated sites.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, in this forum I'll help you with the redirects.

    High CPU (I think you mean high memory) in Firefox has always been a problem. It will also be influenced by how many and which add-ons you have.

    Fan problems are usually heat related.

    After you have finished with the antivirus problem- a tip for that: security programs that are running don't like to be removed. So download whatever tools you need, then boot into safe mode to uninstall:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Reboot the computer when you have finished.

    You can go ahead and run the following also:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Re-enable your Antivirus software.
     
  5. crozdog

    crozdog TS Rookie Topic Starter

    Thanks.

    Forgot to say that firefox randomly opens up a new tab & connects to an unknown site - even when I haven't clicked on a link.

    Firefox chews lots om memory, but has also been using a lot of CPU. I think that because the cpu has been running at up to 100%, the fan has kicked in to try & keep the system cool.

    I've removed mcafee, AVG & avast using the appropriate tools. From what I've found, threatfire is part of spyware doctor (both by PCTools), so I have left em both.

    I then dl'd combofix & ran after a reboot & disabling spyware dr. Combofix advised that avast was still running. I did a couple of searches but couldn't find what was running to cause that. No services appear to belong to avast.

    I then proceeded to run combofix at my own peril. It has run for about 2 hours & has been sitting on a screen saying "scanning for infected files.... this typically doesn't take more than 10 minutes however scan times for badly infected machines may easily double"

    should I kill it & retry?

    cheers

    crozdog
     
  6. crozdog

    crozdog TS Rookie Topic Starter

    had to power down to get out of combofix. re-ran it after a restart, did an update then it successfully did a number of tests. The log file it produced is attached.

    before running combo fix, dl'd "perfect uninstaller" to try & eliminate avast - unsuccessfully.

    after running combofix, I restarted spyware dr which reported 22 x trojan-downloader.murlo infections & 5 x spyware.known bad_sites infections (for perfect downloader)!! have just cleaned em

    Look forward to your response.

    thanks again, crozdog
     

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Firefox has always been a big memory user. I've used it for several years- since the first public release and with each update, I hoped this would be better. But I haven't seen any improvement in the memory usage.

    The CPU is something else. I have never seen my Firefox using the CPU. I don't have a lot of add-ons and I would guess with some confidence, that what you are seeing for Firefox/CPU is one or more add-on running. It looks like you may have gone into about:config and customized Firefox.

    A good way to check for CPU use is to prepare the system for shutdown by closing any running programs and active Windows. At this point, the Task Manager should only be showing processes running for taskmgr, System and System Idle. These 3 should add up to 100% in the CPU column. Anything else over 1-2% should be investigated. You can the launch Firefox, check the CPU> play with the add-ons and see what using the CPU.

    I would have referred you hadn't downloaded and run two uninstallers while I was helping you clean.
    =====================================
    Please download System Look from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
       kbdclass.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =========================================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\avastSS.scr
    
    Folder::
    c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    c:\program files\alwil software
    
    Registry::
    
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Xanthic\{1246792F-C12E-81AE-FE96-35D2FC917677}*_]
    
    Driver::
    mpldvdfj
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please PASTE in your next reply.
    ====================
    Are you using the freestanding McAfee Site Advisor?
    Do you have the homepage in IEset to come up as a blank page?
    It appears that PCTools uses the ThreatFire antivirus program. Confusing as there is also a free standing version.
     
  8. crozdog

    crozdog TS Rookie Topic Starter

    thanks bobbye.

    didn't mean to stuff things up by dl'ing those uninstallers - was just attemping to get rid of avast as combo fix was still reporting it running - even after using the avast uninstaller.

    In answer to your Q's
    - I was running the mcafee site advisor, but think I deleted it using one of the tools above
    - I no longer use IE, so can't comment on the blank start page....
    - let me know if you want me to remove threatfire too

    the systemlook log is attached

    I had to attach the log from combofix running with the CFScript as I received the following error when I pasted it: The text that you have entered is too long (71744 characters). Please shorten it to 20000 characters long

    Thanks Crozdog
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looks good. Here the removal for Avast in the Combofix header:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    SecCenter::
    {7591DB91-41F0-48A3-B128-1A293FD8233D}
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    If redirects are resolved:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  10. crozdog

    crozdog TS Rookie Topic Starter

    done all that....log file attached.

    i've done several searches & no more redirects!!! Looking good.

    FYI when I started spyware dr again it detected a couple more instances of trojan-downloader.murlo infections which I removed

    let me know if there is any thing else to do.

    Thanks heaps for your help so far - legendary!!
     

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Message from Bobbye:

    =======================================================================

    Let's do some more checking...

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. crozdog

    crozdog TS Rookie Topic Starter

    Hi Broni,

    thanks for stepping in. Hope all goes well with bobbyes family.

    As requested, the 2 txt files are attached.

    cheers

    Crozdog
     

    Attached Files:

  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You're welcome :)
    I hope so too :)

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab (Reg Error: Key error.)
      O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
      [2010/06/26 14:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
      [2010/06/26 14:19:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
      [2010/06/26 14:19:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
      @Alternate Data Stream - 2960 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\sdpsenv.dat:naughtypirates
      @Alternate Data Stream - 218 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9A870F8B
      @Alternate Data Stream - 209 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
      @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:52BA26F1
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
      
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  14. crozdog

    crozdog TS Rookie Topic Starter

    Did all that. Interestingly explorer didn't start after the reboot. had to start it from task manager.

    here are the 2 OTL logs as requested
     

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good :)

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  16. crozdog

    crozdog TS Rookie Topic Starter

    Hi Broni,

    sorry about the delay, life got in the way then the scan took a long time to run....

    security check & kaspersky logs attached as requested.

    forgot to mentin earlier that wjen I open explorer or other MS apps I get a window saying something about configuring MS Office. It then gathers data and closes.

    philip
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OK, we have couple of issues here.
    You have some baddies in your mail:
    C:\Documents and Settings\philip.LAPPY\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
    T:\philip\Outlook.pst
    I don't want to delete your whole mail folder, so you'll have to be very careful with your current mail.
    Don't click on any unknown links and make sure to scan every attachment before opening it.

    Now, you have to be really careful, what you download and from where. You have several infected files in your downloads folder.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      T:\philip\downloads\apps\Able2Extract Pro 5.0 PDF to Word Excel HTML & Text Converter.zip	
      T:\philip\downloads\apps\cd DVD Software\Ripping Tools\aoadvdcopy.exe	
      T:\philip\downloads\apps\Data Recovery\Mount Image Pro\MIP-Setup.exe	
      T:\philip\downloads\apps\download manager\pdfprint multiple setup.exe
      T:\philip\downloads\apps\gps\Garmin\tools and maps\Garmin Unlock Utility.rar
      T:\philip\downloads\apps\gps\Garmin\tools and maps\Garmin Unlock Utility.zip
      T:\philip\downloads\apps\gps\Garmin\tools and maps\wgmaptool039.zip
      T:\philip\downloads\apps\daemon403-x86.exe
      T:\philip\downloads\apps\Directory_Opus_9[1].1.1.7_3307.rar
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
     
  18. crozdog

    crozdog TS Rookie Topic Starter

    attached is the OTL log.

    any suggestions re cleaning the contents of the PST file?
     

    Attached Files:

  19. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You may try to run this...

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.

    It MAY show you, which piece of mail is infected.
    If it won't, the only way...
    Now....

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ======================================================================

    Your computer is clean [​IMG]


    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how is your computer doing.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    The issue seems to be resolved.
     
  21. crozdog

    crozdog TS Rookie Topic Starter

    thanks!

    system quicker & no re-directs.

    beers
     
  22. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Thanks for (finally :)) letting me know :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...