Problems after html/infected.webpage.gen virus

Solved
By bkfuhrer
Mar 1, 2010
Topic Status:
Not open for further replies.
  1. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Combofix does not seem to want to uninstall even with TF turned off, even after restart... I get the green bars, some hourglasses etc but...Icon still there. Can I proceed with the other stuff in #23 or does Combofix need to be gone?
  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Delete Combofix manually....
    Delete Combofix, Qoobox folders, and Combofix.txt file from C:
    Delete 7cdh7ej8.exe from your desktop
  3. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Funny, Combofix was already gone... I deleted the rest and flushed...
  4. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Cool :)
    Proceed with the other steps.
  5. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    I completed the TFC step and the restart, but now something weird again: every time I try to go to Kaspersky's website, Firefox shuts down. I will try to enter from IE and begin the scan but may not get there; I have to be out the door by 12:30....
  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  7. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Well, this is interesting... I was kicked off the dialup connection twice now during the eset scan, both times while it was scanning in the application data/ Thunderbird profs/ drafts.msf or something like that... The first time, when I got back online it seemed to be stalled there for a very long time, so I started the scan over and poof! it kicked me offline again at the same point... reconnected again and then it moved forward into the inbox and shows 1 infected file with multiple threats! I don't know if getting kicked off is coincidental but it is curious... Has now been scouring the inbox for about 20 mins now.... Oh, now it has found another one also with multiple threats and now we are moving much faster...
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    OK........
  9. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    The scan found one more infected scan and is speeding right along now. It says "probably unknown NewHeur_ PE virus".
  10. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I'll be around. Don't worry :)
  11. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Thank you so much! The scan is at 70% now and moving fast...
  12. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Ta da :)

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=15ffb193000adf40a1bc53058efe7ea0
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-03-04 03:13:54
    # local_time=2010-03-03 07:13:54 (-0800, Pacific Standard Time)
    # country="Canada"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 67027432 67027432 0 0
    # compatibility_mode=1026 16777214 0 2 32691843 32691843 0 0
    # compatibility_mode=1797 16775141 100 100 0 43988644 27469 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=3073 16777213 80 100 10785396 39671901 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=7157
    # found=0
    # cleaned=0
    # scan_time=2257
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=15ffb193000adf40a1bc53058efe7ea0
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-03-04 05:29:13
    # local_time=2010-03-03 09:29:13 (-0800, Pacific Standard Time)
    # country="Canada"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 67030686 67030686 0 0
    # compatibility_mode=1026 16777214 0 2 32695097 32695097 0 0
    # compatibility_mode=1797 16775141 100 100 0 43991898 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=3073 16777213 80 100 10788650 39675155 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=102794
    # found=3
    # cleaned=3
    # scan_time=7121
    C:\Documents and Settings\Barbara Fuhrer\Application Data\Thunderbird\Profiles\9xqtclnq.default\Mail\Local Folders\Inbox multiple threats (contained infected files) 00000000000000000000000000000000 C
    C:\Documents and Settings\Barbara Fuhrer\Application Data\Thunderbird\Profiles\9xqtclnq.default\Mail\Local Folders\Junk multiple threats (contained infected files) 00000000000000000000000000000000 C
    C:\NetIdea\addicons.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
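    Added example, not code from this thread or from ESET: a small Python parser for the ESET Online Scanner log format pasted above. It separates the two runs (the first one was cut off when the dial-up dropped, which the log records as end=stopped) and checks that a run's found= counter matches its detection lines. The verdict phrases are taken from this log only; that list is an assumption for other logs.

```python
import re
from dataclasses import dataclass, field

# "# key=value" header lines; detection lines are "<path> <verdict> [(<note>)] <32-hex> <flag>".
# The verdict phrases are those in the log quoted above (assumption: real logs use more).
HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<verdict>(?:multiple threats|probably unknown).*?)"
    r"(?:\s+\((?P<note>[^()]*)\))?\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)

@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)    # repeated keys keep the last value
    detections: list = field(default_factory=list)
    messages: list = field(default_factory=list)  # free-text lines such as "all ok"

    def completed(self):
        """True only if the run finished and its found= counter matches the detection lines."""
        return (self.header.get("end") == "finished"
                and int(self.header.get("found", "0")) == len(self.detections))

def parse_eset_log(text):
    """Split a pasted ESET Online Scanner log into one ScanRun per scan."""
    runs = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("ESETSmartInstaller@"):  # every scan starts with this line
            runs.append(ScanRun())
        elif not runs:
            continue                                # stray text before the first scan
        elif m := HEADER_RE.match(line):
            runs[-1].header[m.group(1)] = m.group(2).strip().strip('"')
        elif m := DETECTION_RE.match(line):
            runs[-1].detections.append(m.groupdict())
        else:
            runs[-1].messages.append(line)
    return runs

# Excerpt of the log pasted above: an interrupted first run, then a finished second run.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# end=stopped
# found=0
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# end=finished
# found=3
# cleaned=3
C:\Documents and Settings\Barbara Fuhrer\Application Data\Thunderbird\Profiles\9xqtclnq.default\Mail\Local Folders\Inbox multiple threats (contained infected files) 00000000000000000000000000000000 C
C:\Documents and Settings\Barbara Fuhrer\Application Data\Thunderbird\Profiles\9xqtclnq.default\Mail\Local Folders\Junk multiple threats (contained infected files) 00000000000000000000000000000000 C
C:\NetIdea\addicons.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
"""
```

Calling parse_eset_log(SAMPLE_LOG) gives two runs; only the second reports completed(), and its three detections carry the mailbox paths and the quarantined executable separately.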
  13. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I don't want to mess with your mail, so make sure you empty "Junk" folder.
    There are also some threats listed in your "Inbox", so be very careful with the mail, especially regarding any mail with attachments.
    Always, always scan any attachment with your AV program before opening it.

    =========================================================================

    I need fresh HJT log.
  14. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    I hope you don't mind me pasting this, getting a little burnt out here trying to find it in C drive....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:48:32 PM, on 03/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.secure-by-design.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.secure-by-design.com/
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,56/mcinsctl.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099443584203
    O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4468/mcfscan.cab
    O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEBC318-B8ED-4A40-84B4-A59E4CAD6135}: NameServer = 216.113.192.3 216.113.192.4
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

    --
    End of file - 7111 bytes
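    Added example, not from this thread or from HijackThis: a Python helper that pulls the review-relevant pieces out of a pasted HJT log like the one above: O4 autostart executables (flagging bare file names that carry no drive path), the O17 DNS servers to compare against the ISP's known resolvers, and the hosts that O16 ActiveX controls were downloaded from. The sample input is an excerpt of the log pasted above; the .exe-extraction heuristic is mine, not HijackThis's.

```python
import re
from urllib.parse import urlparse

# HijackThis lines are "<Rn|Onn> - <detail>"; the patterns below follow the log pasted above.
HJT_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<detail>.+)$")
O4_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)  # quoted path, or up to first .exe

def parse_hjt(text):
    """Return (section, detail) pairs for every HJT entry line, ignoring the process list."""
    return [(m.group("sec"), m.group("detail"))
            for m in map(HJT_RE.match, (l.strip() for l in text.splitlines())) if m]

def autostarts(entries):
    """O4 Run entries as (hive, name, executable, has_full_path).
    A bare file name (no drive letter) is resolved through the search path at logon,
    which is why reviewers look twice at such entries."""
    out = []
    for sec, detail in entries:
        m = O4_RE.match(detail) if sec == "O4" else None
        if not m:
            continue
        e = EXE_RE.match(m.group("cmd"))
        exe = (e.group(1) or e.group(2)) if e else m.group("cmd")
        out.append((m.group("hive"), m.group("name"), exe, bool(re.match(r"[A-Za-z]:\\", exe))))
    return out

def nameservers(entries):
    """DNS servers from O17 entries; compare them with the ISP's expected resolvers."""
    ips = []
    for sec, detail in entries:
        if sec == "O17" and (m := re.search(r"NameServer = (.+)$", detail)):
            ips.extend(m.group(1).split())
    return ips

def dpf_hosts(entries):
    """Hosts that O16 ActiveX controls were downloaded from."""
    return sorted({urlparse(d.rsplit(" - ", 1)[-1]).hostname for s, d in entries if s == "O16"})

# Excerpt of the HijackThis log pasted above (sample input, not the full log).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.secure-by-design.com/
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEBC318-B8ED-4A40-84B4-A59E4CAD6135}: NameServer = 216.113.192.3 216.113.192.4
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""
```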
  15. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Not at all. I even prefer pasted logs :)

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ========================================================================


    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
  16. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    I will get to that a little later after a restart; my poor old computer's memory is not what it used to be and the Junk mail in T-bird is resisting deletion. Thanks a million, I will update you later :)
  17. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    OK :).....
  18. bkfuhrer

    bkfuhrer Newcomer, in training Topic Starter Posts: 76

    Thanks Broni, for all your help. I have followed the last steps you outlined with the exception of installing WOT, I'm busy trying to get rid of old crap on this computer....Have many old games and apps that don't need to be here anymore...
    A few questions if you don't mind...
    Should I worry about installing the Recovery Console? It was resistant to installation during my last go around with Malware so it makes me wonder...
    Was it the malware that made certain apps so difficult to work with (combo fix, etc) or is it just the fact that this is an older computer and the dial up factor?
    Do you see any other issues I should deal with from the HJT log- unnecessary start-ups, buttons etc ?
    Any other scans to do?
    Computer is running much, much better now...
    I think there must be a special place in heaven for the techs on this board who help us half-witted surfers from the dangerous waves of malware :)
  19. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Hahahaha :)

    I'd strongly suggest installing WOT. It's just an add-on, so it practically doesn't take any space.
    On the other hand it's extremely helpful with staying away from bad websites.
    Websites used to be safe. It's not the case anymore. Your computer can get infected just by visiting a website.

    It's very helpful when the computer becomes not bootable, but you still can create a bootable CD, which will allow you to access the Recovery Console.

    Computer age doesn't have any impact here. Dial-up sucks, but what can you do...LOL

    We took care of those.

    I'm glad your computer is doing fine :)
    Happy computing :)