TechSpot

Removing malware. Done 8 step process. logs attached

By bellodee
Feb 21, 2010
  1. Hi
    Hope this is the right place. I have carried out the 8-step malware removal process and I am attaching the logs. Please let me know what to do next.

    thanks
     
  2. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    What are the issues?

    You don't have any antivirus program installed.
    Please, download and install one of these:

    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows firewall is turned on, or use Comodo firewall.
    If you decide to install Comodo Internet Security, or just Comodo firewall, make sure Windows firewall is turned off.

    IMPORTANT! Make sure, you use only ONE antivirus, and ONE firewall.

    After installation, update the program and run full scan.

    Post back, when you're done.
     
  3. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Hello Broni

    Thanks for your advice. Will do the suggested and let you know how I get on. The issues were: 1. slow connection speed to my wireless router - I get a reading of about 11 - 18 Mbps whereas with my laptop I get 54 Mbps, and
    2. I had the XP 2010 virus which prevented me from accessing the web and switching on my Windows firewall.

    One last thing: I thought Microsoft Security Essentials has a built-in antivirus. Should I leave it installed or get rid of it before installing the firewall and antivirus you suggested?

    Thanks
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Ooops, I didn't see Microsoft Security Essentials installed. You're fine then.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Thanks very much. I am about to start the process. Will post the logs when I am done.
     
  6. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    I have just discovered a new problem. When I am logged on using my regular login I can't access Control Panel and other programmes, for instance, and when I downloaded ComboFix and tried to start it, it asks which programme to use to run it. When I am logged on using my administrator login I do not have these problems. Should I proceed using the administrator login, or are there steps to take before I do?
     
  7. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Yes, please.
     
  8. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Thank you. I have done the ComboFix and HijackThis scans. Please find attached the log files.
     

  9. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  10. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Thanks once again. I will do this after work and send feedback.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    No problem :)
     
  12. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Hello
    The scans took a while but finally here are the logs: the Kaspersky scan and the recent HijackThis scan which I have called hikackthis2.
    thanks
     

  13. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    The above indicates, you have some suspicious mail in your inbox. We can't delete a whole folder, so just be careful, when you open your mail, especially when any attachment is involved.

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe
    C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE
    C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE
    C:\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  14. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Thanks Broni.
    I will do so and get back to you.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    No problem :)
     
  16. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Hi Broni, I have done the OTM 'scan' and the log is included below.
    Thanks.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe moved successfully.
    C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE moved successfully.
    File/Folder C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE not found.
    C:\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe moved successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 41 bytes

    User: All Users

    User: Amina
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 41192 bytes

    User: Ayesha
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 28009 bytes

    User: Bello
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 300 bytes

    User: Bello.FAMILY
    ->Temp folder emptied: 12400290 bytes
    ->Temporary Internet Files folder emptied: 58406496 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 2013723 bytes

    User: BELLO~1~FAM

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 41 bytes

    User: localroot
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 300 bytes

    User: my admin account
    ->Temp folder emptied: 98440566 bytes
    ->Temporary Internet Files folder emptied: 2499087 bytes
    ->Java cache emptied: 131563 bytes
    ->Flash cache emptied: 1146 bytes

    User: Nabilah
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 25911 bytes

    User: NetworkService
    ->Temp folder emptied: 18892 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 300 bytes

    User: Tariq
    ->Temp folder emptied: 985546 bytes
    ->Temporary Internet Files folder emptied: 3129383 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 18452 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 24838 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 2849 bytes

    Total Files Cleaned = 170.00 mb


    OTM by OldTimer - Version 3.1.10.0 log created on 03012010_194557

    Files moved on Reboot...
    File C:\Documents and Settings\Bello.FAMILY\Local Settings\Temp\~DF6247.tmp not found!
    File C:\Documents and Settings\Bello.FAMILY\Local Settings\Temp\~DF62A1.tmp not found!
    File C:\Documents and Settings\Bello.FAMILY\Local Settings\Temp\~DFA252.tmp not found!
    File C:\Documents and Settings\Bello.FAMILY\Local Settings\Temp\~DFA296.tmp not found!
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\UN2H75W3\iframe-v169[1].htm moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\UN2H75W3\mine-32280343[2].htm moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\UN2H75W3\xd_receiver[1].htm moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\0FZGY0ZF\sh11[1].html moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\08QHRREO\login_status[1].htm moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\Content.IE5\08QHRREO\topic143365[1].html moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\Documents and Settings\Bello.FAMILY\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

    Registry entries deleted on Reboot...
     
  17. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Good :)
    Please, disable "word wrap" in Notepad, because last log was hard to read.

    =============================================================

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ======================================================================

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add/Remove Programs (Programs & Features in Vista).

    ==========================================================================

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: (no name) - AutorunsDisabled - (no file)
    - O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    - O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    - O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    - O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    - O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    - O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    - O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    - O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    - O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
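The O2 and O4 entries listed in the post above follow a fixed HijackThis line format. As an added example (not code from the thread, from HijackThis, or from any tool mentioned here), the Python below parses such lines into their parts, lists the orphaned BHO registrations that show "(no file)", and extracts the distinct programs that start at logon so a reviewer can check each path. The sample lines are constructed, modelled on the ones in the post.

```python
import re

# Constructed sample lines (not the poster's actual log), modelled on the
# HijackThis entries listed in the post above.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    r"O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe",
]

# O2 = Browser Helper Object: name, CLSID (or a placeholder), backing DLL or "(no file)".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.*)$")
# O4 = autostart from a registry Run key: hive, value name, command, optional user.
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 from the all-users Startup folder: shortcut name and its target.
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<command>.*)$")

def executable_from_command(command):
    """First token of a Run-key command: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def parse_entry(line):
    """Return a dict describing one HijackThis line, or None if the type is not handled."""
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"], "file": m["file"]}
    m = O4_REG_RE.match(line)
    if m:
        return {"type": "O4", "hive": m["hive"], "name": m["name"], "command": m["command"],
                "exe": executable_from_command(m["command"]), "user": m["user"]}
    m = O4_STARTUP_RE.match(line)
    if m:
        # Startup-folder targets are printed unquoted, so the whole target is the path.
        return {"type": "O4", "hive": "Global Startup", "name": m["name"],
                "command": m["command"], "exe": m["command"], "user": None}
    return None

def parse_hjt(lines):
    return [e for e in (parse_entry(l) for l in lines) if e is not None]

def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone: harmless leftovers, but the fixer removes them."""
    return [e["name"] for e in entries if e["type"] == "O2" and e["file"] == "(no file)"]

def startup_executables(entries):
    """Distinct programs launched at logon, the list a reviewer checks against known-good paths."""
    return sorted({e["exe"] for e in entries if e["type"] == "O4"})

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LINES)
    print("orphaned BHOs:", orphaned_bhos(parsed))
    for path in startup_executables(parsed):
        print("startup:", path)
```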
  18. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Thanks and sorry about the word wrap. I will disable and post the log later.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK.........
     
  20. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    Hi Broni,
    I have done as recommended and the latest hijackthis log is attached.
    Thanks
     

  21. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Re-run HJT. Checkmark:
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost

    Click "Fix checked" button.

    When done....


    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
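The [resethosts] step in the OTM script earlier and the two O1 entries fixed in this post concern the same file, and the "ÿþ" in front of 127.0.0.1 is the UTF-16 byte-order mark (bytes FF FE) shown as ANSI characters. As an added example (not from the thread or any tool mentioned in it), this Python checker decodes a hosts file with whatever BOM it carries, reproduces that ANSI view, and flags entries that block or redirect sites other than localhost. Both sample files are constructed.

```python
import codecs
import ipaddress

# Constructed samples, not the poster's real hosts file. The first mimics a hosts file
# saved as UTF-16 LE with a byte-order mark: read byte-by-byte as ANSI text, the BOM
# bytes FF FE display as "ÿþ", which is why HijackThis showed "ÿþ127.0.0.1 localhost".
SAMPLE_UTF16_HOSTS = codecs.BOM_UTF16_LE + "127.0.0.1 localhost\r\n::1 localhost\r\n".encode("utf-16-le")
SAMPLE_ASCII_HOSTS = (
    b"# constructed example of a tampered hosts file\r\n"
    b"127.0.0.1 localhost\r\n"
    b"127.0.0.1 update.antivirus.example\r\n"  # a vendor site blocked
    b"203.0.113.5 www.bank.example\r\n"        # a site redirected elsewhere
)
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

def ansi_view_first_line(raw):
    """Approximate what a tool reading the file as ANSI text shows for line 1 (NULs dropped)."""
    return raw.decode("latin-1").replace("\x00", "").splitlines()[0]

def decode_hosts(raw):
    """Return (encoding, text), honouring a UTF-16 or UTF-8 BOM that Notepad may have written."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le", raw[2:].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be", raw[2:].decode("utf-16-be")
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig", raw.decode("utf-8-sig")
    return "ansi", raw.decode("latin-1")

def parse_hosts(text):
    """Return [(address, [hostnames]), ...] for every non-comment, non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def suspicious_entries(entries):
    """Flag anything beyond 'localhost -> loopback'; hijackers use every other pattern."""
    flagged = []
    for address, names in entries:
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            flagged.append((address, " ".join(names), "unparsable address"))
            continue
        for name in names:
            if name.lower() in LOCALHOST_NAMES:
                if not loopback:
                    flagged.append((address, name, "localhost redirected"))
            elif loopback:
                flagged.append((address, name, "site blocked via loopback"))
            else:
                flagged.append((address, name, "site redirected to another address"))
    return flagged

def check_hosts(raw):
    """Decode with the right encoding, then report suspicious mappings."""
    encoding, text = decode_hosts(raw)
    return encoding, suspicious_entries(parse_hosts(text))

if __name__ == "__main__":
    for sample in (SAMPLE_UTF16_HOSTS, SAMPLE_ASCII_HOSTS):
        print(ansi_view_first_line(sample), "->", check_hosts(sample))
```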
  22. bellodee

    bellodee TS Rookie Topic Starter Posts: 54

    I have done the things you said. Thanks very much! My computer is like new!!! It has not been this good for a very long time. I have a small issue with the display but I think this is something I may be able to sort out myself; if I can't I will seek help. Just a couple of quick questions if that's okay:
    1. Is Microsoft Security Essentials okay?
    2. Do I need a separate anti-malware programme?
    Thanks once again
     
  23. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Excellent :)
    MSE is perfectly OK.
    Run Super and 'Bytes on occasion and run TFC weekly.

    I'll mark this thread as resolved.
     
Topic Status:
Not open for further replies.
