TechSpot

Response to "8-step Viruses/Spyware/Malware Preliminary Removal Instructions"

Solved
By Ragnorock88
Mar 31, 2010
Topic Status:
Not open for further replies.
  1. OK, so I've followed steps 1-8 (this being step 8) and here are the 3 reports.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please tell me what problems you are experiencing.
     
  3. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Internet Explorer (which is not my default browser) is popping up at random intervals and attempting to display advertisements. I used my Norton 360 firewall to block IE's access to the internet. However, Internet Explorer still pops up (though now it displays "cannot connect to the internet").
     
  4. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, thanks. Please disable the CNET TechTracker program while we are cleaning. The CNet description:
    We want to be sure none of the pop-ups are related to this program.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    And let's do an online AV scan to see what got past Norton:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please include both the Combofix report and Eset log in next reply.
     
  6. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    OK, here is the ComboFix log. ESET NOD32 requires a proxy for an update or it won't run. What should I do?

    * Update: I am using the demo version of the program now and will upload the log file shortly.
     

    Attached Files:

  7. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    I'm re-running ComboFix and will send you the new log in my next post.
     
  8. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Here is the new log for ComboFix.
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please be sure to disable the antivirus, firewall and antimalware programs before running. They were running in the 2 previous scans and can affect the results.

    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    
    Folder::
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    
    RegNull::
    [HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\License information*]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    =======================
    If you're still having a problem with the Eset scan, try this one:
    Open Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. (Win 7 may require this)
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Please attach new Combofix after running the script and the Kaspersky log.
     
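Before a CFScript like the one above is dragged onto ComboFix.exe, it helps to see exactly which directives it contains and what each one will touch. The parser below is an added example, not part of this thread and not ComboFix's own code: it reads the four directive sections used in the posted script (File::, Folder::, RegNull::, RegLock::), groups the entries, and flags duplicated lines, malformed registry entries, and wildcard keys that match more than one key. The sample text is taken verbatim from the script posted above; the directive semantics assumed in the warnings are the ones described in the post (files and folders deleted, registry keys nulled or locked).

```python
"""Parse a ComboFix CFScript into a reviewable plan.

Added example, not code from the original thread or from ComboFix.
Assumption: a directive is a line ending in '::' and every non-blank line
until the next directive is an entry belonging to it.
"""
from collections import OrderedDict

# Constructed sample: the CFScript posted in the thread above, unchanged.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

Folder::
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp

RegNull::
[HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\License information*]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
"""

REGISTRY_DIRECTIVES = ("RegNull", "RegLock")


def parse_cfscript(text):
    """Return (sections, warnings).

    sections: OrderedDict {directive name: [entries]} in file order,
              with case-insensitive duplicates dropped.
    warnings: human-readable notes a helper should look at before running.
    """
    sections = OrderedDict()
    warnings = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            warnings.append("line %d: entry appears before any directive: %s" % (lineno, line))
            continue
        entries = sections[current]
        # Windows paths and registry keys are case-insensitive, so compare that way.
        if line.lower() in (e.lower() for e in entries):
            warnings.append("line %d: duplicate %s entry: %s" % (lineno, current, line))
            continue
        if current in REGISTRY_DIRECTIVES and not (line.startswith("[") and line.endswith("]")):
            warnings.append("line %d: %s entry is not a bracketed registry key: %s" % (lineno, current, line))
            continue
        # A trailing '*' makes the directive apply to every key with that prefix.
        if line.rstrip("]").endswith("*"):
            warnings.append("line %d: wildcard %s entry matches more than one key: %s" % (lineno, current, line))
        entries.append(line)
    return sections, warnings


def plan_summary(text):
    """One line per directive: how many distinct targets it will act on."""
    sections, _ = parse_cfscript(text)
    return ["%s: %d target(s)" % (name, len(entries)) for name, entries in sections.items()]


if __name__ == "__main__":
    sections, warnings = parse_cfscript(SAMPLE_CFSCRIPT)
    for line in plan_summary(SAMPLE_CFSCRIPT):
        print(line)
    for w in warnings:
        print("WARNING:", w)
```

Run against the posted script it reports one File target (the second index.dat line is a duplicate of the first), two Folder targets, and two RegNull and two RegLock targets, with both SecuROM entries flagged as wildcards.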
  10. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    ComboFix is running again. Also, I am running Windows 7 and have Firefox set as the default browser.

    The NOD32 scanner detected 3 trojans but did not produce a log, which I found odd.
     
  11. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Ad-Aware, ZoneAlarm, and Super Anti Virus restarted when I logged in, but I quickly shut the processes down. Will it interfere with the last part of the scanning process?
     

    Attached Files:

     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please go find it.

    You download the program first and save to the desktop. Then you disable the security programs before you double click to run the program.
     
  13. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Ad-Aware, ZoneAlarm, and Super Anti Virus have been shut down and set to not turn on unless I activate them. Norton firewall and active protection have been disabled, but I can't seem to stop it from showing notifications. Is this an issue, and if so, how do I disable Norton 360 completely?
     
  14. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Here is the latest ComboFix log with the shut-down programs.

    *Note: I'm re-running ESET with Explorer (this might take an hour or more; it took 3:30 last time).
     

    Attached Files:

  15. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Here is the log file from the new scan.
     

    Attached Files:

  16. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Because I reinstalled ESET before I read your message, the only log file I have is this one and the other one I sent you. The new scan indicated that there was only one trojan this time, and the file spot can be seen in the previous file.

    *Considering where it's coming from, I believe removing this program (the one specified as Metro 2033) and its related files would be advantageous.
    I will wait for your response before I proceed, however.
     

    Attached Files:

    • log.txt (76 bytes)
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't understand why you aren't sending me the entire logs! You don't need to pick out the 'bad' entries to send. I want to see it all!

    The log shows:
    C:\Program Files\METRO 2033\metro2033.exe a variant of Win32/Injector.BDJ trojan
    I'd like to see the entire log, which will show date and time it was run along with a few other entries.

    Then you leave this again:
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK


    Please follow this:
    Copy the log and either paste it in the next reply or attach it. It's my job to check the logs and decide what needs to be done- based on what I see.
     
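The 76-byte log quoted above contains only the installer's two "CAB hook" lines and none of the run summary Bobbye is asking for. The script below is an added example, not code from the thread or from ESET, that tells a truncated log apart from a complete one and pulls out the detections so they can be pasted as text rather than screenshots. The layout it assumes (a '# key=value' header such as utc_time, scanned and found, followed by one tab-separated line per detection) is an assumption about the scanner's log format; both sample logs are constructed here, the first mirroring the two lines posted above and the second with made-up header values around the metro2033.exe detection the thread names.

```python
"""Check an ESET Online Scanner log.txt for completeness and list detections.

Added example, not code from the original thread or from ESET.
Assumed format: optional installer lines, then '# key=value' header lines,
then one detection per line with tab-separated fields
(path, threat name, action, hash, flag).
"""

# Constructed: the entire content of the 76-byte log attached in the thread.
TRUNCATED_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
"""

# Constructed: an assumed complete log; header values are invented.
FULL_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# utc_time=2010-04-02 01:15:33
# local_time=2010-04-01 09:15:33 (-0400, Eastern Daylight Time)
# osver=6.1.7600 NT
# scanned=183217
# found=1
# cleaned=0
# scan_time=12634
C:\\Program Files\\METRO 2033\\metro2033.exe\ta variant of Win32/Injector.BDJ trojan\t(unable to clean)\t00000000000000000000000000000000\tI
"""

# Header keys that only appear once the scan has actually run to completion.
SUMMARY_KEYS = ("utc_time", "scanned", "found")


def parse_eset_log(text):
    """Return {'header': dict, 'detections': list, 'complete': bool, 'consistent': bool}."""
    header = {}
    detections = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        # Installer bookkeeping lines carry no scan information.
        if line.startswith("ESETSmartInstaller") or line.startswith("OnlineScanner.ocx"):
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        fields = line.split("\t")
        if len(fields) >= 2:
            detections.append({
                "path": fields[0],
                "threat": fields[1],
                "action": fields[2] if len(fields) > 2 else "",
            })
    complete = all(k in header for k in SUMMARY_KEYS)
    # The 'found' counter should agree with the number of detection lines.
    consistent = complete and header["found"].isdigit() and int(header["found"]) == len(detections)
    return {"header": header, "detections": detections,
            "complete": complete, "consistent": consistent}


def report(text):
    """Plain-text lines suitable for pasting into a forum reply."""
    r = parse_eset_log(text)
    if not r["complete"]:
        return ["INCOMPLETE LOG: only installer hook lines present; re-run the scan "
                "and attach the whole log.txt"]
    lines = ["scan (UTC): %s  scanned=%s found=%s" %
             (r["header"]["utc_time"], r["header"]["scanned"], r["header"]["found"])]
    for d in r["detections"]:
        lines.append("%s -> %s %s" % (d["path"], d["threat"], d["action"]))
    if not r["consistent"]:
        lines.append("WARNING: 'found' count does not match the number of detection lines")
    return lines


if __name__ == "__main__":
    for name, log in (("truncated", TRUNCATED_LOG), ("full", FULL_LOG)):
        print("==", name)
        for line in report(log):
            print(line)
```

The completeness check keys off the summary header rather than file size, so a log from a clean machine (found=0, no detection lines) is still reported as complete, while the two-line installer stub is not.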
  18. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    This is from the first scan. Here are the screenshots; nothing has been edited and nothing was taken out. I am going to do another scan, and it will take 3.5 hours. After that scan I will take screenshots and send the log file again.
     

    Attached Files:

  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Well, I think the confusion is because you're doing a screen shot instead of a copy and paste. I see one entry on 4/1/2010 that says "log". Please double click to open the file and see if it's the Eset log. If it is:
    Go up to Edit> Select All> Edit> Copy> then open Notepad and paste the copy of the log.(Ctrl V)
     
  20. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Here is the second scan. I have to run out for a bit; I will be back in an hour. I apologize.
     

    Attached Files:

  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Here is some help: http://www.worldstart.com/tips/shared/copypaste.htm

    You must open the log, copy the contents and paste it here. The screen prints do just what they say: take a print, an image, of what is on the screen. That doesn't do any good here.

    On screen print #2, do you see the folder named "Quarantined" and the file called 'log', both dated 4/1/2010? I need for you to double click on each of them, copy the contents, paste it to notepad and attach here.

    I have copied part of a log for you to see what is needed. When you open the log, yours should be similar to this. This is the contents of the log, not a picture of the screen:
    I have deleted part of the log so as not to take up so much space, but your log will resemble this.
     
  22. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    The quarantine is empty.


    Here, I'll run another scan and double-check the quarantine afterwards.
     

    Attached Files:

  23. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Here is during the early part of the scan.
     

    Attached Files:

  24. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Later in the scanning process, with 1 threat found.
     

    Attached Files:

  25. Ragnorock88

    Ragnorock88 TS Rookie Topic Starter Posts: 24

    Final scan results and files under the name "log" (as you can see, "log 2" and "log 1" cannot be found; however, I assure you that they were created). Also, what I saw from your post I cannot seem to find under the area you specified. Also, I am removing the Metro 2033 program and associated files as of now.
     

    Attached Files:
