Solved Response to "8-step Viruses/Spyware/Malware Preliminary Removal Instructions"

Ragnorock88

Ok so I've followed steps 1 - 8 (this being step 8) and here are the 3 reports.
 

Attachments:
  • hijackthis.log (6.6 KB)
  • mbam-log-2010-03-31 (15-54-28).txt (1.2 KB)
  • SUPERAntiSpyware Scan Log - 03-31-2010 - 16-24-18.log (914 bytes)
Internet Explorer (which is not my default browser) is popping up at random intervals and attempting to display advertisements. I used my Norton 360 firewall to block IE's access to the internet. However Internet Explorer still pops up (though now it displays "cannot connect to the internet").
 
Okay, thanks. Please disable the CNET TechTracker program while we are cleaning. The CNET description:
The TechTracker app shows you the software that is out of date and provides you with the information to decide which updates you need.
We want to be sure none of the pop-ups are related to this program.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run it.
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow it.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
And let's do an online AV scan to see what got past Norton:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please include both the Combofix report and Eset log in next reply.
 
Ok here is the ComboFix log. Eset NOD32 requires a proxy for an update or it won't run. What should I do?

* update: I am using the demo version of the program now and will upload the log file shortly.
 

Attachments:
  • ComboFix.txt (28.6 KB)
I'm re-running ComboFix and will send you the new log in my next post.
 
Here is the new log for ComboFix.
 

Attachments:
  • ComboFix..txt (29.6 KB)
Please be sure to disable the antivirus, firewall and antimalware programs before running. They were running in the 2 previous scans and can affect the results.

  1. Close any open browsers.
  2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

Folder::
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp

RegNull::
[HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-692946247-3924552147-1366034368-1001\Software\SecuROM\License information*]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
Save this as CFScript.txt, in the same location as ComboFix.exe

[Picture: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
=======================
If you're still having a problem with the Eset scan, try this one:
Open Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. (Win 7 may require this)
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please attach new Combofix after running the script and the Kaspersky log.
 
ComboFix is running again. Also I am running Windows 7 and have Firefox set as default browser.

The NOD32 scanner detected 3 trojans but did not produce a log, which I found odd.
 
Ad-Aware, ZoneAlarm, and SUPERAntiSpyware restarted when I logged in but I quickly shut the processes down. Will it interfere with the last part of the scanning process?
 

Attachments:
  • ComboFix.txt (34.1 KB)
the NOD32 scanner detected 3 trojans but did not produce a log, which I found odd.

A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please go find it.

Ad-Aware, ZoneAlarm, and SUPERAntiSpyware restarted when I logged in but I quickly shut the processes down.
You download the program first and save it to the desktop. Then you disable the security programs before you double click to run the program.
 
Ad-Aware, ZoneAlarm, and SUPERAntiSpyware have been shut down and set to not turn on unless I activate them. Norton firewall and active protection has been disabled but I can't seem to stop it from showing notifications. Is this an issue and if so how do I disable Norton 360 completely?
 
Here is the latest ComboFix log with the programs shut down.

*note: I'm re-running Eset with Explorer (this might take an hour or more; it took 3:30 last time).
 

Attachments:
  • ComboFix.txt (31.6 KB)
Here is the log file from the new scan.
 

Attachments:
  • ESET scanner logs.txt (82 bytes)
Because I reinstalled Eset before I read your message, the only log file I have is this one and the other one I sent you. The new scan indicated that there was only one trojan this time and the file location can be seen in the previous file.

*Considering where it's coming from, I believe removing this program (the one specified as Metro 2033) and its related files would be advantageous.
I will wait for your response before I proceed, however.
 

Attachments:
  • log.txt (76 bytes)
I don't understand why you aren't sending me the entire logs! You don't need to pick out the 'bad' entries to send. I want to see it all!

The log shows:
C:\Program Files\METRO 2033\metro2033.exe a variant of Win32/Injector.BDJ trojan
I'd like to see the entire log, which will show the date and time it was run along with a few other entries.

Then you leave this again:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK


Please follow this:
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Copy the log and either paste it in the next reply or attach it. It's my job to check the logs and decide what needs to be done- based on what I see.
 
This is from the first scan. Here are the screenshots; nothing had been edited and nothing was taken out. I am going to do another scan and it will take 3.5 hours. After that scan I will take screenshots and send the log file again.
 

Attachments:
  • Capture1.PNG (198.8 KB)
  • Capture2.jpg (78.8 KB)
  • Capture3.PNG (68.3 KB)
Well, I think the confusion is because you're doing a screen shot instead of a copy and paste. I see one entry on 4/1/2010 that says 'log'. Please double click to open the file and see if it's the Eset log. If it is:
Go up to Edit> Select All> Edit> Copy> then open Notepad and paste the copy of the log (Ctrl V).
 
Here is the second scan. I have to run out for a bit; I will be back in an hour. I apologize.
 

Attachments:
  • Capture4.jpg (94.1 KB)
  • Capture5.jpg (79.3 KB)
  • Capture6.jpg (68.5 KB)
Here is some help: http://www.worldstart.com/tips/shared/copypaste.htm

You must open the log, copy the contents and paste it here. The screen prints do just what they say- take a print- an image- of what is on the screen. That doesn't do any good here.

On screen print #2, do you see the folder named "Quarantined" and the file called 'log', both dated 4/1/2010? I need you to double click on each of them, copy the contents, paste it into Notepad and attach it here.

I have copied part of a log for you to see what is needed. When you open the log, yours should be similar to this. This is the contents of the log, not a picture of the screen:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=..............
# end=stopped
# antistealth_checked=false
# utc_time=2010-03-30 11:06:46
# local_time=2010-03-30 04:06:46 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777
# utc_time=2010-03-31 12:38:57
# local_time=2010-03-30 05:38:57 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 6127 6127 0 0
# scanned=154769
# found=2
# cleaned=0
# scan_time=5157
C:\Qoobox\Quarantine\C\Windows\System32\drivers\onlldr.sys.vir Win32/Rootkit.Kryptik.BB trojan 80C6AF4F948D4168FC90DA1A6F4B6924 I
C:\Users\Kevin\AppData\Local\VirtualStore\Windows\System32\C2H3 a variant of Win32/Phyiost.AE trojan DFDAA083B07942FEE550FF2C0880B61E I
I have deleted part of the log so as not to take up so much space, but your log will resemble this.
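The helper asks for the whole log rather than the handful of detection lines because the `# key=value` header carries the run date, whether the scan actually finished, and the found/cleaned counts that the detection lines should agree with. As an added example (not part of this thread and not ESET's own tooling), the Python below parses that header and the detection lines from a constructed log modelled on the excerpt quoted above, then cross-checks them the way a log reviewer would. Two things are assumptions rather than facts from the thread: that ESET writes `end=finished` on a completed run (the thread only shows `end=stopped`), and that a path under ComboFix's `C:\Qoobox\Quarantine` folder means the file is already contained.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the excerpt quoted in the post above
# (same two detections; only one session header so it is one scan record).
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=..............
# end=stopped
# antistealth_checked=false
# utc_time=2010-03-31 12:38:57
# local_time=2010-03-30 05:38:57 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# scanned=154769
# found=2
# cleaned=0
# scan_time=5157
C:\Qoobox\Quarantine\C\Windows\System32\drivers\onlldr.sys.vir Win32/Rootkit.Kryptik.BB trojan 80C6AF4F948D4168FC90DA1A6F4B6924 I
C:\Users\Kevin\AppData\Local\VirtualStore\Windows\System32\C2H3 a variant of Win32/Phyiost.AE trojan DFDAA083B07942FEE550FF2C0880B61E I
"""

# Header lines look like "# key=value".
HEADER_RE = re.compile(r"^#\s*([A-Za-z_.0-9]+)=(.*)$")
# A detection line ends with a 32-hex MD5 and a flag column; what precedes
# that is the path followed by the threat description.
TAIL_RE = re.compile(r"^(?P<body>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<flags>\S+)\s*$")
# The threat description starts with an optional "(probably) a variant of"
# and then a family name containing a slash (e.g. Win32/...), which cannot
# occur inside a Windows path, so that is where the path ends.
BODY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of\s+)?[A-Za-z0-9]+/\S.*)$"
)


def parse_eset_log(text: str) -> dict:
    """Split an ESET Online Scanner log into its header and detections.
    Later header values win, which is what you want when the scanner has
    appended a second session to the same file."""
    header: Dict[str, str] = {}
    detections: List[dict] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2).strip().strip('"')
            continue
        t = TAIL_RE.match(line)
        if t:
            b = BODY_RE.match(t.group("body"))
            if b:
                detections.append({**b.groupdict(), "md5": t.group("md5"),
                                   "flags": t.group("flags")})
        # Anything else (installer banner, "registred OK") is ignored.
    return {"header": header, "detections": detections}


def summarize(parsed: dict) -> dict:
    """The checks a reviewer wants before deciding on next steps."""
    h, dets = parsed["header"], parsed["detections"]
    found = int(h.get("found", "0"))
    cleaned = int(h.get("cleaned", "0"))
    return {
        # Assumption: ESET records end=finished on a run that completed.
        "completed": h.get("end") == "finished",
        "scanned_utc": h.get("utc_time"),
        "found": found,
        "cleaned": cleaned,
        # Header count and the detection lines actually present should agree.
        "counts_match": found == len(dets),
        # Assumption: files under ComboFix's Qoobox quarantine are already contained.
        "already_quarantined": [
            d["path"] for d in dets if "\\qoobox\\quarantine\\" in d["path"].lower()
        ],
    }


if __name__ == "__main__":
    result = summarize(parse_eset_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample the summary reports that the run was stopped rather than finished, that the header's `found=2` matches the two detection lines, that nothing was cleaned, and that one of the two hits is a file already sitting in ComboFix's quarantine; a log that has been trimmed to its detection lines cannot answer any of those questions, which is the helper's point.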
 
The quarantine is empty.

Here I'll run another scan and double check the quarantine afterwards.
 

Attachments:
  • Capture8.jpg (108.3 KB)
Here is the early part of the scan.
 

Attachments:
  • Capture7(after8).jpg (182.2 KB)
Later in the scanning process, with 1 threat found.
 

Attachments:
  • Capture9.PNG (122.2 KB)
Final scan results and files under the name "log" (as you can see, "log 2" and "log 1" cannot be found; however I assure you that they were created). Also, what I saw in your post I cannot seem to find under the area you specified. Also I am removing the Metro2033 program and associated files as of now.
 

Attachments:
  • Capture10.jpg (103.9 KB)
  • Capture11.jpg (104.6 KB)
  • Capture12.jpg (137.3 KB)