TechSpot

System scan logs after 8-step process

By scincuboy
Dec 11, 2008
  1. I get a lot of popups while I am online. At first I had a problem downloading SuperAntiSpyware because it would get to about 73% and just stop every time. So I tried about 10 more times from different websites and it finally worked. I'm not in any hurry, but hopefully someone can get back to me pretty soon about my logs. Thanks
     

    Attached Files:

  2. Kazi

    Kazi TS Enthusiast Posts: 121

    Logs are looking good.
    Just to make sure there is no more Vundo:
    Run VundoFix
    http://www.atribune.org/ccount/click.php?id=4


    Click Scan for Vundo, then Fix.

    Tell me if anything is found, and any symptoms.
    I'll review your HJT log soon.
     
  3. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    That program says everything is fine: 0 detections.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Still some leftovers

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here with a fresh hijackthis log
     
  5. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    I think I did the SDFix thing right. I ran the computer in Safe Mode, then started the SDFix program. When I had to restart I let it go into regular mode instead of Safe Mode, and then it finished the whole process. I got the log file from SDFix and then got a fresh log from HJT. Here they are. Thanks for your time, guys.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Excellent - that got the worst of it.

    Now, if you have anti-scripting with McAfee, that needs to be disabled, and also TeaTimer.

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    =======================================

    ComboFix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  7. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    So I disabled TeaTimer and McAfee OAS, then I ran the ComboFix program. I got the log from ComboFix and a fresh log from HJT. I'm pretty much clueless now as to what's going on, so hopefully you guys know. Thanks again.
    Here are the two logs:
     

    Attached Files:

  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hmm, I need to know before proceeding: did you, or somebody with access to your computer, download a program/game called TizzleTalk?

    It looks like it may be packed with adware.

    Also please visit http://virusscan.jotti.org/

    and have these files scanned:

    d:\profile.cu\Application Data\tizhook.bin
    d:\profile.cu\Application Data\internaldb6334.dat
    d:\profile.cu\Application Data\internaldb41.dat
    d:\profile.cu\Application Data\internaldb8467.dat


    Then paste the results for me.
     
  9. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    So I scanned all four of those files with four different programs (Spybot S&D, McAfee ODS, SUPERAntiSpyware, and Malwarebytes' Anti-Malware) and there was nothing harmful to be found. As for TizzleTalk, I installed that on my computer a while ago but thought that I got rid of it and uninstalled it. Can you help me to get rid of that also?
     
  10. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    Oh, I get a page load error when I try to go to that URL, so I just scanned with those programs.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am getting the same error; their server must be down.

    Upload a File to Virustotal
    Please visit VirusTotal
    • Click the Browse... button
    • Navigate to the file d:\profile.cu\Application Data\tizhook.bin
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
     
  12. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    File tizhook.bin received on 04.08.2007 13:15:42 (CET)
    Current status: finished
    Result: 2/31 (6.45%)
    Antivirus Version Last Update Result
    AhnLab-V3 - - -
    AntiVir - - -
    Authentium - - -
    Avast - - -
    AVG - - -
    BitDefender - - -
    CAT-QuickHeal - - -
    ClamAV - - -
    DrWeb - - -
    eSafe - - suspicious Trojan/Worm
    eTrust-Vet - - -
    Ewido - - -
    F-Prot - - -
    F-Secure - - -
    FileAdvisor - - -
    Fortinet - - suspicious
    Ikarus - - -
    Kaspersky - - -
    McAfee - - -
    Microsoft - - -
    NOD32v2 - - -
    Norman - - -
    Panda - - -
    Prevx1 - - -
    Sophos - - -
    Sunbelt - - -
    Symantec - - -
    TheHacker - - -
    VBA32 - - -
    VirusBuster - - -
    Webwasher-Gateway - - -
    Additional information
    MD5: 45bf7e33d8ebb00013f624741b0dd297
    SHA1: 96fc3463f044bd56f3549d49ecb8c99c25cd12cf
    SHA256: a5b985b4ae4ae85c4c674e3adb66dba00d1974644a6ea1ca149e07dc1e4b3fc7
    SHA512: 39176d17a57acd8785a583735d0a93816df95b3b0e7b046846b5a29db7cc04f1206051bb739141be6c7ebb62669d32d12311a44f81058cea08b0bba90a9ac6f1
     
  13. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    and the other files had no results.
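The VirusTotal result above is a flat text dump: a ratio, one row per engine, and the file's hashes. Two things in it are worth checking by hand rather than by eye: whether every "detection" is only a heuristic verdict (here eSafe's "suspicious Trojan/Worm" and Fortinet's "suspicious" are, so the 2/31 says "looks odd", not "known family"), and whether the file sitting on your own disk is actually the same bytes that were submitted, which the MD5/SHA1/SHA256 lines let you verify. The script below is an added example, not code from the thread or from VirusTotal; the report text in it is a constructed, trimmed copy of the table pasted above (8 of the 31 rows), and the placeholder bytes stand in for tizhook.bin, which is not on this page.

```python
import hashlib
import re

# Constructed sample: a trimmed copy of the engine table pasted in the thread
# (the real report had 31 rows; only these are reproduced here).
SAMPLE_REPORT = """\
File tizhook.bin received on 04.08.2007 13:15:42 (CET)
Current status: finished
Antivirus Version Last Update Result
AhnLab-V3 - - -
eSafe - - suspicious Trojan/Worm
F-Secure - - -
Fortinet - - suspicious
Kaspersky - - -
McAfee - - -
Sophos - - -
Symantec - - -
Additional information
MD5: 45bf7e33d8ebb00013f624741b0dd297
SHA1: 96fc3463f044bd56f3549d49ecb8c99c25cd12cf
SHA256: a5b985b4ae4ae85c4c674e3adb66dba00d1974644a6ea1ca149e07dc1e4b3fc7
"""

# engine, version, last-update, verdict; the verdict may contain spaces.
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\S+)\s+(?P<result>.+)$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512):\s*(?P<digest>[0-9a-fA-F]+)$")
# Verdict words that mean "heuristic / generic" rather than a named family.
HEURISTIC_WORDS = ("suspicious", "heur", "generic", "packed")


def parse_vt_report(text):
    """Parse the plain-text report into {engine: verdict-or-None} plus the hashes.

    Only lines between the 'Antivirus ...' header and 'Additional information'
    are treated as engine rows, so the 'File ... received on ...' line is not
    mistaken for one.
    """
    engines, hashes, in_table = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus "):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                verdict = m.group("result").strip()
                engines[m.group("engine")] = None if verdict == "-" else verdict
        else:
            h = HASH_RE.match(line)
            if h:
                hashes[h.group("algo").lower()] = h.group("digest").lower()
    return {"engines": engines, "hashes": hashes}


def summarize(report):
    """Detection ratio, the engines that flagged the file, and whether all verdicts are heuristic."""
    flagged = {e: v for e, v in report["engines"].items() if v is not None}
    heuristic_only = all(any(w in v.lower() for w in HEURISTIC_WORDS) for v in flagged.values())
    return {
        "detections": len(flagged),
        "total": len(report["engines"]),
        "flagged": flagged,
        "heuristic_only": bool(flagged) and heuristic_only,
    }


def file_hashes(data):
    """MD5/SHA-1/SHA-256/SHA-512 of a byte string, the digests VirusTotal lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def same_sample(data, report):
    """True only if every hash the report lists matches the local bytes."""
    local = file_hashes(data)
    listed = report["hashes"]
    return bool(listed) and all(local[algo] == digest for algo, digest in listed.items())


if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_REPORT)
    print(summarize(rep))
    # Constructed stand-in bytes; the real tizhook.bin is not on this page.
    print("same sample:", same_sample(b"constructed placeholder, not tizhook.bin", rep))
```

Run it on the full pasted report and a copy of the file taken from the machine: a hash mismatch means the file on disk is not what was scanned (a different build, or already replaced), and a ratio made up only of "suspicious"/"heur" verdicts is a reason to keep the file in quarantine rather than to treat it as a known infection.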
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I think that after this you should completely uninstall Firefox and reinstall it fresh.

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
      O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} -
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    =============================================

    OTMoveIt3 by OldTimer
    Please download OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Services
      
      :Reg
      
      :Files
      d:\profile.cu\Application Data\tizhook.bin
      
      :Folders
      c:\program files\Viewpoint\
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ========================================

    Run the temp file cleaner again - either CCleaner or ATF cleaner

    ========================================

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    =======================================

    Attach here:
    1) OTMoveit3 log
    2) Kaspersky scan log
     
  15. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    Here's the OT log file, and the Kaspersky scanner found one file located here:

    D:\Profile.cu\My Documents\FrostWire\Saved\paper plans trey songs MTV.mp3

    how do I get rid of this file? I think I'm just going to use FileShredder if that's okay.
     
  16. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    Oh, and here's another thing. My McAfee OAS keeps turning red, and every time I look at the log file there's something new... and for some reason, instead of just showing me new things, it shows me the new things along with all the old things. If I could somehow just get it to show me the new blocked items, could someone tell me how to do that? Thanks
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    FileShredder is fine, or use FileAssassin through Malwarebytes -> More Tools -> Run Tool.

    With McAfee it depends: what is it finding? Can you attach the log here for me to look at?

    Also, please run and attach a fresh HijackThis log.
     
  18. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    OK, so for McAfee I just deleted everything that showed up in the log file, which I thought would just delete all the old things. Now, when it turns red, I go to the log file and it doesn't show anything. Hope I didn't do something wrong. Here is the fresh HJT log file:

    And since I deleted that file that Kaspersky found, I am no longer getting pop-ups in Firefox. Thanks for all your help so far!
     
  19. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    So I just went back into McAfee and switched some properties back to their original and everything shows up now. Here's what's showing up:
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am not familiar with the correct settings of McAfee, as I recommend against it, but it would seem one of your settings is incorrect: these files should not be allowed, and should be quarantined. Let me know if you want to switch to a free product that will quarantine the files from the temp folder.

    Until you let me know, let's just delete all .tmp files from that folder.

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\student\Local Settings\Temp\*.tmp
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]

    Please paste the above into OTMoveIt3 just like before and select Moveit!

    Then I want to see the log after
    ==============================================

    Please update and rescan with SAS and MBAM - and attach those logs
     
  21. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    What's the product called, and where do I find it? So I'm looking for OTMoveIt and I can't find it. I put all of these programs into a folder on my desktop (4 programs), and when I looked in the folder there are only 3. I try to download OT again and the download won't even start. What do I do?
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Proceed with MBAM and SAS updates, then we will deal with that next
     
  23. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    Done updating!
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you rescan with them already? If so, please attach the logs
     
  25. scincuboy

    scincuboy TS Rookie Topic Starter Posts: 19

    Thanks, here's the logs:
     