System scan logs after 8 step process

Status
Not open for further replies.

scincuboy

Posts: 19   +0
I get a lot of popups while I am online. At first I had a problem downloading SuperAntiSpyware because it would get to about 73% and just stop every time. So I tried about 10 more times from different websites and it finally worked. I'm not in any hurry but hopefully someone can get back to me pretty soon about my logs. Thanks
 

Attachments

  • mbam-log-2008-12-11 (22-23-47).txt
    4.7 KB · Views: 6
Still some leftovers

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here with a fresh hijackthis log
 
I think I did the SDFix thing right. I ran the computer in safe mode then started the SDFix program. When I had to restart I let it go into regular mode instead of safe mode and then it finished the whole process. I got the logfile from SDFix and then got a fresh log from HJT. Here they are. Thanks for your time, guys.
 
Excellent - that got the worst of it.

Now, if you have anti-scripting with McAfee, that needs to be disabled, and also TeaTimer.

Disable Teatimer
  • Right click the Spybot - S&D Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

=======================================

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
So I disabled TeaTimer and McAfee OAS, then I ran the Combofix program. Got the log from Combofix and got a fresh log from HJT. I'm pretty much clueless now as to what's going on, so hopefully you guys know. Thanks again.
Here are the two logs:
 

Attachments

  • combofixlog.txt
    12.3 KB · Views: 5
Hmm, I need to know before proceeding: did you or somebody with access to your computer download a program/game called TizzleTalk?

It looks like it may be packed with adware.

Also please visit http://virusscan.jotti.org/

and have these files scanned:

d:\profile.cu\Application Data\tizhook.bin
d:\profile.cu\Application Data\internaldb6334.dat
d:\profile.cu\Application Data\internaldb41.dat
d:\profile.cu\Application Data\internaldb8467.dat


Then paste the results for me.
 
So I scanned all four of those files with four different programs (Spybot S&D, McAfee ODS, SUPERAntiSpyware, and Malwarebytes' Anti-Malware) and there was nothing harmful to be found. As for TizzleTalk, I installed that on my computer a while ago but thought that I got rid of it and uninstalled it. Can you help me to get rid of that also?
 
I am getting the same error - their server must be down

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file d:\profile.cu\Application Data\tizhook.bin
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
File tizhook.bin received on 04.08.2007 13:15:42 (CET)
Current status: finished
Result: 2/31 (6.45%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - suspicious
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 45bf7e33d8ebb00013f624741b0dd297
SHA1: 96fc3463f044bd56f3549d49ecb8c99c25cd12cf
SHA256: a5b985b4ae4ae85c4c674e3adb66dba00d1974644a6ea1ca149e07dc1e4b3fc7
SHA512: 39176d17a57acd8785a583735d0a93816df95b3b0e7b046846b5a29db7cc04f1206051bb739141be6c7ebb62669d32d12311a44f81058cea08b0bba90a9ac6f1
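A multi-engine report is only about the exact sample whose hashes are printed at the bottom of it, so before acting on it you want to confirm that the file on your own disk produces the same digests. The script below is an added example, not part of the thread and not VirusTotal's code: it hashes a file with Python's standard library and compares each digest with the values pasted above (the MD5/SHA1/SHA256/SHA512 lines are copied from the report; the sample bytes in the demo are constructed).

```python
import hashlib
import os
import tempfile
from typing import Dict

# Digests copied from the VirusTotal report for tizhook.bin pasted in the thread.
REPORTED_HASHES: Dict[str, str] = {
    "md5": "45bf7e33d8ebb00013f624741b0dd297",
    "sha1": "96fc3463f044bd56f3549d49ecb8c99c25cd12cf",
    "sha256": "a5b985b4ae4ae85c4c674e3adb66dba00d1974644a6ea1ca149e07dc1e4b3fc7",
    "sha512": (
        "39176d17a57acd8785a583735d0a93816df95b3b0e7b046846b5a29db7cc04f1"
        "206051bb739141be6c7ebb62669d32d12311a44f81058cea08b0bba90a9ac6f1"
    ),
}

# The four algorithms the report lists, all available in hashlib.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return the hex digest of an in-memory byte string under each algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so large samples do not have to fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def compare_hashes(local: Dict[str, str], reported: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result; comparison is case-insensitive because sites differ in case."""
    return {
        name: local[name].lower() == value.lower()
        for name, value in reported.items()
        if name in local
    }


def same_sample(local: Dict[str, str], reported: Dict[str, str]) -> bool:
    """True only when every algorithm present in the report matches the local digest."""
    results = compare_hashes(local, reported)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Constructed demo: write a scratch file, hash it, and compare with the report.
    # A mismatch on every algorithm means the report describes a different file.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample, not the real tizhook.bin\n")
        local = hash_file(sample)
        for name, matched in compare_hashes(local, REPORTED_HASHES).items():
            print(f"{name:6} {'match' if matched else 'differs'}  {local[name]}")
        print("same sample as the report:", same_sample(local, REPORTED_HASHES))
```

Run it with the path of the file you uploaded substituted for the scratch file; if the digests differ from the report, the engine verdicts above do not apply to your copy and the file should be re-submitted.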
 
I think that after this you should completely uninstall firefox and reinstall it fresh.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

=============================================

OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    d:\profile.cu\Application Data\tizhook.bin
    
    :Folders
    c:\program files\Viewpoint\
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

========================================

Run the temp file cleaner again - either CCleaner or ATF cleaner

========================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply

=======================================

Attach here:
1) OTMoveit3 log
2) Kaspersky scan log
 
Here's the OT logfile, and the Kaspersky scanner found one file located here:

D:\Profile.cu\My Documents\FrostWire\Saved\paper plans trey songs MTV.mp3

how do I get rid of this file? I think I'm just going to use FileShredder if that's okay.
 
Oh, and here's another thing. My McAfee OAS keeps turning red and every time I look at the logfile there's something new... and for some reason instead of just showing me new things it shows me the new things along with all the old things. If I could somehow just get it to show me the new blocked items could someone tell me how to do that? Thanks
 
FileShredder is fine, or use File Assassin through Malwarebytes -> More Tools -> Run Tool

With McAfee it depends: what is it finding, and can you attach the log here for me to look at?

Also please run and attach a fresh hijackthis log
 
Ok, so for McAfee I just deleted everything that showed up in the logfile which I thought would just delete all the old things. Now, when it turns red, I go to the logfile and it doesn't show anything. Hope I didn't do something wrong. Here is the fresh HJT logfile:

And since I deleted that file that Kaspersky found I am no longer getting pop-ups on Firefox. Thanks for all your help so far!
 
So I just went back into McAfee and switched some properties back to their original and everything shows up now. Here's what's showing up:
 
I am not familiar with the correct settings of McAfee as I recommend against it, but it would seem one of your settings is incorrect - these files should not be allowed, and should be quarantined. Let me know if you want to switch to a free product that will quarantine the files from the temp folder.

Until you let me know, let's just delete all .tmp files from that folder

Code:
:Processes
explorer.exe

:Services

:Reg

:Files
C:\Documents and Settings\student\Local Settings\Temp\*.tmp

:Commands
[emptytemp]
[start explorer]
[Reboot]


Please paste the above into OTMoveit3 just like before and select Moveit!

Then I want to see the log after
==============================================

Please update and rescan with SAS and MBAM - and attach those logs
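The two OTMoveIt3 scripts in this thread share one text format (a handful of `:Section` headers, one entry per line), and the second one uses a wildcard, `*.tmp`, which removes every matching file in the folder rather than one named file. The previewer below is an added example, not OldTimer's tool and not from the thread: it parses that format, flags entries that contain wildcards, and lists what they would match on the local disk without moving or deleting anything. The section meanings are taken from the scripts as posted (`:Files` and `:Folders` name things to be moved, `:Commands` holds tool directives); the scratch directory and its three files are constructed for the demo, and the tool itself is not reimplemented.

```python
import glob
import os
import tempfile
from typing import Dict, List

# Instruction text modelled on the second script in the thread. "{temp}" is a
# placeholder the demo swaps for a scratch directory instead of the real Temp folder.
SAMPLE_SCRIPT = """:Processes
explorer.exe

:Services

:Reg

:Files
{temp}\\*.tmp

:Commands
[emptytemp]
[start explorer]
[Reboot]
"""

WILDCARDS = ("*", "?")


def parse_script(text: str) -> Dict[str, List[str]]:
    """Split an OTMoveIt-style script into {':Section': [entries]} (hypothetical parser)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def wildcard_entries(sections: Dict[str, List[str]]) -> List[str]:
    """Entries in :Files/:Folders that use wildcards; these deserve a dry run first."""
    flagged = []
    for key in (":Files", ":Folders"):
        for entry in sections.get(key, []):
            if any(ch in entry for ch in WILDCARDS):
                flagged.append(entry)
    return flagged


def expand_files(sections: Dict[str, List[str]]) -> List[str]:
    """Resolve each :Files entry against the disk and return the matches, read-only."""
    matched: List[str] = []
    for entry in sections.get(":Files", []):
        matched.extend(sorted(glob.glob(entry)))
    return matched


def demo() -> List[str]:
    """Preview the sample script against a constructed scratch folder; returns basenames hit."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("abc.tmp", "def.tmp", "keep.txt"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("constructed sample file\n")
        # Use the platform separator so the same demo runs on Windows and Linux.
        script = SAMPLE_SCRIPT.replace("{temp}\\", tmp + os.sep)
        sections = parse_script(script)
        return [os.path.basename(path) for path in expand_files(sections)]


if __name__ == "__main__":
    sections = parse_script(SAMPLE_SCRIPT)
    print("sections:", sorted(sections))
    print("wildcard entries to review:", wildcard_entries(sections))
    print("files the demo script would hit:", demo())
```

Point `expand_files` at the real script before pasting it into OTMoveIt3 and you get the exact list of files the `*.tmp` line is about to remove, which is the check to make when a wildcard lands on a folder that also holds files you want to keep.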
 
What's the product called and where do I find it? So I'm looking for OTMoveIt and I can't find it. I put all of these programs into a folder on my desktop (4 programs) and when I looked in the folder there are only 3. I try to download OT again and the download won't even start. What do I do?
 