TechSpot

Trying to follow preliminary 15 steps - having a bit of a problem

By GingerTheDog
Oct 29, 2007
  1. Hello nice site you have here :)
    I am trying to do the preliminary 15 steps before posting my problem. I got to step 10, downloaded and followed the instructions for tool 1, and now I cannot seem to download anything else. I click on the link and they come up like they are supposed to, and when I click save file, nothing happens. I did get Panda AntiRootkit to load by opening it with compress disk instead of clicking save file; the other downloads didn't have that option as they aren't zips.
    The rootkit program said there were no rootkits found.

    Should I continue on without executing tools 2 & 3 in step 10 and Combofix in step 12?
    I had spybot s&d, Avast, ZoneAlarm, ccleaner & HJT installed already so just had to update them.
    Thank you for your help, I really do need it!

    Edit: Okay, miraculously the links are working now! So I'm continuing on with the steps, will post findings when through, probably tomorrow morning.
     
  2. N3051M

    N3051M TS Evangelist Posts: 2,115

    Use another PC to download them if you have to, then transfer via a USB drive/CD etc. Post all relevant log files as attachments after running the tools and apps.

    Two of the tool links lead you to a website where you can download them; the third is a link to the actual file itself (if I remember correctly). If you still have problems, just skip to the next step and mention what you skipped in your next post.
     
  3. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    Okay, finally got all the scans and things done! I followed all 15 steps; the only one I couldn't do was step 3, the online virus scan wouldn't continue. I even left it go for a few hours and it never went, so I skipped it.

    The symptoms I was having were:
    • There was a security toolbar 7.1 in IE7 browser
    • There was a yellow flashing triangle in my system tray with various bogus and misspelled warnings and alerts.
    • I was receiving a large amount of endless popups for some bogus antivirus program (bestseller among others) - the popups would come whether I was using IE or not (I prefer Firefox)
    • Computer was running extremely slow at almost 100% cpu with no programs actively being used
    • There were also 2 shortcut icons on my desktop for some bogus security programs

    So far since rebooting after step 15 I haven't had any more of these problems so maybe I'm clean!

    The Panda Scan said no rootkits were found.
    When I ran Avast in safe mode (step 13) there were no infections found; the results page that came up had one thing on it and it said:
    • C:\SystemVolumeInformation\... \[UPX] - unable to scan - The file is a decompression bomb.
    I have no idea if this is good or bad.

    Here are my HJT, ComboFix and AVG Anti-spyware logs.
    I hope I haven't forgotten anything.
    Thank you !
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is still badly infected.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Win32 USB2 Driver (Microsoft Config)

    Close the services window.


    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :wave: :wave:

    This thread is for the use of GingerTheDog only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    Thank you for the help. I will do this right now and post back asap.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, no problem mate.

    Regards Howard :)

     
  7. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    Well that was fairly quick :) Here's the ComboFix log and fresh HJT log.
    Also, Thank you for the Welcome!
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    PowerReg Scheduler V3.exe
    PowerReg Scheduler

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

    O4 - Startup: PowerReg Scheduler V3.exe

    O4 - Startup: PowerReg Scheduler.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O15 - Trusted Zone: *.ebaystatic.com

    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll

    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    PowerReg Scheduler V3.exe
    PowerReg Scheduler
    Search your system for these files and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

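As an added illustration, not part of the thread or of HijackThis itself: a small Python triage script that parses HJT entries of the kinds listed in the post above (O4, O9, O15, O16), pulls out the CLSID and download URL where present, and flags the ones a helper would look at first. The sample input is built from lines quoted in that post; the section meanings and the flagging rules are my own assumptions, and the bare-IP check for O16 entries goes slightly beyond what the post spells out.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis lines copied from the fix list quoted in the post above.
SAMPLE_HJT = """\
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.ebaystatic.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")   # {8-4-4-4-12} GUID in braces
URL_RE = re.compile(r"https?://\S+")
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_hjt_line(line):
    """Split 'Oxx - body' into section, body, and any CLSID / URL found in the body."""
    m = re.match(r"^(O\d+)\s*-\s*(.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid, url = CLSID_RE.search(body), URL_RE.search(body)
    return {"section": section, "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "url": url.group(0) if url else None}

def triage(entry):
    """Reasons a helper would look twice at this entry (empty list = nothing notable). Assumed rules."""
    reasons = []
    sec, body = entry["section"], entry["body"]
    if sec == "O4" and "Default user" in body:
        reasons.append("startup item in the Default User profile; copied to every new account")
    if sec == "O9" and "(no file)" in body:
        reasons.append("IE button whose target file is gone; orphaned entry")
    if sec == "O15":
        reasons.append("site added to the IE Trusted Zone; rarely done on purpose")
    if sec == "O16":
        host = urlparse(entry["url"]).hostname if entry["url"] else None
        if host and IP_HOST_RE.match(host):
            reasons.append("ActiveX (DPF) control downloaded from a bare IP address")
        else:
            reasons.append("ActiveX (DPF) control; remove unless the site is still used")
    return reasons

def triage_log(text):
    """Parse every HJT line in text and return (section, clsid, url, reasons) tuples."""
    parsed = (parse_hjt_line(l) for l in text.splitlines())
    return [(e["section"], e["clsid"], e["url"], triage(e)) for e in parsed if e]
```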
     
  9. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    I'm on it ;)
     
  10. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    The
    PowerReg Scheduler V3.exe
    PowerReg Scheduler
    weren't in task manager in safe mode

    I did delete 4 instances of them that search found.

    I know that I put a check next to
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

    but I see that it's there again now. I'm not sure if I should try it again so I will wait for instructions to do so.

    Here is the fresh log.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix the following from normal mode.

    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

    O4 - Startup: AutoTBar.exe

    Reboot your system and see if they're still there. They're not nasty, more of an annoyance really.

    Other than that, your HJT log is clean as a whistle.

    Regards Howard :)

     
  12. GingerTheDog

    GingerTheDog TS Rookie Topic Starter

    That did the trick, I also searched it and deleted files. It's gone :)

    So my computer is really clean now? Wow, thank you so much, that was pretty pain-free.

    Hopefully this will not happen again anytime soon, I will have to run my virus and spyware programs more often I suppose.

    I really appreciate the quick and thorough advice you offer. I tried to receive help on a few other forums with no replies, before I found this one. You and your fellow Techs are truly wonderful.

    Thanks ;)
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s good news and you should be good to go.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
