8 Steps done - Log check please

Status
Not open for further replies.
Ok, so two nights ago I had a very weird freezup of firefox, and was unable to close it without it remaining open. I then received some prompts from spybot s&d teatimer re: registry changes, that I denied, because at this point I was getting pretty concerned. After unplugging the power and restarting the computer, I began to get 0xd1 BSOD (Driver:IRQL_Not_Less_or_Equal). Figuring this was probably somehow related to the earlier weirdness, I did the 8 steps.

Note that I installed the newest version of Java, and was unable to find any other version of java in my add/remove programs.

Note also that my avast scan found 2 infected files that I deleted, but stupidly did not take note of their names (thinking there would be a log available later). I have not been able to find a log though.

See attached logs.

Thanks for any help you may provide, I truly appreciate how helpful this community is.
 
NOTE: the malware is in the System Restore points. Do NOT do a System Restore while we're cleaning. We will drop the old restore points when the system is clean.

You are running two antivirus programs:
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

Decide which one you want on the system and uninstall the other. If you decide to uninstall the Symantec/Norton program, use the Norton Removal Tool HERE

Temp files should be cleaned out occasionally:
C:\DOCUME~1\OLDMAN~1\LOCALS~1\Temp\clclean.0001
This is from "Creative Filter AudioControlMB Module"
(ctmbha.dll, version 1.0.1.22).

Please re-open HiJackThis> click on System Scan Only> Check the boxes next to all the entries listed below:

O2 - BHO: (no name) - {DDAD52FC-45AA-4493-872A-5E1D7823C437} - (no file)
O2 - BHO: (no name) - {E87D9DDF-FC36-4699-B73F-37BBC978160F} - C:\WINDOWS\system32\mlJYpPFy.dll (file missing)>> this is another Vundo process.
O4 - HKLM\..\Run: [win16dll] C:\Program Files\44052\cae4.exe>> Screenspy captures screenshots silently. If you didn't install this yourself, remove it. (Filename: win16dll.exe)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: ssqRjGYO - C:\WINDOWS\>> this is the Trojan.WinFixer.Process.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Poker Stars
Any process related to win16dll, 44052 or cae4.exe
> Apply> OK

Open IE> Tools> Manage Add-on> find the Eset OnlineScanner Control> highlight> Disable.

Control Panel> Add/Remove Programs> UNINSTALL the following if present:
PokerStars
win16dll, 44052 or cae4.exe

Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Run the VundoFix:
Please download VundoFix.exe from HERE and save it to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Then run SDFix:
* Download SDFix from HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

Rescan with HijackThis AFTER VundoFix and SDFix. Attach all logs and reports.
 
Much Better! A little overkill in the extra programs but it appears we got all the malware entries. Technically, TeaTimer should have been disabled before the scans. This was covered in the Steps.

The HijackThis log is clean, but I would like to advise that you have many unnecessary processes starting on boot and running in the background. For instance, there are numerous 'Creative' processes. NONE of these need to start on boot. The last 2 are Services and they can be set to Startup type Manual instead of Automatic.
CTSysVol.exe /r>> Surround Mixer
CTSched.exe /logon>> Task Scheduler
StartFX.exe>> Web cam
AndreaVC.exe /tray>> Creative Voice Center
Creative Labs Licensing Service
Creative Service for CDROM Access
You have 3 Media Players starting up: NONE need to start on boot.
QuickTime
Real Player
Creative
I used to help people stop these nuisance startups, but it got to be too time consuming. Just know that the ONLY processes you need to start on boot are:
Antivirus program
Firewall
Touchpad for laptop.
All else can be started manually as needed.

Something else to consider: If you don't use the Dell preloaded processes, get rid of them. I have found few do!

Please disable TeaTimer BEFORE you run the Kaspersky scan.

SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
I'd like you to run the Kaspersky online scan just to make sure what you found is gone:
Kaspersky online scan
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

* Click Accept and the web scanner will begin to load
* If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
* You will be prompted to install an ActiveX component from Kaspersky, click Install
* If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT and then Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start to scan your system.
* Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Attach the scan report. If it's clean, we'll remove the cleaning tools and old restore points. Now is the time to tell me if you are still experiencing the problem you started with.
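As an added example (this is my own script, not code from the thread, from HijackThis, or from any of the tools mentioned), here is a read-only PowerShell audit of the autostart locations that the HijackThis O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) entries in the log above come from. It flags any entry whose file no longer exists, like the two "(file missing)" items in the log, and lists the Creative-style Run entries so you can see what is set to start on boot. The function names and the FileExists column are my own; the script changes nothing on the system, so the removal steps given in the thread still apply.

```powershell
# Added example, not part of the thread or of HijackThis: a read-only audit of the
# autostart locations behind HijackThis O2 / O4 / O20 entries. Assumes Windows with
# PowerShell 2.0 or later, run from an elevated prompt. Function names are my own.

function Resolve-ExePath {
    # Pull the program path out of a Run value such as '"C:\x\y.exe" /tray' or 'C:\x\y.exe /r'
    param([string]$Command)
    $path = $Command.Trim()
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($path -match '^(\S+\.exe)') { $path = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-RunEntries {
    # O4 equivalent: values under the HKLM and HKCU Run / RunOnce keys
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, etc.
            $exe = Resolve-ExePath ([string]$p.Value)
            New-Object PSObject -Property @{
                Section = 'O4'; Location = $k; Name = $p.Name
                File = $exe; FileExists = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

function Get-BhoEntries {
    # O2 equivalent: each BHO CLSID resolved through HKCR\CLSID\{guid}\InprocServer32
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in (Get-ChildItem -Path $bhoKey)) {
        $clsid = $sub.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path $srv) {
            $dll = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty -Path $srv).'(default)')
        }
        New-Object PSObject -Property @{
            Section = 'O2'; Location = $bhoKey; Name = $clsid
            File = $dll; FileExists = ($dll -ne '' -and (Test-Path -LiteralPath $dll))
        }
    }
}

function Get-WinlogonNotifyEntries {
    # O20 equivalent: Winlogon Notify packages (an XP-era key; absent on newer Windows)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in (Get-ChildItem -Path $key)) {
        $dll = [string](Get-ItemProperty -Path $sub.PSPath).DLLName
        # A bare name like crypt32.dll is loaded from System32
        if ($dll -ne '' -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        New-Object PSObject -Property @{
            Section = 'O20'; Location = $key; Name = $sub.PSChildName
            File = $dll; FileExists = ($dll -ne '' -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Collect everything and show the suspicious-looking rows first: a registered
# autostart whose file is gone (like the "(file missing)" lines in the log) is
# either leftover from a removal or something a cleaner already took out.
$all = @(Get-RunEntries) + @(Get-BhoEntries) + @(Get-WinlogonNotifyEntries)
$all | Sort-Object FileExists, Section | Format-Table Section, Name, FileExists, File -AutoSize
```

Rows with FileExists set to False are the ones worth comparing against the HijackThis log; rows with a real file but a name you don't recognise (the 44052\cae4.exe style) are the ones to look up before deciding. Because the script only reads the registry and tests for files, it is safe to run before and after the cleaning tools to confirm that the entries really went away.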
 
Note that the only noticeable symptom (0xd1 BSOD) I was having disappeared at some point during the 8 steps.

Kaspersky report is attached.
 
hm, was getting "invalid file" for kaspersky report (as html) when trying to attach it. I've copied and pasted what was found into a txt and attached it here.
 
It looks like your Norton has quarantined Trojan-Downloader.JS.Agent.hv1. Delete the contents of your antivirus program's quarantine folder.

There is some discussion as to whether this finding actually is a Trojan, but since it's been quarantined, best to delete it.

But you did have malware! IF the system is stable now, please delete the above and you can remove the cleaning tools and old restore points:

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Clear your existing system restore points and establish a new clean restore point:
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and OK it.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Please let us know if we can be of any more help.
 