Cleanup help / confirmation

By Del ¬∑ 5 replies
Jun 20, 2010
  1. Background:
    About a week ago I stumbled across some site that launched acrobat reader when it shouldn't have, obviously doing something bad. Killed it from process explorer, but damage done already.
    Did a scan with Trend Micro Housecall, which didn't find anything other than the usual false positives.
    Something was clearly still wrong, as whenever I tried to follow google results the usual way (i.e. clicking the link) I'd end up somewhere bad and cpu usage would spike. Copy link location + paste still worked fine though.

    After a few days, the symptoms went away on their own. Still didn't seem likely that whatever caused them had done the same.
    Eventually I found the Kaspersky online scanner, which found a few things but, from what I can tell, didn't do anything about them. Log saved if needed.
    Found the 8-step, got Avira and did the steps more or less in order (did 2 and 3 before the full scan in 1).
    Avira cleaned some files up in the post install quick scan (logs available if needed), then found those false positives in the full scan (I let it remove them this time, nothing I'm using anyway).
    MBAM and GMER found nothing, as far as I can tell.
    Had a bit of an issue when I reconnected the network after running GMER, with the svchost hosting dhcpclient/firewall/etc and avguard each taking 40+ % cpu; ended up pushing the reset button, and after the restart things worked again.
    DDS marked a line with [?], but I'm not sure that one's an issue. Not sure I know what to look for in these files either though.

    What I'm wondering now is, is there more to do?
    The requested logs are attached. DDS log is ever so slightly altered: I replaced the dns ips with a marker. They were what they should be, though I don't know if that's where they should be, so I left the line in.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The driver in question is this:
    S3 cpuz130;cpuz130;\??\c:\docume~1\del\lokala~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\del\lokala~1\temp\cpuz130\cpuz_x32.sys [?]

    This entry was for the Windows (R) Codename Longhorn DDK provider/driver:
    DDK is the Driver development Kit and Codename Longhorn was for Vista

    It is also a temp file and can be removed.

    Are you actually having any problems now? I don't see anything in these logs other than some old versions you need to remove:

    Old versions of both the Adobe reader and Java should be uninstalled when a new version is updated. They are vulnerabilities on the system: Java(TM) 6 Updates 2, 3 5 and 7

    You have the correct current Java version 6u20.

    Get current Adobe reader v9.xx:
    Visit this Adobe Reader site and make sure you have the most current update.

    Then uninstall v7.
    Please run this online AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  3. Del

    Del TS Rookie Topic Starter

    I kinda suspected it had something to do with cpu-z, as that's something I've used some time long ago. I suppose it's possible it' from something else I've used, but I don't think I've done anything Longhorn-related.
    It's already gone, actually. Either long ago, or after step 2 (TFC).

    None that I know of, but that was true for a couple of days before I even got started cleaning up, so... not sure that means all that much.
    However, if Avira, Kaspersky and NOD32 all say I'm clean, I suppose that's a decent indicator. Ran a critical sections scan with Kaspersky online scanner yesterday while waiting for a reply, and the NOD32 one is running at the moment.

    If it's the restore points you're looking at, "togs bort" translates to "was removed". I don't see any other mentions of old java/adobe versions. Shame I hadn't noticed Reader not updating on its own earlier, or I might have been able to avoid this...

    Speaking of the RPs, I was going to mention them but apparently fumbled that.
    It seems the malware enabled system restore on the first bootup after infection (looking at the time for RP1). Avira cleaned one file in there as well, with the same signature as what was found elsewhere.
    RP 7-13 are from me doing step 3, dunno about 2-6.
    Should probably wipe all of those once I'm reasonably sure everything's clean.

    Eset NOD32 Online AntiVirus Scanner is running at the moment (18% after 22 minutes), will get the log here when it's done.

    Edit: got held up on the phone a bit. Nothing found here either.
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=
    # OnlineScanner.ocx=
    # api_version=3.0.2
    # EOSSerial=99266c65a9ad5d44adcf9d6e5bec8722
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-06-21 08:00:15
    # local_time=2010-06-21 10:00:15 (+0100, Västeuropa, sommartid)
    # country="Sweden"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=1797 16775141 100 93 186187 36238429 0 0
    # compatibility_mode=8192 67108863 100 0 502 502 0 0
    # scanned=378783
    # found=0
    # cleaned=0
    # scan_time=5078
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Looks good! Remove Longhorn driver:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave log.
    You can remove the cleaning tools now. This will also handled the old restore points:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Let me know if I can be of any mroe help.
  5. Del

    Del TS Rookie Topic Starter

    Is downloading cf and dropping the script on it enough, or would I have to install it or something first?
    I'm out of town at the moment though, so won't be able to do this for another couple of weeks or so.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Run the script, remove the cleaning tools. I'll go ahead and close the thread.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...