Completed step 8 logs attached

Status
Not open for further replies.

arbor13

Internet Explorer is slow to open, and Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.
 

Attachments

  • SUPERAntiSpyware Scan Log - 11-20-2008 - 17-50-47.log
    670 bytes · Views: 5
Hi arbor13

When any cleaner is run, it is possible that one run removes certain powerful malware and then exposes more that was not even seen on the first run.

The goal is to get these to come up clean or find something it can not handle.

So run both MBAM and SAS again and post the logs.

Good job so far.

Mike
 
iexplore.exe

Ran both programs again; they came up with 0 detected. Internet Explorer is still slow to open, and Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.
 
Hi arbor13

Yes you likely do have more!

OK next step.

Download SDFix to the Desktop; among other things, it uses Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop, run SDFix. It will run (install), then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Copy and paste the Report.txt file to your next post.

Mike
 
Mike,
Ran the SDFix program. Here is the log file:


SDFix: Version 1.240
Run by paul schneeweiss on Mon 11/24/2008 at 09:32 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-24 09:47:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\eSignal\\winros.exe"="C:\\Program Files\\eSignal\\winros.exe:*:Enabled:eSignal Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 29 Aug 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
Wed 10 Jan 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
Wed 10 Jan 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
Fri 22 Aug 2008 637,984 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sat 5 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 13 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 21 Dec 2006 19,762,176 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL0005.tmp"
Thu 4 Jan 2007 2,050,048 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL2070.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL0332.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1234.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1591.tmp"
Tue 4 Nov 2008 19,968 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3575.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3992.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\Application Data\Microsoft\Word\~WRL0004.tmp"

Finished!

Thanks for your help. What next? Internet explorer still slow to load and 2 instances of iexplore.exe still in task manager.
 
Hi Arbor

Thought you weren't coming back.

Do the below and ATTACH the log!

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

After the above (not before) then post a new HJT log

Once I see this log clean we will address your slowness and IE issues. But Malware removal comes first.

Just so SOMEONE thinks I am missing multiple Virus Scanners I am not, and this HJT log may or may not get cleaned this time, but will be before we are finished.

Mike
 
Well Mike, I DO notice and will take issue at the multiple antivirus programs running not being handled.

arbor13, only one antivirus program should be running. You have processes loading from 3 antivirus programs plus you have an online scanner running in the background. The reason this needs to be handled now is because the multiple programs can cause a conflict that may leave you with little or NO AV protection. Decide which one you want to keep, remove the entries for ALL of the other programs, uncheck them on startup and uninstall them.

Additionally, you're running Norton Ghost, backing up your infected files. You need to disable that program for now. When your system is clean, the old infected restore points will be dropped (they show infected in MBAM), so do NOT use System Restore. So why continue backing up infected files?

These are the entries, programs and Services you need to be concerned with:
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
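
The multiple-scanner check described in the post above can be automated over a HijackThis log. This is an added example, not part of the original thread; the path-keyword-to-product map and the function names are assumptions made for illustration, and the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample input: O4/O23 lines copied from the HijackThis excerpt in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
"""

# Assumption: install-path keywords that identify a resident security product.
# Norton Ghost is a backup tool, so it is deliberately not listed.
PRODUCT_KEYWORDS = [
    ("\\avira\\", "Avira AntiVir"),
    ("avg anti-spyware", "AVG Anti-Spyware"),
    ("a-squared", "a-squared"),
    ("mcafee", "McAfee"),
]

# O4 = autostart entry: "O4 - <location>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 = service. The description itself may contain " - ", so the path is
# taken from the first " - " that is followed by a drive letter.
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def image_path(cmd):
    """Strip quotes and arguments from a command line, leaving the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def product_for(path):
    """Return the product label for a path, or None if it is not a known scanner."""
    lowered = path.lower()
    for needle, product in PRODUCT_KEYWORDS:
        if needle in lowered:
            return product
    return None


def resident_security_products(log):
    """Map product -> sorted executables that start at boot (O4) or run as a service (O23)."""
    found = defaultdict(set)
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        path = image_path(fields.get("cmd") or fields.get("path"))
        product = product_for(path)
        if product:
            found[product].add(path.rsplit("\\", 1)[-1].lower())
    return {product: sorted(exes) for product, exes in found.items()}


def conflicting_products(log):
    """Return the product names when more than one scanner is resident, else []."""
    products = resident_security_products(log)
    return sorted(products) if len(products) > 1 else []


if __name__ == "__main__":
    for product, exes in sorted(resident_security_products(SAMPLE_LOG).items()):
        print(f"{product}: {', '.join(exes)}")
    print("Conflict:", conflicting_products(SAMPLE_LOG) or "none")
```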
 
Ok Arbor

You can do the above now if you want.

My priority is to get you clean of Malware and then address these system issues.

If you do the above first before we get you clean my recommendation is Avira if you get rid of one.

Or if you like McAfee then you can actually have two virus scanners as long as only one is online/active. In this case it is an on-command scanner and has to be explicitly updated and run.

Your choice.

The AVG Antispyware is defunct and needs to be uninstalled.

All of these I would do when you are clean.

Mike
 
Two IEXPLORE.EXE Processes

Mike,
Followed your instructions:

The Combofix.exe log and HJT log are attached.

I have comcast cable internet service and they provide free Mcafee, so I would like to keep that, unless there is something better.

I read the other reply and am not sure how to go about removing the other scanners, or how to keep it loaded but only when I want to run it.

Please let me know and I will make those changes.
Thanks,
Paul
 
OK so we keep Mcafee

Reboot

Run Combofix again and post log

Use HJT Scan only to remove the below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Then go into Control panel Add/Remove programs and uninstall AVG Anti-Spyware and Avira AntiVir

Post new HJT log after all the above.

Mike
 
Next step

Mike,
Followed your last instructions.

Attached are the new Combofix log and the HJT log. Also removed AVG anti-spyware and Avira AntiVir.

Just a quick question. I have been trying to keep up with what is being done, but wondering what type of Malware this computer is infected with. Is it still infected?

Will await further instructions.
Thanks for your help,
Paul
 
OK, well, you don't now; you are clean,

except apparently you did not do the HJT deletions.

Run HJT "Scan only", place a check mark in the boxes by these, and then delete:
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)

At your option, in Add/Remove Programs uninstall a2; it is not a CPU hog but is not really needed.

As to what you had, read the MBAM logs: look under infections found, deleted and quarantined, and you will see them.

I am at work now but will make closing suggestions on how to stay clean later tonight or in the morning.

Mike
 
Additional Questions

Mike,
I followed your last instruction and removed the 2 HJT entries. Also removed A2.

I then opened Internet Explorer and still have the same problem, with 2 processes showing up in Task Manager. One of them is 25,272K and the other is 1,076K (just leaving IE open). If I try to End Process on the small one, Internet Explorer closes immediately. If I try to End Process on the larger one, I get a little bubble saying "This tab has been recovered. A problem with this webpage caused Internet Explorer to close and reopen this tab", and the mem usage goes down to about half and then back to 25K again.

I'm concerned that there still is something wrong with this computer. Please let me know what you think and how to proceed.
Thanks again,
Paul
 
with 2 processes showing up in task manager. One of them is 25,272K and the other is 1,076K (just leaving IE open).

What are the names of the processes? Spelling must be exact.
 
Two IEXPLORE.EXE processes

Sorry it took so long to reply, but I was away for the holidays.

Mike, I followed your instructions and RESET internet explorer. Did not help.

Bobbye, there are two IEXPLORE.EXE processes that show up in Task Manager as soon as I open internet explorer.

Without doing anything in Internet Explorer but opening it, this is what shows in Task Manager:

iexplore.exe username 00 17,152 K
iexplore.exe username 00 19,412 K

If I end task on the smaller one (first one) it closes Internet Explorer immediately and both processes disappear. If I end task on the larger one (second one) both processes remain and I receive an error message in Internet Explorer stating "This tab has been recovered. A problem with Internet Explorer caused it to close and reopen this tab".

I have checked other computers, and they only show 1 entry in task manager. Therefore, I think I am still infected with something on this computer. No idea what though. Hope you can point me in the right direction.

Mike has been very helpful to this point.

Thanks in advance for your help and support.
Paul
 
This was overlooked:
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00

IE8 is still in beta testing. That means there are still bugs to work out. Only beta testers should be using the beta versions of software.

Suggest you uninstall IE8 and go back to IE7 if that's what you were using.

That possibly might be the problem.

EDIT: IF this hasn't been done, please verify that this is your ISP:
From description of OpenDNS: To use OpenDNS, all you have to do is open your Network Connections or Router’s settings page and update the default DNS server to point to the OpenDNS nameservers that are 208.67.222.222 and 208.67.220.220.
208.67.222.222
OrgName: OpenDNS, LLC
OrgID: OPEND-2
Address: 199 Fremont St.
Address: 12th Floor
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
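
The check requested in the EDIT above (confirming that the configured DNS servers are ones the user actually chose) can be run over the O17 lines of a HijackThis log. This is an added example, not part of the original thread; the function name is hypothetical, the expected resolver set is the OpenDNS pair quoted in the post, and the fourth sample line is constructed with a documentation-range address to show a mismatch.

```python
import ipaddress
import re

# The three O17 lines from the post above.
PAGE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
"""

# Constructed line (not from the thread): one control set pointing at an
# address from the 203.0.113.0/24 documentation range.
CONSTRUCTED_LINE = (
    r"O17 - HKLM\System\CS3\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}"
    r": NameServer = 203.0.113.53 208.67.220.220"
)

# Resolvers the user knowingly configured: the OpenDNS pair named in the post.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# "O17 - HKLM\System\<control set>\Services\Tcpip\..\{interface GUID}: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)


def audit_nameservers(log, expected):
    """Return (control_set, interface, value, reason) for every NameServer
    entry that is not a valid IP address or is not in the expected set."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The registry value may separate servers with commas or spaces.
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((m["cs"], m["iface"], token, "not an IP address"))
                continue
            if addr not in allowed:
                findings.append((m["cs"], m["iface"], token, "unexpected resolver"))
    return findings


if __name__ == "__main__":
    log = PAGE_LINES + CONSTRUCTED_LINE
    for control_set, iface, value, reason in audit_nameservers(log, EXPECTED_RESOLVERS):
        print(f"{control_set} {iface}: {value} ({reason})")
```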
 
Good catch Bobbye

I did miss that it was IE8, I think you hit the nail on the head.

I will add that after you uninstall IE8, if you still have issues, consider overlaying/reinstalling IE7.

Bobbye may have some thoughts on this also.

Mike
 
Another Question

Bobbye & Mike,

I uninstalled IE8 and am back to IE7 with all 13 updates. IEXPLORE.EXE only appears once in the task manager and it loads the first page in about 3 seconds. Much better.

I was wondering if you could look at the attached file (screen capture) of my task manager.

GoogleDesktop.exe is showing up twice. Also, SVCHOST.exe shows up 6 times. Is this normal or is there still a problem with this computer?

Thanks again for your help in getting Internet Explorer running again and removing the MALWARE.
Paul
 
Bobbye & Mike,

I also wondered what I would need to clean up (delete) from all of the MALWARE scanning programs that were downloaded to my computer. Please let me know.

Thanks,
Paul
 
I don't know about Google desktop. I don't use those things as they are already available on the net. It very well could be normal.

The 1% CPU usage shows it is not hogging the CPU.

Perhaps someone that uses Google Desktop.

OK here is the cleanup you wanted.

If you Downloaded the Attachment Fixit then just delete it.

Thread closing-------------------------------------------------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet; allow all.

If prompted to Reboot click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner again, twice or more, to clean up temp files; then on the left click Registry, then Scan for Issues, and repeat until clean.

Download, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more is found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------
The issues found are in System Restore, so do the below.

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and then OK to run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every 2 weeks or so, run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally, it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

Install Hostman and allow it to disable DNS Client, and select all 4 Host files and then Update.
Hostman http://www.abelhadigital.com/2008/07...-released.html

A Disk scan and Defrag are in order.

Mike
 
Paul, I'll check the Task Manager. But in the meantime:

Remove the cleaning tools:

Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
Click the CleanUp! button.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
I'll come back with an EDIT for the Task Manager Processes.
Clear system restore points
Clear your existing system restore points and establish a new clean restore point:
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point> OK.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
 
New post for Processes in Task Manager:
Paul, this is more than you asked for. I have omitted some processes that need to run as part of the OS. Others I have identified, some of which you can stop: those are marked 'non-essential'.
Others say NO, meaning you should remove them from Startup or change Service Startup to either Manual or Disabled.
The program or process can then be started manually if needed.
Use what you want, ignore the rest:

Windows Task Manager
1. aawservice.exe > AdAware 2008, from Service in O23

You have two Fax Services running. Do not need to either startup or run unless you are actively using them
2. capFax.exe> capfax.exe is related to software for phone and fax. Manufacturer: BVPR Software.
3. fxssvc.exe> Microsoft's Fax Service: How to prevent fxssvc.exe from running at Windows startup?
Turn off automatic reception.
Set the Startup type of the Fax Service to Manual

None of the following need to start up, and they can be started manually when needed. "Non-essential" means not necessary to start on boot.
4. carpserv.exe> Associated with Zoltrix modems - enables the internal modem speaker, allowing you to listen to the dial-up sounds for example: non-essential
5. gearsec.exe> Gear CD/DVD Burning Software: non
6. GhostTray.exe> Norton Ghost tray icon - the application can be launched manually:

From Google Groups:
No need to worry, this is perfectly normal! Depending on what Google Desktop features you're using, such as the sidebar or content indexing, you might see up to three GoogleDesktop.exe processes in the Task Manager. It is not unusual to have 2 and possibly 3 Google Desktops running. This began after upgrading to the Google Desktop 5.7.0712.18632
7. GoogleDesktop.exe
8. GoogleDesktop.exe
9. GoogleUpdaterService.exe(gusvc)> Used to update Google programs such as Google Toolbar. Stop
10. Hkcmd.exe> Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via the Display Properties in Control Panel: non-essential
11. hpcmpmgr.exe> HP Component Manager. Installed on most computers to support HP products, such as the HP Photosmart, Deskjet, and All-In-One printers. May be used for some multimedia products.
12. hpztsb10.exe> Hewlett Packard Taskbar Utility for HP Deskjet printers to do maintenance tasks and diagnostics: non-essential
13. jqs.exe> Java Quick Start Service> disable
14. jusched.exe> Java update: Stop
Control Panel> Java> Update tab> UNCHECK ‘check for updates automatically’> answer Yes when asked if you’re sure.
McAfee Processes:
15. mcagent.exe> McAfee Security Center Agent. Yes
16. mcmscsvc.exe> McAfee Integrated Security Program User Manager (MISP User Manager). Very high CPU user. Can cause crashes. Put Service on Manual
17. McNASvc.exe> McAfee Network Agent.
18. McAfee Integrated Security Platform: non-essential
19. McProxy.exe> McAfee Proxy Service> Controls communication between various components of McAfee Security Products. Yes
20. Mcshield.exe> McAfee On-Access Scanner. Virus scans files in the background as and when you access them. Yes.
21. mcsysmon.exe> McAfee SystemGuards is a component of Mcafee VirusScan Yes
22. MpfSrv.exe> Main executable for Mcafee Personal Firewall.: Yes

Scanners: No
23. OneTouchMon.exe> For Visioneer OneTouch scanners. System tray access to the control panel for the scanner: non-essential
24. PPWEBCAP.EXE> "PaperPort" software associated with scanners: non-essential
25. SMAgent.exe> Sound subsystem driver on many ASUS motherboards. yes
26. SMax4PNP.exe > SoundMax integrated sound. Required if you have custom settings for your sound, such as effects and environments y/n

The following are normal processes. I have 9 usually showing
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
NOTE: Some of these processes are controlled on the startup menu: Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any you don't want to startup> Apply> OK

Others are controlled according to the Startup type set for Services
Start> Run> services.msc> right click on Service to change> Properties> Change Start up type to your choice and need> CHECK the Dependency tab for other needed Services. This is most easily done in Safe Mode.
When through, reboot the computer. You will get a nag message that you can ignore after you check 'don't show this message again.' Stay in Selective Startup.
 
Mike,

Followed your directions. Got to the last one about Hostman, but when I clicked your link it went to a page that says "The blog you were looking for was not found."
Everything else worked fine.

Bobbye,
Thanks for all of the information on the task manager. From all of your details, it doesn't look like I have anything suspicious left. I will get rid of the non-essential stuff.

Thanks again to both of you for your help, I really appreciate it.
Paul
 