Solved Help with virus removal - logs loaded

Status
Not open for further replies.
I can see Combofix didn't uninstall correctly, so delete it manually:
Delete the Combofix and Qoobox folders, and the Combofix.txt file, from C:\
Delete Combofix from your desktop

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\WINDOWS\system32\spool\prtprocs\w32x86\b00007020.dll
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
OTM Log

Here are the contents of the OTM log:


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\spool\prtprocs\w32x86\b00007020.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\b00007020.dll moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Amir H. Jamil
->Temp folder emptied: 813736 bytes
->Temporary Internet Files folder emptied: 22304292 bytes
->Java cache emptied: 5273 bytes
->Flash cache emptied: 552 bytes

User: AMIRH~1~JAM

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 308241 bytes

Total Files Cleaned = 22.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05232010_104129

Files moved on Reboot...
File C:\Documents and Settings\Amir H. Jamil\Local Settings\Temp\fla19.tmp not found!
File C:\Documents and Settings\Amir H. Jamil\Local Settings\Temp\~DF8551.tmp not found!
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\O06QPIX0\ads[1].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\O06QPIX0\ads[4].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\O06QPIX0\DARTIframe[2].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\O06QPIX0\DARTIframe[3].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\O06QPIX0\sh18[1].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\Content.IE5\1IF4MVCB\topic147415-2[1].htm moved successfully.
C:\Documents and Settings\Amir H. Jamil\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_b88.dat not found!

Registry entries deleted on Reboot...
 
Good :)

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

===================================================================

Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post the HijackThis log.
Do NOT attempt to fix anything!

NOTE: If you're using Vista or 7, right-click on HijackThis and click Run as Administrator.
 
HiJack This Log

Please review attached log.

Many thanks!
 

Attachments

  • hijackthis.log (15.4 KB)
Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE


4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
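The two O1 entries above are worth a closer look. HijackThis flags "ÿþ127.0.0.1 localhost" because the hosts file begins with the bytes FF FE, the UTF-16 little-endian byte-order mark, which an 8-bit reader renders as "ÿþ"; the first token on that line is then no longer a valid address, which is the kind of tampering the earlier [resethosts] command undoes. The following script is an added example, not code from the thread, from OTM or from HijackThis: it detects a leading byte-order mark, copes with both a genuinely UTF-16 file and one that merely has the two marker bytes prepended, and lists any entry that maps a name to something other than loopback. All sample file contents in it are constructed for the demonstration.

```python
"""Audit a Windows hosts file: report a leading byte-order mark and any
entry that maps a name to something other than loopback.

Added example (not from the thread, OTM or HijackThis); the sample hosts
contents below are constructed.
"""
from __future__ import annotations

LOOPBACK = {"127.0.0.1", "::1"}

# Leading byte sequences that a tool reading the file as 8-bit text shows as
# stray characters: FF FE -> "ÿþ", FE FF -> "þÿ", EF BB BF -> "ï»¿".
BOMS = [
    (b"\xff\xfe", "UTF-16 LE"),
    (b"\xfe\xff", "UTF-16 BE"),
    (b"\xef\xbb\xbf", "UTF-8"),
]


def decode_hosts(raw: bytes) -> tuple[str, str | None]:
    """Return (text, bom_label); bom_label is None when no BOM is present.

    After a UTF-16 BOM the body may be real UTF-16 (NUL bytes between the
    ASCII characters) or plain 8-bit text with only the marker bytes
    prepended; both forms are handled so the entries are still inspected.
    """
    for bom, label in BOMS:
        if raw.startswith(bom):
            body = raw[len(bom):]
            if label == "UTF-16 LE" and b"\x00" in body:
                return body.decode("utf-16-le"), label
            if label == "UTF-16 BE" and b"\x00" in body:
                return body.decode("utf-16-be"), label
            if label == "UTF-8":
                return body.decode("utf-8", errors="replace"), label
            return body.decode("latin-1"), label
    # No BOM: the normal case, a single-byte text file.
    return raw.decode("latin-1"), None


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [names]) for each effective line; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.append((address, names))
    return entries


def audit_hosts(raw: bytes) -> dict:
    """Summarise what a defender wants to know about a hosts file."""
    text, bom = decode_hosts(raw)
    entries = parse_hosts(text)
    redirected = [(addr, names) for addr, names in entries if addr not in LOOPBACK]
    has_localhost = any(
        addr in LOOPBACK and "localhost" in names for addr, names in entries
    )
    return {
        "bom": bom,
        "entries": len(entries),
        "redirected": redirected,
        "has_localhost": has_localhost,
    }


# Constructed samples (not taken from the thread's logs).
CLEAN = b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n127.0.0.1       localhost\r\n"
BOM_ONLY = b"\xff\xfe" + b"127.0.0.1 localhost\r\n::1 localhost\r\n"
UTF16 = b"\xff\xfe" + "127.0.0.1 localhost\r\n".encode("utf-16-le")
REDIRECTED = b"127.0.0.1 localhost\r\n203.0.113.10 www.example.com update.example.net\r\n"

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("bom_only", BOM_ONLY),
                      ("utf16", UTF16), ("redirected", REDIRECTED)]:
        print(name, audit_hosts(raw))
```

On a live machine, feed it the bytes of %SystemRoot%\System32\drivers\etc\hosts; a non-empty "redirected" list or a non-None "bom" is the signal that the file has been altered and should be reset, as the [resethosts] step earlier in this thread does.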
 
New HijackThis Log

Please review the new HijackThis log (attached).

Thanks!
 

Attachments

  • hijackthis Log 2.txt (13.8 KB)
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Windows Updates

Is "Microsoft .NET Framework 1.1 Service Pack 1" a necessary update? For some reason, I am unable to install it.

Also, how do I know if any trojans were listed among my infections? I don't think I had any... Which of the logs will have that information for me?

Thank you for all your help!

Much appreciated!
 
how do I know if any trojans were listed among my infections?
You had trojans and a rootkit, so it's important to change any sensitive password.

Is "Microsoft .NET Framework 1.1 Service Pack 1" a necessary update?
No. You only need it if some particular program asks for it.

How is your machine doing?
 
Internet Connection

Thanks so much for your help. I will go ahead and change my passwords.

I am still experiencing connectivity issues.

If you remember (a few posts back), the only way for me to establish an internet connection on my PC was a direct connection from my PC to the cable box (as opposed to my wireless router).

I am still connected to the Internet via the direct connection. However, after about 5-10 minutes of connecting to the internet, the connection fails out and I have to re-start my computer to re-establish connection.

Can you please help?

Thank you
 
Your computer is malware free, so...
Access to the malware forum is very limited (just you and me), so I'd suggest you repost your internet issue at some other forum of this board and you'll get more attention.

If I were you, I'd probably start with replacing your network (ethernet) card. 15 bucks.
 