Hijack recovery

[hoopsbrown]

Several viruses hijacked my system yesterday. Lucikly Windows Defender caught enough that I was able to block some of the registry changes and run anti-malware to recover. The most troublesome was that it appears System Restore was actually turned off by one of the viruses... something I didn't think was possible. I was able to recover as far as I can tell and don't have anymore symptoms, but I wanted to post here just to be sure something wasn't lurking.

Note I added a logs in the post below for SpywareDoctor because I actually ran this first to try and recover.

 

[hoopsbrown]

spyware doc attachments

 

[Bobbye]

First 7/5/2009 7:12:41 AM mbam-log-2009-07-05 (07-12-26).txt> No action taken
Second 7/5/2009 7:12:57 AM mbam-log-2009-07-05 (07-12-57).txt> quarantined. Good for you! you aught it- most people don't!

You need to get rid of all the temp folders:
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please empty the recycle Bin when finished.

Stop the Tracking Cookies on accounts for both Amy and Guest:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

SAS has a line to check for removal of the malware it finds. If you did not check that first time around, please update, rescan and check.

Please reopen HijackThis to 'do system scan only'
Check each f the following if present: Note: Don't click on 'Fix Checked' until you have checked all on the list:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\msierj.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msyrrw.exe
O3 - Toolbar: (no name) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [] C:\DOCUME~1\MATTBR~1\LOCALS~1\Temp\shqr75u0.exe
O20 - AppInit_DLLs: C:\DOCUME~1\MATTBR~1\LOCALS~1\Temp\1043932984446mxx.dll

Close all Windows except HijackThis and click on 'Fix Checked.'

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis and include new log and report from Combofix.
I'll determine if you need to run additional programs.

A comment: You have a lot of processes running. Most do not need to start on boot and run in the background. Most can be accessed manually when needed.

 

[hoopsbrown]

Ran and completed TFC

Ran HiJack this and removed requested lines all at once.

ComboFix appeared to fail after scan step 26 (I didn't click on anything). Desktop disappeared and I was left with a background picture only. Let it run over night but it never recovered. Should I run again?

Also, if you could tell me what the "required" programs are, I'll update my msconfig to only start those programs. I have already disabled about half of the startup programs...ugh!

 

[Bobbye]

Uninstall Combofix:
To uninstall ComboFix.exe And all Backups of files that it deleted
[list[
[*] Click START> RUN
[*] Type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[*] When shown the disclaimer, Select "2"
[/list]

Reboot. Then try Combofix again.
Rescsn with HijackThis after and include Combofix report and new HijackThis log.

The only programs that need to start on boot are:
Antivirus
Firewall if using third party firewall
Touchpad if on laptop.
Possibly network processes if network set up.

Note: when making the changes using msconfig: click on Selective Startup> Startup tab
Uncheck what you want
Apply> OK
The first boot after making any changes brings up a nag message which can be ignored and closed after clicking on 'don't show message again.' Stay in Selective Startup to retain the changes.

That's it. Everythign else, including printers, can be started manually if and when needed.

 

[hoopsbrown]

Worked this time, see attached.

So all those "system" startup functions aren't needed either? Wow.

 

[Bobbye]

So all those "system" startup functions aren't needed either? Wow.

Nice to know, huh?! I also noticed you have a lot of remote access features running. I find that sometimes the user doesn't realize they can disable these features or stop them from loading on boot. Programs like LogMeIn, SupportSoft Remote Assistance, SlingService- unless you use regularly don't need to startup.

Also, keep an eye on the Dropbox program- looks like there's some sharing there.

I'd like you to run a full system virus scan, save the log and attach to next post.
And UPDATE Mbam and rescan to make sure it's clean. attach log if anything is found.

As for the System Restore- we have you drop those at the end of cleaning and set a new, clean restore point, so nothing lost there. Now IF we do tht and SR still doesn't work, we'll address that.


chuckle with me here: do you really need to have SouthWest Airlines start on boot, run in the backgroumnd the entire time you're on the system, then "ding" you if there's a good fare to somewhere? Or can't you just manaually open the program and check it when you want to?

 

[hoopsbrown]

The weird thing was SR was on... and after the virus I went straight to it to restore to a previous point, and it had been turned off by the virus.... first time I have seen that. My norton didn't have a log, it completed without any issues. Here's the MBAB and HiJack logs.

 

[Bobbye]

If you have to run the cleaning programs in the future, you should check the line for removal of what is found- it's not necessary that you run Malwarebytes twice to do this.

And a tip about using System Restore when you've had malware> Don't! You don't know exactly when you got the malware so using old restore point could reinfect the system,

Logs look good- let's clean up:
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if you need any more help.