Log check

Status
Not open for further replies.
Hello swker98


It looks like you've got an old and rare (AboutBlank) infection ->

Please download AboutBuster

http://malwarebytes.org/aboutbuster.php

Unzip to a convenient location such as C:\AboutBuster

Start > Run, type services.msc (or copy/paste) in the 'Run' box. Click OK. When the services window opens, scroll down to:
Network Security Service ( 6QÔõ 'ª´ÆÐ8)

Right click on it and choose 'Properties'. You will see a little drop down bar with an arrow. Click on that and change it to "Deactivate".


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing

Run About:Buster now. Hit OK, Start, OK. Save the log file. Run it again for the second time (OK, Start, OK). Save that log file. Post both log files here.

Reboot into Safe Mode (hit F8 key until menu shows up). Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Go to EVERY profile (C:\Documents and Settings\every_profile_listed\Local Settings\Temp & also
C:\Documents and Settings\every_profile_listed\Local Settings\Temporary Internet Files) and delete all the contents in their folders.

Reboot normally.

Attach a new HJT log file along with log files from aboutbuster
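
An added example, not part of the original post and not HijackThis code: a small Python triage script that parses R-section lines in the format quoted above and lists the entries matching the patterns the helper asked to fix. The function name, regex and sample log are constructed for illustration.

```python
import re

# Constructed sample: R-section lines in the format quoted in the post,
# plus one benign Start Page and one non-R line to show what is skipped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://example.org/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

# "<code> - <registry key>,<value name> = <data>"
ENTRY = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\[^,]+),(.+?) = (.*)$")


def flag_entries(log_text):
    """Return (code, key, value_name, reason) for R lines worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("R"):
            continue  # only the IE start/search page section is examined
        m = ENTRY.match(line)
        if m:
            code, key, name, data = m.groups()
            if data.strip().lower() == "about:blank":
                findings.append((code, key, name, "about:blank redirect"))
            elif name == "ProxyOverride" and "localhost" in data.lower():
                findings.append((code, key, name, "localhost proxy override"))
        elif line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            # Free-text R3 line: no key/value pair to parse.
            findings.append(("R3", None, "URLSearchHook", "default search hook missing"))
    return findings


if __name__ == "__main__":
    for code, key, name, reason in flag_entries(SAMPLE_LOG):
        print(f"{code}  {name:<15} {reason:<28} {key or ''}")
```

The output is a review list, not a verdict: a single `Start Page = about:blank` can be a user's own setting, while the same value across many search and start-page keys at once is the pattern shown in this thread.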
 
Will do thanks

Thanks for your help, I have attached the logs you have asked me to, however I wasn't able to follow your instructions exactly as far as

Run About:Buster now. Hit OK, Start, OK. Save the log file. Run it again for the second time (OK, Start, OK). Save that log file. Post both log files here.

but I did run it twice and attached the logs. All else was completed successfully as far as emptying the temp folders.
 
Ok :)

I'm not sure if AboutBuster has removed what it found -> C:\WINDOWS\system32\cvxmj.dat.

I'll therefore suggest you run a scan with combofix.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.


Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\system32\cvxmj.dat.

http://img.photobucket.com/albums/v6...FScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. Attach the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
combo fix says that the script is incorrect, also it says the current date is 4\12\09 it is going to run in reduced functionality mode, would it be ok to delete that file in safemode?


Edit: I had the wrong name for the script, DOH. I'm running combo fix in safe mode now

alright, downloaded an updated version of combofix, used it in safemode, looks like it got rid of the about infection and a bunch of other stuff

updated logs attached
 
Uncheck these:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner Free]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncerDL]


in msconfig. Look here, how to:
http://netsquirrel.com/msconfig/msconfig_xp.html

reboot, and tell how things are running ?
 
all those have been unchecked prior to cleaning everything out, it's running good, much better than in the beginning, in fact I only have 3 startup programs running (checked) as all the other crap is unnecessary

thank you for your help
 
My pleasure :)

Now your computer problems are solved, it is time for the clean-up procedure.

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.




Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place
 