Solved Please look at my log after 8-step Instructions

Status
Not open for further replies.

den2mayo

Hi, please look at my log files. I've had a lot of nasty stuff on my PC, slowing it down significantly.

Hope you can help me.
 

Attachments

  • SUPERAntiSpyware Scan Log - 04-09-2010 - 03-16-59.log (1.1 KB)
  • mbam-log-2010-04-09 (01-57-51).txt (4.4 KB)
  • hijackthis.log (15.3 KB)
Welcome to TechSpot. I'll help with the malware.

You have a worm called WORM_BRONTOK.BA. This infection has numerous built-in protections to prevent its removal and has autostart entries that allow it to execute every time the machine restarts in normal or safe mode and every time an instance of the command prompt is opened. It disables the Registry Editor. It attaches a copy of itself to email messages, which it sends to target addresses.

It restarts the affected system whenever it finds an open window with specific strings in the title bar. It also terminates Task Manager and Process Explorer. This worm overwrites the HOSTS file. Source: TrendMicro.

To begin, please reopen HijackThis and do a system scan only. Check the following entries:
O1 - Hosts: 127.0.0.22 virustotal
O1 - Hosts: 127.0.0.22 anubis.ise
O1 - Hosts: 127.0.0.22 threatexpe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafee.org
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeesecu
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeesecu
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeesecu
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeeb2b.
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeeb2b.
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 mcafeeb2b.
O1 - Hosts: 127.0.0.22 www.mcafee
O1 - Hosts: 127.0.0.22 nai.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Close all windows except HijackThis and click on "Fix Checked."

When you have finished, please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Then follow that by running the Eset NOD32 Online AntiVirus Scanner HERE:
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Rescan with HijackThis and include the new log along with the ComboFix report and Eset log.

NOTE: DO NOT use the System restore feature. The restore points have malware and you will reinfect the system. I'll have you remove them at the end.
 
Bobbye,

Thanks for taking the time to help out.
I did what you asked; please see the attached log file.
 

Attachments

  • log.txt (1.9 KB)
There is an entry in the ComboFix log that may indicate an infected flash drive, Drive E. We should set up a flash disinfector when finished with the CF fix below. Are you using one?


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\Den\Application Data\Azureus
C:\Documents and Settings\Den\Application Data\zinwinupdate.exe	 

Folder::
c:\program files\Azureus

Extra::
Firefox::
Firefox-: Profile- c:\documents and settings\Den\Application Data\Mozilla\Firefox\Profiles\78j7pdzb.default\
Firefox-: Search.selectedEngine - Ask

Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

Please follow with a new HijackThis scan and paste in new log.
 
Ran ComboFix

Hello,

Here are the logs as instructed.

Thanks
 

Attachments

  • log.txt (30.1 KB)
  • hijackthis.log (13.4 KB)
I notice 20 entries for MagicJack on 2/26/2010 and data from it on 3/26/2010. But you also have Skype entries running from 3/12/2008. Can you use those both at the same time?

I'd like to try removing these 2 entries again. We don't recommend use of ask.com as it's known for adware and some spyware. But if they remain on the system, they're not malware as is:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::
Extra::
Firefox::
Firefox-: Profile-c:\documents and settings\Den\Application Data\Mozilla\Firefox\Profiles\78j7pdzb.default\
Firefox-: prefs.js: browser.search.selectedEngine - Ask
Firefox-: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

How is the system running now? You should have regained some speed with the removals. I'd like you to reset the host files:

Please download the MVPS Hosts file. This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

If the problem has been resolved, I'll have you remove the cleaning tools.
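The two HOSTS file changes in this thread pull in opposite directions: the worm's O1 entries point security-vendor sites at 127.0.0.22 so the machine cannot reach them, while the MVPS file points ad sites at 127.0.0.1 on purpose. The Python audit below is an added example, not from the thread or from any tool named in it; it parses a HOSTS file and flags worm-style entries while leaving blocklist-style ones alone. The vendor watchlist and the sample file are constructed assumptions (mcafee.com and nai.com are the two vendor domains the thread quotes in full).

```python
import ipaddress
from typing import Iterator, List, Tuple

# Assumed watchlist (mcafee.com and nai.com are quoted in the thread).
SECURITY_DOMAINS = {"mcafee.com", "nai.com", "virustotal.com", "trendmicro.com"}
# Sink addresses a legitimate blocklist such as the MVPS file uses.
BENIGN_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

Finding = Tuple[int, str, str, str]  # (line_no, address, hostname, reason)

def parse_hosts(text: str) -> Iterator[tuple]:
    # Yield (line_no, address, hostnames) for each mapping line, comments stripped.
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address/hostname mapping
        yield no, addr, [h.lower().rstrip(".") for h in parts[1:]]

def matches_watchlist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def audit_hosts(text: str) -> List[Finding]:
    # Flag a remapped localhost, redirected vendor sites, and odd loopback sinks.
    findings: List[Finding] = []
    for no, addr, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost" and addr not in BENIGN_SINKS:
                findings.append((no, str(addr), host, "localhost remapped"))
            elif matches_watchlist(host):
                findings.append((no, str(addr), host, "security vendor redirected"))
            elif addr.is_loopback and addr not in BENIGN_SINKS:
                findings.append((no, str(addr), host, "non-standard loopback sink"))
    return findings

# Constructed sample modelled on the O1 entries quoted in the thread, plus two
# MVPS-style blocklist lines that the audit must leave alone.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.22  mcafee.com
127.0.0.22  nai.com
127.0.0.22  av-vendor.example
0.0.0.0     ads.tracker.example      # MVPS-style entry
127.0.0.1   banner.tracker.example   # MVPS-style entry
"""

if __name__ == "__main__":
    for line_no, addr, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} {host} -> {reason}")
```

On a real machine, read the file from the path ComboFix and HijackThis inspect (the Windows drivers\etc\hosts file) instead of SAMPLE_HOSTS.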
 
Bob,

Here is the log file. I forgot to answer your question the other day. No, I don't have a flash disinfector nor have a clue about it. I'd appreciate it if you could enlighten me about that.

With regards to Skype and MagicJack: I use both programs. I use Skype to call PCs but use MagicJack to call landline numbers. I am located in the Philippines, so it is very practical for me to use MagicJack to call relatives in North America.

Speed problems have been solved, big thanks!

I also have a problem which I almost forgot to mention; it involves Windows Explorer. When I double-click folders, they always pop up in another window. But my folder options are set to open folders in the same window. Might this be the effect of viruses/malware/adware?

Thanks.
 

Attachments

  • ComboFix.txt (26.6 KB)
Are you accessing this site for anything?
hxxp://globebroadbandclickfix.com.ph

A partial description is "Globe Telecom Agent can automatically configure your GBB connection, your browser and LAN, wireless or not, will be configured by the software itself. .." It is coming up as a possibly infected site which is why I didn't set it up as a link.

Did you put the Firefox removal script into the code box? There is no mention of it in the log.

I don't think the new Window has anything to do with malware. Are you using tabs? If so, go into Internet Options and check the tab settings.
 
hxxp://globebroadbandclickfix.com.ph is the website for my ISP's support software "clickfix". They have asked me to install this one for the initial troubleshooting in case of internet connection problems.

I may have overlooked the instructions regarding the Firefox removal script... how do I do that again?

The problem is my Windows Explorer, not the Internet Explorer of Windows. I've been looking around the net for solutions to that; I think it has to do with regedit, something that I am also clueless about.
 
The problem is my Windows Explorer, not the Internet Explorer of Windows. I've been looking around the net for solutions to that; I think it has to do with regedit, something that I am also clueless about.
When I double click folders, they always pop up in another window.
I think it has to do with regedit

If you are getting an error message, I need to know what it says. 'something about regedit' doesn't mean much.

What kind of 'Window' opens? The description is not enough for me to do anything. It will depend on what the file extension is as to what 'Window' opens.
For instance, if you click on a .doc file, it will open in Word.
If you click on a .jpg file, it will open in the imaging program.

A file isn't going to open in the browser unless it's for a link on the internet such as a shortcut or bookmark.

I may have overlooked the instructions regarding the Firefox removal script... how do I do that again?
Follow the instructions for copying contents of the Code box in my Reply #7

Please understand that my help is based on the information you give me. And the success of the cleaning depends on you following my directions.
 
Okay, the windows explorer problem.

When I open "My Computer" and click on a drive, say "E:", it shows all the contents of that drive. When I open a folder in that drive, the folder contents then open in a new window. But the thing is, my folder options have always been set to open the content in the same window. That's probably the meat of it; there is no error message.

With regards to step 7, I believe that I did that step. If there is a need to do that step again please let me know.

I appreciate all your help and patience.
 
Regarding Firefox entries:
FF - ProfilePath - c:\documents and settings\Den\Application Data\Mozilla\Firefox\Profiles\78j7pdzb.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=


They are still on the system. If you want ask.com to be your selected search engine, if you want the Ask toolbar, if you don't mind being redirected, then leave them. Most of us do not recommend using any .ask.com processes because of adware.

Regarding clickfix: Combofix advises:
----- BITS: Possible infected sites -----
hxxp://globebroadbandclickfix.com.ph


Regarding the new window on the E drive: try doing a right-click to open. See what that does. It's not malware related.

If the problem has been resolved: Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [Image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you need more help.
 