Possible infection

By Sharrow · 7 replies
May 13, 2009
  1. Hi guys,

    Can you check the attached logs. Presently can't open Regedit, and suspect I may have caught something.

    Thanks in advance.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    As far as I can tell, you have only the Zone Alarm firewall. And you have NO antivirus program:

    Step 1:
    Antivirus scanning
    If you're NOT running any antivirus or firewall software, you should install one ASAP. If you already have an antivirus program, please be sure to check for updates and run a full scan of your system. Please note anything that it finds in your thread.

    Recommended Free Anti Virus:
    Avira Free: https://www.techspot.com/downloads/41-antivir-personal-edition.html
    Avast Free: https://www.techspot.com/downloads/223-avast-home-edition.html

    Choose one and download and install. Then run a full system scan. Attach log in your next post

    Mbam is showing the Security Center Disabled. This key controls the warning you get about your antivirus software (out of date, not installed, .....). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software.
    Do you have this disabled for a specific reason? That may be a false positive since you have no AV running.

    After you get the AV installed and finish the scan, run Combofix:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    Link 3
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      Click on Yes, to continue scanning for malware.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Include AV scan and Combofix report on next post.
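An added example, not part of the thread, that audits the Security Center values Malwarebytes reports as "Security Center Disabled" and checks whether any antivirus product is actually registered, which is what decides whether the hit is the false positive described above. The value names and WMI namespaces are the standard Windows Security Center ones; they are not given in the post and are an assumption here.

```powershell
# Added example (not from the thread): audit the Security Center notification
# overrides that Malwarebytes reports as "Security Center Disabled".
# Value names are the standard Security Center DWORDs (assumption, not from the
# post); a data value of 1 suppresses the corresponding warning.
$key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
         'AntiVirusOverride', 'FirewallOverride'

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $props) {
    Write-Output "Security Center key not present: $key"
    return
}

# One row per value: absent, set to 0, or set to 1 (warning suppressed).
$findings = foreach ($n in $names) {
    $p = $props.PSObject.Properties[$n]
    if ($null -eq $p) {
        [pscustomobject]@{ Value = $n; Data = '(absent)'; Suppressed = $false }
    } else {
        [pscustomobject]@{ Value = $n; Data = $p.Value;   Suppressed = ($p.Value -eq 1) }
    }
}
$findings | Format-Table -AutoSize

# Context check: a "disabled" warning only matters if an AV product is registered.
# root\SecurityCenter is the XP namespace, root\SecurityCenter2 is Vista and later.
$av = foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
}
if ($av) {
    $av | Select-Object displayName | Format-Table -AutoSize
} else {
    Write-Output 'No antivirus product registered with Security Center'
}

if ($findings | Where-Object { $_.Suppressed }) {
    Write-Output 'One or more Security Center warnings are suppressed; confirm this is intended once an AV is installed.'
}
```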
  3. Sharrow

    Sharrow TS Rookie Topic Starter

    Hi Bobbye,

    Firstly, thank you very much for helping me with this, it is most appreciated.

    I use the Zonealarms security suite, but I disabled the antivirus and the spyware scanners before I ran the initial logs, but not before I did an updated, deep scan using them. Both came up with nothing.

    I used combofix (log attached) plus used Avira to scan my disk again (log attached) plus here is the latest Hijackthis log - note I have not enabled Zonealarms av and spyware until I uninstall Avira.

    I can now use regedit, cmd, log on myspace in firefox and update Malwarebytes automatically. So far, so wonderful!

    Please advise me if I need to do anything else.

    Again, thank you for your time.

    Best wishes.
  4. Bobbye


    I wonder if the direction that refers to 'scanners' is being misunderstood. There are some programs that have a feature which starts on boot and runs in the background. Common ones are TeaTimer in Spybot and AdWatch in AdAware. They also include any 'resident' part of the program that runs in the background. The reason for disabling these is because they can interfere with the scans. The preliminary steps do not say to disable the antivirus and antispyware programs as a whole.

    When Combofix is suggested, THAT program DOES tell the user to disable ALL security. So when you ran the initial programs, the AV should have been running.

    The TR/Crypt.XPACK.Gen Trojan was found in the files from:
    C:\Program Files\Steinberg\WaveLab\System\plugins\Nomad Factory\Blue Tubes Bundle

    Avira has moved them. You should delete them from the quarantine area. Combofix also deleted files from Nick Drabble\Application which it appears you were using during the scanning.

    Download ATF Cleaner by Atribune: http://www.atribune.org/ccount/click.php?id=1 to your desktop.

    Double-click ATF Cleaner.exe to open it.
    • Under Main choose:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Cookies
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    • The other boxes are optional*
    • Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    Run a full scan with Avira once more and if it's clean, we'll remove the cleaning tools.
  5. Sharrow


    Okay, quarantine items deleted. Cleaner used as instructed. Scan done, results attached, with new Hijackthis log.

    Kind regards.
  6. Bobbye


    Looks good! If the original problem has been resolved, you can remove the cleaning tools and old restore points:

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTCleanIt by OldTimer:
    Save it to your Desktop.
    Double click OTCleanIt.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Let me know if I can be of further help.
  7. Sharrow


    All done and dusted, working like a dream. I owe you a beer!

    Thanks again.

    Best wishes.
  8. Bobbye


    Glad to help!