Computer infected, can't run AV or Spybot S&D



sucosam
2009-10-16, 17:35
Hi there. I've been looking through some posts and decided it best to post my own issue. Over the last couple of days I've noticed pop-ups appearing very frequently. Instantly I thought virus or spyware/malware. The issue is my AVG software will not scan my computer; nothing happens when I attempt to run it. The email scanner is disabled and can't be started, same with AVG ID Protection. I downloaded Spybot and HijackThis on another PC to a flash drive and transferred them to my infected machine, as I now no longer have an internet connection... so now Spybot will not even install.

I ran HJT and I could see the resulting log pop up for a brief second, but then disappears. Does it store to a certain location on my hard drive? If so I can get to it this way, but as of right now I'm unable to get this file for posting. Any suggestions on what my next step should be?

Regards,

Sucosam

Anyone have any suggestions on how to proceed in fixing this issue? If the HJT log is stored on the C: drive somewhere, I can pull it from there and post it, but I don't know the default location. Thanks.

I have gone through the beginning steps in the "Before You Post" message. My Registry is backed up and when I double click HJT, it appears to run but then disappears without opening Notepad. Whatever issue is on my desktop is preventing any antivirus or malware removal tools from being run.

Can anyone offer a suggestion on how to disinfect my computer?

===================================

If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Blade81
2009-10-18, 13:52
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds), here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Download GMER (http://www.gmer.net) by clicking the Download EXE button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the Show All box while the scan is in progress!
When the scan is finished, click Copy. This copies the log to the clipboard.
Post the log in your reply.

sucosam
2009-10-18, 19:36
Hi there, thanks for helping me out, it is greatly appreciated. Here are the results of the DDS script. GMER is still running and I will post that shortly.

sucosam
2009-10-18, 22:04
Here is the result of GMER.

Blade81
2009-10-19, 07:40
Hi,

Seems that you've run ComboFix by yourself (not recommended without the supervision of a trained helper). Post back the log from that run, please.


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

sucosam
2009-10-19, 14:08
BitTorrent removed. Don't know where I'd find the log for ComboFix; this was run prior to posting on this help forum.

Blade81
2009-10-19, 16:24
Hi,

Look for ComboFix.txt file on your C: drive.

sucosam
2009-10-19, 16:34
Hi,

I was able to track it down, but had some issues getting to it, as Windows Explorer showed the ComboFix folder as the root of C:\, so it was a never-ending loop with no actual ComboFix file. I was able to copy it, however, using MS-DOS. I will paste the result here, as it is only a few lines. Please let me know if you require the actual file instead.


combofix.txt:
ComboFix 09-10-15.04 - Colin 10/16/2009 10:30:56.1.2 - NTFSx86
Running from: F:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

Blade81
2009-10-19, 17:00
Ok. Let's run it again with this set of instructions:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.



Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

sucosam
2009-10-19, 17:24
I am re-running ComboFix as advised. One issue, however, is that I get a message stating that the MS Windows Recovery Console is not installed and asking me to click "Yes" to have ComboFix download/install it. The problem here is that since the infection I do not have an internet connection, so this part fails. It does, however, continue to go through the remaining stages, and once complete I will post the result here.

sucosam
2009-10-19, 17:26
Never mind, I see the section about manual installation and will do this momentarily once the current ComboFix run is complete. I will then re-run it following the same instructions.

sucosam
2009-10-19, 17:41
Here is the ComboFix log prior to having the Windows Recovery Console installed. Shall I re-run ComboFix after getting this installed?

sucosam
2009-10-19, 18:00
I am so far unable to install the Recovery Console. Not sure if this is a requirement or not. The reason is that I have no internet connection from the infected PC. Is there a way to do this without an internet connection? Also, when using the Windows CD it tells me that the version of Windows I'm running is newer than the version on the CD.

Blade81
2009-10-19, 18:13
Hi,

Which edition of Windows XP do you have, Home or Professional, and what language? Let me know and I'll try to guide you through the manual Recovery Console install option.

sucosam
2009-10-19, 18:25
Microsoft WindowsXP Professional SP3
Version 5.1(Build 2600.xpsp_sp3_gdr.090206-1234 : Service Pack 3)

Blade81
2009-10-19, 18:53
Hi,

Download this (http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en) boot disk file and transfer it to the desktop of the system we're cleaning. Then drag and drop the file onto ComboFix as shown in the tutorial.

sucosam
2009-10-19, 19:01
I've downloaded the file and transferred it to my desktop, but the infection will not allow me to manipulate desktop icons. I can only select an icon; I am not able to drag it at all.

Blade81
2009-10-19, 19:17
Ok. Then we'll try another way.

Click Start -> Run, type cmd.exe and press Enter. Type the command below into the command prompt window and press Enter:
ComboFix "c:\documents and settings\colin\desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe"

sucosam
2009-10-19, 19:22
I get the message:

'ComboFix' is not recognized as an internal or external command, operable program or batch file.

I ran this from c:\Documents and Settings\Colin and also from c:\combofix

Blade81
2009-10-19, 19:36
Ensure you have ComboFix.exe on your desktop and use this command:

"c:\documents and settings\colin\desktop\ComboFix.exe" "c:\documents and settings\colin\desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe"

sucosam
2009-10-19, 19:54
Alright, this is working now. I have received a message stating that the Recovery Console is installed and that on reboot a black screen appears, but for normal use not to choose it. ComboFix is now continuing to scan for malware. Once it reboots, are there any specific instructions on what to do? Should I link the resulting log file from after the reboot?

sucosam
2009-10-19, 20:12
ComboFix log after the Recovery Console was installed and the system rebooted.

Blade81
2009-10-19, 21:15
Hi,

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\eventlog.dll >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.


Open Notepad and then copy and paste the lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
@echo off
cacls c:\windows\system32\svchost.exe >>c:\Logit.txt
del %0

Double-click on fixes.bat file to execute it. Post contents of c:\Logit.txt file.

sucosam
2009-10-19, 22:10
Contents of Log.txt:
-c----w- 55,808 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
------w- 56,320 2008-04-14 00:11:53 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 112,128 Blocks: 219



Contents of Logit.txt
c:\windows\system32\svchost.exe Everyone:(NP)(special access:)

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
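
The two listings above are exactly the kind of output that can be triaged automatically. The Python script below is an added example, not part of this thread or of the PEV/cacls tools: it parses PEV -l style listings and cacls output (the sample input is copied from the Log.txt and Logit.txt posted above and embedded inline), pairs each system file's live copy under system32 with the pristine ServicePackFiles\i386 copy, and flags (a) a live copy that is missing from the listing or differs in size or timestamp from the reference, and (b) an ACE that gives a world group such as Everyone write, delete or owner rights on a system binary. The account names treated as "world", the right names and the restore-from recommendation are the example's own assumptions; a matching size and timestamp is reported as not proving anything, since only a hash comparison would.

```python
"""Triage PEV -l listings and cacls output for replaced or weakened system files."""
import re
from collections import defaultdict

# Sample input copied from the two logs posted above (PEV -l on eventlog.dll and
# svchost.exe, and the cacls output of fixes.bat). Constructed for this example.
PEV_LISTING = r"""
-c----w- 55,808 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
------w- 56,320 2008-04-14 00:11:53 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
-c----w- 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
------w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\system32\svchost.exe

Entries: 5 (5)
"""
CACLS_OUTPUT = r"""
c:\windows\system32\svchost.exe Everyone:(NP)(special access:)

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
"""

# Rights that let a caller modify, replace or re-permission a file (assumption: this
# list is what we consider "write" for a system binary).
WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE",
                "WRITE_DAC", "WRITE_OWNER", "FILE_WRITE_ATTRIBUTES"}
# Groups that should never hold write rights under system32 (assumption).
WORLD_ACCOUNTS = {"everyone", "users", "authenticated users", "builtin\\users"}
# Expansion of cacls' one-letter codes for the simple "Account:R" output form.
SIMPLE_CODES = {
    "F": WRITE_RIGHTS | {"FILE_READ_DATA", "FILE_EXECUTE"},
    "C": (WRITE_RIGHTS - {"WRITE_DAC", "WRITE_OWNER"}) | {"FILE_READ_DATA", "FILE_EXECUTE"},
    "W": {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_ATTRIBUTES"},
    "R": {"FILE_READ_DATA", "FILE_READ_ATTRIBUTES"},
}

# attrs  size  yyyy-mm-dd hh:mm:ss  path
PEV_LINE = re.compile(r"^(?P<attrs>\S{8})\s+(?P<size>[\d,]+)\s+"
                      r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$")
# "[path ]Account:rights" (paths without spaces, as in the thread); a named-right
# line such as FILE_WRITE_DATA has no colon and falls through to RIGHT_NAME.
ACE_LINE = re.compile(r"^(?:(?P<path>[A-Za-z]:\\\S+)\s+)?(?P<account>[^:()]+):(?P<rest>.*)$")
RIGHT_NAME = re.compile(r"^[A-Z_]+$")


def parse_pev_listing(text):
    """Return one dict per file line; summary lines (Entries:, Bytes:) are skipped."""
    entries = []
    for line in text.splitlines():
        m = PEV_LINE.match(line.strip())
        if m:
            entries.append({"attrs": m["attrs"], "size": int(m["size"].replace(",", "")),
                            "stamp": m["stamp"], "path": m["path"]})
    return entries


def parse_cacls(text):
    """Return {path: {account: set(rights)}} from cacls output (both output forms)."""
    acl, path, account = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_LINE.match(line)
        if m:
            if m["path"]:
                path = m["path"].lower()
            account = m["account"].strip().lower()
            rights = acl.setdefault(path, {}).setdefault(account, set())
            rest = m["rest"].strip()
            if "special access" not in rest:          # e.g. "BUILTIN\Users:R" or "(OI)(CI)F"
                rights.update(SIMPLE_CODES.get(rest.split(")")[-1], set()))
        elif RIGHT_NAME.match(line) and account is not None:
            acl[path][account].add(line)              # one named right per line
    return acl


def audit_system_files(entries, acl, names):
    """Compare each live system32 copy with its ServicePackFiles reference and check its ACL."""
    by_name, findings = defaultdict(dict), []
    for e in entries:
        lower = e["path"].lower()
        name = lower.rsplit("\\", 1)[-1]
        if name not in names:
            continue
        if "\\servicepackfiles\\i386\\" in lower:
            by_name[name]["reference"] = e
        elif lower.endswith("\\windows\\system32\\" + name):
            by_name[name]["live"] = e
    for name in names:
        ref, live = by_name[name].get("reference"), by_name[name].get("live")
        if ref is None:
            findings.append(f"{name}: no ServicePackFiles reference copy; nothing to restore from")
            continue
        if live is None:
            findings.append(f"{name}: no copy under system32 in the listing; restore from {ref['path']}")
        elif (live["size"], live["stamp"]) != (ref["size"], ref["stamp"]):
            findings.append(f"{name}: system32 copy ({live['size']} bytes, {live['stamp']}) differs "
                            f"from reference ({ref['size']} bytes, {ref['stamp']}); restore from {ref['path']}")
        else:
            findings.append(f"{name}: system32 copy matches reference size/timestamp; "
                            "this does not prove it is clean, compare hashes")
        for path, aces in acl.items():                 # world-writable system binary?
            if path and path.endswith("\\" + name):
                for account, rights in aces.items():
                    bad = sorted(rights & WRITE_RIGHTS)
                    if account in WORLD_ACCOUNTS and bad:
                        findings.append(f"{name}: {account} has write rights ({', '.join(bad)}) on {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_system_files(parse_pev_listing(PEV_LISTING), parse_cacls(CACLS_OUTPUT),
                                      ("svchost.exe", "eventlog.dll")):
        print(finding)
```

Run against the posted logs, the script reports that svchost.exe matches its reference only by size and timestamp, that Everyone holds write, delete and owner rights on it, and that eventlog.dll has no system32 copy in the listing, which is what the FCopy lines Blade81 posts later put back.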

Blade81
2009-10-20, 10:35
Hi,

One more query for you to run.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\svchost.exe >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

sucosam
2009-10-20, 15:46
Contents of log:

-c----w- 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
------w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\system32\svchost.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 43,008 Blocks: 84

Blade81
2009-10-20, 16:09
Hi,

Open Notepad and copy/paste the text in the quote box below into it:



FCopy::
C:\WINDOWS\ServicePackFiles\i386\svchost.exe|C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe|C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\dllcache\eventlog.dll



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

sucosam
2009-10-20, 17:11
Had to use the MS-DOS command as we did yesterday, but got it to work and am posting the resulting log. I still cannot drag icons on the desktop.

Blade81
2009-10-20, 17:40
Hi,

You had the script file named the wrong way. It has to be a .txt file.

Use this command ensuring that both ComboFix.exe and CFScript.txt with proper contents are on your desktop:

"c:\documents and settings\colin\desktop\ComboFix.exe" "c:\documents and settings\colin\desktop\CFScript.txt"

sucosam
2009-10-20, 18:07
Shoot, so I did. Sorry about that. Here is the proper result. I should also note that I have internet access again, or more accurately, I can get onto Internet Explorer, and I'm able to move icons on the desktop. Looking good.

Blade81
2009-10-20, 18:24
Looks better indeed. We have things left to do though :)

Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach the file to your reply.

sucosam
2009-10-20, 18:34
Here is the log

Blade81
2009-10-20, 18:38
Looks like the attachment didn't get included :)

sucosam
2009-10-20, 18:41
Shoot, I can't upload it as it's too big. I've broken it up into 2 logs.

Blade81
2009-10-20, 18:46
Hi,

Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Archive it into zip file and attach to your post.
"%userprofile%\desktop\win32kdiag.exe" -f -r

sucosam
2009-10-20, 18:51
This one was within the size limit so I just posted as a txt file

Blade81
2009-10-20, 21:23
Hi,

Uninstall old Adobe Reader versions and get the latest one (9.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows), or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up to date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Uninstall this vulnerable Java:
Java(TM) 6 Update 13


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Tick the box next to YES, I accept the Terms of Use.
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish
Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new dds.txt log & a description of any remaining problems

sucosam
2009-10-20, 23:16
ESET log contents:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=ca3d58eabbc7aa4e99e9902958a679ee
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-20 09:14:27
# local_time=2009-10-20 05:14:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=78265
# found=0
# cleaned=0
# scan_time=2131

Blade81
2009-10-21, 07:11
Please post a fresh dds.txt log and description of remaining problems too.

sucosam
2009-10-21, 14:37
Here is the resulting DDS log, and I posted the new Attach log also, just in case. So far everything seems to be working very well. The response time for actions seems better than before the issues started, and so far none of my browser windows have been hijacked, nor have I had any issues with any of my everyday tasks.

Blade81
2009-10-21, 15:09
Good. It's time for the final steps :)


THESE STEPS ARE VERY IMPORTANT

Let's reset System Restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis




Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste ComboFix /u into the Run box and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the Begin cleanup Process? prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left-hand corner of your screen), click Run, type services.msc in the dialog box and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
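
The Internet Explorer hardening steps above are six Internet-zone URL actions, each stored as a REG_DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (0 = Enable, 1 = Prompt, 3 = Disable). The Python script below is an added example, not part of this thread: it compares the current zone values against the settings Blade81 recommends and emits the reg add commands that would correct any deviation. The mapping of action numbers to setting names comes from Microsoft's documentation of the zone registry entries, not from the post; the sample "current" values in the block are constructed so the comparison can run on a non-Windows machine, and read_zone_from_registry is only called when running on Windows.

```python
"""Audit the IE Internet-zone settings recommended above against the registry."""
import sys

# 3 = Internet zone. Per-user key IE consults first (assumption: the machine-wide
# copy or the zone template applies when a value is absent here).
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3          # REG_DWORD meanings for IE URL actions
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "not set"}

# URL action id -> (setting as shown in the IE Custom Level dialog, recommended value).
# Ids are the documented zone registry entries; recommendations are the post's.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample of what a user's zone might hold (not the thread's machine).
SAMPLE_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                  "1800": PROMPT, "1804": ENABLE, "1607": None}


def compare_zone(current):
    """Return [(action, name, have, wanted)] for every setting that deviates.

    `current` maps action id -> DWORD value, or None when the value is absent.
    """
    deviations = []
    for action, (name, wanted) in RECOMMENDED.items():
        have = current.get(action)
        if have != wanted:
            deviations.append((action, name, have, wanted))
    return deviations


def as_reg_commands(deviations):
    """Emit one `reg add` per deviation that sets the recommended DWORD for HKCU."""
    return [f'reg add "HKCU\\{ZONE_KEY}" /v {action} /t REG_DWORD /d {wanted} /f'
            for action, _name, _have, wanted in deviations]


def describe(deviations):
    """Human-readable audit lines, e.g. for pasting back into a thread."""
    return [f"{action} {name}: is {LABEL.get(have, have)}, should be {LABEL[wanted]}"
            for action, name, have, wanted in deviations]


def read_zone_from_registry():
    """Read the six values from HKCU (Windows only); missing values become None."""
    import winreg  # stdlib, present only on Windows builds of Python
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in RECOMMENDED:
            try:
                value, _kind = winreg.QueryValueEx(key, action)
                current[action] = value
            except FileNotFoundError:
                current[action] = None
    return current


if __name__ == "__main__":
    current = read_zone_from_registry() if sys.platform == "win32" else SAMPLE_CURRENT
    found = compare_zone(current)
    for line in describe(found):
        print(line)
    for cmd in as_reg_commands(found):
        print(cmd)
```

On a Windows machine the script reads the live values; elsewhere it audits the constructed sample, which deviates on 1001, 1804 and 1607 and so produces three reg add commands. The commands only touch the current user's zone, matching what the Custom Level dialog changes.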

sucosam
2009-10-21, 15:54
Blade, all is looking great. I don't see any residual issues. Thanks so much for your help; it is greatly appreciated. I will recommend this forum to friends and will bookmark it in case I run into issues in the future.

Again, many, many thanks. I thought I was looking at a reinstall.

Blade81
2009-10-21, 16:11
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.