Hijack Log After Running SpyBot to get rid of Virtumonde



Jim43
2010-03-02, 13:02
Hi, thanks!

Here's my original post with my problem for reference:

http://forums.spybot.info/showthread.php?t=55869


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:35 AM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [wazewifan] Rundll32.exe "c:\windows\system32\denekilo.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253874934186
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O20 - AppInit_DLLs: c:\windows\system32\denekilo.dll
O21 - SSODL: molukimub - {3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4553 bytes

IndiGenus
2010-03-03, 21:36
Hello and welcome to the forums here at Spybot S&D.

Vundo still appears to be present.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
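
As an added example (not part of the original thread, and not a feature of HijackThis, Spybot or ComboFix): a small Python triage script that parses the O4/O20/O21/O22 autostart entries of a HijackThis log and groups them by the file each entry launches, so a DLL wired into several autostart locations at once, as denekilo.dll is in the first log above, stands out. The sample log excerpt is constructed from the autostart lines quoted in the first post; the section set, flag names and the "two or more locations" heuristic are my own assumptions, not HijackThis logic.

```python
import re
from collections import defaultdict

# Constructed excerpt of a HijackThis log, assembled from the autostart lines
# quoted in the thread's first post (not the complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [wazewifan] Rundll32.exe "c:\windows\system32\denekilo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\denekilo.dll
O21 - SSODL: molukimub - {3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-rooted path (may contain spaces, stops at a quote) or a bare file
# name, ending in .dll or .exe.
BINARY_RE = re.compile(r'(?:[A-Za-z]:\\[^"]*?|[\w.-]+)\.(?:dll|exe)', re.IGNORECASE)

# Autostart sections considered here (assumption: the subset relevant to this log).
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O22"}


def parse_entries(log_text):
    """Yield (section, entry) for each autostart line in a HijackThis log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and m.group(1) in AUTOSTART_SECTIONS:
            yield m.group(1), m.group(2)


def launched_binary(entry):
    """Return the lower-cased file name the entry ultimately launches.

    The last path-like token is used so that `Rundll32.exe "<dll>",a`
    resolves to the DLL rather than to rundll32 itself.
    """
    matches = BINARY_RE.findall(entry)
    if not matches:
        return None
    return matches[-1].rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Group autostart entries by launched binary and record risk indicators."""
    report = defaultdict(lambda: {"sections": set(), "flags": set()})
    for section, entry in parse_entries(log_text):
        name = launched_binary(entry)
        if name is None:
            continue
        info = report[name]
        info["sections"].add(section)
        if section == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll
            info["flags"].add("appinit_dll")
        if "(file missing)" in entry.lower():
            info["flags"].add("file_missing")
        if "rundll32" in entry.lower():
            info["flags"].add("rundll32_loader")
    return dict(report)


def flag_suspicious(log_text):
    """Binaries wired into two or more autostart locations, or carrying a
    risk flag (AppInit_DLLs injection or a registry entry whose file is gone)."""
    out = []
    for name, info in sorted(triage(log_text).items()):
        if len(info["sections"]) >= 2 or info["flags"] & {"appinit_dll", "file_missing"}:
            out.append(name)
    return out


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_LOG):
        info = triage(SAMPLE_LOG)[name]
        print(f"{name}: sections={sorted(info['sections'])} flags={sorted(info['flags'])}")
```

Run against the excerpt, only denekilo.dll is reported: it is launched from an O4 Run key through rundll32, injected via O20 AppInit_DLLs, and referenced by O21/O22 entries whose file is already gone. The legitimate Avira, Intel and ctfmon entries each appear in a single location and carry no flag, which is the pattern a helper reading the log by hand is also checking for.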

Jim43
2010-03-04, 02:38
ComboFix 10-03-03.03 - HWANG 03/01/2010 3:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1743 [GMT -5:00]
Running from: c:\documents and settings\HWANG\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 07:35 . 2009-09-26 06:22 23272 ----a-w- c:\documents and settings\HWANG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-07 19:12 . 2009-09-26 06:42 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-11 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"DeltTray"="DeltTray.exe" [2004-08-27 56320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-7-9 634880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/11/2009 2:10 AM 108289]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 10:28 AM 30864]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [9/25/2009 5:26 AM 215040]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\HWANG\Application Data\Mozilla\Firefox\Profiles\kb0wygle.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-M-Audio Taskbar Icon - c:\windows\System32\M-AudioTaskBarIcon.exe
HKLM-Run-wazewifan - c:\windows\system32\denekilo.dll
SharedTaskScheduler-{3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll
SSODL-molukimub-{3781c82b-a5b9-4df4-bd19-57295ed117b5} - c:\windows\system32\denekilo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 02:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\DeltTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\fbd10dcbeeea9977a50637fdf6817519\update\update.exe
.
**************************************************************************
.
Completion time: 2010-03-01 02:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 07:49

Pre-Run: 12,241,653,760 bytes free
Post-Run: 12,204,376,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - C413013F3159370AE4994DAB6600F890

Jim43
2010-03-04, 02:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:30 AM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINDOWS\explorer.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253874934186
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 3970 bytes

Jim43
2010-03-04, 02:46
Hi, thanks for the help. I have a new problem relating to "combofix".

After running this combofix my 3rd party soundcard has completely disappeared, there's no icon for it, do I need to re-install the drivers or what's happened?

my soundcard is a "Delta 1010 LT" and it's no longer showing up and there's no tray icon for it.

I need to use it tonight. Before running combofix my computer was operating fine; can I just do the system restore point? Or should I re-install my drivers? Anybody know? I would like to use the soundcard.

Also, combofix deleted some windows/system32 file automatically I didn't tell it to.

thanks for the help.

Jim43
2010-03-04, 02:49
I also have a new folder called "recycler" on each of my 2 hard drive partitions, after running combofix.

I'm starting to get scared because the other hard drive has very sensitive data, and was not affected by the virus, why did combofix mess with my 2nd hard drive? I thought it was just going to affect my c: drive, my system drive?

can this "combofix" program corrupt audio files up on my backup drive?

Jim43
2010-03-04, 02:53
Never mind on the soundcard, I rebooted and it seems to have been restored somehow. Strange, these computers; maybe I was still in that mode from the windows recovery console or something?

thanks again.

Jim43
2010-03-04, 02:57
question: I haven't run "Real Player" in a while, so is the virus using Real Player through a back door or something?

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

^is this referring to "Real Player"? Because it shouldn't be running, I haven't opened the program in a while.


sorry if I'm confused, that happens a lot.

Jim43
2010-03-04, 03:20
Hey, the error message is gone!

and system is running fine?

is it gone!?

thanks again for the help!

tashi you can delete my posts that are of no use, I tried but I can't seem to edit them.


thanks IndiGenus!

tashi
2010-03-04, 04:00
Jim43,

Please wait for a response from IndiGenus, he may want to see another log. :)


Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Can I edit my own posts?

In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.

Posts are not deleted though, well not unless they are from spammers. :ninja:

IndiGenus
2010-03-04, 04:03
Hi,

Looks like it's pretty much gone. We'll clear out the "stuff" that combofix created at the end of the fix here.

I would like to see a couple more scans run.

Use ATF Cleaner to remove temp files, cookies, cache, etc.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply.

++++++++++++++

I would also like you to run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)
Run with Internet Explorer

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button, or click the notification bar at the top of the window and choose to install.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Jim43
2010-03-04, 05:14
Hi, I'm sorry to delay the process.

However there is a problem, I don't have many temp files, but I need some of my temp files because for a period I used my windows temp folder to store temp files that relate to efx settings on my digital recording software, and those particular projects seem to reference this windows temp folder (I have since switched it). I go about deleting my temp files manually for now until the project is complete, so I don't want to clear out my temp files completely just yet, for that reason I also told spybot not to clear out my temp folder.

Is there any way I can do what you're requesting without clearing the temp folder? Temp folder has very few files anyway, and I know what they are.

thanks again!...and sorry for my problem here.

Jim43
2010-03-04, 06:21
also this "ATF" cleaner, this wouldn't be in anyway associated with the federal government would it? :clown:

Jim43
2010-03-04, 06:23
oh and personally I don't even like opening internet explorer, but I guess if you say it's necessary.

IndiGenus
2010-03-04, 15:24
You can skip over ATFCleaner and go right to MBAM.

Jim43
2010-03-04, 15:49
You can skip over ATFCleaner and go right to MBAM.


Thank you Sir.

While as it turns out, something already deleted the temp files in question (combofix perhaps) in any event it's not that important as I had efx presets saved anyway.


So I would like to run the entire process you suggest IF, and only IF it will not clean out my specific temp folder on partition D: that only contains temp files from my audio recording software.

Can I set ATF cleaner to only clean out files from the windows temp folder not all folders labeled "temp".

Or did you tell me I can skip ATF because it is in fact created by the branch of the federal government with the same name? :secret:


thank you a great deal and I will get back later tonight when I have a chance, thanks and good day to you sir.

IndiGenus
2010-03-04, 15:54
Thank you Sir.

While as it turns out, something already deleted the temp files in question (combofix perhaps) in any event it's not that important as I had efx presets saved anyway.


So I would like to run the entire process you suggest IF, and only IF it will not clean out my specific temp folder on partition D: that only contains temp files from my audio recording software.

Can I set ATF cleaner to only clean out files from the windows temp folder not all folders labeled "temp".

Or did you tell me I can skip ATF because it is in fact created by the branch of the federal government with the same name? :secret:


thank you a great deal and I will get back later tonight when I have a chance, thanks and good day to you sir.

No, ATF has nothing to do with any government branches. muha: You can just skip over it anyway. Sounds like you keep a pretty good eye on those things anyway. Although I would not suggest using temp files/folders in the future for any critical system settings or storage....:rolleyes:

Jim43
2010-03-05, 01:32
mbam:


Malwarebytes' Anti-Malware 1.44
Database version: 3825
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/1/2010 3:38:52 AM
mbam-log-2010-03-01 (03-38-52).txt

Scan type: Quick Scan
Objects scanned: 115578
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jim43
2010-03-05, 01:42
well the eset one doesn't seem to want to run..

it had me OK a bunch of stuff at the top like ActiveX and an add-on; it said the installation was blocked, so I OK'd the add-on multiple times, but it doesn't work.

Jim43
2010-03-05, 01:43
and yes i'm using internet explorer right now, usually i use firefox.

Jim43
2010-03-05, 01:52
*sigh*

sorry, idk what's going on I almost got it to work, got it to the start page, clicked start to start the scan but it stops on step 2 of 4 and says: "can not get update, is proxy configured?"

gish, you would think eset would support firefox as ie is a turrible browser.

Jim43
2010-03-05, 01:56
oh and it's telling me I have another virus software turned on which might affect the performance and quality of the scan, it says it is Avira that's turned on, however, I do in fact have Avira disabled.

Jim43
2010-03-05, 02:10
got a little further, it started to initialize then when it was 6% through it gave me this: "Unexpected error 2002"

Jim43
2010-03-05, 03:39
just for shits and giggles I tried to run the eset scanner with Firefox...same results, just wouldn't work no matter what I did, it started to scan but again got the "can not get update, is proxy configured?" at 50% finished this time.

I'm not using any proxies, although hell, I'm not really sure what a proxy is so I guess it's possible.

IndiGenus
2010-03-05, 04:44
Let's try a different scanner. You can use Firefox with this one.

Go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Jim43
2010-03-05, 09:29
well I finally got the eset scanner to work...it scanned what seemed to be all of my files (took a while) and said that no threat was detected.


It did not give me a "details tab" and I checked the option "remove at close".


So I guess I don't have the report, after I hit finish it just recommended I install eset nod32 but I didn't, then there was no other option to get a report.

Jim43
2010-03-05, 09:32
I checked under program files and the eset scanner is still there however there is no log text.

Jim43
2010-03-05, 09:40
I think it's cleared out my system...but do you still want me to run the kaspersky?

what kind of virus was it anyway?

Oh and should I get rid of what "combofix" left behind now ? I could just delete the "recycle" folders in each of my partitions manually...and there's nothing in them anyway, I wonder why they were created.


Thanks! I'll continue to follow your lead!

IndiGenus
2010-03-05, 14:21
I think it's cleared out my system...but do you still want me to run the kaspersky?

what kind of virus was it anyway?

Oh and should I get rid of what "combofix" left behind now ? I could just delete the "recycle" folders in each of my partitions manually...and there's nothing in them anyway, I wonder why they were created.


Thanks! I'll continue to follow your lead!

No need to run Kaspersky then, we can wrap up.

You had Vundo Malware.

Uninstall Combofix

Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

The above procedure will:

Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Jim43
2010-03-06, 01:09
IndiGenus, Thanks a lot brotha! You have my gratitude! thanks for the help!

Here are the results:



Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
HijackThis 2.0.2
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Jim43
2010-03-06, 01:38
oh on a sidenote, after uninstalling combofix the "recycler" folders are still there in every partition, it says they have 85kb when I put the mouse over them but there's nothing inside when I doubleclick them.

Is it ok to just delete these "recycler" folders manually?

Also, should I delete the "hijack this" program or should I leave it incase I need it later?


thanks again!

Jim43
2010-03-06, 01:40
correction the "Recycler" folders say they have 85 bytes not kb.

IndiGenus
2010-03-06, 04:07
If there's nothing in the folders just delete them.

You can uninstall Hijackthis also. Use Add or Remove Programs in Control Panel.

Security check looks good.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Online-Armor (http://www.tallemu.com/free-firewall-protection-software.html)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/)
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)

Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)

Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)

Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,
Dave

Jim43
2010-03-06, 04:17
Thank you much Dave! I greatly appreciate all the information.

Just one last question I have is: I never use Internet Explorer, I only use Firefox, so in this case should I still install "Spyware Blaster", or is this only for use with Internet Explorer?

Do you recommend Internet Explorer over Firefox?


Thanks!

-Jim

IndiGenus
2010-03-06, 04:24
SpywareBlaster works with most browsers. Check out the following page for a little more info.

http://www.javacoolsoftware.com/spywareblaster.html#Browsers

Personally, I use Firefox probably 98% of the time, but I occasionally need and use IE. IE has gotten better, but I have all my add-ons set up and running for Firefox. It's really a preference thing....

Good luck Jim and glad we could help you out,
Dave

Jim43
2010-03-06, 06:02
Hey, are you still there? I've run into a problem.

Well, the "recycler" folder will not delete; when I try to delete it, it gives me this message:

"Error deleting file or folder:

Cannot delete RECYCLER: access is denied

Make sure the disk is not full or write protected and that the file is not currently in use"


When I point the mouse to the "RECYCLER" folder it says:

size: 85 bytes
folders:

I think it was created when I ran ComboFix, but possibly Spybot, because that was the program I ran before ComboFix.

I followed your instructions to uninstall ComboFix and it said that it had uninstalled correctly, but then I did have to delete other ComboFix files manually after the uninstall.


Thanks again for any advice,


-Jim

Jim43
2010-03-06, 06:03
No other programs are open when I'm trying to delete the "RECYCLER" folder on each of my additional partitions.

Jim43
2010-03-06, 06:09
Or could that possibly be related to Windows Defender?

Jim43
2010-03-06, 06:12
Excuse me, not Windows Defender; I mean to say the "Microsoft Windows Recovery Console"... could those "RECYCLER" folders be related to that program? I can't find it; it's not listed under Programs.

Jim43
2010-03-06, 06:14
Do you think ATF Cleaner might get rid of the "RECYCLER"?

Not that it's causing any problems; it's just there and can't be deleted... and actually I can't find it on my C: drive, only on every other partition on both hard drives, but it might be there on C: somewhere.

Jim43
2010-03-06, 06:28
Update: well, it will let me move each of the "RECYCLER" folders out of the other partitions and to the desktop; from there I can delete them...

Hmm, but should I? Are these folders now related to files on the other partitions?

Strange, why can't I delete them unless they are moved off the other partitions? That would seem to mean they are being used when they are inside the other partitions.

IndiGenus
2010-03-06, 17:01
Take a look at the following article.

http://techsalsa.com/what-is-recycler-folder-and-how-to-remove-it/

Jim43
2010-03-07, 09:47
Thanks... hmm, I read it, but that article doesn't seem to explain how they suddenly arrived on each of my other partitions...

And I'm still left wondering whether I should delete them (they're all on my desktop now) from my desktop, or should I restore them to each of the partitions from which they came?


Jim43
2010-03-07, 12:28
One question:

That article you gave me says that these are folders that files from the emptied out recycle bin go to.

Could it be that these "RECYCLER" folders were always there but just hidden, and one of the virus programs un-hid them?

In this case, could this mean that IF I delete the RECYCLER folder it would have a negative impact on a data-retrieval company's ability to obtain lost data from my hard drive in the event of a failure?

Or does this just affect the stuff that's already been in the "recycle bin"?

Anybody with any insight or comments? Thanks!

IndiGenus
2010-03-07, 15:54
Thanks... hmm, I read it, but that article doesn't seem to explain how they suddenly arrived on each of my other partitions...
They were always there and you were probably just not aware.



And I'm still left wondering whether I should delete them (they're all on my desktop now) from my desktop, or should I restore them to each of the partitions from which they came?
I would suggest you restore them. They are normal for Windows XP.


That article you gave me says that these are folders that files from the emptied out recycle bin go to.
Yes


Could it be that these "RECYCLER" folders were always there but just hidden, and one of the virus programs un-hid them?
They were always there. They are normally hidden by Windows. If you tell Windows to unhide files you will see them.


In this case, could this mean that IF I delete the RECYCLER folder it would have a negative impact on a data-retrieval company's ability to obtain lost data from my hard drive in the event of a failure?
Absolutely not. Data recovery is an entirely different thing.

The RECYCLER folder is the recycle bin. The recycle bin on your desktop is simply a shortcut to all the RECYCLER folders in your computer. If you have C:\, D:\ and E:\, your recycle bin shows the contents of C:\RECYCLER, D:\RECYCLER and E:\RECYCLER. Having these RECYCLER folders on each drive saves the OS from having to copy a deleted file or folder from any other drive to the C:\ drive.

I would suggest you just leave them alone.

Jim43
2010-03-08, 00:54
OK thanks, one more question: how do I hide them again?


Thanks for all your help Dave!

IndiGenus
2010-03-08, 00:58
One more question: how do I hide them again?
ComboFix should have done that as part of the uninstall routine if they were not hidden. Doesn't sound like it uninstalled correctly. But here's how you can re-hide them if needed.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options...
Select the View Tab.
Under the Hidden files and folders heading select Do not show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click OK.
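The Folder Options steps above only hide folders that actually carry the Hidden (and, for "protected operating system files", System) attribute. As an added example that is not part of this thread, the following PowerShell script audits the RECYCLER folder on every local drive and reports which ones lack those attributes; run it with -Fix to restore them. It assumes PowerShell 2.0 is installed (it is an optional download on Windows XP SP3) and that the per-drive folder is named RECYCLER as on XP.

```powershell
# Added example (not from the thread): audit the per-drive RECYCLER folders
# and report any that are missing the Hidden/System attributes that Explorer's
# "Do not show hidden files" / "Hide protected operating system files" rely on.
# Usage:  .\Check-Recycler.ps1        (report only)
#         .\Check-Recycler.ps1 -Fix   (also restore Hidden+System)
param([switch]$Fix)

$hiddenFlag = [IO.FileAttributes]::Hidden
$systemFlag = [IO.FileAttributes]::System

# DriveType 3 = local fixed disk; skips CD-ROM, removable and network drives
$drives = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3"

foreach ($d in $drives) {
    $path = "$($d.DeviceID)\RECYCLER"          # e.g. C:\RECYCLER
    if (-not (Test-Path -LiteralPath $path)) {
        # Normal: XP recreates the folder the next time a file is deleted
        Write-Output ("{0}  not present" -f $path)
        continue
    }

    # -Force is required, otherwise Get-Item refuses to return hidden items
    $item  = Get-Item -LiteralPath $path -Force
    $attrs = $item.Attributes
    $isHidden = (($attrs -band $hiddenFlag) -eq $hiddenFlag)
    $isSystem = (($attrs -band $systemFlag) -eq $systemFlag)

    if ($isHidden -and $isSystem) {
        Write-Output ("{0}  OK  ({1})" -f $path, $attrs)
        continue
    }

    # This is the state Jim hit: folder visible because Hidden was stripped
    Write-Output ("{0}  VISIBLE  (attributes: {1})" -f $path, $attrs)
    if ($Fix) {
        # Setting the property writes the attributes back to the folder
        $item.Attributes = $attrs -bor $hiddenFlag -bor $systemFlag
        Write-Output ("{0}  restored Hidden+System" -f $path)
    }
}
```

Note that a RECYCLER folder copied back from the desktop is a new folder without the original attributes, which is why it stays visible even with "Do not show hidden files and folders" selected.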

Jim43
2010-03-08, 00:59
The reason I ask is that I already have the "Do not show hidden files and folders" button checked under "Control Panel > Folder Options > View"

and the recycler folders are still visible.

Any ideas or suggestions? Thanks! This will be my last question, I hope.

IndiGenus
2010-03-08, 01:03
If you right-click on the folder and select Properties, is there an option to select Hidden?

Jim43
2010-03-08, 02:21
Indeed, thank you sir, I actually just discovered that before coming here.

Thanks again Dave. Now, just to let you know, or anyone else: I tried to restore the "RECYCLER" folder that I moved from each partition onto my desktop, but it says that there is already another recycler folder on each partition... so I suppose XP restores those folders when you reboot if they are moved/deleted.


I also reduced the size of my recycle bin storage limit to 2% from the gigantic 10%; I figure 2% is big enough for a 160 GB drive.



Thanks again Dave!! Great help!

IndiGenus
2010-03-08, 02:52
You're welcome and glad we got it sorted.

Regards,
Dave