I'm Infected, and now I'm scared reading these topics!


This topic is locked
17 replies to this topic

#1 steven

Posted 03 November 2009 - 04:07 PM

Hello BC, I'm back - again.
You would think that after being here a few years, I would be more adept at keeping bugs out of my work laptop.

I'm pretty sure I have a dialer / bug of some sort. (are the pop up ads here on BC new? They're the only ones I get!) I believe I have a dialer because when I'm not connected to the net, a dialog box keeps popping up wanting me to connect. It even disables my real wireless internet connection until I click "try again" on the dialog box.
I also have a . (period) left in my I.E. addy bar after deleting a site and entering a new site to go to. This was characteristic of FunWebSearch with my old 98 XP.

I have Spybot, A2Sq. Mbam, Adaware, AVG, SAS, ATF. (I have most of these because I like to run scans all the time.) All updated.

Now I'm really scared after reading some of the posts here. This is my online banking laptop and can't afford to have any bugs on this system.

Yesterday I ran scans in safe mode with SAS, MBAM, a2squared with nothing found.

Here's my most recent SAS scan. (not in safe mode)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/28/2009 at 07:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4206
Trace Rules Database Version: 2114

Scan type : Complete Scan
Total Scan Time : 01:16:35

Memory items scanned : 765
Memory threats detected : 0
Registry items scanned : 7007
Registry threats detected : 0
File items scanned : 29352
File threats detected : 2

Adware.Tracking Cookie
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.bleepingcomputer[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.bridgetrack[1].txt

Thanks for taking the time to read this.

I sure could use some help again!
Steve


#2 boopme (Global Moderator)

Posted 03 November 2009 - 04:17 PM

Hello. Let's run Part 1 of S!Ri's SmitfraudFix and then Dr.Web.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 steven (Topic Starter)

Posted 03 November 2009 - 04:43 PM

Hello Boopme, glad to meet ya.

I'm doing this wirelessly on the road and don't have access to a printer, so I'll follow your instructions as best as I can.

I did the smitfraud scan and am posting the results. The Dr.Web is going to take me a little longer to respond to. Thanks for your time in this matter.

SmitFraudFix v2.424

Scan done at 15:37:49.37, Tue 11/03/2009
Run from C:\Users\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Owner


C:\Users\Owner\AppData\Local\Temp


C:\Users\Owner\Application Data


Start Menu


C:\Users\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL,avgrsstx.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{336A0967-68A0-4885-8B13-37CE2D50E83E}: DhcpNameServer=192.168.182.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{78C77FCD-5EFB-4693-8D40-6369EC20392F}: NameServer=69.78.96.14 66.174.92.14
HKLM\SYSTEM\CS1\Services\Tcpip\..\{336A0967-68A0-4885-8B13-37CE2D50E83E}: DhcpNameServer=192.168.182.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{78C77FCD-5EFB-4693-8D40-6369EC20392F}: NameServer=69.78.96.14 66.174.92.14
HKLM\SYSTEM\CS3\Services\Tcpip\..\{336A0967-68A0-4885-8B13-37CE2D50E83E}: DhcpNameServer=192.168.182.1


Scanning for wininet.dll infection


End
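The three registry sections near the end of that log (AppInit_DLLs, the Winlogon Userinit value, and the per-adapter DNS servers) are the load points and hijack points a practitioner reads first, and the log prints them without judging them. The following is an added example, not part of the thread and not code from SmitfraudFix, that pulls those values out of a log excerpt and reports what does not match expectations. The excerpt is copied from the log above; the allowlist that treats the two AppInit DLLs as Google Toolbar and AVG 8 components is an assumption you should verify on the machine itself.

```python
import ipaddress
import re

# Constructed excerpt: the AppInit_DLLs, Winlogon and DNS sections of the
# SmitfraudFix log posted above, copied into a string so this runs offline.
SMITFRAUD_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL,avgrsstx.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

HKLM\SYSTEM\CCS\Services\Tcpip\..\{336A0967-68A0-4885-8B13-37CE2D50E83E}: DhcpNameServer=192.168.182.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{78C77FCD-5EFB-4693-8D40-6369EC20392F}: NameServer=69.78.96.14 66.174.92.14
'''

# The only legitimate Userinit entry on Vista is userinit.exe from system32;
# the trailing comma in the log is normal. Malware appends itself after it.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed allowlist for this machine: the two DLLs in the log are taken to be
# Google Toolbar and AVG 8 components (an assumption; verify each file).
KNOWN_APPINIT_DLLS = {"goec62~1.dll", "avgrsstx.dll"}


def reg_value(log, name):
    """Return the unescaped data of a REG_SZ value from .reg-style export lines."""
    m = re.search(r'"%s"="([^"]*)"' % re.escape(name), log)
    return m.group(1).replace("\\\\", "\\") if m else None


def check_userinit(log):
    """Return Userinit entries other than the expected userinit.exe."""
    value = reg_value(log, "Userinit") or ""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_appinit(log):
    """Return (all DLLs listed, DLLs not on the allowlist); separators are spaces or commas."""
    value = reg_value(log, "AppInit_DLLs") or ""
    dlls = [d for d in re.split(r"[ ,]+", value) if d]
    unknown = [d for d in dlls if d.rsplit("\\", 1)[-1].lower() not in KNOWN_APPINIT_DLLS]
    return dlls, unknown


def appinit_enabled(log):
    """True when LoadAppInit_DLLs=1, i.e. the listed DLLs really are loaded into every GUI process."""
    m = re.search(r'"LoadAppInit_DLLs"=dword:([0-9a-fA-F]+)', log)
    return bool(m) and int(m.group(1), 16) == 1


def check_dns(log):
    """Return statically configured (non-DHCP) name servers that are not private addresses.

    A DNS changer leaves exactly this footprint: a NameServer value pointing at
    public IPs. Here they sit on the second adapter, which on this laptop is the
    VZAccess Manager card, so confirm them with the carrier before trusting them.
    """
    suspicious = []
    for m in re.finditer(r"(DhcpNameServer|NameServer)=([\d. ]+)", log):
        kind, servers = m.group(1), m.group(2).split()
        for s in servers:
            if kind == "NameServer" and not ipaddress.ip_address(s).is_private:
                suspicious.append(s)
    return suspicious


def summarize(log):
    dlls, unknown = check_appinit(log)
    return {
        "userinit_extra": check_userinit(log),
        "appinit_dlls": dlls,
        "appinit_unknown": unknown,
        "appinit_enabled": appinit_enabled(log),
        "static_public_dns": check_dns(log),
    }


if __name__ == "__main__":
    for key, val in summarize(SMITFRAUD_LOG).items():
        print(f"{key}: {val}")
```

Run against the posted values, Userinit is clean, all three AppInit entries are on the allowlist (the Google DLL simply appears twice), and the only finding is the pair of public name servers on the second adapter. That is the check worth doing by hand too: a static NameServer on an interface that should be getting DNS from DHCP is one of the few things a hijacker needs, and none of the scanners in the thread look at it.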

#4 boopme

Posted 03 November 2009 - 08:07 PM

Ok, we'll need to see Dr.Web also before I can run Part 2 or not. It is a long scan anyway.

#5 steven

Posted 04 November 2009 - 01:12 AM

I did the Dr.web scan. (took over 5 hours!)

Yes, it found multiple threats, but unfortunately the program saved the scan to my desktop as an '07 Word doc.

I bought this laptop new from Bestbuy. Bought Office 2007. Best Buy was supposed to install it, using the product key. Office was never activated and I have since divorced, losing the product key, which means I can't copy, print, or do anything with the file that was saved by Dr.Cureit.
This is what I can't copy + paste; (I had to write it all down.)

Line 1. Process.exe;C:\Windows\system32;Tool.Prockill;Moved.;
Line 2. RegUBP2b-Owner.reg;C:\DocumentsandSettings\Allusers\ApplicationData\Spybot-SearchandDestroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Line 3. SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\DocumentsandSettings\Owner\Desktop\SmitfraudFix.exe;Tool.Prockill;;
Line 4. SmitfraudFix.exe\SmitfraudFix\restart.exe;C:DocumentsandSettings\Owner\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
Line 5. SmitfraudFix.exe;C:\DocumentsandSettings\Owner\Desktop\;Archive contains infected objects; Moved.;
Line 6. Process.exe;C\DocumentsandSettings\Owner\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
Line 7. restart.exe;C:\DocumentsandSettings\Owner\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Deleted.;
Line 8. Process.exe;C:\DocumentsandSettings\Owner\DoctorWeb\Qarantine;Tool.Prockill;Incurable.Deleted.;
Line 9. SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\DocumentsandSettings\Owner\DoctorWeb\Quarantine\SmitfraudFix.exe;Tool.Prockill;;
Line 10. SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\DocumentsandSettings\Owner\DoctorWeb\Quarantine\SmitfraudFix.exe;Tool.ShutDown.14;;
Line 11. SmitfraudFix.exe;C:\DocumentsandSettings\Owner\DoctorWeb\Quarantine\SmitfraudFix.exe;Tool.ShutDown.14;;
Line 12. Bright.exe;C:\ProgramFiles\Toshiba\TBS;Trojan.Swizzor.10712;Deleted.;
Line 13. Process.exe;C:\ProgramFiles\Owner\Desktop\SmitfraudFix;Tool.Prockill;Invalid path to file;
Line 14. restart.exe;C:\Users\Owner\Desktop\SmitfraudFix;Tool.ShutDown.14;invalid path to file;

Took me almost as long to type this as it did to scan my system.
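Most of what Dr.Web listed there is the cleaning kit itself: process.exe and restart.exe inside SmitfraudFix (and the copies already sitting in Dr.Web's own quarantine) are the RiskTool detections boopme's note warned about, and the two real hits are Trojan.StartPage in a Spybot snapshot and Trojan.Swizzor in C:\Program Files\Toshiba\TBS. Sorting that by eye is error-prone, so here is an added example, not from Dr.Web or the thread, that parses the report's object;path;verdict;action; lines and separates expected tool detections from real ones. The sample lines are a constructed subset of the hand-typed list above with normal path spacing; the assumption that SmitfraudFix ships process.exe and restart.exe, and that Tool.* verdicts on those names inside the SmitfraudFix folder or the DoctorWeb quarantine are expected, is mine.

```python
from collections import namedtuple

Detection = namedtuple("Detection", "name path verdict action")

# Constructed sample in Dr.Web CureIt's report format (object;path;verdict;action;),
# a subset of the lines typed out above with the path spacing normalized.
DRWEB_REPORT = r"""
Process.exe;C:\Windows\system32;Tool.Prockill;Moved.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search and Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Owner\Desktop\;Archive contains infected objects; Moved.;
Process.exe;C:\Documents and Settings\Owner\DoctorWeb\Quarantine;Tool.Prockill;Incurable.Deleted.;
Bright.exe;C:\Program Files\Toshiba\TBS;Trojan.Swizzor.10712;Deleted.;
restart.exe;C:\Users\Owner\Desktop\SmitfraudFix;Tool.ShutDown.14;Invalid path to file;
"""

# Assumption: SmitfraudFix ships process.exe and restart.exe, which Dr.Web
# reports as Tool.* (the helper's note above says so for process.exe), and
# the kit archive itself gets an "Archive contains infected objects" verdict.
HELPER_TOOLS = {"process.exe", "restart.exe", "smitfraudfix.exe"}
HELPER_LOCATIONS = ("smitfraudfix", "doctorweb\\quarantine")


def parse_drweb(text):
    """Parse report lines. A trailing ';' is normal; an empty action field means nothing was done."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.rstrip(";").split(";")]
        if len(parts) < 3:
            continue
        name, path, verdict = parts[:3]
        action = parts[3] if len(parts) > 3 else ""
        rows.append(Detection(name, path, verdict, action))
    return rows


def classify(d):
    """'expected_tool' for the kit's own utilities in the kit's own folders,
    'malware' for real verdicts, 'review' for a Tool.* hit anywhere else."""
    base = d.name.rsplit("\\", 1)[-1].lower()
    where = (d.path + "\\" + d.name).lower()
    in_helper_dir = any(loc in where for loc in HELPER_LOCATIONS)
    if d.verdict.startswith("Tool.") or d.verdict.startswith("Archive contains"):
        if in_helper_dir and base in HELPER_TOOLS:
            return "expected_tool"
        return "review"
    return "malware"


def triage(detections):
    buckets = {"malware": [], "expected_tool": [], "review": []}
    for d in detections:
        buckets[classify(d)].append(d)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_drweb(DRWEB_REPORT)).items():
        print(bucket)
        for d in items:
            print(f"  {d.verdict:<32} {d.path}\\{d.name}  [{d.action or 'no action'}]")
```

The one entry that lands in "review" is process.exe in C:\Windows\system32: same tool, but outside the kit's folder, so it deserves a look rather than an automatic pass. Note also that the actions on the Tool.* lines are Moved and Deleted, which means Dr.Web has quarantined the SmitfraudFix kit; it has to be downloaded again before Part 2 can run.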

#6 boopme

Posted 04 November 2009 - 10:02 AM

Ok that was helpful. For the Keys try installing this. Magical Jellybean Keyfinder

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


How is it running now?

#7 steven

Posted 04 November 2009 - 05:13 PM

Hi Boopme,
I hope this was ok, but I rebooted last night in normal mode thinking it was ok, and I needed to do some work.
I was amazed at how fast my wireless connection is again. Yay! Actually, security is more important to me than speed since I pretty much run my financial life from my laptop.
I have to be sure my system is clean.

Thanks for the link, but I'm not sure how to use it. Do I download the Keyfinder v2.0.1?

Ok, did the MBAM scan. Results follow, but the scan didn't find anything for me to remove. Should I still reboot again?
Can I run Dr.Web anytime in the future in safe mode as a safety feature?

Malwarebytes' Anti-Malware 1.41
Database version: 3101
Windows 6.0.6002 Service Pack 2

11/4/2009 16:02:03
mbam-log-2009-11-04 (16-02-03).txt

Scan type: Quick Scan
Objects scanned: 107025
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I was really scared I had a bug that would require me to reformat. I don't have the installation disks, so I would have had to buy a new laptop.

#8 boopme

Posted 04 November 2009 - 09:01 PM

Hello. Looks like we have removed your malware; the most serious was Swizzor.
The Jelly Bean: click on the blue link I provided to run it.
The Magical Jelly Bean Keyfinder is a freeware open source utility that retrieves your Product Key (cd key) used to install Windows from your registry.
With this you should be able to get the disks from your PC manufacturer.

EDIT:
As you mentioned you do financials, you should change your passwords anyway to be safe. Swizzor does call home.

Now since all is running well.
Next you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Edited by boopme, 04 November 2009 - 09:06 PM.


#9 DaChew

Posted 04 November 2009 - 09:10 PM

I would suggest uninstalling the Trend Micro AV 2007.
Chewy

No. Try not. Do... or do not. There is no try.

#10 steven

Posted 04 November 2009 - 09:16 PM

Bad News boopme,

The . is back in my address bar. Things were running fine until I started browsing Kimkomando's site. My connection started to get a little choppy and now I discover the . in the addy bar.

Why should I uninstall TrendMicro Chewy?

#11 steven

Posted 04 November 2009 - 09:21 PM

oops,
I'm not going to do a system restore until I'm sure my system is clean.

I ran Mbam + SAS again and they found nothing. Is it possible the swizzor installed itself as a rootkit?
I haven't been all over the net, just tried to watch a you tube video, and did some business stuff, checked all my emails.
I really don't want to change all my passwords until I'm positive I'm not wasting my time.

#12 boopme

Posted 04 November 2009 - 09:31 PM

When something reoccurs like this the best fix is posting in the HJT forum. Yes, do not do the Restore; for now it is better to have an infected point than none.


To run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

Edited by boopme, 04 November 2009 - 09:33 PM.


#13 steven

Posted 04 November 2009 - 09:41 PM

Ok boopme.
I'll do as instructed, but now I'm worried again.
I've gone the HJT route before. It worked but it took awhile.

I'll let you know how this turns out.
Thanks for your efforts.
Steven

#14 DaChew

Posted 04 November 2009 - 09:48 PM

Why should I uninstall TrendMicro Chewy?


Your smitfraud log showed 2 resident antivirus programs running

Here's the standard response

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either xxxx or xxxx.
Chewy


#15 boopme

Posted 04 November 2009 - 09:57 PM

Yes, it will take a week; they are busy.

Reformatting is the next best choice and definitely the surest. Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Reinstall Windows Vista
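The two backup rules above and the warning about a hidden second extension ("photo.jpg.exe" shown by Explorer as "photo.jpg") are easy to state and easy to get wrong by hand across a whole profile. Here is an added example, not part of boopme's post or of any tool he names, that applies those rules to a list of file names and sorts them into copy, leave behind, suspicious (a data extension in front of an executable one) and review (no extension or one not on either list). The extension lists extend the post's examples and are assumptions; the file names are constructed.

```python
import os

# Extensions worth carrying over: the post's .doc/.txt/.mp3/.jpg list, extended (assumption).
DATA_EXT = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".pdf", ".mp3", ".jpg", ".jpeg", ".png", ".gif"}
# Extensions the post says to leave behind, plus other script and shortcut types (assumption).
RISKY_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
             ".com", ".bat", ".cmd", ".vbs", ".js", ".pif", ".lnk"}


def suffixes_of(filename):
    """Return (base name, all dotted extensions trimmed and lowercased).

    'photo.jpg        .exe' -> ['.jpg', '.exe']: padding before the real
    extension is stripped so the double extension is still seen.
    """
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    parts = base.split(".")
    return base, ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def classify(filename):
    """Return 'backup', 'skip', 'suspicious' or 'review' for one file name."""
    base, suffixes = suffixes_of(filename)
    if base.lower() == "autorun.inf":
        return "skip"                      # never copy autorun files
    if not suffixes:
        return "review"                    # no extension: inspect by hand
    last = suffixes[-1]
    if last in RISKY_EXT:
        # a data extension in front of the real one is the disguise the post
        # warns about; Explorer hides the last extension by default
        if any(s in DATA_EXT for s in suffixes[:-1]):
            return "suspicious"
        return "skip"
    if last in DATA_EXT:
        return "backup"
    return "review"


def plan_backup(filenames):
    plan = {"backup": [], "skip": [], "suspicious": [], "review": []}
    for f in filenames:
        plan[classify(f)].append(f)
    return plan


def walk(root):
    """Yield every file path below root, for feeding plan_backup on a real profile directory."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed file names standing in for a user profile
SAMPLE_FILES = [
    r"C:\Users\Owner\Documents\taxes2009.xlsx",
    r"C:\Users\Owner\Pictures\vacation.jpg",
    r"C:\Users\Owner\Pictures\vacation.jpg                 .exe",
    r"C:\Users\Owner\Desktop\SmitfraudFix.exe",
    r"C:\Users\Owner\Desktop\autorun.inf",
    r"C:\Users\Owner\Documents\notes.txt",
    r"C:\Users\Owner\Documents\README",
]

if __name__ == "__main__":
    for bucket, files in plan_backup(SAMPLE_FILES).items():
        print(bucket)
        for f in files:
            print("  " + f)
```

Anything in the "suspicious" bucket is the thing to look at before deciding the drive is clean enough to copy from; everything in "backup" still gets scanned on the new install before it is copied back, as the post says.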



