

running extremely slow after virus removal


  • This topic is locked
22 replies to this topic

#1 gpisanti

gpisanti

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 05 December 2009 - 08:45 AM

Be gentle as this is my first time using a forum like this - I recently found the win32:sdbot-gen44 virus and removed it using avast (also ran spybot and malwarebytes after removal and all was clean). My system is now running slower than when the virus was present (particularly when on sites like facebook it dang near freezes my computer). Any help would be appreciated.

here is the dds file :(



DDS (Ver_09-12-01.01) - NTFSx86
Run by at 21:46:25.15 on Thu 12/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.762 [GMT -5:00]

AV: avast! antivirus 4.8.1367 [VPS 091127-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg 2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [sdkupdate22] SDK0mCORE.exe
dRunOnce: [sdkupdate22] SDK0mCORE.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uExplorerRun: [*windows update] wkmst.exe
dExplorerRun: [*windows update] wkmst.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - hxxp://download.verizon.net/sfp/Cabs/max_update/cVOLUpdate_1-0-0.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [2004-8-29 12992]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-10 20560]
S2 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2007-10-5 10379]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-12-01 02:06:04 0 d-----w- c:\windows\RegCure
2009-11-30 23:47:17 23 --sha-w- c:\windows\system32\edacded0.dat
2009-11-30 23:47:17 23 ----a-w- c:\windows\system32\bcdadac7.xml
2009-11-29 23:29:02 0 d-----w- c:\documents and settings\greg 2\Incomplete
2009-11-29 23:26:13 0 d-----w- c:\docume~1\greg2~1\applic~1\LimeWire
2009-11-29 19:32:45 792 ----a-w- C:\Windows Media Player.lnk
2009-11-29 18:11:39 0 d-s---w- c:\documents and settings\greg 2\UserData
2009-11-28 01:06:48 0 dc----w- c:\docume~1\alluse~1\applic~1\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-11-28 01:05:50 0 d-----w- C:\autorun
2009-11-28 01:02:08 0 d--h--r- C:\AHCache
2009-11-23 15:13:03 292 --sha-w- C:\DESKTOP.INI
2009-11-23 15:13:03 1579 ----a-w- C:\Remote Assistance.lnk
2009-11-22 21:40:30 1072775168 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 21:47:30.68 ===============

Attached Files
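The "Pseudo HJT Report" section of a DDS log lists browser objects, autorun entries and hosts-file overrides in a compact one-line-per-item format. The parser below is an added example, not part of the original post or of the DDS tool: it reads that section into structured records and applies a few generic triage heuristics a responder would use when eyeballing such a log (orphaned "No File" registrations, autoruns given as a bare filename with no path, entries in the Explorer\Run location, and hosts overrides). The sample input is a constructed excerpt modelled on the log above, and the review reasons are assumptions for illustration, not verdicts about any of those entries.

```python
"""Parse the 'Pseudo HJT Report' section of a DDS log and flag entries for review (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log posted above (not the full log).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [avast!] c:\\progra~1\\alwils~1\\avast4\\ashDisp.exe
dRun: [sdkupdate22] SDK0mCORE.exe
uExplorerRun: [*windows update] wkmst.exe
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============
"""

# DDS prefixes: u = current user hive, m = machine hive, d = default-user hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.Default", "": "n/a"}


@dataclass
class Entry:
    kind: str    # "Run", "RunOnce", "ExplorerRun", "BHO", "EB" or "Hosts"
    hive: str    # "u", "m", "d", or "" where a hive does not apply
    name: str    # bracketed autorun label, object name/CLSID, or hostname
    target: str  # command line, DLL path, "No File", or the mapped address


RUN_RE = re.compile(r"^([umd])(Run|RunOnce|ExplorerRun):\s*\[(.*?)\]\s*(.*)$")
OBJ_RE = re.compile(r"^(BHO|EB):\s*(?:(.*?):\s*)?(\{[0-9a-fA-F-]+\})\s*-\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")


def parse_hjt_section(text):
    """Return Entry objects for the lines between the Pseudo HJT header and the next section."""
    entries, inside = [], False
    for line in text.splitlines():
        if line.startswith("=====") and "Pseudo HJT" in line:
            inside = True
            continue
        if inside and line.startswith("====="):
            break  # next section reached
        if not inside or not line.strip():
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry(m.group(2), m.group(1), m.group(3), m.group(4)))
        elif m := OBJ_RE.match(line):
            # Use the CLSID as the name when the object has no friendly name.
            entries.append(Entry(m.group(1), "", m.group(2) or m.group(3), m.group(4)))
        elif m := HOSTS_RE.match(line):
            entries.append(Entry("Hosts", "", m.group(2), m.group(1)))
        # Lines such as "uStart Page = ..." are not modelled here and are skipped.
    return entries


def review(entries):
    """Apply generic triage heuristics (assumed for this example); returns (entry, reason) pairs."""
    findings = []
    for e in entries:
        if e.target.strip() == "No File":
            findings.append((e, "orphaned registration: the referenced file is missing"))
        elif e.kind == "ExplorerRun":
            findings.append((e, "Explorer\\Run autorun: uncommon location, review the target"))
        elif e.kind in ("Run", "RunOnce") and "\\" not in e.target and "/" not in e.target:
            findings.append((e, "autorun given as a bare filename: resolved via the search path"))
        elif e.kind == "Hosts":
            findings.append((e, f"hosts override: {e.name} -> {e.target}"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_hjt_section(SAMPLE_DDS)):
        print(f"[{entry.kind:11}] {HIVE[entry.hive]:12} {entry.name!r}: {reason}")
```

Running the block prints one line per flagged entry; a BHO that points at an existing DLL under Program Files is parsed but not flagged, which is the point of keeping parsing and review as separate steps: the heuristics can be tuned without touching the parser.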




#2 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 18 December 2009 - 12:44 PM

2 weeks....36 views and nothing?

#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:39 PM

Posted 18 December 2009 - 11:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#4 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 19 December 2009 - 04:10 PM

great now have another virus....every time i try to run the program (ddr.scr) it tells me it is infected...

ran superantispyware and it removed
worm.win32.netsky
trojan.agent/gen

ran avast and it finds nothing but i keep getting pop ups now that tells me to DL internet security 2010?

guess we need to start from scratch on this one - do i need to start a new post or should we go from here?

also get that annoying "red X" in my system tray about infected.

Edited by gpisanti, 19 December 2009 - 04:23 PM.


#5 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 20 December 2009 - 01:44 AM

Hi gpisanti,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1
  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for instructions to run the tool.
  • Please download the random ComboFix from Here and save it to your desktop.
  • Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.
Step2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

In your next reply, please post back:


1.Combofix log
2.RSIT log.txt and info.txt. Thanks.

#6 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 20 December 2009 - 09:37 AM

was only able to download combofix and ran it - told me there was rootkit running and had to reboot - after reboot the only way i could get into XP was in safe mode - finished running combofix and rsit and have attached logs

still can only access computer in safe mode - pick any users in normal startup and it just freezes up

Attached Files



#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 20 December 2009 - 10:05 AM

Hi gpisanti,



Please navigate to the C:\Windows\ERDNT\Hiv-Backup folder and click the green ERDNT.exe; it will restore the backups. Restart your pc and check if you can boot into normal mode.

If yes, please delete the current copy of KittyFix.exe from your desktop, and go to the following thread to download a new copy of ComboFix and run it as instructed in my previous post.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If not, Please run Gmer and SystemLook in safe mode instead as instructed in the following:

Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Step2

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



In your next reply, please post back:


1.ComboFix log
2.Gmer log
3.SystemLook txt

Tell me how things went.

Edited by sundavis, 20 December 2009 - 11:05 AM.


#8 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 20 December 2009 - 02:48 PM

ran the erdnt - still hangs up going into normal mode (gets a little farther than before though)

was not sure if you wanted a combofix log from safe mode - have attached the gmer scan and system look (both ran in safe mode).

will await your next instruction - thank you in advance!

Attached Files


Edited by gpisanti, 20 December 2009 - 02:48 PM.


#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 20 December 2009 - 04:52 PM

Hi gpisanti,



was not sure if you wanted a combofix log from safe mode

If yes, please delete the current copy of KittyFix.exe from your desktop, and go to the following thread to download a new copy of ComboFix and run it as instructed in my previous post. Anyway, please do the following:


Step1

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"=-
Name the file as fix.reg, making sure save as type is set to " All Files ". It should look like Posted Image
Double click it and an information box will pop up asking if you want to merge the information in the file into the registry, click yes. Restart your pc.


Step2

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • Close any open browsers
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
c:\windows\system32\qSzNu5PaiW.dll

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Telephony\Cards]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step3


I notice you have MBAM installed in your system, please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step4

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please post back:


1.ComboFix log
2.MBAM log
3.OTListIt.txt and Extra.txt

Tell me if you have any remaining issues on your pc.

#10 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 20 December 2009 - 09:39 PM

i ran the regfix and re-started computer (step 1) - still only able to boot in safe mode, any "users" it still freezes up.

moving on to step 2 - this may be a dumb question but how do i turn off the avast scanner in safe mode? there is no little icon in my tray....call me a newb - i did not want to run combofix with the scanner running - was warned not to.

awaiting your thoughts before i move on to step 2, 3 and 4.

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 21 December 2009 - 10:35 AM

Hi gpisanti,


Go to Start>All programs>locate Avast and click on it, after that, please do as instructed in the following:

http://www.myantispyware.com/2009/04/16/ho...ent-protection/

Before running ComboFix, we need to run TDSSKiller beforehand to ensure everything goes smoothly. Please do the following:

Step1

1.Go to this thread and Download TDSSKiller to your Desktop.
2.Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
3.Start > Run and copy/paste the following bolded command into run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4.Follow the instructions to type in "delete" when it asks you what to do if something is found.
5.When done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents in your next reply.


In your next reply, please post back:


1.TDSSKiller txt
2.ComboFix log
3.MBAM log
4.OTListIt.txt and Extra.txt

#12 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 21 December 2009 - 01:37 PM

i appreciate all the help you have given thus far - but i think you may have missed my point about only being able to boot in safe mode.

because i can only boot in "safe mode" there are no icons in my tray for avast - even if i follow the instructions on the link it assumes you are in "normal mode" and that the icons appear in your tray.

http://www.myantispyware.com/2009/04/16/ho...ent-protection/

so again i am kind of stuck - cannot disable avast scanners because i am in "safe mode" and not able to simply right click and disable.

anything we can do to help me boot in "normal mode" so i can run the programs as you request?

***edit - or do i just uninstall avast until i get combofix to run?


thanks again
G

Edited by gpisanti, 21 December 2009 - 03:23 PM.


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 21 December 2009 - 06:10 PM

Hi gpisanti,


anything we can do to help me boot in "normal mode" so i can run the programs as you request?

Have you ever tried Last Known Good Configuration? If still not working, we will deal with that later after your system is clean.


do i just uninstall avast until i get combofix to run

Yes, please uninstall it temporarily. Thanks.

Edited by sundavis, 21 December 2009 - 07:58 PM.


#14 gpisanti

gpisanti
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 21 December 2009 - 09:02 PM

uninstalled avast and finally got combofix to run - have attached that and the other info you requested

will await your next instructions - thank you!

***edit - seems like "normal mode" is working again!!!!!!

Attached Files


Edited by gpisanti, 21 December 2009 - 09:19 PM.


#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:39 PM

Posted 21 December 2009 - 09:39 PM

Hi gpisanti,


seems like "normal mode" is working again

That sounds good. :(

We need to check your system with Kas Online Scanner to scan the remnants. It will take some time to run the full course. Please be patient and do the following:


Step1


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:

    Java™ 6 Update 2

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will be Downloading and installing the program and Updating the database.
  • When Updating the database have finished, click on Settings.
  • Make sure all boxes are checked. then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the logs in your next reply.

1.Kas Online Scan Report

Tell me if you have any remaining issues on your pc.

Edited by sundavis, 21 December 2009 - 09:41 PM.




