At My Wits End


  • This topic is locked
28 replies to this topic

#1 beaniejem

beaniejem

  • Members
  • 18 posts

Posted 06 January 2010 - 02:05 PM

Good Afternoon

I have been struggling with this PC for 3 weeks. I have cleaned, scanned, reloaded and virus-checked until I am blue in the face. I have used Spy Doctor, CCleaner and now HijackThis.

I have followed the instructions in the 15 page guide and hope that someone out there can help me.

The computer was infested with viruses, spyware and adware. It was moving so slowly it was unusable. I have it working to some degree, but little things still concern me. I cannot access regedit. The keyboard will stop working at times. I have entries in the recycler directory that look like a virus. My desktop will automatically revert back to its previous form on its own.

I know there are still issues with this PC.

Jim




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 06:00 AM

Hi beaniejem,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 09:13 AM

Got it.

My Spy Doctor runs a scan every night. Should I disable it?

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 09:18 AM

Yes please.

#5 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 10:39 AM

Spy Doctor disabled. Scan and fix run with MBAM.

Here are the results

Malwarebytes' Anti-Malware 1.43
Database version: 3507
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2010 9:13:11 AM
mbam-log-2010-01-07 (09-13-11).txt

Scan type: Quick Scan
Objects scanned: 119416
Time elapsed: 22 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.174.139.72 192.168.1.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\oTt02e (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146115110.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465749.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146115110.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465749.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
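An added example, not part of the thread or of Malwarebytes' tooling: the Trojan.DNSChanger line in this log is a DhcpNameServer value whose first resolver lies outside the private address ranges. The Python below parses that MBAM result line and separates LAN resolvers from public ones, which is the check behind the detection; the function names are mine, and the log text is the line posted above.

```python
import ipaddress
import re

# Excerpt of the MBAM log posted above: the one "Registry Data Items" result line.
MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.174.139.72 192.168.1.1 -> Quarantined and deleted successfully.
"""

# MBAM result line layout: <registry key> (<detection>) -> Data: <value> -> <action>
RESULT_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)


def parse_data_items(log_text):
    """Return one dict per result line in the 'Registry Data Items Infected' section."""
    items = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip() == "Registry Data Items Infected:":
            in_section = True          # the summary line near the top has a count after the colon
            continue
        if in_section and not line.strip():
            in_section = False         # MBAM separates sections with a blank line
        if not in_section:
            continue
        m = RESULT_RE.match(line)
        if m:
            items.append(m.groupdict())
    return items


def classify_nameservers(item):
    """Split a (Dhcp)NameServer value into LAN (private) and public resolvers.

    A DHCP-assigned resolver outside the private ranges is the DNS-changer symptom:
    the machine would send its name lookups to a server chosen by the malware.
    """
    if not item["key"].endswith(("DhcpNameServer", "NameServer")):
        return None
    private, public = [], []
    for token in item["data"].split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue                   # skip anything that is not an IP literal
        (private if addr.is_private else public).append(token)
    return {"detection": item["detection"], "private": private, "public": public}


if __name__ == "__main__":
    for item in parse_data_items(MBAM_LOG):
        print(classify_nameservers(item))
```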


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 11:32 AM

We might still have some work to do.
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove in the Control Panel and remove either Norton 360 or Spyware Doctor. Since Norton has a firewall too, I suggest you uninstall Spyware Doctor.

  2. Run CCleaner (make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked). Then click Run Cleaner.

  3. Go to Start > Run, copy/paste the following line into the Run box and click OK.

    cmd /c dir /a /s /od c:\recycler > log.txt&start log.txt

    A text file (log.txt) will open. Please post its content in your reply.


#7 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 01:01 PM

Removing Spyware doctor now.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 01:26 PM

Good.

#9 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 01:35 PM

Completed all of the steps. Here is the log.txt

Volume in drive C is Weisner_PC
Volume Serial Number is 8CB4-58BF

Directory of c:\recycler

10/12/2007 06:48 PM <DIR> ..
10/12/2007 06:48 PM <DIR> .
02/18/2008 06:17 PM <DIR> S-1-5-18
01/07/2010 12:32 PM <DIR> S-1-5-21-74520859-1270844494-224119412-1006
0 File(s) 0 bytes

Directory of c:\recycler\S-1-5-18

10/12/2007 06:45 PM 43 Dc5.gif
10/12/2007 06:45 PM 24,651 Dc8.dll
10/12/2007 06:45 PM 4,744 Dc6.gif
10/12/2007 06:45 PM 4,507 Dc7.gif
10/12/2007 06:45 PM 79 Dc4.ini
10/12/2007 06:45 PM 1,216 Dc3.gif
10/12/2007 06:45 PM 27,247 Dc2.html
10/12/2007 06:45 PM 672 Dc1.gif
10/12/2007 06:48 PM 65 desktop.ini
10/23/2007 02:12 PM 4,744 Dc14.gif
10/23/2007 02:12 PM 4,507 Dc15.gif
10/23/2007 02:12 PM 24,651 Dc16.dll
10/23/2007 02:12 PM 79 Dc12.ini
10/23/2007 02:12 PM 43 Dc13.gif
10/23/2007 02:12 PM 1,216 Dc11.gif
10/23/2007 02:12 PM 672 Dc9.gif
10/23/2007 02:12 PM 27,247 Dc10.html
11/12/2007 04:39 PM 4,507 Dc23.gif
11/12/2007 04:39 PM 4,744 Dc22.gif
11/12/2007 04:39 PM 43 Dc21.gif
11/12/2007 04:39 PM 24,651 Dc24.dll
11/12/2007 04:39 PM 79 Dc20.ini
11/12/2007 04:39 PM 1,216 Dc19.gif
11/12/2007 04:39 PM 27,247 Dc18.html
11/12/2007 04:39 PM 672 Dc17.gif
11/19/2007 12:23 PM 24,651 Dc32.dll
11/19/2007 12:23 PM 4,507 Dc31.gif
11/19/2007 12:23 PM 79 Dc28.ini
11/19/2007 12:23 PM 4,744 Dc30.gif
11/19/2007 12:23 PM 43 Dc29.gif
11/19/2007 12:23 PM 27,247 Dc26.html
11/19/2007 12:23 PM 1,216 Dc27.gif
11/19/2007 12:23 PM 672 Dc25.gif
11/26/2007 09:28 PM 24,651 Dc40.dll
11/26/2007 09:28 PM 4,744 Dc38.gif
11/26/2007 09:28 PM 43 Dc37.gif
11/26/2007 09:28 PM 4,507 Dc39.gif
11/26/2007 09:28 PM 79 Dc36.ini
11/26/2007 09:28 PM 1,216 Dc35.gif
11/26/2007 09:28 PM 27,247 Dc34.html
11/26/2007 09:28 PM 672 Dc33.gif
12/03/2007 09:40 PM 4,744 Dc46.gif
12/03/2007 09:40 PM 4,507 Dc47.gif
12/03/2007 09:40 PM 24,651 Dc48.dll
12/03/2007 09:40 PM 79 Dc44.ini
12/03/2007 09:40 PM 1,216 Dc43.gif
12/03/2007 09:40 PM 43 Dc45.gif
12/03/2007 09:40 PM 27,247 Dc42.html
12/03/2007 09:40 PM 672 Dc41.gif
02/13/2008 04:13 PM 24,651 Dc56.dll
02/13/2008 04:13 PM 4,744 Dc54.gif
02/13/2008 04:13 PM 4,507 Dc55.gif
02/13/2008 04:13 PM 43 Dc53.gif
02/13/2008 04:13 PM 79 Dc52.ini
02/13/2008 04:13 PM 1,216 Dc51.gif
02/13/2008 04:13 PM 27,247 Dc50.html
02/13/2008 04:13 PM 672 Dc49.gif
02/18/2008 05:51 PM 24,651 Dc64.dll
02/18/2008 05:51 PM 4,507 Dc63.gif
02/18/2008 05:51 PM 43 Dc61.gif
02/18/2008 05:51 PM 4,744 Dc62.gif
02/18/2008 05:51 PM 1,216 Dc59.gif
02/18/2008 05:51 PM 79 Dc60.ini
02/18/2008 05:51 PM 27,247 Dc58.html
02/18/2008 05:51 PM 672 Dc57.gif
02/18/2008 06:17 PM <DIR> .
02/18/2008 06:17 PM <DIR> ..
02/18/2008 06:17 PM 51,220 INFO2
66 File(s) 556,557 bytes

Directory of c:\recycler\S-1-5-21-74520859-1270844494-224119412-1006

01/07/2010 12:32 PM <DIR> ..
01/07/2010 12:32 PM 65 desktop.ini
01/07/2010 12:32 PM 20 INFO2
01/07/2010 12:32 PM <DIR> .
2 File(s) 85 bytes

Total Files Listed:
68 File(s) 556,642 bytes
8 Dir(s) 52,973,137,920 bytes free
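The listing above is what step 3's `dir /a /s /od c:\recycler` produces. As an added example, not from the thread, here is a Python parser that turns such a listing into a per-SID summary (file count, bytes, and any executable-type file names), so a reviewer can see at once whether a bin that should be empty still holds a DLL; the input is a constructed excerpt of the listing above, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `dir /a /s /od c:\recycler` output posted above.
# S-1-5-18 is the well-known SID of Local System; Dc<n>.<ext> is how the XP recycle bin renames deleted files, and INFO2 is its index of their original paths.
LISTING = r""" Directory of c:\recycler\S-1-5-18

10/12/2007  06:45 PM                43 Dc5.gif
10/12/2007  06:45 PM            24,651 Dc8.dll
10/12/2007  06:45 PM                79 Dc4.ini
10/12/2007  06:48 PM                65 desktop.ini
02/18/2008  06:17 PM    <DIR>          .
02/18/2008  06:17 PM            51,220 INFO2

 Directory of c:\recycler\S-1-5-21-74520859-1270844494-224119412-1006

01/07/2010  12:32 PM                65 desktop.ini
01/07/2010  12:32 PM                20 INFO2
"""

# Extensions worth calling out inside a recycle bin that was supposed to be empty.
EXEC_EXT = {".dll", ".exe", ".scr", ".sys", ".com", ".bat", ".cmd", ".vbs"}
HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Map each 'Directory of' path to its files as (name, size_bytes, date); <DIR> rows are skipped."""
    files = defaultdict(list)
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            continue
        e = ENTRY_RE.match(line)
        if not e or current is None or e.group(3) == "<DIR>":
            continue
        date, _, size, name = e.groups()
        files[current].append((name, int(size.replace(",", "")), date))
    return files

def ext_of(name):
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def summarise(files):
    """Per directory: file count, total bytes and the names with executable-type extensions."""
    return {
        d: {
            "files": len(entries),
            "bytes": sum(size for _, size, _ in entries),
            "executables": sorted(n for n, _, _ in entries if ext_of(n) in EXEC_EXT),
        }
        for d, entries in files.items()
    }
```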



#10 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 01:40 PM

In the ark.txt file there were several notations that said "hooked by"

What does that mean?

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 01:42 PM

Are you sure you did step 2? The Recycle Bin is still full of files, and they are not typical malware files.

Before running CCleaner, did you check all the boxes mentioned, especially Empty Recycle Bin?

#12 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 01:48 PM

Yes, I did.


I will do it again

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 01:51 PM

Yes, please do both steps 2 and 3 again.

#14 beaniejem

beaniejem
  • Topic Starter

  • Members
  • 18 posts

Posted 07 January 2010 - 01:53 PM

Done

Volume in drive C is Weisner_PC
Volume Serial Number is 8CB4-58BF

Directory of c:\recycler

10/12/2007 06:48 PM <DIR> ..
10/12/2007 06:48 PM <DIR> .
02/18/2008 06:17 PM <DIR> S-1-5-18
01/07/2010 12:50 PM <DIR> S-1-5-21-74520859-1270844494-224119412-1006
0 File(s) 0 bytes

Directory of c:\recycler\S-1-5-18

10/12/2007 06:45 PM 43 Dc5.gif
10/12/2007 06:45 PM 24,651 Dc8.dll
10/12/2007 06:45 PM 4,744 Dc6.gif
10/12/2007 06:45 PM 4,507 Dc7.gif
10/12/2007 06:45 PM 79 Dc4.ini
10/12/2007 06:45 PM 1,216 Dc3.gif
10/12/2007 06:45 PM 27,247 Dc2.html
10/12/2007 06:45 PM 672 Dc1.gif
10/12/2007 06:48 PM 65 desktop.ini
10/23/2007 02:12 PM 4,744 Dc14.gif
10/23/2007 02:12 PM 4,507 Dc15.gif
10/23/2007 02:12 PM 24,651 Dc16.dll
10/23/2007 02:12 PM 79 Dc12.ini
10/23/2007 02:12 PM 43 Dc13.gif
10/23/2007 02:12 PM 1,216 Dc11.gif
10/23/2007 02:12 PM 672 Dc9.gif
10/23/2007 02:12 PM 27,247 Dc10.html
11/12/2007 04:39 PM 4,507 Dc23.gif
11/12/2007 04:39 PM 4,744 Dc22.gif
11/12/2007 04:39 PM 43 Dc21.gif
11/12/2007 04:39 PM 24,651 Dc24.dll
11/12/2007 04:39 PM 79 Dc20.ini
11/12/2007 04:39 PM 1,216 Dc19.gif
11/12/2007 04:39 PM 27,247 Dc18.html
11/12/2007 04:39 PM 672 Dc17.gif
11/19/2007 12:23 PM 24,651 Dc32.dll
11/19/2007 12:23 PM 4,507 Dc31.gif
11/19/2007 12:23 PM 79 Dc28.ini
11/19/2007 12:23 PM 4,744 Dc30.gif
11/19/2007 12:23 PM 43 Dc29.gif
11/19/2007 12:23 PM 27,247 Dc26.html
11/19/2007 12:23 PM 1,216 Dc27.gif
11/19/2007 12:23 PM 672 Dc25.gif
11/26/2007 09:28 PM 24,651 Dc40.dll
11/26/2007 09:28 PM 4,744 Dc38.gif
11/26/2007 09:28 PM 43 Dc37.gif
11/26/2007 09:28 PM 4,507 Dc39.gif
11/26/2007 09:28 PM 79 Dc36.ini
11/26/2007 09:28 PM 1,216 Dc35.gif
11/26/2007 09:28 PM 27,247 Dc34.html
11/26/2007 09:28 PM 672 Dc33.gif
12/03/2007 09:40 PM 4,744 Dc46.gif
12/03/2007 09:40 PM 4,507 Dc47.gif
12/03/2007 09:40 PM 24,651 Dc48.dll
12/03/2007 09:40 PM 79 Dc44.ini
12/03/2007 09:40 PM 1,216 Dc43.gif
12/03/2007 09:40 PM 43 Dc45.gif
12/03/2007 09:40 PM 27,247 Dc42.html
12/03/2007 09:40 PM 672 Dc41.gif
02/13/2008 04:13 PM 24,651 Dc56.dll
02/13/2008 04:13 PM 4,744 Dc54.gif
02/13/2008 04:13 PM 4,507 Dc55.gif
02/13/2008 04:13 PM 43 Dc53.gif
02/13/2008 04:13 PM 79 Dc52.ini
02/13/2008 04:13 PM 1,216 Dc51.gif
02/13/2008 04:13 PM 27,247 Dc50.html
02/13/2008 04:13 PM 672 Dc49.gif
02/18/2008 05:51 PM 24,651 Dc64.dll
02/18/2008 05:51 PM 4,507 Dc63.gif
02/18/2008 05:51 PM 43 Dc61.gif
02/18/2008 05:51 PM 4,744 Dc62.gif
02/18/2008 05:51 PM 1,216 Dc59.gif
02/18/2008 05:51 PM 79 Dc60.ini
02/18/2008 05:51 PM 27,247 Dc58.html
02/18/2008 05:51 PM 672 Dc57.gif
02/18/2008 06:17 PM <DIR> .
02/18/2008 06:17 PM <DIR> ..
02/18/2008 06:17 PM 51,220 INFO2
66 File(s) 556,557 bytes

Directory of c:\recycler\S-1-5-21-74520859-1270844494-224119412-1006

01/07/2010 12:50 PM <DIR> ..
01/07/2010 12:50 PM 65 desktop.ini
01/07/2010 12:50 PM 20 INFO2
01/07/2010 12:50 PM <DIR> .
2 File(s) 85 bytes

Total Files Listed:
68 File(s) 556,642 bytes
8 Dir(s) 52,972,179,456 bytes free


#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 02:14 PM

Thanks for redoing it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.



