
Can someone check my HJT log?


  • This topic is locked
14 replies to this topic

#1 WindowsTutorialsify

WindowsTutorialsify

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 25 March 2010 - 08:44 PM

Hi, I have been in a long and hard struggle against some trojans and worms in my computer.

I have the following security programs:
Avast 5
Advanced System Optimizer Protecter 3
Spybot SD
SpywareBlaster
Malwarebytes Antimalware

Here is my log:
-------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:46 PM, on 3/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Advanced System Optimizer 3\SystemProtector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ssl.scroogle.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SystemProtector] "C:\Program Files\Advanced System Optimizer 3\SystemProtector.exe" /autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-725345543-842925246-1606980848-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9A81FC-F4B2-4D62-B3D6-7B8EDB1B1267}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASO3DiskOptimizer - Systweak Inc. - C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6888 bytes

-----------------------------------------------------------------
Thanks in Advance,

Cody


P.S. I am currently running a GMER scan

Attached Files


Edited by WindowsTutorialsify, 25 March 2010 - 08:57 PM.




#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 29 March 2010 - 09:03 PM

Hey WindowsTutorialsify,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules, just a few pointers that can ensure that you will get the best help from me.
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 29 March 2010 - 10:45 PM

Thank you very much. I am anxiously awaiting your response.

#4 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 30 March 2010 - 09:14 AM

Hey WindowsTutorialsify,

It seems that you are running Advanced System Optimizer Protecter 3, which in effect is a registry scanner/cleaner. Please be aware that the Registry is a very important segment of a computer system and that editing the registry can be a dangerous process. Any mistakes in editing can corrupt the entire registry, rendering your system unbootable or unrepairable. Unless you have advanced knowledge about the inner workings of the Registry, you should never run any registry scanners/cleaners without the guidance of an expert. Doing so may not always deliver the results you want to see; in addition, fixing/cleaning a wrong section of the registry can ultimately corrupt your entire computer system. Thus, I highly recommend that you remove Advanced System Optimizer Protecter 3 from your computer and refrain from downloading registry scanners/cleaners in the future.

I don't see much in your logs; let's run some scans first.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot Search and Destroy) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
RootRepeal.txt (attached)



#5 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 31 March 2010 - 10:48 PM

Here are the logs you requested.

(P.S. The 1st time I scanned files with RootRepeal, I got an error that said "Error at address 0x00000000", but the second time worked)
(P.P.S. I had to run each individually and then save them into one log for RootRepeal; I tried to follow your instructions, but this RootRepeal didn't let me click Scan and choose them all haha)
(P.P.P.S. I had to put them both in a zip file, too large for upload otherwise)
Individual Files:
Root Repeal Log
OTS log

QUOTE
It seems that you are running Advanced System Optimizer Protecter 3, which in effect is a registry scanner/cleaner. Please be aware that the Registry is a very important segment of a computer system and that editing the registry can be a dangerous process. Any mistakes in editing can corrupt the entire registry, rendering your system unbootable or unrepairable. Unless you have advanced knowledge about the inner workings of the Registry, you should never run any registry scanners/cleaners without the guidance of an expert. Doing so may not always deliver the results you want to see; in addition, fixing/cleaning a wrong section of the registry can ultimately corrupt your entire computer system. Thus, I highly recommend that you remove Advanced System

I am quite aware of this. But I have messed around with the inner workings of the registry, and know what is safe and what is not safe to remove, so I check each file being removed before authorizing it to be. I am very careful :D

Attached Files


Edited by WindowsTutorialsify, 31 March 2010 - 10:50 PM.


#6 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 02 April 2010 - 07:34 AM

Hey WindowsTutorialsify,

Alright, let's proceed with the cleanup process.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot Search and Destroy) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run Malwarebytes' Anti-Malware
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next reply (please include in your post):

OTS.txt (Re-run with quick scan)
ComboFix.txt
MBAM scan log



#7 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 02 April 2010 - 01:35 PM

I attached them. I am not sure if that is what you wanted, but I hope it is alright.
(Why is 71.35k used automatically?)

Attached Files



#8 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 03 April 2010 - 05:18 AM

Hey WindowsTutorialsify,

Thank you for the logs.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot Search and Destroy) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\SwSys2.bmp
c:\windows\SwSys1.bmp
c:\windows\system32\SET130.tmp
c:\windows\system32\drivers\SET12A.tmp

Dirlook::
C:\WINDOWS\System32\3076
C:\WINDOWS\System32\2052
C:\WINDOWS\System32\1054
C:\WINDOWS\System32\1042
C:\WINDOWS\System32\1041
C:\WINDOWS\System32\1037
C:\WINDOWS\System32\1033
C:\WINDOWS\System32\1031
C:\WINDOWS\System32\1028
C:\WINDOWS\System32\1025
c:\windows\system32\wbem\snmp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .

2) Run MBRFix and Rooter

Please download MBR.exe to your desktop.
  • Click on Start then click Run.
  • Type cmd and hit the Enter button.
  • A command prompt window will open. Type cd desktop then hit Enter.
  • Then type mbr.exe -f and hit Enter. (make sure you have a space before the -f)
  • Type exit at the prompt and hit Enter again.
  • Restart the computer normally. After you log in, double-click on mbr.exe and post a fresh log for me to see.
THEN

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan; please be patient. The scan should not take more than 3 minutes.
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.

3) Upload files for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT

Please visit the online Jotti Virus Scanner <--link
  • Copy and paste the following filepath in the box:

    C:\WINDOWS\sel3110.exe
  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.
  • Please do the same for the files below:

    c:\windows\system32\aaisolv.dll
    c:\windows\system32\MJ12.exe
    c:\windows\system32\297B33C07C.sys
    c:\windows\uninst.exe
    c:\windows\system32\sasnative32.exe
    C:\Documents and Settings\Owner\My Documents\1000dbc.mpq

Next reply (please include in your post):

ComboFix.txt
MBR.txt
Rooter_1.txt
7 Virscan reports
Tell me how your computer is doing



#9 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 03 April 2010 - 01:54 PM

C:\WINDOWS\sel3110.exe --> http://virusscan.jotti.org/en/scanresult/6...c29434f97f7881c (0/20)
c:\windows\system32\aaisolv.dll --> Not Found
c:\windows\system32\MJ12.exe --> http://virusscan.jotti.org/en/scanresult/d...b6ba653e7305011 (0/20)
c:\windows\system32\297B33C07C.sys --> http://virusscan.jotti.org/en/scanresult/f...b4cd0825f02dd5c (0/20)
c:\windows\uninst.exe --> http://virusscan.jotti.org/en/scanresult/0...d994657a8bc7645 (0/20)
c:\windows\system32\sasnative32.exe --> http://virusscan.jotti.org/en/scanresult/a...ec1754487333a06 (0/20)
C:\Documents and Settings\Owner\My Documents\1000dbc.mpq --> http://virusscan.jotti.org/en/scanresult/0...578bb66f06ce777 (0/20) (That is a StarCraft game mod :D)

(I much prefer VirusTotal myself)

(WOAH! Now 485.47k out of 512k is auto used! D: Why?)

ComboFix would not run. It told me I must be administrator... and I am the only person who uses my computer. I AM the administrator.

My computer is a bit slow, but that could be from a crash that happened (no minidump to show), but other than that, alright I suppose. I'm worried that my new antivirus (Comodo Antivirus 3) isn't good. Should I switch back to Avast 5?

Attached Files



#10 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 04 April 2010 - 03:03 AM

Hey WindowsTutorialsify,

Let's try other tools then.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (insert protection software(s)'s name(s)) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTM

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy everything in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Files
    c:\windows\SwSys2.bmp
    c:\windows\SwSys1.bmp
    c:\windows\system32\SET130.tmp
    c:\windows\system32\drivers\SET12A.tmp

    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the "Results" window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your computer.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2) Optional Removal

From your log, you seem to have uTorrent installed.

uTorrent is not malware, but it is a peer-to-peer (P2P) file sharing program. It can bring about unnecessary security risks to your computer. Please look at the article(s) below:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

uTorrent

Then use Windows Explorer and remove the following (if present):

c:\program files\uTorrent
c:\documents and settings\owner\application data\uTorrent


Reboot your computer.

Next reply (please include in your post):

OTM.txt



#11 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 04 April 2010 - 12:39 PM

I'm pretty sure that this is not irrelevant since now my computer will not turn on.
Tried different plugs.
Tried taking apart the power box and repairing it/cleaning it.
Nothing I do fixes it.

#12 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:07:54 PM

Posted 06 April 2010 - 09:18 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.



#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:54 PM

Posted 06 April 2010 - 11:08 AM

Hello, WindowsTutorialsify
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

I will review the topic now, in the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
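Both the OTS custom scan in post #4 and the OTL scan above wrap a list of driver and DLL names in /md5start ... /md5stop. That makes the tool print the MD5 of each file so the helper can compare it with the hash of a clean copy: a rootkit that patches a storage driver in place keeps the file's name and usually its size, so only the hash gives it away. As an added example (my code, not OTS/OTL code and not from the thread), the script below performs that comparison against a baseline table. The baseline values, the file contents and the temp directory are constructed stand-ins; in practice the baseline is a table of hashes taken from a clean install at the same service-pack level, never computed from the suspect machine itself.

```python
"""Hash the system files that an OTS/OTL "/md5start ... /md5stop" block asks
about and compare them with a baseline from a known-clean machine at the same
service-pack level. Added example, not OTS/OTL code and not from the post."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names taken from the custom-scan list in the thread (a subset).
WATCHED = ["atapi.sys", "nvata.sys", "iaStor.sys", "eventlog.dll"]

def file_hashes(path):
    """MD5 (what OTL prints), SHA-256 and size of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest(), os.path.getsize(path)

def check_system_files(root, baseline, names=WATCHED):
    """Map each watched name to 'ok', 'MODIFIED ...', 'missing' or 'no baseline ...'.

    .sys files are looked up under system32\\drivers, other modules under system32.
    'missing' is not evidence on its own: vendor storage drivers such as iaStor.sys
    only exist on hardware that uses them. 'MODIFIED' is the interesting verdict:
    a driver patched in place keeps its name and usually its size."""
    root = Path(root)
    report = {}
    for name in names:
        sub = "drivers" if name.lower().endswith(".sys") else ""
        found = root / "system32" / sub / name
        if not found.is_file():
            report[name] = "missing"
            continue
        md5, sha, size = file_hashes(found)
        expect = baseline.get(name.lower())
        if expect is None:
            report[name] = f"no baseline (md5 {md5}, sha256 {sha[:16]}..., {size} bytes)"
        elif md5 == expect:
            report[name] = "ok"
        else:
            report[name] = f"MODIFIED: md5 {md5}, expected {expect} ({size} bytes)"
    return report

# Constructed stand-ins for the real binaries. A real baseline is a table of MD5s
# recorded from a clean reference install, not derived from the bytes checked here.
CLEAN = {"atapi.sys": b"clean atapi.sys image " * 64,
         "nvata.sys": b"clean nvata.sys image " * 64,
         "iastor.sys": b"clean iastor.sys image " * 64}
BASELINE_MD5 = {name: hashlib.md5(data).hexdigest() for name, data in CLEAN.items()}

def build_sample_tree():
    """Fake %systemroot% in a temp dir: atapi.sys clean, nvata.sys patched in place
    (same length, four bytes changed), iaStor.sys absent, eventlog.dll present but
    not in the baseline."""
    root = Path(tempfile.mkdtemp(prefix="hjt_md5_"))
    drivers = root / "system32" / "drivers"
    drivers.mkdir(parents=True)
    (drivers / "atapi.sys").write_bytes(CLEAN["atapi.sys"])
    patched = CLEAN["nvata.sys"][:-4] + b"\xeb\xfe\x90\x90"
    (drivers / "nvata.sys").write_bytes(patched)
    (root / "system32" / "eventlog.dll").write_bytes(b"eventlog.dll image " * 32)
    return root

if __name__ == "__main__":
    for name, verdict in check_system_files(build_sample_tree(), BASELINE_MD5).items():
        print(f"{name:14} {verdict}")
```

The size check is deliberately not used as a verdict: in the sample the patched nvata.sys has exactly the same length as the clean one, which is why the tools in this thread ask for hashes rather than directory listings. MD5 is kept because that is what OTL reports and what the reference tables of the period used; the SHA-256 is recorded alongside it for comparison against newer sources.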

#14 WindowsTutorialsify

WindowsTutorialsify
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:54 AM

Posted 06 April 2010 - 08:29 PM

Like I posted earlier, anything is now irrelevant. I can no longer do any steps as my computer's power supply box burned up. I can NOT turn the computer on. I am on a family member's laptop. Please close this topic since it is irrelevant now.

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:54 PM

Posted 08 April 2010 - 01:36 PM

Thanks for letting me know.


If you need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber




