
HijackThis Log: Please help Diagnose


20 replies to this topic

#16 SicariusX

SicariusX
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 23 September 2013 - 05:35 PM

Here is the OTL log.

 

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{c1d89ae7-449d-4929-b24b-fded04adbe06}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c1d89ae7-449d-4929-b24b-fded04adbe06}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@esn/esnlaunch,version=1.122.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@esn/esnlaunch,version=1.138.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\AdobeAAMUpdater-1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\AdobeCS6ServiceManager\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\LogMeIn Hamachi Ui\ not found.
C:\ProgramData\kkbs folder moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Care Antivirus folder moved successfully.
Folder C:\ProgramData\3E5152E78AA0235100003E51149C2904\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Matthew\Desktop\cmd.bat deleted successfully.
C:\Users\Matthew\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: matt
->Temp folder emptied: 0 bytes
 
User: Matthew
->Temp folder emptied: 4411264 bytes
->Temporary Internet Files folder emptied: 5569216 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 7320459 bytes
->Google Chrome cache emptied: 6215875 bytes
->Flash cache emptied: 553 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 440959 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 23.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 09232013_162338

Files\Folders moved on Reboot...
C:\Users\Matthew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\sndappv2.log scheduled to be moved on reboot.
C:\Windows\temp\~DF3C63430A8A79A3BA.TMP moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

The issues I was having are gone. Thank you very much!

 

I do have a few follow up questions:

 

1. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Care Antivirus folder moved successfully.

I know System Care Antivirus is actually a virus that was downloaded when I had a ZeroAccess rootkit problem. Was this just getting rid of it? (I had removed some things a few weeks prior to this final clean-up.)

 

2. Any special instructions on removing the tools used to clean up the system?

 

Thank you again for your help with my system.




 


#17 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:02:49 AM

Posted 24 September 2013 - 11:33 AM

Hi SicariusX
 

I know system care antivirus is actually a virus that was downloaded when I had a zero rootkit problem. Was this just getting rid of it (I had removed some things a few weeks prior to this final clean up).

Sometimes the security tools only remove the bad files and leave the actual folder.
We were just making sure that the folder and anything still in there has gone.
 

Any special instructions on removing the tools used to clean up the system?

Yes, when we do the final cleanup I'll explain this to you.

Because there were still remnants of the old infection on the system, I want to double check that everything has now been removed.

I'd like you to do an ESET OnlineScan
64Bit users, please see note at the bottom.

You may find it beneficial to close your resident AV program before running the scan and please try not to use the system until the scan has finished.

It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the ESET Smart Installer link to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the terms of use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Scan archives".
  • Make sure that the option "Remove found threats" is ticked, and the option "Scan unwanted applications" is checked.
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List found threats".
  • Click "Export", and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the "Back" button.
  • Click "Finish".
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note:
As you are running a 64bit system:
The ESET Online Scanner is a 32-bit application, which means it must be run in the 32-bit version of Internet Explorer, and as an Administrator. To do so, right-click on the Internet Explorer (32-bit) icon in the Start Menu and select "Run as administrator" from the context menu.

Please post the report if anything is found.

Thanks

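The double check Starbuck asks for above can also be done from the machine itself. The script below is an added example for this thread; it is not the poster's code, nor part of OTL or ESET. It takes the registry keys, folders and files that the posted OTL log reported as deleted or moved and checks whether any of them has come back, which is the kind of thing that points at a persistence mechanism the clean-up missed. The user profile path is an assumption taken from the paths in the log, and the script assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread, OTL or ESET): re-check that the items the
# posted OTL log reported as deleted or moved have not reappeared.
# Assumption: the profile path below is taken from the paths in the OTL log.
$userProfile = 'C:\Users\Matthew'

# Registry keys OTL reported as "deleted successfully", relative to their hive.
# The .NET registry API is used instead of Test-Path because the '/' inside the
# MozillaPlugins key names would be read as a path separator by the PowerShell
# registry provider.
$hklmKeys = @(
    'SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{c1d89ae7-449d-4929-b24b-fded04adbe06}',
    'SOFTWARE\MozillaPlugins\@esn/esnlaunch,version=1.122.0',
    'SOFTWARE\MozillaPlugins\@esn/esnlaunch,version=1.138.0',
    'SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'
)
$hkcuKeys = @(
    'Software\Policies\Microsoft\Internet Explorer\Control Panel',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com'
)
# Folders and files OTL moved or deleted.
$paths = @(
    'C:\ProgramData\kkbs',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Care Antivirus',
    "$userProfile\Desktop\cmd.bat",
    "$userProfile\Desktop\cmd.txt"
)

function Test-RegistryKeyExists {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    $key = $Hive.OpenSubKey($SubKey)
    if ($key) { $key.Close(); return $true }
    return $false
}

function Get-ReturnedArtifacts {
    $found = @()
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser

    foreach ($k in $hklmKeys) {
        # OTL removed these from the 32-bit view of a 64-bit system, so look in
        # both the native location and under Wow6432Node.
        $wow = $k -replace '^SOFTWARE\\', 'SOFTWARE\Wow6432Node\'
        foreach ($candidate in @($k, $wow)) {
            if (Test-RegistryKeyExists $hklm $candidate) { $found += "HKLM\$candidate" }
        }
    }
    foreach ($k in $hkcuKeys) {
        if (Test-RegistryKeyExists $hkcu $k) { $found += "HKCU\$k" }
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $found += $p }
    }
    return $found
}

# @( ) keeps the result an array even when nothing is found.
$returned = @(Get-ReturnedArtifacts)
if ($returned.Count -eq 0) {
    Write-Output 'No artifact from the OTL fix has reappeared.'
} else {
    Write-Output 'These items are back and are worth reporting in the thread:'
    $returned | ForEach-Object { Write-Output "  $_" }
}
```

Only the ZoneMap domain keys and the "not found" entries from the log are treated as informational here; anything from the list that is present again is printed so it can be pasted into the reply, the same way the OTL log itself was.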


#18 SicariusX

SicariusX
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 24 September 2013 - 03:05 PM

No threats were found (so no text file?)

It came back clean.

 

After a reboot I just wanted to say it went through its POST very quickly and it was a very fast start =)


Edited by SicariusX, 24 September 2013 - 03:18 PM.


#19 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:02:49 AM

Posted 24 September 2013 - 03:33 PM

Hi SicariusX
 

No threats were found (so no text file?)
It came back clean.

That's great. :)

After a reboot I just wanted to say it went through its post very quickly and it was a very fast start

Let's hope it stays like this now.
It's always nice when a PC performs as you want it to.


I just remembered I didn't answer this earlier:

I just figured with most anti-malware scanners you run them in safe mode.

Most security tools are optimised to run in normal mode. ( but can be run in safe mode)
The more that is loaded, the more that can be detected.

This applies to MBAM:
Only run MBAM in Safe Mode as a last resort.
DDA (Direct Disk Access) doesn't work in safe mode, so it may not detect rootkits properly.
MBAM is also more effective if the malware is loaded in memory while scanning.
This is why running MBAM in normal mode is more efficient.


Let's finish off the cleaning procedure then:

Step 1
Restart MBAM.
Click on the Quarantine tab
If there are items in quarantine.....
Make sure everything is selected and then click Delete All.
Close MBAM.

Step 2
Please uninstall ComboFix by
Clicking on Start ... then Run ... and type in combofix /uninstall (don't forget there's a gap between x and /). Then press OK.

This action will uninstall Combofix and also perform a few cleanup measures

By default, Windows 7 does not have the "Run" command on the start menu. It's easy to get this back.

1. Open the start menu.
2. Right click on a non-icon area and select "Properties".
3. Press the "Customize" button.
4. Scroll down and find the "Run command" checkbox.
5. Check it and press OK.
6. Press OK.

You now have your run command on the start menu.


Step 3
Double click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
JRT can be removed by right clicking on the icon and selecting delete.
Eset Online Scanner can be removed by using the Add/Remove in Control Panel.


Step 4
Please double-click OTL.exe to run it
  • You should see a CleanUp! button, press that button,

  • This will cleanup an assortment of tools used during malware removal, plus itself
  • Note:
    MBAM will not be removed if it's installed.


Step 5
Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools may not access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

Click Start >> Right click Computer >> Properties.
Click System protection (left pane)
Select the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

To delete all but the last restore point:

Open Disk Cleanup by clicking the Start button.
In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
If prompted, select the drive that you want to clean up, and then click OK.
In the Disk Cleanup for (drive letter) dialog box, click Clean up system files.
If prompted, select the drive that you want to clean up, and then click OK.
Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
In the Disk Cleanup dialog box, click Delete.
Click Delete Files, and then click OK.

To find out how you may have been infected, read this topic:
How did I get infected?

Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use AntiVirus software
  • Avira AntiVir ... see note* ... installation guide Here
  • Bitdefender Free
  • MS Security Essentials ... see note** ... installation guide Here
    Note*:
    Avira has been known to include the Ask.com Toolbar unless you choose not to install it. This means it is pre-checked by default and it is recommended that you uncheck that option during installation.

    Note**:
    Upon installation MS Security Essentials will check that your OS is a legal copy.

    Only install one AntiVirus program
  • Update your AntiVirus software regularly
  • Use a Firewall

    Only install one software Firewall
  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these if you only run them as stand alone programs.
  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
    Also consider adding:
    WOT - Safe Browsing Tool

    Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
    Btw: you don't have to make a contribution.

    Opera

    They offer better security, more stability, and better speed.
  • Keep a backup of your registry
    Keeping a regular backup of your registry will help when something goes wrong.
    Use a program like:
    Erunt

    A full tutorial on how to set up and use Erunt can be found here:
    Erunt tutorial
  • Keep your system clean of temp files etc, using a 'Cleaner':

    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words, all the rubbish that you accumulate over the course of your browsing and day to day usage of your PC.
    Programs like:
    TFC by OldTimer
    ATF Cleaner
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
  • Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.


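Step 5 above (a fresh restore point, then removal of the older points that may still hold infected files) can also be done from an elevated PowerShell prompt instead of the System Protection and Disk Cleanup dialogs. The script below is an added example for this thread, not code from the poster or from any of the tools mentioned. It assumes the system drive is C: and that System Protection is available for it. Note that the order is swapped relative to the dialog steps: the old shadow copies are removed first and the clean-state point is created afterwards, which ends in the same state as "all but the most recent".

```powershell
# Added example (not from the thread): Step 5 done from an elevated PowerShell
# prompt. Assumption: C: is the system drive.
$drive = 'C:\'

# 1. Make sure System Protection is switched on for the drive (no-op if it is).
Enable-ComputerRestore -Drive $drive

# 2. Drop every existing restore point. Restore points live inside volume
#    shadow copies, so deleting the shadow copies for the drive removes them,
#    including any that captured files from the old infection.
vssadmin delete shadows /for=C: /all /quiet | Out-Null

# 3. Create the clean-state restore point.
Checkpoint-Computer -Description 'Clean state after malware removal' `
                    -RestorePointType MODIFY_SETTINGS

# 4. List what is left; there should be exactly one point now.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
```

On Windows 7 the cmdlet creates the point immediately. On Windows 8 and later, Checkpoint-Computer will quietly skip creating a new point if one was already made in the previous 24 hours, so check the listing in the last step rather than assuming the point exists.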


#20 SicariusX

SicariusX
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 24 September 2013 - 03:52 PM

Thank you very much for helping me clean my system. It's good to have it working correctly again. Have a good rest of the week!



#21 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:02:49 AM

Posted 24 September 2013 - 04:17 PM

You are more than welcome.
Take care.

As this topic has been resolved this thread will now be closed.

If you need this topic reopened, please contact one of the moderating team by PM and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.

Everyone else please begin a New Topic.





