Old 11-12-2008, 06:31 AM   #6 (permalink)
TheBruce1
Moderator, Analyst, Security Team
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Need help getting rid of malware

Hello again

File uploaded successfully, thank you.

=========

Download and run the Norton Removal Tool as some elements of Norton remain on your system.

==========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
c:\program files\Common Files\riuk
c:\windows\riuk
c:\documents and settings\Amy Wasley\Application Data\Symantec
c:\program files\Common Files\Symantec Shared
c:\program files\Symantec
c:\documents and settings\All Users\Application Data\Symantec
File::
c:\windows\system32\sysff11l2jp1.dll
c:\windows\download1
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}]
[-HKEY_CLASSES_ROOT\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}]

Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

=========

Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
    Click the "Browse" button and browse to this file in RED:

    c:\windows\system32\atlsystem530123.exe

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Do the same with these files as well:

c:\windows\system32\atlsystem41857.exe
c:\windows\system32\atlsystem570164.exe


===========

Quote:
Here is the combofix.exe & the HijackThis log. I wasn't able to complete the Kaspersky scan though. It would download all the files but lock up during the scan.

Did you disable McAfee during the scan? McAfee was not disabled when you ran ComboFix. Please disable McAfee and try the Kaspersky scan again. If the problem persists, continue below:

ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the %ProgramFiles%\EsetOnlineScanner\log.txt back here.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============
Logs Required
C:\Combofix.txt
VirusTotal Results
Kaspersky/Eset Scan Report
Hijackthis Log

===========
__________________
Member of ASAP since 2007
Member of UNITE since 2008

