Hi nallen,
Welcome to Tech Support Forum!
I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.
Did you do the HijackThis scan in Safe Mode? The list of running processes makes it appear like you did. This is because I see no active protection software running (i.e. anti-virus).
We prefer a log scanned in Normal Mode because that gives us the most information about the possible malware that could be running in your system. In Safe Mode, we don’t get as much information as we would like.
OK, let’s do this next.
Please download CCleaner (freeware) and save it to your desktop:
- Run the CCleaner installer.
- During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
- Once installed, run CCleaner and click the "Windows" tab.
- Select the following:
  - Check everything under the "Internet Explorer" section.
  - Check everything under the "Windows Explorer" section.
  - Check everything under the "System" section.
  - Check ONLY "Old Prefetch data" under the "Advanced" section.
- Then, click the "Applications" tab:
- Next, click the "Options" button in the left pane, then click the "Advanced" button:
  - UNCHECK: "Only delete files in Windows Temp folders older than 48 hours".
- Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
- When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.
NEXT:
Please download ComboFix by sUBs:
NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
- Save it to your desktop.
- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.
NEXT:
Please download Dr.Web CureIt and save it to your desktop:
- Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
- This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
- It could be possible it displays a pop up to buy Dr.Web, or to buy at a 50% discount. Just close that pop up.
- Once the short scan has finished, back at the main window, mark the drives that you want to scan.
- Select all drives; a red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- If the file "process.exe" was found - uncheck it. This is because this file is related to some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
- Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files, and it will after this automatically fix what is found.
- After the scan, go to the "View" menu -> "Report list".
- Then go to the "File" menu -> "Save report list".
- Save the report to your desktop. The report will be called DrWeb.csv.
- Close Dr.Web CureIt.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, please post the contents of the DrWeb.csv log in your next reply.
NEXT:
Please do an online scan with Panda ActiveScan using Internet Explorer (this online scanner only works with IE):
- Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
- A new window will open... click the "Check Now" button.
- Enter your "Country".
- Enter your "State/Province".
- Enter your "e-mail address".
- Select either "Home User" or "Company".
- Click the big "Free Online Scan" button.
- If it wants to install an ActiveX component allow it.
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
- When the download is complete, click on "Local Disks" to start the scan.
- When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.
NEXT:
Please REBOOT your computer normally into Windows and post these logs in your next reply:
- The log from the ComboFix scan.
- The log from the Dr.Web CureIt scan.
- The log from the Panda scan.
- A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).
Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
~~~