Computer Hope
Software => Computer viruses and spyware => Topic started by: skifan on August 13, 2008, 07:36:59 PM
-
Hi all. I am glad to be here. As the subject reads, I acquired all of these things on my HP pavilion laptop while surfing the net. I am running XP SP2. I have read the sticky and performed the initial steps outlined there and have created the appropriate logs. My question is: What do I do from here? I appreciate any help/advice offered.
[recovering disk space -- attachment deleted by admin]
-
Welcome to CH.
Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
First of all, thank you for your timely response to my problem and help. I have done what you recommended and here are my results.
[recovering disk space -- attachment deleted by admin]
-
Open HijackThis and select
Do a system scan only.
Place a check mark next to the following entries: (if there)
O24 - Desktop Component 0: Privacy Protection - (no file)
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis and restart the computer to register the changes made by HijackThis.
----------
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Use the Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.
Click on SCAN NOW
Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report
- Now, click on the Save Report as button.
- In Save as type: click the drop arrow and select: Text file [*.txt]
- Then, click: Save
- Save the file to your desktop.
Post the Kaspersky log in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
-
Alright, moving right along. Here it is:
[recovering disk space -- attachment deleted by admin]
-
OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.
- Double-click OTMoveIt2.exe to run it.
- Copy the lines in the codebox below.
[kill explorer]
C:\Documents and Settings\andy\Incomplete\CORRUPT-0-Linkin Park - Given up.mp3
EmptyTemp
[start explorer]- Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) and paste it in your next reply.
- Close OTMoveIt2
-
Explorer killed successfully
C:\Documents and Settings\andy\Incomplete\CORRUPT-0-Linkin Park - Given up.mp3 moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\synchronize.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\hsperfdata_andy\2664 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\Avp1.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\btimages.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\CAB.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\dmap.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\dtreg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\FSSync.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\HashCont.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\HashMD5.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\HCCMP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\ichk2.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\iChkSA.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\Inflate.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\IWGen.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\kave.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\kosglue-7.0.25.0.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\lha.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\L_llio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\mdb.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\MDMAP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\MemModSc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\MemScan.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\minizip.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\MKavIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\msoe.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\nfio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\NTFSstrm.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\prKernel.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\prLoader.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\prseqio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\PrUtil.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\Quantum.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\rar.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\sfdb.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\TempFile.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\thpimpl.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\UniArc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\UnLZX.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\UnStored.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\andy\LOCALS~1\Temp\jkos-andy\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_58c.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
-
1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2
----------
Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
- Go to Start > Programs > Accessories > System Tools and click System Restore
- Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
- The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Next go to Start > Run and type Cleanmgr
- Click OK
- Click the More Options Tab.
- Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html) or Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)
.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
If you are running any Microsoft Office version go to the Office Update (http://office.microsoft.com/search/redir.aspx?assetid=ES790020331033&CTT=96&Origin=CL100570421033) site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
----------
Please keep these programs up-to-date and run them whenever you suspect a problem. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/)
To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
* Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.
-
Thanks for all the help, Kevin. That was quite a process but i think everything is running okay.
I do continue to have a solid white background on my desktop despite changing the picture via control panel> display> background tab. Don't know what that is all about.
-
Try this.
Fixing a Locked Desktop - Right click on your Desktop and select Properties
- Then click the Desktop tab.
- Next click the Customize Desktop button.
- Now in the next window that comes up click the Web tab.
- Make sure at the bottom that Lock desktop items is unchecked.
- Then in the Web pages box delete all items but My Current Home Page and make sure it is unchecked too.
- Then click OK.
- Click Apply. And click OK.
.
Run a new HijackThis scan and post the log if that doesn't work.
-
Dang you're good! That fixed it. I now have the background I have chosen.
Thanks again.
-
No problem. Glad it worked.
-
I know this wasn't for me but have followed the thread - am well impressed with the degree of help - quite awesome. :)
Kudos to evil.