Avast WEBforum
Other => Viruses and worms => Topic started by: James1990 on August 04, 2012, 04:42:37 PM
-
Hello avast! Forum!
I was attacked by a rather annoying virus yesterday. After receiving a pop-up, I was asked (non stop) to install Adobe Flash Player. I canceled because I knew something was fishy about it: I already have Adobe Flash Player installed >.> Anyway, it wouldn't stop, so I was forced to allow it. A seemingly legit Adobe installer opened up and installed Adobe Flash Player. It looked a lot like the real flash player installer, except it had no EULA and all that confirmation stuff... Anyway, after it installed(it didn't actually install, of course), I notice a shortcut on my desktop for a rogue antivirus. Various programs forcibly closed and this rogue antivirus said that everything was infected. I've dealt with this kind of thing before on a neighbors computer, and luckily avast got rid of it after a scan and then another boot-scan. After it removed a lot of malicious stuff, I noticed TONS of 800000.@, 800000c.@, etc. I deleted them from my Chest, but they kept appearing, and keep appearing as I type right now >.> I did some searching and found a few topics(strangely relatively close in date) on this forum about this virus. I noticed that they require OTL and Combofix which seem to need some sort of script pasted into them, so I couldn't really do anything myself about this, therefore I ask: HELP! Please! =[
Oh, "tdx.sys" is in my Chest also. I looked it up and it seems like a pretty important driver... Is it safe to delete it from my chest?
EDIT: I am currently preforming a quick scan with Malwarebytes, I will post the log when it's done.
-
Heres the MBAM log of the scan. Not sure what all this means exactly, but it looks to me that it's fixed Ô,o or at least, it had no problems removing anything. So what do I do next?
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.04.04
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
James :: JAMES-PC [administrator]
Protection: Disabled
8/4/2012 9:50:24 AM
mbam-log-2012-08-04 (09-50-24).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199219
Time elapsed: 8 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\James\AppData\Local\{e1026219-7329-6d34-043d-5ebecad5f26a}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Users\James\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\932E.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{e1026219-7329-6d34-043d-5ebecad5f26a}\n (RootKit.0Access) -> Quarantined and deleted successfully.
(end)
EDIT: Ah, 8000000.@ stuff is still appearing my my chest...
-
It will as the underlying infection hasn't been dealt with (but is being kept in check by avast) and that requires detailed information.
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
-
MBAM Log is in original post, although it's now over an hour old. Should I redo this step?
I've run OTL 3 times now, and it freezes on "Scanning FireFox Settings" every time. I've even closed firefox before scanning. The instructions say it doesn't take long, but it remains frozen for a long time until I finally close it. Is this normal?
-
I would say the original is fine for now unless the malware removal specialist requests it.
You could try running the OTL program from safe mode, but I don't know if that will analyse all areas. Did you run it according to the instructions in the link above (edited broken link), if not try that first.
EDIT: A malware removal specialist has been informed of your topic. They should be able to tell you how to proceed.
-
I did in fact run it as instructed, except for 1 thing: I don't have the "Include 64Bit Scans" option. Perhaps its a different version than depicted in the topic? Otherwise, I left all the options alone like it says, and pasted the script it provides. I guess I'll try safe mode and see how that works.
-
OK this time I will skip OTL as it appears that your firefox settings are corrupted
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Sorry for the late reply, my computer has been rendered unable to connect to internet for an unknown reason... I do however thank you essexboy for the fast reply. I noticed your reply just before I was about to try the safe mode thing. (Which I didn't actually do since I saw your reply.)
I ran Combofix, but I do not see C:\Combofix.txt and noticed a few additional problems:
1. I noticed my computers inability to connect to internet after Combofix rebooted it. When connecting, its simply stuck on the Identifying stage of connection.
2. When it started back up, my desktop/icons were missing. I went to task manager to manually stop and restart explorer.exe and also noticed the Process list was rather empty. I usually have to scroll down to see all of them, but now the list of processes is half as populated as normal. This actually has happened before, but I never did anything about it, as it randomly fixed itself one day. Pretty sure this has nothing to do with what happened today/yesterday.
3. There are now many transparent files on my desktop and in C:\. Does combofix make hidden files visible? Not a big deal, just wondering.
I've also noticed a possibly good thing: In my avast Chest now contains a file called "00000001.@.vir" with an original location of "C:\Qoobox\Quarantine\C\Windows\Installer\{e102... etc" and the previous "80000000.@" no longer appears constantly in the Chest. "C:\Windows\Installer\{e2 etc" is where the 800000.@ file used to be from.
-
Could you reboot the computer please and let me know what the problems are then
-
I rebooted after noticing the problems, and again just now like you said to to be sure. Sure enough, the problems persist. I have to manually restart explorer.exe to get my desktop and icons to show up. Again, this has happened in the past, so I don't think it has much connection to the real problem. I am still unable to connect to an internet connection, however, and there is still no C:\Combofix.txt, unless it's somewhere else. My avast Chest is still free of 80000000.@, and there is a single 00000001.@.vir in their place still (ready to be deleted once this is all sorted out). Besides the internet thing, I'd say my computer was ok again, despite my desktop/icon issue. Perhaps I should meantion that "tdx.sys" is also in my virus chest? It was apperently infected, but what's it for?
-
tdx.sys is a system file, this may explain your internet problems
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(https://dl.dropbox.com/u/73555776/FSS.GIF)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Aha, glad I meantioned it lol. Heres the log:
Farbar Service Scanner Version: 04-08-2012 01
Ran by James (administrator) on 04-08-2012 at 14:42:16
Running from "C:\Users\James\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-30 21:51] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-01-20 21:33] - [2008-01-20 21:33] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
-
Right click the following two links and select "Save Target as... "
Save to your desktop
Right click each file in turn and select merge
Accept the warnings and reboot after the second one
https://dl.dropbox.com/u/73555776/MpsSvcVista.reg
https://dl.dropbox.com/u/73555776/SharedAccessVista.reg
Once done re-run FSS please
-
Steps done, here you go:
EDIT: After posting this reply, my computer blue screened! It said "APC_INDEX_MISMATCH" on top. I had it restart normally....
Farbar Service Scanner Version: 04-08-2012 01
Ran by James (administrator) on 04-08-2012 at 15:13:14
Running from "C:\Users\James\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-30 21:51] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-01-20 21:33] - [2008-01-20 21:33] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
-
OK lets now search for the missing file
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
tdx.*
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will openone notepad window.
- Post the log
You also need to start the following service and set to Auto .. Do you know how to do that
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
-
Just like earlier, OTL gets stuck on FireFox settings. Is there any way I can make it skip that step or delete firefox settings? No, I don't know to start services.
-
OK lets use Combofix.. I will give you a fix for the service in a mo
Download and Install Combofix
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
MIA::
tdx.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
Is Combofix supposed to take more than a half hour? Its been sitting there since a few minutes after your post. It says "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double." Its more than double so far...
-
OK stop it and I will use a different programme to find the spare copy
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
tdx.*- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Heres the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 16:18 on 04/08/2012 by James
Administrator - Elevation successful
========== filefind ==========
Searching for "tdx.*"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:34 21/01/2008] [02:34 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
-= EOF =-
-
Let me know what problems remain after this
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys|C:\Windows\system32\Drivers\tdx.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
When I did this, it said my recycle bin was corrupted... So I let it empty the recycle bin. However, its been a half hour again and still nothing. Same text as before; it's just sitting there. Could I copy the file manually?
Edit: ive left it to run this whole time with no changes, but something came up: "freeware implementation of XCACLS has stopped working" does this look familiar?
-
I'm getting nowhere with this, what else can I do? I haven't tried manually copying the file yet, would this be safe to do?
-
Hope 3 posts in a row isn't out of hand or anything, lol. But I sorta fixed one of my problems! I manually copied tdx.sys from C:\Windows\winsxs\x86... etc, and started DHCP Service manually, I was able to connect to internet!
I still have some problems, though. I cannot start windows firewall. I have network discovery and file sharing on, and I would rather have them off, but it required Windows Firewall. Suggestions?
-
OK that would have been my next option... OK lets now set all services to the correct status. All this and I forgot ... How is the computer behaving, any further Avast alerts ?
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme then run
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
I heard you went to bed last night. You had me worried, thought I was abandoned, lol. Well, I took the risk and copied the tdx.sys from the C:\Windows\x86 or w/e it was and pasted it into System32. I then looked up how to start services, opened services.mcs and had to turn on DHCP, ICS, and Firewall. Everything went fine, except the firewall. I did a lot of research, and found nothing. When I was ready to find a way to get a Vista install disk to do a repair, I found Tweaking.com. :)
I am now able to start my firewall and access the internet again! There are no more Avast alerts, and 800000.@ is still no longer magically appearing in my chest. My computer is behaving fine so far. To be safe I even did another MBAM scan, which came up clean.
When I used Tweaking.com, I only checked the Windows Firewall option, should I do it again and check all options? Also, any other scans I should do to make sure my system is completely bug free again?
-
Nope no need - you are miles ahead of me ;D
No need to run Windows repair now if all is good.. But, it is a handy programme to have
Are you ready for me to remove my rubbish ?
-
Alright, cool.
What is your rubbish?
-
This ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Just like before, OTL gets stuck. After the bottom says "Killing processes" and :Commands and [resethosts] disappear, OTL stops responding, as though it's having trouble with [empty temp]
I proceeded to re-hide hidden folders and update Java, but I do not see those options in Control Panel.
-
Sorry I keep forgetting about MBAM
-
I've hidden the folders again, but how do I create a new system restore point? Sorry, should have specified. And is it ok to skip OTL again, or is there a manual way to do what it needs to do?
-
If you hit the cleanup button then OTL will remove all programmes, as it is not stopping processes then MBAM should behave itself
To reset the restore points
Right click disc cleanup and select run as administrator
-
Ok, restore point created, old ones deleted, Java updated, and OTL cleaned.
Thank you so much for your help! *e-hand shake!* I will definitely come back if any problems arise again, but they hopefully won't.
-
My pleasure ;D