You can upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners to see if others detect the same file.
Alternatives: http://virusscan.jotti.org/en / http://www.metascan-online.com/ / http://virscan.org/
Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0
When done, a malware removal specialist will check your logs... it may be several hours before he arrives.
Hi,
Like true indian said, please run aswMBR and attach that log...
and do the following...
Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
- Right-click and Run as Administrator CKScanner.exe then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop then attach the contents in your next reply
Hi,

> Or reading the DMP file is useless? If risking infection then pointless I'm sure.

We don't need to worry about that right now. :)
---------------
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
Hi,
We need to be sure to run the tools that we are using on the infected OS. If you need to transfer the files to the infected machine via CD/USB drive that is fine, but a lot of these programs that we use will have automated features that we will need to utilize. :)
I hope that I understood what you were saying.
Hi,
No don't run everything...just run a scan with aswMBR and OTL then we can go from there. :)
Hi,
Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
- Be sure to disable your security programs
- Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
- A window will open on your desktop
- if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
- If nothing unusual is found just press Enter
- A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
- Please post the contents of that file.
> if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.

:)
Hi,
Any particular reason that you have not updated Windows XP to Service Pack 3?
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::
DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: alacritysim.com\www
Trusted Zone: neonwolfgames.com\www
Firefox::
FF - ProfilePath - c:\documents and settings\Brickstin\Application Data\Mozilla\Firefox\Profiles\vkcm1hux.default\
FF - prefs.js: network.proxy.ftp - 212.182.64.86
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 212.182.64.86
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 212.182.64.86
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
RegLock::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
"3389:TCP"=-
"2232:TCP"=-
"5000:UDP"=-
"1723:TCP"=-
"1701:UDP"=-
"500:UDP"=-

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Screenshot (http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
----------
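The network.proxy.* entries that the script above clears (every protocol pointed at 212.182.64.86:3128) are what a defender would want to spot in any Firefox profile before a cleanup. The following Python check is an added example, not code from this thread or from any of the tools it mentions; it assumes a prefs.js in Firefox's standard user_pref("name", value); form, and the sample lines are constructed from the values in the log.

```python
import re
# Constructed sample of a Firefox profile's prefs.js, modelled on the proxy
# entries in the DDS output above (212.182.64.86 and port 3128 are the values
# the thread's log shows; the homepage line is invented filler).
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.ftp", "212.182.64.86");
user_pref("network.proxy.ftp_port", 3128);
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.socks", "212.182.64.86");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.ssl", "212.182.64.86");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 0);
user_pref("network.proxy.no_proxies_on", "");
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value (str, int or bool) for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # quoted string
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit_proxy(prefs, allowed_hosts=()):
    """Return (protocol, host, port) for each proxy host not on the allow-list.
    network.proxy.type 0 means 'direct', so the entries are dormant, but they
    still deserve a finding: flipping type to 1 would route traffic via the host."""
    findings = []
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy." + proto)
        if host and host not in allowed_hosts:
            findings.append((proto, host, prefs.get("network.proxy.%s_port" % proto)))
    return findings

if __name__ == "__main__":
    for proto, host, port in audit_proxy(parse_prefs(SAMPLE_PREFS)):
        print("suspicious %s proxy: %s:%s" % (proto, host, port))
```

Point it at the real prefs.js and user.js of the affected profile (both use the same format) and compare the findings against the proxy your network actually uses.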
Hi,
We definitely need to update, but we will do that after we get your system more stable. It is very important to keep your Windows operating system up to date...if not, the older software is just waiting to be infected along with the rest of your system.
-----------
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
RegNull::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{424E7FAC-A75D-EA1D-2D56-21BF79D08CF9}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6251AEA-5583-E39F-6B40-DFB43F427BD4}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Screenshot (http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
----------
Hi,
P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page (http://malwareremoval.com/p2pindex.php) will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
In your next reply please attach the logs made by Malwarebytes and ESET online scanner. :)
Hi,
Rerun Malwarebytes and remove that entry and attach the new log. :)
Hi,
So when is your system getting slow again? Is it just when working with programs on your system or while on the internet? Let me know exactly what you are experiencing.
The entries that you see on start up are normal since we added the Recovery Console. :)
Hi,

> But now it's not doing it: I haven't noticed any lag in the actual operating system now..

Ok that is good. There are many reasons why a system may become slow that are not malware related.
Let's get some updates and let your system settle back in.
You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)
You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.
Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)
In either case you should uninstall Adobe Reader 6.0 first. Be sure to move any PDF documents to another folder first though.
----------

> there's a different one called "UnsupportedDebug="do not select this" /debug"

We can remove that as well later, but it is there as a result of running ComboFix. :)
Let me know when you get that finished.
No problem...there is no time frame to respond with. :)
Hi,

> As far as the OS concerned is there anything else that needs to be done?

I am not seeing anything malware related in the logs you are providing. The only thing that I would highly recommend is that you upgrade to Windows XP SP3 as soon as you can.

> There is not anything wrong with this.
>
> > there's a different one called "UnsupportedDebug="do not select this" /debug"
How is your system behaving?
Hi,
You can check the drives and see which one is failing using HDTune.
Please download HD Tune (http://www.hdtune.com/download.html) (the free version, not the trial), run an error scan on your primary hard drive (full, not quick) and report back if any blocks aren't green. It tests your hard drive for bad sectors.
No problem with any delay. :) Are you still having the problem or was it momentary like the warning stated?
Hi,
Sorry to hear of your problems. Did you ever go to Geeks to Go and start a topic there for your hardware problems previously? Since this seems to be affecting all systems on your network I would temporarily disconnect all computers not needed until we get this resolved.
Let's get a fresh look and see what is happening to try and rule out malware.
Please run new scans with OTL and aswMBR and then attach the logs to your next reply.
:file
C:\WINDOWS\Memory.dmp
> I was doing a system restore because now I'm having another issue..

When you are doing a system restore without being asked you are releasing the malware that may still be on that restore point and I have no real way of knowing what is going on with the system. In essence, even though you have the best intentions I am sure, we have taken several steps backwards in removing the malware from your system. Please do not do anything without being asked. Thanks.
Hi Brickstin,
Hold off on deleting or cleaning. ESET is used to find some files other scanners miss, but some are false positive, so.... do nothing at the moment. Jeffce will know exactly what to check and look for, so...
Quarantine or delete?
If you quarantine a file in the virus chest, it can do no harm from that location as it is in a protected area isolated from the rest of the operating system. If, say, later, this file is found to be clean, then the option to restore it is still available. Quarantine or delete? I quarantine wherever possible. If it is a necessary system file, I choose ignore, not quarantine, otherwise the system may become unbootable.
Hi,
Sorry for any delays.

> There is software on those storage drives that are literally irreplaceable.

I would back those up someplace else just to be on the safe side until we get this resolved.
----------
Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------
It would probably be in your best interest to get your system back up and running and then drop the infected hard drive into the new system so that we can continue with the cleaning.
What program quarantined iObit? Just wondering.