magpielou Posted October 29, 2009 Report Share Posted October 29, 2009 Hi, I got virus'd via an email a week or so back and though I've tried a couple of times to find and delete the cause (I think a Trojan - I certainly found one in a previous search) I'm having the same trouble with my email system. I followed the instructions elsewhere, downloaded and ran the stuff, and I hope I've attached the logs etc correctly! Cheers for your help, Louise PS I'm not hugely computer-literate, so any replies/advice in words of one syllable with babysteps-instructions would be appreciated... Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted October 29, 2009 Report Share Posted October 29, 2009 Download ComboFix from one of these locations: Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 Link 3 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsSee HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. ----------------------------------------------------------- Attach fresh logs for: ComboFix (C:\combofix.txt) a-squared Free/Anti-Malware ISeeYouXP Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! Link to comment Share on other sites More sharing options...
magpielou Posted October 31, 2009 Author Report Share Posted October 31, 2009 Hiya, Thanks for the idiot-proof instructions! Logs are attached. Running the ComboFix it said it found rootkit issues and rebooted itself. Then I reran the CF and got the log as attached. When I turned the Avast back on, it popped up with an alert that it had found spyware (C:\winnt_\winnR1.exe) but I hit 'no action' in case quarantining it hid it... It hadn't alerted me like this before, so I guess it either found something new or found something it had missed previously? Everything seems to be is running fine other than hotmail - after the last set of scans, it closed itself several times and reran the virus meaning I spammed a few (long-suffering) friends. I haven't tried it yet tonight, I'll do so after logging this message and add a PS. Other than the hotmail issues (only from my home computer, nowhere else), all was and is (ok, seems to be) well. Thanks for your help, Louise Link to comment Share on other sites More sharing options...
magpielou Posted October 31, 2009 Author Report Share Posted October 31, 2009 PS I've just tried my hotmail and it seems to be behaving - though I hesitate to say it's ok since it's hard to tell in just a quick login. It also tells me my default browser is no longer Internet Explorer, which I find disconcerting! Tho not necessarily a bad thing if it makes my mail a little safer... Cheers, L Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted October 31, 2009 Report Share Posted October 31, 2009 The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u16 available from Sun Microsystems. ----------------------------------------------------------- Using Add or Remove Programs in the Control Panel; uninstall the following: Java 6 Update 2Java 6 Update 5 ----------------------------------------------------------- We need to use ComboFix to remove some stuff. Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it! If it is not on your Desktop, the below will not work. Open Notepad and copy/paste the text in the below code box into it(make sure you scroll all the way down in the code box to get all lines selected ):KILLALL:: Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winntR1"=- File:: c:\winnt_\winntR1.exe Folder:: C:\winnt_ Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe At this point, you MUST EXIT ALL BROWSERS NOW before continuing! You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Now use your mouse to drag CFscript.txt on top of ComboFix.exe Follow the prompts. When it finishes, a log will be produced named c:\combofix.txt I will ask for this log below CAUTION: do NOT mouseclick combofix's window while it is running. That may cause it to stall. Note: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. The ComboFix folder should NOT be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name. ----------------------------------------------------------- Attach fresh logs for: ComboFix (C:\combofix.txt) a-squared Free/Anti-Malware ISeeYouXP Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! Link to comment Share on other sites More sharing options...
magpielou Posted November 2, 2009 Author Report Share Posted November 2, 2009 Hiya, Right, I've done all the latest scans, logs attached. Things seem to be running ok - though the Avast warning of spyware which I was getting on startup has vanished despite me not having done anything about the things it discovered. The latest scan turned up a Trojan though. One thing: when running ComboFix, it updated before running, then on rebooting I got the following message - not sure it's important but thought I'd mention it: MarketingTools.exe - Application error Process ID 0xfc0(4032), Thread ID 0xfbc(4028) OK to terminate, CANCEL to debug - I OK'd and CF carried on as usual. Once again, thanks for your help, Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 2, 2009 Report Share Posted November 2, 2009 Your logs look fine. Unless you are having problems from Malware it is time to do the final steps. If you used ComboFix, uninstall ComboFix: Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.) AvoidTDSS /u or combofix /uNote: The space before /u, must be there.This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults. Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.Delete everything in C:\!KillBox Delete the following from your Desktop (If they exist) Avenger.exe Avenger.txt Avenger.zip DisableAutoRuns.reg FixMe.reg FixReg.reg ISeeYouXP.exe ISeeYouXP.lnk ISeeYouXP.txt Anything else I had you use Delete the following: (If they exist) C:\Avenger.txt C:\Avenger C:\ComboFix.txt C:\ComboFix C:\SDFix C:\Qoobox You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. Empty the Recycle Bin Run ATF Cleaner In the ISeeYouXP folder double-click HideIT.bat. Turn off System restore to flush all your restore points then turn system restore back on. To manually turn off System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. 4 Click Yes when you receive the prompt to the turn off System Restore. To turn on System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. Delete C:\ISeeYouXP Run Windows Update and update your Windows Operating System. Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated. That should take care of everything. Safe Surfing! Link to comment Share on other sites More sharing options...
magpielou Posted November 5, 2009 Author Report Share Posted November 5, 2009 Hiya, I uninstalled ComboFix ok, but can't find C:\!KillBox to delete whatever was in it. Of the list of things, I didn't have many, but deleted what I could find. Ran ATF Cleaner ok. I only seem to have ISeeYou as a single program, not a folder, so not sure what to do about the HideIT.bat part - nor about the system restore part, as I can't find a 'system restore' tab... Sorry - perhaps I'm just a particularly rubbish computer user! Oh, and although I had no notification of it in my hotmail, I apparently spammed one of my pals with the same virus yet again last night. It's always turned up in my sent mail before, so this is a bit weird (not to mention annoying). Cheers for your patience... Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 5, 2009 Report Share Posted November 5, 2009 Please download DDS by sUBs from one of the following links and save it to your desktop. DDS.scr DDS.pif [*]Disable any script blocking protection [*]Double click DDS icon to run the tool (may take up to 3 minutes to run) [*]When done, DDS.txt will open. [*]After a few moments, attach.txt will open in a second window. [*]Save both reports to your desktop. --------------------------------------------------- Attach the DDS.txt report in your next reply Attach the Attach.txt report to your post. Link to comment Share on other sites More sharing options...
magpielou Posted November 6, 2009 Author Report Share Posted November 6, 2009 Hello again, Thanks for the assist, sorry it's taking so long... Two reports attached. Cheers, Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 6, 2009 Report Share Posted November 6, 2009 Now we need to use ComboFix to remove some stuff. Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it! If it is not on your Desktop, the below will not work. Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ): KILLALL:: Registry:: [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}] File:: C:\Users\LouiseF\AppData\Local\temp\B644.tmp\evP.exe Folder:: C:\Users\LouiseF\AppData\Local\temp\B644.tmp Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe At this point, you MUST EXIT ALL BROWSERS NOW before continuing! You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Now use your mouse to drag CFscript.txt on top of ComboFix.exe Follow the prompts. When it finishes, a log will be produced named c:\combofix.txt I will ask for this log below Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall. The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name. ----------------------------------------------------------- Attach fresh logs for: ComboFix (C:\combofix.txt) DDS Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! Link to comment Share on other sites More sharing options...
magpielou Posted November 6, 2009 Author Report Share Posted November 6, 2009 Hello, Things seem to be running ok, other than losing a few internet settings (which I'm assuming was supposed to happen, and frankly is no bother at all). Logs attached - I hope I'm able to leave you alone again soon! I added the Attach.txt as though you didn't ask it seemed to come as part of the package with DDS... Cheers, Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 7, 2009 Report Share Posted November 7, 2009 Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*). REGEDIT4 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] "SetupExecute"=- Close Notepad. Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry. ----------------------------------------------------------- Attach fresh logs for: ISeeYouXP HiJackFree Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! Link to comment Share on other sites More sharing options...
magpielou Posted November 8, 2009 Author Report Share Posted November 8, 2009 Hiya, No problems, and things seem to be running ok - no sign of more hotmail spam. Logs attached. Many thanks, Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 9, 2009 Report Share Posted November 9, 2009 Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*). REGEDIT4 [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Close Notepad. Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry. ----------------------------------------------------------- Other then the above, your logs look fine. Unless you are having problems from Malware it is time to do the final steps. If you used ComboFix, uninstall ComboFix: Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.) AvoidTDSS /u or combofix /u or Combo-Fix /uNote: The space before /u, must be there. Which command you use depends on if I had you rename ComboFix during download.This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults. Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.Delete everything in C:\!KillBox Delete the following from your Desktop (If they exist) Avenger.exe Avenger.txt Avenger.zip DisableAutoRuns.reg FixMe.reg FixReg.reg ISeeYouXP.exe ISeeYouXP.lnk ISeeYouXP.txt Anything else I had you use Delete the following: (If they exist) C:\Avenger.txt C:\Avenger C:\ComboFix.txt C:\ComboFix C:\SDFix C:\Qoobox You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. Empty the Recycle Bin Run ATF Cleaner In the ISeeYouXP folder double-click HideIT.bat. Turn off System restore to flush all your restore points then turn system restore back on. To manually turn off System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. 4 Click Yes when you receive the prompt to the turn off System Restore. To turn on System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. Delete C:\ISeeYouXP Run Windows Update and update your Windows Operating System. Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated. That should take care of everything. Safe Surfing! Link to comment Share on other sites More sharing options...
magpielou Posted November 11, 2009 Author Report Share Posted November 11, 2009 Hiya, OK, this is where I had problems before and I have the same again. I uninstalled ComboFix fine and deleted the other stuff OK, but I don't have/can't find the C:\AvoidTDSS or C:\ComboFix folder you mention, or the C:\!KillBox file/folder/whatever. I have only ISeeYouXP as a program to run, not as a folder with "HideIT.bat" to find. And I can't find an option to turn off system restore, only to create a system restore point. In the meantime, I'm going to update Windows and see what happens. Sorry if this makes me sound like an idiot, but I'm doing my best, I'm just a person who uses a computer, not a person withknowledge about them... Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 12, 2009 Report Share Posted November 12, 2009 If they are not there, they are not there. The instructions say if they exist to delete them. Link to comment Share on other sites More sharing options...
magpielou Posted November 13, 2009 Author Report Share Posted November 13, 2009 Hi, OK. But does it matter about the system restore stuff? No idea what I'm doing with that, either. L Link to comment Share on other sites More sharing options...
Lynx Posted November 13, 2009 Report Share Posted November 13, 2009 ...I can't find an option to turn off system restore, only to create a system restore point... ...about the system restore stuff? No idea what I'm doing with that, either magpielou, "Creating the System Restore" you are talking about, as I understand, is the dialogue that is displayed when you go Start > All Programs > Accessories > System Tools > System Restore Is that what you mean? If so - that is different. If you follow the instruction regarding the System Restore as in #1 You should get the following "System Properties" dialogue: where you will find the System Restore Tab (#2) and the requited Check Box (#3) My regards Link to comment Share on other sites More sharing options...
magpielou Posted November 16, 2009 Author Report Share Posted November 16, 2009 Hi again, OK, here's what happens: >1. Click Start, right-click My Computer, and then click Properties. Start - rightclick on 'Computer' - click 'Properties' = all fine. >2. Click the System Restore tab. I don't have one. I have 'Device Manager', 'Remote settings', 'System protection' and 'Advanced system settings' in a list on the left and the panel on the right is the basic info about 'you are using Windows Vista' etcetc. That image in the last reply is nothing like the image I see - maybe this is a Vista thing?? In 'System properties' there is a 'System protection' tab which offers the option to create restore points, but I'm guessing that's not the right place? Sorry to be a pain... Louise Link to comment Share on other sites More sharing options...
Lynx Posted November 16, 2009 Report Share Posted November 16, 2009 ... In 'System properties' there is a 'System protection' tab which offers the option to create restore points, but I'm guessing that's not the right place?Louise,Yes, creating restore points is not the right one as it was said before “System Protection Tab” on Vista should look like: under “Automatic restore points” - uncheck box(es) next to disk(s) letters; - confirm the message “Are you sure you want to turn System Restore off?” by clicking on <<Turn System Restore Off>> button In order to turn System Restore On – check box(es) back Link to comment Share on other sites More sharing options...
magpielou Posted November 18, 2009 Author Report Share Posted November 18, 2009 Hiya, Much clearer with that set of instructions, thank you - sorry to sound like an idiot; instructions in words of one syllable were just the thing. All seems ok now, thanks for your help - hopefully I won't need to speak to you again! Cheers, Louise Link to comment Share on other sites More sharing options...
ShadowPuterDude Posted November 19, 2009 Report Share Posted November 19, 2009 Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread Link to comment Share on other sites More sharing options...
Recommended Posts