WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93121 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
I may be infected?
Started by
Nman
, Jun 29 2010 07:06 PM
-
This topic is locked
99 replies to this topic
#1
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 29 June 2010 - 07:06 PM
Hey hey, a hymn to humanity, love has gone people, are you worried?
Register to Remove
#2
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 29 June 2010 - 07:21 PM
I see the Tech Team sent you over for a check. We can do that
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.
Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.
I suggest you do this:
XP Users
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.
Vista Users
To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:
Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.
If you are in the Control Panel Home view do the following:
Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Please do not delete anything unless instructed to.
We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache
Next:
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[/list]If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
Next:
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Then click Remove Selected .
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also please describe how your computer behaves at the moment.
Please don't attach the scans / logs, use "copy/paste".
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to 
for the help you received.
Proud graduate of TC/WTT Classroom
#3
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 29 June 2010 - 08:58 PM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4259
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
6/29/2010 7:51:41 PM
mbam-log-2010-06-29 (19-51-41).txt
Scan type: Quick scan
Objects scanned: 127657
Time elapsed: 8 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
So far as how it is running right now, it seems okay, and the scan didn't turn anything up. The times between when it runs slow are decreasing too. It gets to the point where not even CTRL+ALT+DELETE will do anything.
Thanks for your help, I would like to donate, is there any specific way I am supposed to do that?
Hey hey, a hymn to humanity, love has gone people, are you worried?
#4
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 05:36 AM
Most of us have a PayPal button in our signatures.Thanks for your help, I would like to donate, is there any specific way I am supposed to do that?
Lets run one more scan.
Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.
I suggest you do this:
Download ComboFix from one of these locations:
Link 1
Link 2 If using this link, Right Click and select Save As.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
- Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have SP3, use the SP2 package.If Vista or Windows 7, skip the Recovery Console part
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it atleast 20-30 minutes to finish if needed.
Please do not attach the scan results from Combofx. Use copy/paste.
Also please describe how your computer behaves at the moment.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#5
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 12:09 PM
Hey, first I would like to say thank you so far for your help. I would like to ask about the links you provided, the first one will not work, and the second one McAfee won't let me download it, and it says it has been reported to have spyware or malware on it (though at this point it seems I may already have that) so what should I do? Should I disable McAfee first? Or is there something else I should try?
Thanks
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#6
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 12:11 PM
Please use the topic here as I usually don't answer by PM.
Yes, you need to disable McAfee first before down loading combofix.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#7
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 30 June 2010 - 12:18 PM
Okay, thanks! I will be back when everything is done!Please use the topic here as I usually don't answer by PM.
Yes, you need to disable McAfee first before down loading combofix.
Hey hey, a hymn to humanity, love has gone people, are you worried?
#8
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 30 June 2010 - 12:45 PM
Okay it ran the scan, and restarted, but it did not generate a report. A window had popped up saying that Windows had encountered a critical problem and had to restart" and all my desktop icons were gone as was my start menu, so I couldn't do anything other than let it just restart. Everything is back up and running now, so what should I do now?
Hey hey, a hymn to humanity, love has gone people, are you worried?
#9
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 12:48 PM
Look for C:\Combofix.txt
Open it with Notepad and copy / paste the results here.
Open it with Notepad and copy / paste the results here.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#10
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 30 June 2010 - 12:52 PM
ComboFix 10-06-29.04 - Nathaniel 06/30/2010 11:26:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1806 [GMT -7:00]
Running from: C:\Users\Nathaniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.
2010-06-30 18:35:45 . 2010-06-30 18:36:10 -------- d-----w- C:\Users\Nathaniel\AppData\Local\temp
2010-06-30 18:35:45 . 2010-06-30 18:35:45 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-06-30 17:53:51 . 2010-06-30 17:53:52 -------- d-----w- C:\Users\Nathaniel\AppData\Local\Adobe
2010-06-30 02:42:00 . 2010-06-30 02:42:00 -------- d-----w- C:\Users\Nathaniel\AppData\Roaming\Malwarebytes
2010-06-30 02:41:31 . 2010-04-29 22:39:38 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-06-30 02:41:30 . 2010-06-30 02:41:30 -------- d-----w- C:\ProgramData\Malwarebytes
2010-06-30 02:41:30 . 2010-04-29 22:39:26 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2010-06-30 02:41:29 . 2010-06-30 02:41:35 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-25 21:25:50 . 2010-06-28 05:59:44 -------- d-----w- C:\ARENA
2010-06-24 01:46:25 . 2010-06-24 01:46:25 -------- d-----w- C:\Windows\system32\Adobe
2010-06-24 00:57:57 . 2010-06-24 00:57:56 509552 ----a-w- C:\ProgramData\Google\Google Toolbar\Update\gtb9D79.tmp.exe
2010-06-22 20:02:44 . 2009-11-08 17:55:32 99176 ----a-w- C:\Windows\system32\PresentationHostProxy.dll
2010-06-22 20:02:44 . 2009-11-08 17:55:32 49472 ----a-w- C:\Windows\system32\netfxperf.dll
2010-06-22 20:02:44 . 2009-11-08 17:55:32 297808 ----a-w- C:\Windows\system32\mscoree.dll
2010-06-22 20:02:44 . 2009-11-08 17:55:32 295264 ----a-w- C:\Windows\system32\PresentationHost.exe
2010-06-22 20:02:44 . 2009-11-08 17:55:32 1130824 ----a-w- C:\Windows\system32\dfshim.dll
2010-06-22 20:00:25 . 2010-04-16 16:43:35 28672 ----a-w- C:\Windows\system32\Apphlpdm.dll
2010-06-22 20:00:25 . 2010-04-16 14:39:07 4240384 ----a-w- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-06-17 01:55:01 . 2010-06-17 01:55:01 -------- d-----w- C:\ProgramData\Office Genuine Advantage
2010-06-11 02:21:39 . 2010-06-28 20:29:11 -------- d-----w- C:\Program Files\Common Files\Steam
2010-06-11 02:21:37 . 2010-06-30 17:07:19 -------- d-----w- C:\Program Files\Steam
2010-06-08 23:07:14 . 2010-04-05 17:01:01 67072 ----a-w- C:\Windows\system32\asycfilt.dll
2010-06-08 23:07:10 . 2010-05-26 17:06:41 34304 ----a-w- C:\Windows\system32\atmlib.dll
2010-06-08 23:07:10 . 2010-05-26 14:47:41 289792 ----a-w- C:\Windows\system32\atmfd.dll
2010-06-08 23:07:00 . 2010-05-04 19:15:20 834048 ----a-w- C:\Windows\system32\wininet.dll
2010-06-08 23:06:57 . 2010-05-04 18:37:45 78336 ----a-w- C:\Windows\system32\ieencode.dll
2010-06-08 23:06:46 . 2010-05-01 14:13:48 2037248 ----a-w- C:\Windows\system32\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
Hey hey, a hymn to humanity, love has gone people, are you worried?
Register to Remove
#11
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 12:55 PM
If that's all there is, you need to run the scan again.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#12
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 30 June 2010 - 01:34 PM
Okay so I ran it again and this time it was even shorter, the report I mean. I'll post it, but now I am getting worried (though maybe I shouldn't be as I do have a very good warranty on this thing)
ComboFix 10-06-29.04 - Nathaniel 06/30/2010 12:11:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.2008 [GMT -7:00]
Running from: C:\Users\Nathaniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
It says Window Defender is *enabled* however that is not true, I did disable all security on my laptop before running this, both times. Could there be some setting that is turning it back on?
I will be back shortly, thanks again for your help!
Also I should note that it crashed and when it recovered it said that windows had recovered from an unexpected crash. I did not get to see the crash, I had to leave the computer for a short time, but when I came back there was a black screen up that asked how I wanted to windows. I have seen this screen several times recently due to my current problems as it is.
Edited by Nman, 30 June 2010 - 01:42 PM.
Hey hey, a hymn to humanity, love has gone people, are you worried?
#13
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 04:05 PM
Lets try this instead.
Download TDSSKiller and save it to your Desktop.
Download TDSSKiller and save it to your Desktop.
- Make sure all other windows are closed and to let it run uninterrupted.
- Extract the file and run it.
- Reboot your machine and see if the infection is gone
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#14
Nman
-
- Authentic Member
-
- 95 posts
Authentic Member
Posted 30 June 2010 - 04:07 PM
Thanks, I will do that when I get home, off to work for now. You have no idea how grateful I am for your help!
Hey hey, a hymn to humanity, love has gone people, are you worried?
#15
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 30 June 2010 - 04:18 PM
Have a good work dayThanks, I will do that when I get home, off to work for now. You have no idea how grateful I am for your help!
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
