Help with Hijack log, comp is very slow!
#1
Posted 29 June 2010 - 08:33 AM
#2
Posted 29 June 2010 - 12:37 PM
My name is JonTom.
- Malware Logs can sometimes take a lot of time to research and interpret.
- Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
- Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
- Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
- PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
- I am looking over your log and will reply back shortly with instructions.
Member of UNITE
Proud Graduate of the WTT Classroom
#3
Posted 29 June 2010 - 01:20 PM
Thank you for the log.
Before we begin I would like to take a closer look at your system. Please work your way through the following steps. If you encounter any difficulties come back and let me know.
- Download and run OTL by Oldtimer
- Please download OTL by Oldtimer by clicking here and save the file (called OTL.exe) to your desktop.
- Close all open windows on your computer then Double click on the OTL.exe icon to run the program.
- Check the boxes beside "LOP Check" and "Purity Check".
- Under Custom Scan paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
- Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
- Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
- Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.
- Please scan your system with GMER
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please provide the OTL logs and the GMER log in your next reply.
Member of UNITE
Proud Graduate of the WTT Classroom
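Added example, not part of this thread and not OTL's own code: the /md5start ... /md5stop section of the custom scan above fingerprints a fixed list of system drivers and DLLs so that a patched file (same name, different bytes) can be spotted. This Python script does the same job, hashing the same file names and comparing them with a known-good baseline. The search directory, the baseline hashes and the sample driver files are all constructed for the demo; SHA-256 is used as the comparison key and MD5 is kept only so the output can be cross-referenced with an OTL log.

```python
import hashlib
import os
import tempfile

# Driver/DLL names taken from the /md5start ... /md5stop list in the OTL
# custom scan above; these are the files the scan fingerprints.
WATCHED_FILES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
    "sceclt.dll", "ntelogon.dll", "logevent.dll", "iaStor.sys",
    "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys",
    "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys", "eNetHook.dll",
    "ahcix86.sys", "KR10N.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys", "symmpi.sys", "adp3132.sys",
]


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_drivers(search_dirs, names=WATCHED_FILES):
    """Locate each watched file in the given directories and hash it.
    Returns {name: {"path", "md5", "sha256"}}; files not found map to None."""
    results = {}
    for name in names:
        found = None
        for directory in search_dirs:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                md5, sha256 = file_digests(candidate)
                found = {"path": candidate, "md5": md5, "sha256": sha256}
                break
        results[name] = found
    return results


def compare_to_baseline(scan, baseline):
    """Classify each scanned file against {name: sha256} as
    'ok', 'modified', 'missing' (not on disk) or 'unknown' (no baseline)."""
    verdicts = {}
    for name, info in scan.items():
        if info is None:
            verdicts[name] = "missing"
        elif name not in baseline:
            verdicts[name] = "unknown"
        elif info["sha256"] == baseline[name]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    return verdicts


def demo():
    """Constructed demonstration: build a fake driver directory, record a
    baseline from the clean files, tamper with one driver, then re-check."""
    tmp = tempfile.mkdtemp()
    clean = {  # constructed file contents, not real driver images
        "atapi.sys": b"CLEAN ATAPI DRIVER IMAGE (constructed)",
        "nvstor.sys": b"CLEAN NVSTOR DRIVER IMAGE (constructed)",
        "eventlog.dll": b"EVENTLOG DLL IMAGE (constructed)",
    }
    for name, data in clean.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    # The baseline deliberately omits eventlog.dll to show the 'unknown' case.
    baseline = {
        "atapi.sys": hashlib.sha256(clean["atapi.sys"]).hexdigest(),
        "nvstor.sys": hashlib.sha256(clean["nvstor.sys"]).hexdigest(),
    }
    # Simulate a patched driver: same file name, different bytes.
    with open(os.path.join(tmp, "atapi.sys"), "wb") as fh:
        fh.write(b"PATCHED ATAPI DRIVER IMAGE (constructed)")
    return compare_to_baseline(scan_drivers([tmp]), baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        if verdict != "missing":
            print(f"{name:16} {verdict}")
```

A "modified" verdict is a lead to investigate, not proof of infection: a legitimate update also changes the hash, so the baseline has to come from a known-clean install or the vendor's own file catalog, and a mismatch should be followed by checking the file's digital signature and version. On a real system the search directories would be %systemroot%\system32 and %systemroot%\system32\drivers, and the baseline would be stored somewhere the examined machine cannot alter.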
#4
Posted 30 June 2010 - 07:29 AM
Attached Files
#5
Posted 30 June 2010 - 12:50 PM
Thank you for the logs.
Let's start with the following:
- Please open OTL
- Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.
:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265431718171 (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]
- Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
- Allow the program to run unhindered.
- Your machine will re-start itself. This is normal.
- A log will be created after your machine reboots. Please post the contents of the log in your next reply.
- Security Check
- Please download Security Check by screen317 from here or here and save the file (called securitycheck.exe) to your desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.
Please post the OTL log and the Security Check log in your next reply.
Also, please let me know how your machine is behaving now. Is it still slow?
Member of UNITE
Proud Graduate of the WTT Classroom
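Added example, not part of this thread and not OTL's own code: the fix above is built from OTL log lines, and every entry it removes is an orphaned registry reference (a BHO, toolbar or DPF CLSID whose target file or CLSID key no longer exists). This Python parser reads lines in OTL's O2/O3/O16 format, extracts the section code, name and CLSID, and flags the entries whose status text marks them as orphaned. The sample lines are the ones quoted in the fix plus one constructed healthy entry with a placeholder CLSID; the orphan markers are the status strings seen in the log.

```python
import re

# OTL "O2 - BHO" / "O3 - Toolbar" lines:
#   <code> - <kind>: (<name>) - {<CLSID>} - <target file or status>
_NAMED = re.compile(
    r"^(?P<code>O\d+) - (?P<kind>[^:]+): \((?P<name>[^)]*)\) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<rest>.*)$"
)
# OTL "O16 - DPF" lines:
#   <code> - DPF: {<CLSID>} <download url> (<status>)
_DPF = re.compile(
    r"^(?P<code>O\d+) - (?P<kind>[^:]+): \{(?P<clsid>[0-9A-Fa-f-]{36})\} "
    r"(?P<rest>\S+) \((?P<status>.*)\)$"
)
# Status text OTL prints when the registry entry points at nothing usable.
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error")

# Constructed sample: the lines from the fix above plus one healthy entry.
# The healthy entry's CLSID and path are placeholders, not real components.
SAMPLE_LOG = [
    r"PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.",
    r"O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265431718171 (Reg Error: Value error.)",
    r"O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)",
    r"O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Corp)",
]


def parse_otl_line(line):
    """Parse one OTL O2/O3/O16 line into a dict, or return None for other
    line types (PRC, MOD, O4 ...). Sets entry['orphaned'] from the status."""
    for pattern in (_NAMED, _DPF):
        match = pattern.match(line.strip())
        if match:
            entry = match.groupdict()
            # O16 lines carry the status in parentheses; O2/O3 put it in rest.
            status_text = entry.get("status") or entry["rest"]
            entry["orphaned"] = any(m in status_text for m in ORPHAN_MARKERS)
            return entry
    return None


def find_orphaned(lines):
    """Return the parsed entries whose registry reference is orphaned."""
    parsed = (parse_otl_line(line) for line in lines)
    return [entry for entry in parsed if entry and entry["orphaned"]]


if __name__ == "__main__":
    for entry in find_orphaned(SAMPLE_LOG):
        print(f"{entry['code']:4} {entry['kind']:30} {{{entry['clsid']}}}")
```

Removing an orphaned BHO or DPF entry only cleans a dangling registry reference; it does not by itself explain a slow machine, which is why the fix above is paired with the temp-file cleanup commands and why the helper still asks for a fresh log after the reboot. A line that parses but is not flagged, such as the constructed healthy entry, still deserves a look at the file it points to before anyone decides it is benign.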
#6
Posted 30 June 2010 - 07:56 PM
Attached Files
#7
Posted 30 June 2010 - 07:57 PM
Attached Files
#8
Posted 01 July 2010 - 11:37 AM
Thank you for the logs.
- Security programs
- I cannot see any evidence of a real-time antivirus installed on your machine.
- You are strongly advised to install an AV. Using your computer without one is just asking for trouble.
- I have provided links to three trusted programs (just choose 1).
- IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system.
- Combofix
- VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
- Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Member of UNITE
Proud Graduate of the WTT Classroom
#9
Posted 03 July 2010 - 04:25 PM
Attached Files
#10
Posted 04 July 2010 - 10:03 AM
Thank you for the log.
Please work your way through the following steps:
- IOBIT Products
- We note you are using one or more products from IOBit.
- IOBit has been accused by Malwarebytes of illegally using their intellectual property without permission.
- Please see this for additional information on these allegations: http://www.malwareby...showtopic=29681.
- Additionally, both WOT and SiteAdvisor have flagged IOBit’s site.
- A thread in the IOBit’s forum responded to the accusations from MalwareBytes. It is noteworthy that several responses from users raising specific questions about IOBit’s response and finding it unsatisfactory were deleted and the thread was closed. The bottom line from IOBit was: “No hard proof shows that IObit stole the database of Malwarebytes.”
- From what is said above, at least until the issues of possible database theft and spyware packaging is resolved, I do not recommend the use of IOBit products.
- You can remove IOBit products by clicking on "Start" and then on "Control Panel" and then on "Add or Remove Programs".
- Foistware
- I can see from your log that you have Viewpoint Manager installed.
- Viewpoint Manager is considered as foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad".
- It is recommended that you remove Viewpoint products. However, this choice is up to you.
- To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
- Select Viewpoint Manager and click on "Remove".
- MalwareBytes AntiMalware
- I can see that you have MBAM installed.
- Double click on your MalwareBytes AntiMalware icon to launch the program.
- Click on the "Update" tab and then on "Check for Updates".
- The program will now install the latest Malware definition files.
- Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
- Once the program has scanned your computer, a log file will be created in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
- The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
- Come back here to this thread and Paste the log in your next reply.
- Please update your Java
- To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
- In the window that opens, click on the "Update" tab, and then on "Update Now".
- Your Java should begin to update. Please follow any prompts that you receive.
- Please perform the following scan:
- This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.
- It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
- DO NOT surf the net while your resident protection is disabled!
- Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.
- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run (at times it may appear to stall).
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Once the scan is complete, click on View scan report. To obtain the report:
- Click on: Save Report As
- Next, in the Save as prompt, Save in area, select: Desktop
- In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
- Then, click: Save
- Please post the Kaspersky Online Scanner Report in your reply.
- If you need help performing the above steps, an animated tutorial can be found here.
Please provide the MBAM log and the Kaspersky Online Scan log in your next reply.
Also, please describe how your machine is behaving now. Are you still having problems?
Member of UNITE
Proud Graduate of the WTT Classroom
#11
Posted 08 July 2010 - 07:23 PM
#12
Posted 08 July 2010 - 11:28 PM
Member of UNITE
Proud Graduate of the WTT Classroom
#13
Posted 12 July 2010 - 01:33 PM
Member of UNITE
Proud Graduate of the WTT Classroom
#14
Posted 15 July 2010 - 12:22 AM
Member of UNITE
Proud Graduate of the WTT Classroom