12 replies to this topic

[Rogue]

Welcome to Tom Coyote Forums

Please observe these rules while we work:

• Perform all actions in the order given.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Since there may be other issues with your system besides your original symptoms, please continue to follow this thread until I have given you an "All Clean.".

If you can do these things, everything should go smoothly.

I see you are at XP's SP1. Be prepared to update to SP2 when I have given the all clean..but not before.

Ready? Let's go.

*=========================*

We need to Relocate Hijackthis

You currently are running HijackThis[b/] from a Temporary location:
Temp\Rar$EX23.304
HijackThis will not be able to make backups of the removed entries, if it's running from a Temp folder and we risk the chance of aacidently removing the application when you clean the temp file from your system.

Please make a folder here: c:\HJTand place HijackThis.exe in that folder.
DO NOT follow the steps below until you have moved HijackThis
*=========================*

Rename Hijackthis:

Locate the program Hijackthis.
Select the file, Hijackthis.exe, right-click and select Rename.
Please change the name to: icmore.exe
Then please could you post a new Hijackthis log.
*========================*

Please download VundoFix by Atribune to your Desktop
http://www.atribune..../click.php?id=4

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the [b]Scan for Vundo button." when VundoFix appears at reboot.
*=========================*

Please post the following;

New hijackthis log
vundofix.txt

Thanks,
Rogue

[Rogue]

Hi jeppy,

Geeez that log is short.
What have you tried prior to comming here for help?


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode. Other rootkitrevealers don't.
*=========================*

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
• Now click the Run Scan button on the toolbar.
• The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

*=========================*

Run Kapersky Online AV Scanner
Using Internet Explore Go to http://www.kaspersky.com/virusscanner and click the Kaspersky Online Scanner button.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer" and then put the kettle on!
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
*=========================*

Create Uninstall List with Hijackthis
This is how you do that:
Open HiJackThis
Click on the tab "Open the Misc Tools Session"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and past the List from notepad into your post
*=========================*

Please post the following;

GMER log
WinPFind log
Kapersky Log
Uninstall list

Some of these logs can be large and may require seperate posts

Thanks,

Rogue

[Rogue]

Jeppy,

That's all good information.
Can you post the SDFix log located in the c:\sdfix folder and the ComboFix log located at c:\combofix.txt
If you haven't already run WinPFind or the Kapersky Online AV you can hold off on those for now. If you have those please post those logs also.

Whats the difference between Vundo and GME ( GME looks more complicated and through)

The GMER is a rootkit scanner and VundoFix is the removal tool for the Vundo infection, which you had/have. When I see a log with as few entries as yours I get concerned that a rootkit is hiding this. That's why GMER. No rootkit by the way.

Looking at your uninstall list explains the short logs. You don't have hardly any programs installed.

Why no Windows update files in the uninstall list? Is your copy of XP legit?

Rogue

[Rogue]

Hi jeppy,

I'll wait for you to run ComboFix again before I give any further instructions.

Download Combofix by sUBs! from
http://www.techsuppo...Bs/ComboFix.exe
or
http://download.blee...Bs/ComboFix.exe

Save it to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log C:\ComboFix.txt
Post that log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Yes you will want to install SP2. It fixes a number of security flaws with XP. Do not install it until I have given you an All Clean. If still infected it may cause problems since it will install a large number of files.

Thanks,

Rogue

[Rogue]

Hi Jeppy, Did you just re-install XP since March? I'm not seeing anything else malicious in the logs. You had Vundo back in March and then now. Which was removed. I would say you are safe to install XP SP2 now. Unless you are having problems. If so please advise what those are. After XP if you could post a new hijackthis log that would be great. If no problems I'll give you some security tips and applications you can use. Thanks, Rogue

[Rogue]

Hi jeppy,

Computer's running at lightning speed even though it only has around 200 meg of RAM and 500mHz CPU.

Yes I would say you a little low on system resources How much free disk space do you have?

Many thanks for your help, Is there any classes on the forum where you can learn and become a helper ??

Two links in my signature

Whats the next stage ?

You said you had the XP SP2 disk. I would strongly suggest installing that.
With the exploits that are out there I would like to see a highjackthis log after installing SP2 just to be safe.


Rogue