semi-fixed PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by finderne, Jan 3, 2010.

  1. finderne

    finderne Private E-2

    My daughter's laptop was running with disabled AVG (oops). About a week ago, she told me it was broken because she lost internet access. I ran some scans with AVGfree and MalwareBytes, with many detected problems. So I went through the MajorGeeks Cleaning Procedure for Win XP and thought it went fine. Initial scans showed problems, but later repeats with all tools were clean. Only obvious problem was that there was still no internet connection using her user profile. My admin profile had internet access, so I assume it was a corrupted profile. I created a new profile, and copied her info from old profile to new profile, which seemed to work and PC was returned to her, with Avira AntiVir and Windows Firewall running.

    One week later, she says the problem is back. There were now many malware "virus warning" popups, and her internet access was broken on the new profile. So I ran the MajorGeeks process, except MalwareBytes wouldn't run, so I skipped it until after I ran ComboFix. ComboFix seemed to remove some kind of block because I was then able to run MalwareBytes. The system seems stable now, but internet access is still broken on my daughter's new profile. I'm attaching logs to see if anyone has thoughts on possible remaining problems.

  2. finderne

    finderne Private E-2

    5th logfile attached...

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should move all the jpg's off your C:\ drive and put them in a folder. Such as My Pictures.

    Now, all your user accounts have admin. privileges...not a good idea. You should have only one with those privileges for doing changes to your system such as adding programs and such, and let the others have limited accounts for everyday surfing.

    You appear to have had Comodo installed at some point, but I don't see it being used. You need a firewall!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    chtjx
    
    File::
    c:\windows\system32\drivers\chtjx.sys
    C:\khkil.exe
    C:\Documents and Settings\Gary\Local Settings\Temp\SVNA0.TMP  
    
    Folder::
    C:\Documents and Settings\Gary\Local Settings\Temp\SVNA0.TMP  
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\chtjx]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
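A defender-side helper, added here and not part of the thread or of ComboFix itself, that parses a CFScript of the form posted above and cross-checks it before it is run: each Driver:: entry should be paired with its .sys file under File:: and with a Services key deletion under Registry::. The section names and the "blank lines are ignored" rule are assumptions about the CFScript format taken from the script above, not from ComboFix documentation; SAMPLE_SCRIPT is a constructed copy of that script.

```python
"""Sanity-check a ComboFix CFScript before running it; SAMPLE_SCRIPT is a constructed copy of the thread's script."""
import re

KNOWN_SECTIONS = {"KILLALL", "Driver", "File", "Folder", "Registry"}

SAMPLE_SCRIPT = """KILLALL::
Driver::
chtjx

File::
c:\\windows\\system32\\drivers\\chtjx.sys
C:\\khkil.exe
C:\\Documents and Settings\\Gary\\Local Settings\\Temp\\SVNA0.TMP

Folder::
C:\\Documents and Settings\\Gary\\Local Settings\\Temp\\SVNA0.TMP
Registry::
[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\chtjx]
"""

def parse_cfscript(text):
    """Return {section: [entries]}; blank lines are skipped, unknown headers rejected."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section header: {line!r}")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def check_cfscript(sections):
    """Cross-check Driver:: entries against File:: and Registry::; return warnings."""
    warnings = []
    files = [f.lower() for f in sections.get("File", [])]
    regs = [r.lower() for r in sections.get("Registry", [])]
    for drv in sections.get("Driver", []):
        # A removed driver should also lose its .sys file and its Services key.
        if not any(f.endswith(f"\\{drv.lower()}.sys") for f in files):
            warnings.append(f"driver {drv}: no matching .sys entry under File::")
        if not any(re.search(rf"\[-.*\\services\\{re.escape(drv.lower())}\]$", r) for r in regs):
            warnings.append(f"driver {drv}: no [-...\\Services\\{drv}] entry under Registry::")
    return warnings
```

An empty warning list means the three sections agree with each other; it says nothing about whether the named files actually exist on the machine.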
  4. finderne

    finderne Private E-2

    Thanks for the help. Here's feedback to your post.
    1) Comodo was downloaded after the malware infection, but it failed to install properly. I was using Zonealarm and removed it. I'm now using Windows Firewall. Please let me know if that's not adequate.
    2) As far as the copy/paste of the script - I'm not sure what you meant by scrolling through the code box. I copied 11 lines of code (ignoring blank lines). The last line I copied was:
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\chtjx]
    3) Dragging the CFScript file onto ComboFix launched it. The program ran and did an auto-restart after finishing. I didn't remember this happening from earlier runs of the program. Anyway, the ComboFix window popped back up after restart which read: "Preparing Log Report." (next line) "Do not run any programs until ComboFix has finished". That window stayed up for at least 10 minutes without any change, so I closed the window. Hopefully no harm done.
    4) Status is that IE8 connects to the internet for 3/4 user accounts. On that 4th acct, I can ping yahoo.com. I haven't tested much else so far.
    5) Logs attached and fingers crossed :)

  5. finderne

    finderne Private E-2

    Oh, and on another user acct. IE8 works, but it treats every time I launch it as a new setup. Very annoying there. No idea why it can't save the configuration. Oh well, if worst comes to worst, I can probably reinstall or use another browser.
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not adequate at all!!
    Just part of our boilerplate, as some code boxes may have more than what shows on the window.
    It wasn't finished as you can see if you compare this last log with your previous one. I need you to re-run Combo.
    Which user account? You still have all accounts with admin. privileges...which means any malware gaining access to any account with admin. privileges can infect all other accounts.

    Please use windows explorer to find and delete:
    C:\Documents and Settings\Lynn again\Local Settings\Application Data\ieaoss
    C:\Program Files\COMODO

    Now attach the below logs:

    * C:\ComboFix.txt
  7. finderne

    finderne Private E-2

    Sorry for the delay. I deleted the folders as requested (they appeared to be empty) and re-ran Combofix today (log attached). I changed all accounts except 1 from admin to limited.

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What malware issues are you still having? That log caught a few things that weren't in previous logs.