MajorGeeks Support Forums

Malware Removal forum
  #1  
06-07-09, 12:54
hmouta (Private E-2)
Internet was connecting but IE fails to load pages

I'm trying to clean a friend's laptop. A few months ago he had infections and I did my best to clean them. He had more infections recently. The last time, his browser was hijacked and all searches led to dummy pages. I disabled TDSS (I think that's it) and was able to start the cleaning process (I did use SmitFraudFix and SDFix and recently deleted them to make it easier to scan for real infections; these 2 programs show up as malicious in other scanners, I know they aren't).

This time around his laptop shows connected to the network (at his house and mine) but IE won't load pages, like something was intercepting the page requests. I started the cleaning process with the programs I had and then found this site (which is awesome). I went through the "run me first" cleanup tutorial and the "how to protect yourself" tutorial first. When I completed the ComboFix step, IE finally started loading pages. I continued and finished with MGtools. Thinking everything was all set, I reran some basic scanner programs to confirm it was clean before I did the restore points step. SAS did find something, and after that IE stopped loading pages again, so I reran ComboFix and MGtools again. I know I wasn't supposed to, but it did correct IE again, and I haven't run the after-the-fact scanners again.

I'll list the info from all previous scans to help get a picture of the laptop and will attach the first set of ComboFix and MGtools logs. In the next post I'll attach the 4 newest logs as requested (with newer ComboFix and MGtools). The computer seems to be working OK, but it was working OK a few months ago too, so my friend wants to reformat to be certain the computer is clean. I told him I'd try to avoid that. Thanks in advance for any help.


ADAWARE
6-3-09 win32.trojanspy.agent, win32.trojandownloader.bho, win32.worm.koobface, win32.trojanproxy.agent
6-6-09 win32.trojan.spy c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\a0000533.exe



SAS
1-27-09 Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

Adware.Vundo Variant
C:\SWSETUP\MSWORKS\US\SYSTEM32\USP10.DLL
D:\MININT\SYSTEM32\USP10.DLL

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

5-4-09 Trojan.Dropper/Win-NV
C:\WINDOWS\MSTRE18.EXE
C:\WINDOWS\MSTRE18.EXE
C:\WINDOWS\PP06.EXE
C:\WINDOWS\PP06.EXE
[sysLDtray] C:\WINDOWS\LD08.EXE
C:\WINDOWS\LD08.EXE
[sysmstray] C:\WINDOWS\MSTRE18.EXE
[pp] C:\WINDOWS\PP06.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld08.exe ]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysmstray [ C:\windows\mstre18.exe ]
C:\WINDOWS\Prefetch\LD08.EXE-0CB609EE.pf
C:\WINDOWS\Prefetch\MSTRE18.EXE-1905F08F.pf
C:\WINDOWS\Prefetch\PP06.EXE-33D9D96C.pf

Trojan.Agent/Gen-DL32
C:\WINDOWS\SYSTEM32\DL32.EXE
C:\WINDOWS\SYSTEM32\DL32.EXE
C:\WINDOWS\Prefetch\DL32.EXE-1820A76F.pf

Trojan.Agent/Gen-Freddy
[sysfbtray] C:\WINDOWS\FREDDY42.EXE
C:\WINDOWS\FREDDY42.EXE
C:\WINDOWS\Prefetch\FREDDY42.EXE-10324AC7.pf

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}\InprocServer32
HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\WINCONFIG.DLL

Trojan.Downloader/ZLob
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\InprocServer32
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\InprocServer32#ThreadingModel
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\ProgID
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\Programmable
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\TypeLib
HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\VersionIndependentProgID
HKCR\y537.y537mgr.1
HKCR\y537.y537mgr.1\CLSID
HKCR\y537.y537mgr
HKCR\y537.y537mgr\CLSID
HKCR\y537.y537mgr\CurVer
HKCR\TypeLib\{E63648F7-3933-440E-AAAA-A8584DD7B7EB}
C:\WINDOWS\SYSTEM32\796525\796525.DLL

Trojan.Agent/Gen-Zlob
C:\DOCUMENTS AND SETTINGS\CHRIS\LOCAL SETTINGS\TEMP\JOPAXX_1241500089.EXE

Trojan.Agent/Gen-Freddie41
C:\WINDOWS\FREDDY41.EXE
C:\WINDOWS\Prefetch\FREDDY41.EXE-29994379.pf


6-6-09 1am Trojan.Unknown Origin c:\WINDOWS\PEV.EXE


MBAM
1-27-09 Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64858849920652462534544112936363 (Rogue.Antivirus) -> Quarantined and deleted successfully.

5-4-09 Folders Infected:
C:\Program Files\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Start Menu\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Chris\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Start Menu\A360\Help.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Start Menu\A360\Registration.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.



The new scans come up clean (for now).
Attached Files
File Type: txt ComboFix1.txt (12.4 KB, 3 views)
File Type: zip MGlogs1.zip (96.8 KB, 2 views)
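The SAS listing in the post above mixes four kinds of evidence under each detection name: a kernel driver service key (the TDSSserv.sys entries), Run-key and startup entries (sysldtray, sysmstray), BHO/COM registrations (the CLSID blocks) and Prefetch files, which show the dropped binaries actually ran. The parser below is an added example, not a MajorGeeks or SUPERAntiSpyware tool: it groups the artifact lines under their detection name, classifies each line by that evidence type, and collapses the same binary seen under different case (C:\WINDOWS\LD08.EXE in the file line, c:\windows\ld08.exe inside the Run-key value) into one path. The category rules are this example's own heuristics, and SAMPLE_LISTING is a constructed subset of the listing above so it runs offline.

```python
"""Triage parser for a SUPERAntiSpyware-style detection listing.

Added example, not a MajorGeeks or SUPERAntiSpyware tool. It groups the
artifact lines under each detection name and classifies each one by what
it tells an analyst: driver service key, Run key or startup entry, BHO or
COM registration, Prefetch file (evidence the binary ran) or plain file.
The category rules are this example's own heuristics, not the scanner's.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the SAS listing pasted in the post (dates kept as posted).
SAMPLE_LISTING = r"""
1-27-09 Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

5-4-09 Trojan.Dropper/Win-NV
C:\WINDOWS\MSTRE18.EXE
C:\WINDOWS\MSTRE18.EXE
[sysLDtray] C:\WINDOWS\LD08.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld08.exe ]
C:\WINDOWS\Prefetch\LD08.EXE-0CB609EE.pf

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}\InprocServer32
C:\WINDOWS\SYSTEM32\WINCONFIG.DLL
"""

DATE_PREFIX = re.compile(r"^\d{1,2}-\d{1,2}-\d{2}\s+")          # "5-4-09 " in front of a name
STARTUP_ENTRY = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<path>.+)$")  # "[sysLDtray] C:\...\LD08.EXE"
RUNKEY_VALUE = re.compile(r"\[\s*(?P<path>[^\]]+?)\s*\]\s*$")       # "...Run#name [ C:\...\x.exe ]"
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def classify(line):
    """Category for one listing line, or None when the line is a detection name, not an artifact."""
    low = line.lower()
    if STARTUP_ENTRY.match(line):
        return "startup entry"
    if low.startswith("hklm\\system\\") and "\\services\\" in low:
        return "service"                      # driver/service registration (TDSS here)
    if "\\currentversion\\run#" in low:
        return "run key"
    if "browser helper objects" in low:
        return "bho"
    if low.startswith("hkcr\\"):
        return "com registration"
    if low.startswith("hk"):
        return "registry other"
    if "\\prefetch\\" in low and low.endswith(".pf"):
        return "prefetch"                     # checked before "file": it is execution evidence
    if DRIVE_PATH.match(line):
        return "file"
    return None


def parse_listing(text):
    """Map detection name -> category -> ordered list of unique artifact lines."""
    parsed = {}
    current = None
    for raw in text.splitlines():
        line = DATE_PREFIX.sub("", raw.strip())
        if not line:
            current = None                    # blank line ends the block
            continue
        category = classify(line)
        if category is None:
            current = parsed.setdefault(line, defaultdict(list))  # same name twice merges
            continue
        if current is None:
            continue                          # artifact with no heading: skip, don't guess
        if line not in current[category]:     # SAS repeats file lines; keep one
            current[category].append(line)
    return parsed


def summarize(parsed):
    """Sorted (detection, category, count) triples for a quick triage table."""
    return sorted((d, c, len(v)) for d, cats in parsed.items() for c, v in cats.items())


def referenced_files(parsed):
    """Distinct on-disk paths (lower-cased) from file lines, startup entries and Run-key values."""
    paths = set()
    for cats in parsed.values():
        for line in cats.get("file", []):
            paths.add(line.lower())
        for line in cats.get("startup entry", []):
            paths.add(STARTUP_ENTRY.match(line).group("path").strip().lower())
        for line in cats.get("run key", []):
            m = RUNKEY_VALUE.search(line)
            if m:
                paths.add(m.group("path").lower())
    return sorted(paths)


if __name__ == "__main__":
    result = parse_listing(SAMPLE_LISTING)
    for detection, category, count in summarize(result):
        print(f"{detection:28} {category:18} {count}")
    print("files to collect before deleting:", *referenced_files(result), sep="\n  ")
```

Running it on the sample prints one row per detection/category and then the four distinct paths; the "service" rows under Rootkit.TDSServ are the ones that matter for the symptom in this thread, since a driver service survives reboots and user-mode scanners.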
  #2  
06-07-09, 12:57
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

These are the 4 newest logs as requested. I apologize for doing ComboFix and MGtools twice.
Attached Files
File Type: log SAS - 06-06-2009 - 22-36-14.log (465 Bytes, 3 views)
File Type: txt mbam-log-2009-06-06 (23-29-23).txt (845 Bytes, 3 views)
File Type: txt ComboFix2 (updated exe).txt (12.1 KB, 3 views)
File Type: zip MGlogs2.zip (97.0 KB, 3 views)
  #3  
06-09-09, 10:32
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Welcome to Major Geeks!

According to the logs, the PC appears to be in good shape now. I do have a couple things for you to do though.

First you need to remove some leftovers from Symantec/Norton. Please run the below, then reboot. After the reboot, run it one more time.

Norton Removal Tool (SymNRT)

Now uninstall the below outdated version of Spybot:
Spybot - Search & Destroy 1.4


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /u
      • Note: the space between combofix" and /u must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix folder from combofix (if it exists)
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to add/remove programs and uninstall HijackThis.
  6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
  7. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work through the below link:
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #4  
06-09-09, 16:42
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

Under Add/Remove there are 2 listings: Spybot and Spybot 1.4. I assume the Spybot is the newer version that's on the computer. Will deleting 1.4 affect the new version? Maybe they shared files during the upgrade to 1.62.
  #5  
06-09-09, 22:27
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

I uninstalled the rest of Norton and the old Spybot. Before doing the System Restore steps I wanted to make sure the computer was clean, so I ran SAS and Malwarebytes again.

SAS flagged trojan.unknown.origin:
c:\windows\pev.exe
c:\windows\prefetch\pev.exe-0ce2bf4a.pf

Comodo also has been flagging 8-9 files in System Volume Information under nircmd.exe -> application.win32.nircmd & applicunsaf.win32.hide (7 files: 2 .hide and 5 .nircmd, all about 1 second apart).

Malwarebytes had previously flagged some .exe for PeoplePC. It appears to be an internet provider preloaded from HP, so I set it to ignore. I ran MB again, and when it got to this file, Comodo flagged it along with c:\swsetup\pccs\setup.exe. The pccs folder appears to contain files from AMD, the chipmaker (which the HP is running), but there's no setup.exe visible in the pccs folder and I have hidden files shown.

When I had SmitFraudFix and SDFix running a few months ago they would give false positives in SAS and the other scanners. I googled nircmd and it seemed to be linked to ComboFix. For pev.exe I get 50/50 results on whether it's good or bad, but other people's HJT logs show pev being created at the same time as ComboFix:

=============== Created Last 30 ================

2009-05-26 01:14 161,792 a------- e:\windows\SWREG.exe
2009-05-26 01:14 154,624 a------- e:\windows\PEV.exe
2009-05-26 01:14 98,816 a------- e:\windows\sed.exe
2009-05-26 01:14 <DIR> --ds---- E:\ComboFix

=============== Created Last 30 ================

2009-05-25 22:21 359,883 a------- C:\dds.scr
2009-05-24 16:40 <DIR> --d----- c:\program files\ESET
2009-05-24 16:36 2,668,240 a------- C:\esetsmartinstaller_enu.exe
2009-05-23 13:26 161,792 a------- c:\windows\SWREG.exe
2009-05-23 13:26 139,776 a------- c:\windows\PEV.exe
2009-05-23 13:26 98,816 a------- c:\windows\sed.exe
2009-05-23 13:25 <DIR> --ds---- C:\ComboFix

PeoplePC isn't in the Add/Remove Programs list. Can I just delete the folder from the Program Files\Online Services folder? This should remove this false positive from scanning. I was thinking the pccs folder was linked to PeoplePC, but now I'm not sure.

If pev and nircmd are from ComboFix, I think the computer is clean. If I uninstall ComboFix, these possible false positives should go away also, right? ComboFix is still installed in case I still have to run it.

That leaves the pccs\setup.exe file in question.

Comodo appears to not let you copy and paste nor save logs to be able to attach.

Should I just delete the PeoplePC folder and uninstall ComboFix, then run the scanners again? Any way to tell if the pccs\setup.exe file really exists?

I think I made this sound confusing. Sorry ahead of time.
  #6  
06-12-09, 19:59
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Quote (hmouta):
will deleting 1.4 affect the new version,
No! Just uninstall the old version.
  #7  
06-12-09, 20:14
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Quote (hmouta):
sas flagged trojan.unknown.origin
c:\windows\pev.exe
c:\windows\prefetch\pev.exe-0ce2bf4a.pf
SUPERAntiSpyware is incorrect. That file is PevFind, which is a program used by ComboFix. It is not a problem, but you don't need it anyway. If you had uninstalled ComboFix as requested and the file was still there, it could just be deleted. Since SAS deleted it, it does not matter anyway.

Quote (hmouta):
comodo also has been flagging 8-9 files in system volume information under the nircmd.exe -> application.win32.nircmd & applicunsaf.win32.hide (7 files-2 .hide and 5 .nircmd, all about 1 second apart)
Also false positives, since NirCmd is a well-known program used by many tools including ComboFix, but you have not finished my final instructions, which included steps for toggling System Restore. You need to complete my final instructions, which asked you to uninstall ComboFix, remove MGtools and toggle System Restore.

Quote (hmouta):
but there's no setup.exe visible in the pccs folder and i have hidden files shown.
Then perhaps MBAM or Comodo deleted it and you would need to restore it from their quarantine. I don't think this is a PeoplePC folder; it could just be something for your PC or something you put here and forgot about. It contains AMD-related files; perhaps it is for your HP computer, which is AMD-based.
  #8  
06-14-09, 20:10
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

I deleted the PeoplePC folder, uninstalled ComboFix, deleted the desktop icon and deleted the 3 MGtools files, then did the restore points steps and reran SAS and Malwarebytes.

SAS flagged: trojan.agent/gen c:\32788r22fwjfw\pev.exe

I assume this is a leftover from ComboFix, so I deleted it and rebooted to complete the deletion.

Malwarebytes came up clean. I got rid of the ignore file for PeoplePC before running Malwarebytes.

Comodo still flagged stuff. It's quarantining stuff in System Volume Information when Malwarebytes is scanning these files and coming across the nircmd-related stuff. I figured it wouldn't, since ComboFix was uninstalled and restore points reset. I searched for these restore files but Windows wouldn't allow me to delete them manually.

In previous scans I'd get c:\system volume information\_restore(a bunch of numbers and letters)\rp3 or rp5\a0000###.exe; the last quarantined stuff listed rp1. Does rp stand for restore point? If I cleared the restore points, then rp1 is the newest point? How does it create the nircmd stuff for rp1 if ComboFix is gone? Is there a way to further remove the ComboFix remnants so they aren't showing up in the System Volume Information files?
  #9  
06-17-09, 23:10
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Quote (hmouta):
sas flagged: trojan.agent/gen c:\32788r22fwjfw\pev.exe

i assume this is a leftover from combofix so i deleted it and rebooted to complete the deletion.
Yes it was. The whole folder can be deleted.

Quote (hmouta):
comodo still flagged stuff. its quarantining stuff in system volume information
If you toggled System Restore after all the cleanup, including removing the above pev.exe file, it should not be finding anything in System Restore. So toggle SR once more just to be sure.

Quote (hmouta):
when malwarebytes is scanning these files and coming across the nircmd related stuff. i figured it wouldn't since combofix was uninstalled and restore points reset.
ComboFix does not uninstall everything it puts on your PC. It does a very poor job of cleaning up, and it is hard for us to keep up with since it scatters things around in many places. Either way, Malwarebytes, Comodo, or any other scanner detecting nircmd.exe or pev.exe as problems is having false detection issues. These are valid programs. It is most likely an issue with where they are seeing the programs run from (the Windows root folder) which is causing the problem.


Quote (hmouta):
does rp stand for restore point?
RP = Restore Point.

Quote (hmouta):
if i cleared the restore points then rp1 is the newest point? how does it create the nircmd stuff for rp1 if combofix is gone. is there a way to further remove the combofix remnants so they aren't showing up in the system volume information files?
As I was saying above, you will have to clean up all of these remnants from ComboFix, like C:\Windows\nircmd.exe and C:\Windows\pev.exe and the ComboFix folder in your C:\ root directory, and then empty your Recycle Bin. Then you need to toggle SR.
  #10  
06-18-09, 17:42
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

You're right. I guess the ComboFix uninstall still leaves stuff behind. I searched and found two folders:

c:\qoobox: a Google search shows this being ComboFix's "quarantining vault".

c:\32788r22fwjfw: a Google search shows other people with this folder too, so I assume it's installed by ComboFix only. This folder has a bunch of files inside. Some file names contain combofix, nircmd, restore_pt, srestore, etc.

I deleted both. Maybe that's why the restore points still contained stuff. These folders seemed to have logs of ComboFix's restore point info.

I searched for pev, nircmd and combofix and deleted everything.

I toggled the restore point and rescanned. SAS and MBAM came up clean. Comodo didn't flag anything either when MBAM was scanning. Should I post a HijackThis log to finalize the cleanup?
  #11  
06-18-09, 18:10
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Quote (hmouta):
should i post a hjthis log to finalize the cleanup?
No! It would not be of any use anyway, since it does not show any of this stuff. That's part of the reason we don't ask for HJT logs.
  #12  
06-19-09, 20:43
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

Well, I'm still getting hits with Comodo for nircmd. I toggle the restore points, then run SAS and MBAM, which always come up clean. When MBAM scans the System Volume Information, Comodo quarantines 13 nircmd files. If I let them sit in quarantine and rerun the scans, nothing happens. If I retoggle the restore points and leave the files in quarantine and run MBAM, Comodo does nothing. Once I clear the quarantine and retoggle and run MBAM, Comodo flags the restore files again.

I search the hard drive for nircmd and it's clean. I deleted every file. But something is still creating the restore points. Any way to track down where the restore points come from, like what app is making them, since ComboFix is deleted? The same file, for example heur.suspicious@22980792, shows under c:\system volume info...............rp1\a0000047.exe. When I clear the quarantine and retoggle the restore points, this same file shows up as a0000016.exe, so even if I add them to the safe files list and then retoggle, it'll be created under a different a00000##.exe each time and Comodo will quarantine it when MBAM reads that file.

I believe the computer is clean, but it would be nice to stop the nircmd files from reappearing every time I retoggle. I can't access the System Volume Information folder. If I could, and right-clicked Properties on the respective files, would it tell me what app is originating that restore point file?
  #13  
06-21-09, 14:55
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Disable System Restore on ALL drives and then reboot. Keep it disabled until I ask you to enable it. Now do the below.

Make sure that you have completed all of my final cleanup instructions from message # 8 and uninstalled all that I stated.

Empty all quarantine folders for things like Comodo, SUPERAntiSpyware, Malwarebytes, etc.

Now delete any of the below folders if they are found:
C:\ComboFix
C:\QooBox
C:\32788R22FWJFW <<-- anything like this or similar

Now delete the below files if found:
C:\Windows\nircmd.exe
C:\Windows\pev.exe
c:\windows\sed.exe
c:\windows\SWREG.exe

Now run CCleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now reboot again and run a full scan with Comodo. If anything is found, provide a log of what is found.
  #14  
06-22-09, 19:27
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

I followed your last post. The two files that I hadn't previously deleted were c:\windows\sed.exe and c:\windows\SWREG.exe, so those are gone now.

There were 2 other SW files after swreg but I left them: swsc.exe and swxcacls.exe. All 3 SW files are from SteelWerx and had the same date created of June 5, 2009, which is likely the date I installed ComboFix. Should these 2 files be deleted too?

The Comodo scan was clean. Since Comodo was quarantining stuff previously while MBAM was accessing files during its own scan, I ran MBAM too after the Comodo scan, and it was clean and Comodo still didn't quarantine anything (maybe System Restore being off is doing this, or swreg was creating the nircmd restore points?). I saw MBAM scan the System Volume Information folder, but since it's probably empty from restore being off, Comodo didn't flag anything.

Restore is still off.

Should the next step be toggling restore on and running the scans again? If it still flags stuff, maybe deleting the 2 remaining SW files and retoggling restore and more scans?
  #15  
06-25-09, 00:56
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

Quote (hmouta):
there were 2 other sw files after swreg but i left them. swsc.exe and swxcacls.exe all 3 sw files are from steelwerx and had the same date created of june 5 2009, which is likely the date i installed combofix. should these 2 files be deleted too?
These were all used by ComboFix and can be deleted.

Quote (hmouta):
should the next step be toggling the restore on and running the scans again. if it still flags stuff, maybe deleting the 2 remaining sw files and retoggling restore and more scans?
After deleting the files above, and any others we have mentioned in the past, empty your Recycle Bin. Then turn System Restore back on and see how things look now.
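The cleanup chaslang lays out across posts #3, #13 and #15 (uninstall ComboFix with the /u switch, then hand-delete the folders and files its uninstaller leaves behind, then toggle System Restore) is easy to get half done, as this thread shows: the OP needed three rounds to find Qoobox, the random-named working folder and the SteelWerx binaries. The script below is an added example, not a MajorGeeks, ComboFix or SteelWerx tool: it inventories and removes the remnants named in those posts under a given drive root. The path list is taken from the thread. The rule for spotting ComboFix's random-named working folder (the thread's C:\32788R22FWJFW) is this example's own assumption, not documented ComboFix behaviour: a top-level folder of 10 or more upper-case letters and digits that contains pev.exe or nircmd.exe. build_sample_tree() creates a constructed, throw-away directory mirroring the state described in the thread so the script runs offline; point find_combofix_leftovers() at C:\ on a real machine instead.

```python
"""Inventory and removal of the ComboFix leftovers named in this thread.

Added example; not a MajorGeeks tool and not part of ComboFix or its
uninstaller. KNOWN_FOLDERS and KNOWN_FILES are exactly the paths chaslang
and hmouta list in posts #13 and #15. The rule for ComboFix's random-named
working folder (the thread's C:\\32788R22FWJFW) is an assumption of this
example, not documented ComboFix behaviour: a top-level folder whose name
is 10+ upper-case letters and digits and which contains pev.exe or nircmd.exe.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

KNOWN_FOLDERS = ["ComboFix", "Qoobox"]
KNOWN_FILES = [
    "Windows/nircmd.exe", "Windows/pev.exe", "Windows/sed.exe",
    "Windows/SWREG.exe", "Windows/swsc.exe", "Windows/swxcacls.exe",
]
MARKER_FILES = {"pev.exe", "nircmd.exe"}       # assumption, see module docstring
RANDOM_NAME = re.compile(r"^[A-Z0-9]{10,}$")   # assumption, see module docstring


def _resolve_ci(root, rel):
    """Resolve rel (forward slashes) under root, matching each component case-insensitively
    as Windows would; returns a Path or None. Lets the demo run on a case-sensitive filesystem."""
    cur = Path(root)
    for part in rel.split("/"):
        try:
            match = next((e for e in os.listdir(cur) if e.lower() == part.lower()), None)
        except OSError:                        # missing directory or a file in the path
            return None
        if match is None:
            return None
        cur = cur / match
    return cur


def find_combofix_leftovers(root):
    """Sorted list of leftovers present under root, in relative forward-slash form."""
    found = []
    for folder in KNOWN_FOLDERS:
        p = _resolve_ci(root, folder)
        if p is not None and p.is_dir():
            found.append(folder)
    for rel in KNOWN_FILES:
        p = _resolve_ci(root, rel)
        if p is not None and p.is_file():
            found.append(rel)
    for entry in os.listdir(root):             # random-named working folder heuristic
        full = Path(root) / entry
        if full.is_dir() and RANDOM_NAME.match(entry):
            if MARKER_FILES & {n.lower() for n in os.listdir(full)}:
                found.append(entry)
    return sorted(found)


def delete_leftovers(root):
    """Delete everything find_combofix_leftovers() reports; return what was actually removed."""
    removed = []
    for rel in find_combofix_leftovers(root):
        p = _resolve_ci(root, rel)
        if p is None:
            continue
        if p.is_dir():
            shutil.rmtree(p)
        else:
            p.unlink()
        removed.append(rel)
    return removed


def build_sample_tree():
    """Constructed throw-away tree mirroring the state the thread describes (layout assumed;
    file contents are placeholder bytes, not real binaries). Returns the root Path."""
    root = Path(tempfile.mkdtemp(prefix="combofix_demo_"))
    for d in ["ComboFix", "Qoobox/Quarantine", "32788R22FWJFW", "ABCDEFGHIJ12",
              "SWSETUP/PCCS", "Windows"]:
        (root / d).mkdir(parents=True)
    for f in ["Windows/nircmd.exe", "Windows/pev.exe", "Windows/sed.exe", "Windows/SWREG.exe",
              "Windows/swsc.exe", "Windows/swxcacls.exe", "Windows/notepad.exe",
              "32788R22FWJFW/pev.exe", "32788R22FWJFW/Combofix.txt", "ABCDEFGHIJ12/readme.txt"]:
        (root / f).write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    print("found:  ", find_combofix_leftovers(demo))
    print("removed:", delete_leftovers(demo))
    print("after:  ", find_combofix_leftovers(demo))
    shutil.rmtree(demo)
```

The script deliberately touches nothing under System Volume Information: the copies of nircmd.exe that Comodo kept finding there under _restore{...}\RP*\ are restore-point snapshots of files that were on disk when the point was taken, and they only go away when System Restore is disabled and re-enabled after the on-disk originals are gone and the Recycle Bin is emptied, which is why chaslang orders the steps the way he does. ABCDEFGHIJ12 in the sample tree shows the heuristic's false-positive guard: a random-looking name alone is not enough, the folder also has to hold one of ComboFix's marker binaries.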
  #16  
06-26-09, 16:20
hmouta (Private E-2)
Re: Internet was connecting but IE fails to load pages

I deleted those final 2 files and turned restore back on. Ran MBAM and rebooted a few times, and Comodo stayed clean each time, never flagging anything. Ran SAS a final time and it was still clean.

I feel good about the computer being clean. Thank you very much!!! I have another friend's computer to do and will use my thread as a guideline to do the same cleaning process on his, barring any stubborn files. This was a good learning process for me.
  #17  
06-28-09, 22:44
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Internet was connecting but IE fails to load pages

You're welcome. Surf safely!

Quote (hmouta):
I have another friend's computer to do and will use my thread as a guideline to do the same cleaning process on his
Make sure you start a new thread for this other computer.