Clean machine?

Discussion in 'Malware Help (A Specialist Will Reply)' started by fuzzydi, Sep 16, 2011.

  1. fuzzydi

    fuzzydi Private E-2

    Cleaning a computer at work. It was taking a long time to boot up (10-15 minutes at best) and acting generally funky & sluggish.

    I uninstalled Zone Alarm (paid version) and replaced with MS Security Essentials. Soon after install, MS Security Essentials removed what it listed as 5 severe threats from temp folders:

    Exploit:Java/CVE-2010-0840.GC
    Exploit:Java/CVE-2010-0840.GS
    Exploit:Java/CVE-2010-0840.Z
    Exploit:Java/Midesq.A
    TrojanDownloader:Java/OpenStream.BA

    I ran the scans (logs attached). Also installed Comodo Firewall to replace the ZA firewall.

    Question... We have the Pro version of Malwarebytes. Is it ok to run (scheduled) with MS Security Essentials, or should I just run it weekly on demand?

    4 logs are attached and #5 will be added in next message.

    I appreciate any info as to whether you see anything suspicious in the logs or if we look clean now. Thanks Major Geeks!

    Diane
     


  2. fuzzydi

    fuzzydi Private E-2

    MGlogs.zip is attached.

    Thank you!
     


  3. thisisu

    thisisu Malware Consultant

    Yes it is safe to run alongside an Anti-Virus program such as MSE.

    Your logs look pretty clean, just follow these steps and let me know how the PC is running afterwards.

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    C:\3DHAD3
    File::
    c:\windows\system32\roboot.exe
    FileLook::
    C:\WINDOWS\3DHOME.INI
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Sep 16, 2011
  4. fuzzydi

    fuzzydi Private E-2

    I uninstalled Messenger per your instructions.

    I copied the script into Notepad and tried to run it in ComboFix...several times. It gets to Stage 4 or 5 and then hangs forever. I shut down & restarted and tried again. My virus protection and firewall is off. I left it running the last time for at least an hour and it doesn't get past Stage 5. No other windows or messages...

    Suggestions?

    Thanks for your help!
    Diane
     
  5. thisisu

    thisisu Malware Consultant

    Let's try it another way.

    Please download The Avenger by Swandog46 to your desktop.
    • See the download links under this icon.
    • Open avenger.zip and extract avenger.exe to your desktop
    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger.
      Note: Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the code box below, and paste it into the Input script here: text-field.
      Code:
      Files to delete:
      c:\windows\system32\roboot.exe
      Registry keys to delete:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
      
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach avenger.txt to your next message. (How to attach items to your post)

    Are you familiar with what is inside this folder? C:\3DHAD3

    Can you upload this file C:\WINDOWS\3DHOME.INI
    to VirusTotal and let me know the results?

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  6. fuzzydi

    fuzzydi Private E-2

    Thanks! I downloaded and ran Avenger.exe. Avenger.txt is attached.

    C:\3DHAD3 contains the files for a program called 3D Home Architect Deluxe 3.0. It's software by Broderbund (paid-for software, not freeware), that is sometimes used in our office.

    I attached a pdf of the results from the VirusTotal upload.
    Also MGlogs.zip is attached.

    Thanks again. Let me know what else I can do on this end. I appreciate all your help!

    Diane
     


  7. thisisu

    thisisu Malware Consultant

    It kind of concerns me that ComboFix did not run properly before.
    Please delete ComboFix.exe from your desktop. This is important as I do not want you to overwrite your existing copy as that may cause an issue.
    Once ComboFix has been removed from your desktop and deleted from the Recycle Bin:
    Now download a new copy from here to your desktop: Download link

    Now we need to make use of ComboFix by sUBs
    • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    C:\Documents and Settings\Clinton\Local Settings\Temp\alm.log
    C:\Documents and Settings\Clinton\Local Settings\Temp\amt.log
    C:\Documents and Settings\Clinton\Local Settings\Temp\amtconfig.log
    C:\Documents and Settings\Clinton\Local Settings\Temp\Av-test.txt
    C:\Documents and Settings\Clinton\Local Settings\Temp\Twain001.Mtx
    C:\Documents and Settings\Clinton\Local Settings\Temp\Twunk001.MTX
    C:\Documents and Settings\Clinton\Local Settings\Temp\Twunk002.MTX
    Folder::
    C:\Documents and Settings\Clinton\Local Settings\Temp\{94DAE9F9-655D-4358-B646-2F5B5E19640A}
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  8. fuzzydi

    fuzzydi Private E-2

    Followed your instructions and deleted ComboFix from the desktop & recycle bin. Re-downloaded from bleepingcomputer.com.

    Firewall/virus-malware programs are closed. The script is running as I type this (on another pc) and is again stuck at Stage 5. I think it's been there about 20-30 minutes. I will continue to let it run for a while, but if you have any additional options, please let me know. I will continue to check the forum.

    Thanks :)
    Diane
     
  9. fuzzydi

    fuzzydi Private E-2

    It is around 10:30am here - still stuck at Stage 5... <sigh>
     
  10. thisisu

    thisisu Malware Consultant

    I'm not sure what is going on yet. Let's check a couple more things. How is the PC running btw?

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
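The MBRCheck step above boils down to three checks on the first sector of the disk: is the 0x55AA boot signature there, does the bootstrap code hash to a value seen on clean Windows installs, and does the partition table look sane. The following is an added example written for this page, not MBRCheck's own code. It parses a raw 512-byte MBR and applies those checks; the "known-good" hash set, the stand-in bootstrap bytes and the partition layout are all constructed for the demo, so a real run would read sector 0 from the physical disk and use hashes of genuine vendor MBR code instead.

```python
"""Added example (not MBRCheck's code): parse a 512-byte MBR and apply the
same kind of checks MBRCheck reports on: boot signature present, bootstrap
code hash in a known-good set, exactly one active partition."""
import hashlib
import struct


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into its fields (classic layout: 440 bytes of
    bootstrap code, 4-byte disk signature, 2 reserved bytes, four 16-byte
    partition entries, then the 0x55AA boot signature)."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "code_md5": hashlib.md5(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_signature_ok": sector[510:512] == b"\x55\xAA",
        "partitions": partitions,
    }


def assess(info: dict, known_good_md5s: set) -> list:
    """Return human-readable findings; an empty list means 'looks standard'."""
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_md5"] not in known_good_md5s:
        findings.append("bootstrap code hash not in known-good set "
                        "(non-standard or infected MBR)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


def build_mbr(code: bytes, partitions: list, disk_signature: int = 0x12345678) -> bytes:
    """Constructed test helper that assembles an MBR; partitions are
    (active, type, lba_start, sectors) tuples."""
    sector = bytearray(512)
    sector[: len(code)] = code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        off = 446 + 16 * i
        sector[off] = 0x80 if active else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Stand-in for vendor bootstrap code (constructed, not a real MBR). A real
# check would carry hashes of the genuine Windows MBR code instead.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 432
KNOWN_GOOD = {hashlib.md5(CLEAN_CODE).hexdigest()}


def demo_clean() -> list:
    mbr = build_mbr(CLEAN_CODE, [(True, 0x07, 63, 1_000_000)])
    return assess(parse_mbr(mbr), KNOWN_GOOD)


def demo_tampered() -> list:
    """Same layout, but 8 bytes of the bootstrap code have been overwritten,
    the way a bootkit hooks the boot path before Windows loads."""
    patched = bytearray(CLEAN_CODE)
    patched[0x20:0x28] = b"\xe9\x00\x00\x90\x90\x90\x90\x90"
    mbr = build_mbr(bytes(patched), [(True, 0x07, 63, 1_000_000),
                                     (False, 0x17, 1_000_063, 2048)])
    return assess(parse_mbr(mbr), KNOWN_GOOD)


if __name__ == "__main__":
    print("clean:", demo_clean())
    print("tampered:", demo_tampered())
```

The hash comparison is the part that matters: a bootkit usually keeps the partition table and the boot signature intact, so only the code bytes change, which is why MBRCheck reports "non-standard or infected MBR" rather than a partition error.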
     
  11. fuzzydi

    fuzzydi Private E-2

    I have tried numerous times throughout the day to run the ComboFix script...letting it sit for hours. One time I quickly got to Stage 33, but then it stopped. I tried running without a network connection, thinking that might make a difference, but it didn't.

    I'm at a loss...
     
  12. fuzzydi

    fuzzydi Private E-2

    Just saw your latest message. Will try your suggestions and get back to you... :)
     
  13. fuzzydi

    fuzzydi Private E-2

    OK...TDSS and MBRCheck logs are attached. Doesn't seem they found anything.

    As for how the computer is running...we haven't really used it except to run the scans. When it reboots, it seems to be doing so much faster.

    We'll try to use it some tomorrow and see how it performs.

    Thanks...looking forward to hearing from you. I really appreciate it!

    Diane
     


  14. thisisu

    thisisu Malware Consultant

    Let's see if these find anything:

    Now we need to run GMER.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
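The /md5start ... /md5stop part of the OTL script above asks the tool to hash a handful of system binaries and drivers that file infectors and rootkits commonly patch (atapi.sys, userinit.exe, winlogon.exe and so on). The following is an added example, not OTL's code: it does the same job in plain Python, hashing every copy of those file names it finds under a root, flagging hashes that are not in a known-good set, and flagging copies that sit outside the directory they belong in. The directory tree, the "clean" file contents and the baseline hashes are all constructed for the demo; on a real machine the baseline would come from a clean install of the same Windows build and patch level.

```python
"""Added example (not OTL's code): an MD5 baseline check in the spirit of
OTL's /md5start ... /md5stop directive. Hashes are per file name, so a
second copy of a system binary in an odd directory is not missed."""
import hashlib
import os
import tempfile

# The same file names the post asked OTL to hash.
WATCHED = {
    "atapi.sys", "csrss.exe", "explorer.exe", "ipnat.sys", "ipsec.sys",
    "regedit.exe", "svchost.exe", "tcpip.sys", "userinit.exe", "winlogon.exe",
}


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: str, names=WATCHED) -> dict:
    """Walk root and return {relative_path: md5} for every file whose
    (case-insensitive) name is in names, wherever it sits in the tree."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in names:
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = md5_of(full)
    return found


def compare(found: dict, baseline: dict, expected_dir="windows/system32") -> list:
    """baseline maps file name -> set of known-good MD5s. Returns sorted
    (relative_path, reason) pairs that deserve a human look."""
    findings = []
    for rel, digest in found.items():
        name = os.path.basename(rel).lower()
        if digest not in baseline.get(name, set()):
            findings.append((rel, "md5 not in known-good set"))
        if not rel.lower().startswith(expected_dir):
            findings.append((rel, "copy outside " + expected_dir))
    return sorted(findings)


def demo() -> list:
    """Constructed tree: two clean files, one patched driver, and an extra
    copy of svchost.exe with the genuine bytes but in the wrong directory."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "windows", "system32")
    os.makedirs(sys32)
    originals = {"userinit.exe": b"clean userinit",
                 "svchost.exe": b"clean svchost",
                 "atapi.sys": b"clean atapi"}
    baseline = {n: {hashlib.md5(b).hexdigest()} for n, b in originals.items()}
    for name, data in originals.items():
        if name == "atapi.sys":
            data = data + b"\x90" * 16   # "patched" on disk: hash will differ
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(data)
    with open(os.path.join(root, "windows", "svchost.exe"), "wb") as f:
        f.write(originals["svchost.exe"])
    return compare(collect(root), baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Both findings the demo produces are things a plain antivirus scan can miss: a patched driver still "is" atapi.sys by name and version, and a genuine svchost.exe copied next to its real home has a perfectly clean hash.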
     
  15. fuzzydi

    fuzzydi Private E-2

    OK...scans are done and logs are attached.

    When I first tried to run the GMER scan, it stopped early in the scan and closed. Just disappeared from the screen. I re-started the scan and it completed.

    Will start using the computer a bit today to see how it performs and let you know.

    Thank you!

    Diane
     


  16. thisisu

    thisisu Malware Consultant

    Ok.

    All of your logs are clean of malware, however, based off the Extras.txt, I think it's safe to say something with the Wave Support Software installed is not working properly as it is creating many Application Event log errors.

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/20/2011 8:01:52 AM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
    Description = The NTRU TSS is not running, Wave Software is unable to communicate
    to TPM

    Error - 9/20/2011 8:20:19 AM | Computer Name = CSUGGS | Source = Windows Search Service | ID = 3013
    Description = The entry <C:\DOCUMENTS AND SETTINGS\CLINTON\DESKTOP\CFSCRIPT2.TXT>
    in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
    A
    device attached to the system is not functioning. (0x8007001f)

    Error - 9/20/2011 5:55:10 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
    Description = The NTRU TSS is not running, Wave Software is unable to communicate
    to TPM

    Error - 9/20/2011 7:04:26 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
    Description = The NTRU TSS is not running, Wave Software is unable to communicate
    to TPM

    Error - 9/20/2011 8:32:33 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
    Description = The NTRU TSS is not running, Wave Software is unable to communicate
    to TPM

    -----------
    I figure this is probably something for your business, but it seems as if this is what may be causing your computer to be "sluggish".
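The diagnosis above comes from reading the "Last 10 Event Log Errors" section that OTL writes into Extras.txt and noticing that one source (Wave TCG Client Services, event ID 123, a TPM client that cannot reach its NTRU TSS service) accounts for most of the entries. The following is an added example, not OTL's code: a parser for that section that re-joins the wrapped description lines and counts which Source/ID pair repeats most. The sample text is the excerpt quoted in the post above, re-embedded as a string; the assumption that every Extras.txt uses exactly this "Error - date | Computer Name = ... | Source = ... | ID = ..." header layout is mine.

```python
"""Added example (not OTL's code): parse OTL's 'Last 10 Event Log Errors'
section from Extras.txt and rank the (Source, ID) pairs by count."""
import re
from collections import Counter

# The excerpt quoted in the post, embedded as sample input.
SAMPLE = r"""
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/20/2011 8:01:52 AM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 9/20/2011 8:20:19 AM | Computer Name = CSUGGS | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\CLINTON\DESKTOP\CFSCRIPT2.TXT>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 9/20/2011 5:55:10 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 9/20/2011 7:04:26 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM

Error - 9/20/2011 8:32:33 PM | Computer Name = CSUGGS | Source = Wave TCG Client Services | ID = 123
Description = The NTRU TSS is not running, Wave Software is unable to communicate
to TPM
"""

HEADER = re.compile(
    r"^Error - (?P<when>\S+ \S+ [AP]M) \| Computer Name = (?P<host>\S+)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)


def parse_errors(text: str) -> list:
    """Return one dict per entry. Description lines that OTL wrapped are
    re-joined with spaces until the blank line that ends the entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            current["description"] = ""
            entries.append(current)
            continue
        if current is None:
            continue                 # section banners before the first entry
        if not line:
            current = None           # blank line closes the entry
            continue
        if line.startswith("Description = "):
            line = line[len("Description = "):]
        current["description"] = (current["description"] + " " + line).strip()
    return entries


def by_source(entries: list) -> list:
    """[((source, id), count), ...] sorted by count, highest first."""
    return Counter((e["source"], e["id"]) for e in entries).most_common()


def repeat_offenders(entries: list, min_count: int = 3) -> list:
    """(source, id, count) for pairs that fire at least min_count times in
    the window: a component that fails on every start or logon is the
    first thing to chase when the complaint is 'slow boot'."""
    return [(src, eid, n) for (src, eid), n in by_source(entries) if n >= min_count]


if __name__ == "__main__":
    for src, eid, n in repeat_offenders(parse_errors(SAMPLE)):
        print(f"{n}x  {src} (ID {eid})")
```

The single Windows Search Service entry is also worth a glance in context: it fired while CFSCRIPT2.TXT sat on the desktop and reports a device that "is not functioning", which lines up in time with the ComboFix attempts described earlier in the thread, though the excerpt alone does not say which device.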
     
  17. fuzzydi

    fuzzydi Private E-2

    Thank you so much for all your help!! I will investigate that Wave Support Software and see if it's something we need to keep.

    Thanks again!
    Diane
     
  18. thisisu

    thisisu Malware Consultant

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
