Not sure if computer is clean, please look at logs

electech77 · Dec 27, 2008

I was surfing the internet when I noticed a random pop-up that wasn't supposed to be there. I closed it, then a short time later the red shield with an x appeared in my taskbar telling me that automatic updates were disabled, and the pop-ups started getting faster. I went through the clean up method, and I think the computer is clean cause the red shield is gone, but I don't know and would like my logs checked just to be safe.

electech77 · Dec 27, 2008

Also, I had ran the malwarebytes program before I came to this forum and started going by the "read and run me first" posting. So below is the log of when i ran it before following the post, and the one i ran while i was following the post. The one before found some things, while the one during did not.

dr.moriarty · Dec 28, 2008

Hello, electech77

We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible.

Thank you for being for patient.
dr.m

dr.moriarty · Dec 30, 2008

Hello, electech77

The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

A question: Did you once have 4oD installed? I don't see C:\Program Files\Kontiki in your Un-install listing, but KService remains.

Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed

Viewpoint Media Player
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Click to expand...

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Click to expand...

Step 3:
Run Ccleaner

Step 4:
Now install the latest Sun Java Runtime Environment

Step 5:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

C:\MGlogs.zip

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

Thanks!
dr.m

electech77 · Dec 30, 2008

As far as I know I have not had 4oD installed on my computer, but I could be mistaken.

I could not uninstall Java(TM) SE Runtime Environment 6 Update 1 using add/remove, but everything else removed just fine.

When running hijackthis the O4 (quicktime task) was not there, but the other was and it was fixed.

I ran Ccleaner and installed the new Java and attached are the logs obtained after the steps were finished.

I only connected my infected computer to the internet for about 5 to 10 min. during that time I did not see any pop-ups and everything looked ok. It was still a little slow, but that could be because I haven't been online with it since it was infected and it was looking for updates for different things.

dr.moriarty · Dec 31, 2008

electech77

re: How to Protect yourself from malware! You have 3 realtime antispyware blockers installed...

TrendMicro

Spy Sweeper

Windows Defender

You should only have 1 reatime anti-spyware blocker installed. * Windows Defender isn't very effective and SpySweeper (Free or Paid versions) should not be used along with Trend Micro Antispyware which is included in their Internet Security Suite. ** Additionally, A-squared uses too many system resources and has too many FPs (false positives)... un-install that too.

Step 1:
Please look in Add/Remove Programs and un-install:

Two of your three anti-spyware appls

A-squared Free

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
Click to expand...

Step 3:
Now we need to use ComboFix to remove a left-over.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.

Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Driver::
KService
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Step 4:
Run Ccleaner

Step 6:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

C:\MGlogs.zip

C:\combofix.txt

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

Thanks!
dr.m

electech77 · Dec 31, 2008

I was able to follow all of the procedures with no problem, and all of them were completed. Attached are the two logs that you requested.

When connected to the internet again, there is no red shield with an x in it saying my automatic updates are disabled, and there have been no pop-ups that i can see. Things are running faster and it looks as if everything is ok again. I thank you very much for your help so far (especially during the holidays) and if there is anything else I need to do please let me know.

dr.moriarty · Jan 1, 2009

:cool

"You're Welcome" -- your logs look good, electech77. If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (=This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

If we had you run Avenger, you can delete all files related to Avenger now.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware

Click to expand...

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

electech77 · Jan 1, 2009

Thank you very much. My computer is running better than ever now. I appreciate all your time and effort.

dr.moriarty · Jan 1, 2009

You're very welcome! "Happy New Year" and enjoy your pc.

dr.m http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

Log in or Sign up

Not sure if computer is clean, please look at logs

electech77 Private E-2

Attached Files:

SAS.log

log.txt

MGlogs.zip

electech77 Private E-2

Attached Files:

mbam-log-2008-12-26 (13-59-40).txt

mbam-log-2008-12-26 (16-07-42).txt

dr.moriarty Malware Super Sleuth Staff Member

dr.moriarty Malware Super Sleuth Staff Member

electech77 Private E-2

Attached Files:

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

electech77 Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

electech77 Private E-2

dr.moriarty Malware Super Sleuth Staff Member