Clean or Not Yet

Hi Everyone,

A couple of days ago I decided to clean my PC of infections. I started reading topics on the internet about removing infections and followed their directions. In the process I downloaded many tools, and many infections were deleted. When it seemed everything was fine, I removed everything I had downloaded and chose to keep the following programs: Advanced System Care Pro 5, Malwarebytes Anti-Malware, and Avast Antivirus.

As a last check I downloaded ComboFix and did a scan; it produced the following log:

Please find the Log attached, it seems to be too long to be posted in the topic.

I downloaded the Recovery Console, and new scans don’t show any infections.

I installed aswMBR and the scan showed the following Log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-24 11:58:23
-----------------------------
11:58:23.109 OS Version: Windows 5.1.2600 Service Pack 2
11:58:23.109 Number of processors: 2 586 0x403
11:58:23.109 ComputerName: USER-42137CEAB2 UserName:
11:58:24.937 Initialize success
11:58:25.375 AVAST engine defs: 12032302
11:59:12.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
11:59:12.234 Disk 0 Vendor: STM3250318AS CC38 Size: 238475MB BusType: 3
11:59:12.296 Disk 0 MBR read successfully
11:59:12.296 Disk 0 MBR scan
11:59:12.312 Disk 0 Windows XP default MBR code
11:59:12.312 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
11:59:12.328 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
11:59:12.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
11:59:12.359 Disk 0 scanning sectors +488376000
11:59:12.453 Disk 0 scanning C:\WINDOWS\system32\drivers
11:59:21.781 Service scanning
11:59:31.125 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
11:59:34.109 Modules scanning
11:59:37.781 Disk 0 trace - called modules:
11:59:37.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863921e8]<< \Device\Harddisk0\DR0[0x86338ab8]
11:59:37.859 3 CLASSPNP.SYS[f761705b] -> nt!IofCallDriver -> \Device\0000007b[0x8633c3b8]
11:59:37.875 5 ACPI.sys[f7477620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86383d98]
11:59:37.890 \Driver\atapi[0x863889c8] -> IRP_MJ_CREATE -> 0x863921e8
11:59:39.203 AVAST engine scan C:\WINDOWS
11:59:42.578 AVAST engine scan C:\WINDOWS\system32
12:01:36.671 AVAST engine scan C:\WINDOWS\system32\drivers
12:01:47.875 AVAST engine scan C:\Documents and Settings\AdministratorMMD
12:02:18.359 AVAST engine scan C:\Documents and Settings\All Users
12:02:46.109 Scan finished successfully
12:03:14.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\AdministratorMMD\Desktop\MBR.dat"
12:03:14.953 The log file has been saved successfully to "C:\Documents and Settings\AdministratorMMD\Desktop\aswMBR.txt"

It shows that there is a problem with the following:

“11:59:31.125 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32”
“11:59:37.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863921e8]<<”
“11:59:37.890 \Driver\atapi[0x863889c8] -> IRP_MJ_CREATE -> 0x863921e8”

1. The first is probably from a program, Daemon Tools or Alcohol 120%, which I had installed before, as a Google search showed. Should I delete it, since I don’t have them anymore? I don’t know if I should fix the other two as well.
2. Do I need any more program checks to ensure that my system is clean? Can you please help me with the process?
3. I searched and the anti-malware programs installed don’t seem to conflict; however, any recommendations? And should I download any other programs to keep my system safe?

I would appreciate your assistance and support.
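The three lines the poster picked out of the aswMBR log are the ones worth picking out, and the checker below shows why. It is an added example written for this thread, not part of the original post and not aswMBR's own code. It parses the timestamped entries, records the recognised MBR code, any service aswMBR reports as **LOCKED**, any unnamed (>>UNKNOWN<<) module in the disk I/O call chain, and any IRP hook, and then correlates the hook's target address with the unknown module's address. The thread-derived sample is abridged from the log above; CLEAN_LOG is constructed for contrast and is not from the thread. A locked driver on its own is only a prompt to look closer (copy-protection drivers such as the sptd.sys removed later in this thread protect themselves too); a hook whose target is code aswMBR could not attribute to any file is the stronger indicator.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Entries taken from the aswMBR log posted in the thread, abridged to the
# lines this checker acts on plus a few benign ones for contrast.
THREAD_LOG = """\
11:59:12.296 Disk 0 MBR read successfully
11:59:12.312 Disk 0 Windows XP default MBR code
11:59:21.781 Service scanning
11:59:31.125 Service sptd C:\\WINDOWS\\System32\\Drivers\\sptd.sys **LOCKED** 32
11:59:34.109 Modules scanning
11:59:37.781 Disk 0 trace - called modules:
11:59:37.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863921e8]<< \\Device\\Harddisk0\\DR0[0x86338ab8]
11:59:37.859 3 CLASSPNP.SYS[f761705b] -> nt!IofCallDriver -> \\Device\\0000007b[0x8633c3b8]
11:59:37.890 \\Driver\\atapi[0x863889c8] -> IRP_MJ_CREATE -> 0x863921e8
12:02:46.109 Scan finished successfully
"""

# Constructed log for a machine with nothing to flag (not from the thread).
CLEAN_LOG = """\
11:59:12.296 Disk 0 MBR read successfully
11:59:12.312 Disk 0 Windows XP default MBR code
11:59:21.781 Service scanning
11:59:34.109 Modules scanning
11:59:37.781 Disk 0 trace - called modules:
11:59:37.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:02:46.109 Scan finished successfully
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
MBR_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")
LOCKED_RE = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<")
HOOK_RE = re.compile(r"^\\Driver\\(\w+)\[(0x[0-9A-Fa-f]+)\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")


@dataclass
class Finding:
    kind: str        # mbr | locked_service | unknown_module | irp_hook
    detail: str
    suspicious: bool


def entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, message) for each timestamped line; header lines are skipped."""
    for raw in log.splitlines():
        m = TS_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def analyze(log: str) -> List[Finding]:
    findings: List[Finding] = []
    unknown_addrs = set()
    hooks = []
    for _ts, msg in entries(log):
        m = MBR_RE.match(msg)
        if m:
            # aswMBR names boot code it recognises; anything else deserves a look.
            findings.append(Finding("mbr", m.group(2), "default MBR code" not in m.group(2)))
            continue
        m = LOCKED_RE.match(msg)
        if m:
            # A driver that refuses to be read is self-protecting. Rootkits do this,
            # but so do some legitimate drivers, so this is flagged for review only.
            findings.append(Finding("locked_service", f"{m.group(1)} ({m.group(2)})", True))
            continue
        m = UNKNOWN_RE.search(msg)
        if m:
            addr = m.group(1).lower()
            unknown_addrs.add(addr)
            findings.append(Finding("unknown_module", f"unnamed module at {addr} in disk I/O path", True))
            continue
        m = HOOK_RE.match(msg)
        if m:
            hooks.append(m.groups())
    # A hook is treated as suspicious when its target is an address aswMBR
    # could not attribute to any loaded driver file.
    for driver, _drv_addr, irp, target in hooks:
        into_unknown = target.lower() in unknown_addrs
        note = " -> unknown module" if into_unknown else ""
        findings.append(Finding("irp_hook", f"\\Driver\\{driver} {irp} -> {target}{note}", into_unknown))
    return findings


def suspicious(log: str) -> List[str]:
    """Details of every finding that needs a human to look at it."""
    return [f.detail for f in analyze(log) if f.suspicious]


if __name__ == "__main__":
    for f in analyze(THREAD_LOG):
        print(("!! " if f.suspicious else "   ") + f.kind.ljust(16) + f.detail)
```

Run against the thread's log it reports the default XP MBR as fine and three items for review: the locked sptd service, the unnamed module at 0x863921e8, and the atapi IRP_MJ_CREATE hook whose target is that same address. Run against the constructed clean log it reports nothing. The correlation step is the point: an address in the call chain that matches no driver file, with a disk driver's create dispatch redirected into it, is the pattern a bootkit or filter-driver rootkit leaves, and it is also the pattern a self-protecting copy-protection driver leaves, which is why the helper's next step in this thread was to remove SPTD and rescan rather than to treat the log as proof either way.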

Advanced System Care Pro 5, Malwarebytes Anti-Malware, and Avast Antivirus.
You may want to remove Advanced System Care from IObit after reading these:

http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

You should not run ComboFix unless told to by an instructor, as it may damage your computer.

If you suspect infection, follow this guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

If you have problems attaching, use www.mediafire.com and post the download link.

I have followed the instructions at http://forum.avast.com/index.php?topic=53253.0

The Logs are attached. (The rest of the files are attached in the next post due to attachment limit)

Awaiting your response.

Essexboy is notified… it may take some hours before he arrives.

Ok, meanwhile, regarding Advanced System Care.

I don’t exactly want to use it as a malware detector but, for its tools, I especially like the “Uninstaller” since it removes programs leftovers. Would you recommend any other alternative?

CCleaner and Revo uninstaller (do not use on security programs)

Ok, Thanks Pondus for your help so far :).

I’ll be waiting for the next instructions.

TDSSKiller also shows 5 possible infections, the Log is attached.

What do you think?

I must admit I am not overly happy with the network files. Are you experiencing any problems?

I will remove SPTD and a few remaining malware/useless files.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva393)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva392)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva391)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva389)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva385)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (XDva383)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKRgFt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKRgAc)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKPcFt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKFsFt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKFsAvM)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKFsAv)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (TKFsAc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~2\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2011/11/26 20:14:20 | 000,443,448 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
[2012/03/12 19:51:34 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/03/18 00:28:26 | 000,002,310 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2010/09/14 16:48:25 | 000,002,506 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml
[2012/03/17 00:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2011/03/12 04:25:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\32251
[2012/03/17 00:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2011/05/02 14:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2012/03/17 00:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/11/26 20:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I did as instructed; however, the program isn’t moving. It says “Killing processes. DO NOT INTERRUPT” and that’s it.

I rebooted the first time after about 15 minutes of waiting. I retried the process again, but still the same result.

I’m posting this from another computer, the one being fixed is still not responding. How long should I actually wait until it’s finished?

Do you have Malwarebytes installed? If so, remove this line from the fix script:

[emptytemp]

Yes, will do.

You are a genius!

The fix scan finished, I rebooted, and here is the OTL log from the Quick Scan.

How is it running now? Any problems?

It is running fine. There never really was a big problem; I just wanted to make sure I’m completely clear before making the final restore point. Thanks so far.

If everything is ok, what programs should I download to prevent future infections, other than Malwarebytes and Avast?
Also, what’s a good program to replace Advanced System Care, if I need one at all?

To be honest, I do not know what good Advanced System Care does. I am always wary of tweaking tools, as they can do more harm than good.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean.

A good workman always cleans up after himself, so… the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe.

Well, I cleared all the restore points and removed ComboFix. I ran OTL, and while it was doing the cleanup it froze while it was removing itself, so I rebooted. When the PC restarted, the internet connection was disabled even though the cable is plugged in.

I’m posting this from another PC.

What should I do?

Reboot the system again please.

OTL at that stage is just removing the tools and nothing else.

Problem solved. It appears that one of my brothers moved the router, which caused the cable to come somewhat unplugged.

Sorry for the trouble, I’ll continue with the process.