Infected please help avast admin..

I have restored this computer in the past when it was infected and have now run a scan on avast and MBAM free versions. Avast found = ProcessLoger.exe. MBAM found a “registry data” infection. Here is the log. I selected remove after saving this log for MBAM.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
HP_Owner :: HAPPYPLACE [administrator]

Protection: Enabled

9/2/2012 8:22:47 AM
mbam-log-2012-09-02 (09-56-49).txt

Scan type: Full scan (C:|D:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231348
Time elapsed: 1 hour(s), 32 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

** I will download OTL and the other logs as described in the malware infection section. Please take a look and instruct me what I should do after posting the logs - Polonus, Essexboy…or any other avast forum admin.

Also, I have tried more than 5 times to submit this post and it will not work. The captcha is almost impossible to read and it keeps saying the letters I type are incorrect?! Sorry if this post is posted multiple times, but from what I see, it is not going through.

Thanks

The captcha is almost impossible to read and it keeps saying the letters I type are incorrect?!

It is only the first 3 posts ;)

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Did you click "remove selected" after the scan? Or do you want to keep this setting as it is? (Firewall Disable Notify)

Here's the OTL log.

It’s only allowing me to post one at a time. I will post the extras log in a new reply

Here is the "extras log".

I will now download aswMBR and run that scan…

Here’s the aswMBR log.

Do I need to download RogueKiller, or is this the end of my scans?

I assume someone will respond back and give me further instructions…essexboy?

I await…

Nope only OTL and aswmbr suffice for most cases along with malwarebytes log…

At essexboy: By the way, AdwCleaner is a great program…Just ran it and got rid of orphan registry keys… ;D

What problems are you experiencing ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKU\S-1-5-21-215924604-33753978-349616352-1009\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-215924604-33753978-349616352-1009\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O33 - MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
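As an added illustration (this is not part of the thread and not essexboy's fix), the two artefacts this thread turns on can be checked read-only with PowerShell before anything is removed: the Security Center "DisableNotify" values that MBAM reported as PUM.Disabled.SecurityCenter, and the per-user MountPoints2 AutoRun\command entries of the kind the O33 line above targets. The script only reads the registry and prints what it finds; it assumes a Windows host with PowerShell 2.0 or later, and the value and key names are the standard ones for those locations.

```powershell
# Added example, not from the original thread. Read-only: nothing is changed.
# 1. Security Center notification-suppression values (MBAM's PUM.Disabled.SecurityCenter).
# 2. MountPoints2 Shell\AutoRun\command entries, the classic removable-media launch point
#    seen in the O33 line of the OTL fix.

$secCenter    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notifyValues = 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify'

function Get-SecurityCenterNotifyState {
    if (-not (Test-Path $secCenter)) { return "Security Center key not present" }
    $key = Get-ItemProperty -Path $secCenter
    foreach ($name in $notifyValues) {
        $val = $key.$name
        if ($null -eq $val) {
            "{0,-24} not set (notifications on)" -f $name
        } elseif ($val -ne 0) {
            # A non-zero value silences the Security Center warning; MBAM flags this as a PUM.
            "{0,-24} = {1}  <-- notifications suppressed" -f $name, $val
        } else {
            "{0,-24} = 0 (notifications on)" -f $name
        }
    }
}

function Get-MountPoints2AutoRun {
    # MountPoints2 lives in each user's hive; HKCU covers the logged-on user.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $root)) { return "MountPoints2 key not present" }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            # The command string is the key's (default) value.
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            "{0}`n    AutoRun command: {1}" -f $_.PSChildName, $cmd
        }
    }
}

"== Security Center notification values =="
Get-SecurityCenterNotifyState
"== MountPoints2 AutoRun commands (current user) =="
Get-MountPoints2AutoRun
```

Any MountPoints2 entry that reports an AutoRun command pointing at an executable that was never on that device, or a notification value that is non-zero without the user having set it, is what the OTL script and the MBAM "remove selected" step are there to clear; the listing gives you something concrete to compare against the O33 line before running a fix.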

The only issue I seem to be having is slow system response: delay or lag when opening programs such as a web browser, and slow loading times. This is sporadic though. Then again, this is an older system on Win XP…

Before I run the fix in OTL, may I ask what this will be fixing on my system?

Thank You very much for the assistance. I will check back for a response then run the fix and post the log afterwards…

thanks again

Just removing some orphaned BHOs and emptying your temporary files

I will commence the fix and post the log of the quick scan after. Thank you essexboy.

Please help, I ran the fix in OTL and it ended up hanging on the "killing processes" part for about 2 hours. Assuming this wasn't normal, I held down the power button until my system restarted. Is it safe to run the same fix again? Any suggestions?

I await…

Essexboy is probably in bed now …check back tomorrow :wink:

OK that is Malwarebytes flexing its muscles again
Remove this from the OTL script and it will run sweetly
[emptytemp]

So I will run the same script in OTL and then click "run fix", but without the [emptytemp]?

I will report the log after I do that.

Thanks

Here is the log after running the fix and then the quick scan in OTL

Am I clean now?

What to do next ?


Are you experiencing any problems?

Just running a little slow, e.g. opening Control Panel, opening the browser… But I think it's just my system. I'm not receiving any pop-ups or any redirecting etc…

Curious - when a user submits a scan in OTL, is it to identify malware in the log? Was there any malware or "significance" found in my log?

I was initially concerned because MBAM and avast found an infection on my system, but I'm getting the impression that if I'm not experiencing symptoms then I am now clean? Does the log confirm this? How do I clear the programs I downloaded?

Thanks

OTL shows all the system run keys and main drivers/services along with recently amended files/folders

So I can locate any malware launch points. As it stands your system is showing no indicators of malware

Delete aswMBR from the desktop
Run OTL and hit the cleanup button to remove it

Thanks for the help essexboy.

I think everything is back to normal now.

Not sure if anyone knows how to solve this or not, but I have to double-click my browser icon a second time for it to finally load. This is annoying. Any insight would be appreciated.

What browser is that?