I’m working on an older Gateway laptop with Windows XP that belonged to someone else. Aside from all the infections (HiJackers, viruses, Trojans, RootKits), they installed something to try and make it look like a Mac OS X. I’ve removed everything I could find, and while it now brings up the Windows startup screen instead of Apple, when you get to the login screen it still shows the apple. I can live with this.
I’m really a novice, but I’ve been working on this thing, trying everything I can Google. I ran Malwarebytes and SuperAntiSpyware. Among other things, one of them showed 3 RootKits. I ran Microsoft Security Essentials, but it didn’t appear to be working right. So I removed that with AppRemover, and then I installed the Avast Internet Security trial version since I have the paid version of that on my desktop.
There were some infections that the last boot scan couldn’t move to the chest. It said error 0xC000007F because the disk was full. I am running another boot scan now and so far it’s at 74% with no infections so maybe I am getting them. Also, I did a full scan a bit ago and it showed 1 infection that couldn’t be moved to the chest because disk was full.
Can anyone offer any advice on this?
If I have RootKits, will Avast remove them? If not, can someone suggest a good, free RootKit scanner?
I ran MBAM and also SAS and saved the logs to post. Then I ran the OTL and I wonder if I did something wrong. I thought the instruction page said this scan doesn’t take too long to run, but it appears to still be running on my machine, even though there is no longer anything running through the box on the bottom.
Various things in those items I had to paste in that box will disappear and then reappear. On my desktop, some of the text under icons will get dark and smeary and several of those have cleared up, but several are still that way.
Also, I had IE open/minimized when the scan started and I was going to maximize it and try and go back to this post and look at it again. The page opened but I couldn’t do anything else. I am using my desktop to post this reply.
I think something has definitely gone wrong on this OTL. I tried to open Task Manager to see if it was still running. All I get is a blank popup window (not the Task Manager window) with nothing in it. This has been running for at least 40 minutes, so what should I do now?
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
* Double click on ComboFix.exe & follow the prompts.
* Accept the disclaimer and allow to update if it asks
Everything finally went back to normal after running OTL and it said at the very bottom that the scan was complete; however, no log files appeared. I saved OTL to my desktop, so to my understanding that’s where the two log files should have appeared. Where else would I look for them? I am on the laptop now so I will attach MBAM and SAS logs.
I don’t think the MBAM log got attached so will try that again.
I am ashamed of myself; thought I could follow directions better than I did.
I think I know what happened to the OTL logs. An Avast window popped up telling me I should run something in Sandbox. I just closed it and later noticed that this option is selected within the box. Since I didn’t change it, that’s probably why nothing was saved. Should I run OTL again? Do you still want me to run that aswMBR?
I really messed up on the ComboFix. I did change the name to Gotcha, but I forgot to turn off my Avast. It gave me a box reminding me to shut it off, but right after that I got a blue screen, a very quick flash, and then it rebooted. Should I try to run it again? Sorry for messing this up so.
I had downloaded that aswMBR.exe, so if I should run that let me know.
You told me to change the name of that ComboFix to Gotcha before running it, which I did. Now, when I open my C drive there is a folder that says Gotcha. It has an icon like a Mac. When I open it what appears is the same thing that appears when I open My Computer. The previous owner had installed a bunch of junk to make it look like a Mac. I uninstalled so much but still get a white box in the center of my login screen which has the Apple on it and says Mac OS X. That is the only apparent Mac stuff left, except this icon that appears under My Computer/C Drive and is labeled Gotcha, as explained. If you happen to know what is causing that, would you advise?
That is to do with the icon set up on the system - I will have a rummage around and see if I can find a way to reset the defaults. Did ComboFix produce a log? And yes, please run aswMBR.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
* Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?babsrc=HP_ss&affID=100842&mntrId=96a6b0d40000000000000013024cdbb2"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=100842&mntrId=96a6b0d40000000000000013024cdbb2&q="
FF - HKLM\Software\MozillaPlugins\@funwebproducts.com/Plugin: C:\Program Files\FunWebProducts\Installr\1.bin\NPFunWeb.dll File not found
[2011/09/16 20:38:50 | 000,000,000 | ---D | M] (Babylon) -- C:\Documents and Settings\Cindy\Application Data\Mozilla\Firefox\Profiles\14vtphd7.default\extensions\ffxtlbr@babylon.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
[2011/09/16 20:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cindy\Application Data\BabylonToolbar
[2011/09/16 20:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cindy\Local Settings\Application Data\Babylon
[2011/09/16 20:38:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cindy\Application Data\Babylon
[2011/09/16 20:38:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2011/04/09 17:20:28 | 000,014,248 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\808i25420l26k
[2011/04/08 22:01:47 | 000,014,244 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1396238970
[2011/04/08 22:01:47 | 000,014,240 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3400359798
[2011/04/05 07:55:27 | 000,014,366 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\808i25420l26k
[2011/04/05 07:55:27 | 000,014,244 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\808i25420l26k
* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
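A small parser for the three kinds of lines that appear in the OTL fix script above, added here as an illustration (it is not part of the thread, nor of OTL itself). It reads the file, O2/O3 and FF entry formats and reports the traits a helper looks for when triaging such a log: hidden+system files with random-looking names under Application Data, BHO/toolbar entries whose CLSID no longer resolves, and search or start-page prefs pointed at an unexpected host. The sample lines are taken from the fix script in the thread; the heuristics are my own assumptions, not OTL's.

```python
import re
from urllib.parse import urlsplit

# Sample input: lines in the shape of the OTL fix script posted in this thread.
SAMPLE = """\
:OTL
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?babsrc=HP_ss&affID=100842"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKLM\\..\\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
[2011/09/16 20:43:36 | 000,000,000 | ---D | C] -- C:\\Documents and Settings\\Cindy\\Application Data\\BabylonToolbar
[2011/04/08 22:01:47 | 000,014,244 | -HS- | C] () -- C:\\Documents and Settings\\All Users\\Application Data\\1396238970
"""
# File entry: [timestamp | size | attributes | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| "
    r"(?P<cm>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")
# O2 (BHO) and O3 (toolbar) entries carrying a CLSID
REG_RE = re.compile(r"^(?P<otype>O[23]) - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\}(?P<rest>.*)$")
# Firefox prefs.js entries
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<value>.*)"$')
# Prefs that decide where searches and the start page go (assumed list)
SEARCH_PREFS = ("browser.startup.homepage", "keyword.URL", "browser.search.")

def parse_line(line):
    """Return (kind, target, [reasons to look twice]) or None for non-entry lines."""
    m = FILE_RE.match(line)
    if m:
        reasons = []
        if "H" in m["attrs"] and "S" in m["attrs"]:
            reasons.append("hidden+system attributes")
        name = m["path"].rsplit("\\", 1)[-1]
        # assumption: a digits/lowercase-only name of 8+ chars in Application Data is odd
        if "Application Data" in m["path"] and re.fullmatch(r"[0-9a-z]{8,}", name):
            reasons.append("random-looking name under Application Data")
        return ("file", m["path"], reasons)
    m = REG_RE.match(line)
    if m:
        reasons = ["orphaned CLSID"] if "No CLSID value found" in m["rest"] else []
        return ("registry", m["clsid"], reasons)
    m = FF_RE.match(line)
    if m:
        reasons = []
        if m["pref"].startswith(SEARCH_PREFS):
            where = urlsplit(m["value"]).hostname or m["value"]
            reasons.append(f"search/start page pref set to {where}")
        return ("ffpref", m["pref"], reasons)
    return None

def triage(text):
    """Parse a whole fix script and keep only entries with at least one reason."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [e for e in entries if e[2]]
```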
No log on ComboFix. There, too, that sandbox window kept opening and I didn’t realize what I needed to do so nothing was saved. I did go into Avast and turn off the Autosandbox now.
There may be a bit of a problem with this second OTL run. I copied everything in that blue box and pasted it in the OTL window, then selected Run Fix. At the bottom of the window it shows “Processing Complete” – Task Manager shows OTL as running.
It has not restarted and I can’t do anything. If I click on the box to try and close it so I can restart, it just dings. Please advise.
UPDATE:
I ran the aswMBR first - log attached.
On the Run Fix for OTL, I finally had to open new task in Task Mgr. (explorer.exe) and then was able to close the OTL box and restart. On restart the OTL run box opened on desktop so I clicked run and it gave me a report, which is attached.
I then ran OTL quick scan again. It only generated one report this time.
I’m still wondering about those 3 rootkits that were found by one of the programs I used previously. Is there any way to check and make sure they don’t still exist?
I’m thanking you for all your help. Sure wish I would not have messed up that ComboFix run.
I can see you have a lot of people to help, but I hope you will get back to me so I can get my computer cleaned up and ready to go. I would like to hear on the three files I submitted yesterday.
I’m sure it was Microsoft Security Essentials. It was malfunctioning after I finally got it installed so I uninstalled it. I then installed Avast IS which gave no problems even with all the problems on this computer. It is definitely getting better all the time. I worry about the rootkits because I’ve read that rootkits can stay well hidden.
I ran scans yesterday with Avast and MBAM and both were clean. Ran SAS and it still shows 1 infection, which is System.BrokenFileAssociation HKCR.exe.
I scanned with Reimage (thinking about using it to solve my Windows Update problem) and it indicates that Microsoft Security Client and Microsoft Security Client Setup have both been crashing. I don’t know what these are. I do not find them in the program list in Revo Uninstaller, and nothing in C:\Program Files. I did find one entry when I searched the registry. Googling said it could be one of those rogue security programs.
I also found a bunch of AVG items in registry. Apparently this machine had AVG on it and I think it was uninstalled, but not a clean uninstall. I ran their removal tool and the log would indicate there are still items on the computer but many instances showed “failed” so just in case it would be helpful I will attach that log.
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
* Double click on ComboFix.exe & follow the prompts.
* Accept the disclaimer and allow to update if it asks
Since I already have that first ComboFix file on my desktop, named Gotcha, will you tell me how I can get rid of that? I assume that this old file is not going to interfere with downloading a new one?
Below see a window that popped up while ComboFix was running. I clicked yes. The window said installation was successful. It said on restart I would get a black screen offering to boot into recovery console mode. It said for normal use to just ignore the black screen and Windows would boot normally in 2 seconds. Now, I assume I am to ignore this black screen for the purposes of ComboFix. I am going to send this and hope you will answer before the black screen appears.
This machine does not have the Microsoft Windows recovery console installed. Alternately, an existing installation of the recovery console may be present but requires updating.
Without it, ComboFix shall not attempt the fixing of some serious infections.