Tech Support Team
#1 - 4th February 2008, 09:35 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Strange virus infecting me! Pls help!

Hey everyone, I have been unlucky enough to be infected with a virus, and so this is my first post!
I sought help on www.techspot.com but they were not informative, and as a result not much has changed. My thread was here: http://www.techspot.com/vb/topic94985.html

I got infected about a month ago, but I have been overseas and so could not do much about the virus. As you can see on the other thread, the computer generally booted extremely slowly and ads for spyware removal kept popping up. Nearly none of my background programs would load either. I followed the preliminary removal instructions, but it showed that a lot of the system files were infected (LSASS.exe etc.), but I still removed them. That was before I went overseas, and now that I am back it has got only marginally better. The blue screen at startup no longer shows. But for some reason, when using internet browsers the computer now hangs every few seconds for about 3 seconds. This makes browsing and watching videos annoying to the point of smashing the box. None of my background programs load, and popups keep telling me that files in the registry are corrupt, or system files are broken, but this hasn't had any effects that I know of. Here they are: http://img137.imageshack.us/img137/9719/popup1yg3.jpg
and http://img208.imageshack.us/img208/7443/popup2ps2.jpg

I have also included the old malware logs from before I left and the one I have done now. Thanks all!
Attached image: strange-virus-infecting-me-pls-help-avg-report.jpg
Attached files: old ComboFix.txt (14.5 KB), old rapport.txt (1.6 KB), old VundoFix.txt (2.3 KB), hijackthis.log (8.8 KB)
#2 - 4th February 2008, 02:43 PM
Howard (TST Master, joined Dec 2007, 3,366 posts)
Hello and welcome to Tech Support Team.

Click Start > Run, type services.msc into the Run box and press the Enter key.

When the window appears, maximise it. Double click on the following service (if present) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

DomainService

Close the Services window.

Step 1
  • Download RenV.exe by sUBs to your desktop.
  • Double click RenV.exe to run it.
  • It will search your system drive looking for any modified .exe files
  • When done it will produce a log for you.
  • Please add this log to your reply.
Step 2
  • Go to Start > Run > type Notepad.exe > click OK.
  • Copy the entire contents of the quote box below to Notepad.
    • It must be Notepad.
  • Name the file as Log.txt (Overwrite any existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Referring to the picture below.
  • Drag Log.txt into RenV.exe
  • Add the resulting log to your reply.

Quote:
C:\WINDOWS\lsass .exe
C:\WINDOWS\lsass .exe
=========================================


Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure you only highlight and copy what is inside the quote box, nothing outside it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\sstqn.exe
C:\WINDOWS\system32\rjjrbpqw.dll
C:\WINDOWS\system32\utazimju.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\efnytbeq.dll
C:\WINDOWS\system32\xtvedfhu.exe
C:\sqmnoopt19.sqm
C:\sqmdata19.sqm
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\DiabUnin.exe
C:\sqmnoopt18.sqm
C:\sqmdata18.sqm
C:\sqmnoopt17.sqm
C:\sqmdata17.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm
C:\sqmnoopt15.sqm
C:\sqmdata15.sqm
C:\WINDOWS\system32\SBFC.dat
C:\sqmnoopt14.sqm
C:\sqmdata14.sqm
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\SBRC.dat
C:\WINDOWS\system32\SBSP.dat

Folder::
C:\VundoFix Backups


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

===================================

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if present).

F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqn.exe

O2 - BHO: {553b35d3-0c51-f7d8-fc84-f7626376b435} - {534b6736-267f-48cf-8d7f-15c03d53b355} - C:\WINDOWS\system32\rjjrbpqw.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\utazimju.dll

O2 - BHO: (no name) - {B49F15EC-39C9-4180-9913-3557D807D344} - C:\WINDOWS\system32\sstqn.dll

O4 - HKLM\..\Run: [380babaf] rundll32.exe "C:\WINDOWS\system32\efnytbeq.dll",b

O4 - Global Startup: CO2 Saver.lnk = C:\Program Files\CO2 Saver\CO2Saver.exe

O20 - Winlogon Notify: utazimju - C:\WINDOWS\SYSTEM32\utazimju.dll

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xtvedfhu.exe (file missing)

Click on the fix checked button.

Close HJT.

==============================================

Post the RenV log, the Combofix log and a fresh HJT log.

Regards Howard

This thread is for the use of DarkVisor only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.

Last edited by Howard; 4th February 2008 at 06:14 PM.
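The HJT entries Howard singles out in the post above share a few structural tells: an autostart hung off the legacy win.ini load= line, BHOs with no display name (or a GUID where the name should be), a Run value named with random hex that loads a DLL through rundll32, a Winlogon Notify DLL outside the stock set, and a service whose binary is already missing. The same random stems (sstqn, utazimju) also recur across sections, which is how a helper ties the entries together as one infection. The script below is an added example, not part of the thread and not HijackThis's own logic. It runs those checks over a constructed log made of the entries quoted above plus two benign control lines (the CO2 Saver startup item, and a made-up BHO with a placeholder CLSID); the stock Winlogon Notify list is an assumption and should be rebuilt from a known-clean machine before anyone relies on it.

```python
"""Triage HijackThis-style log lines for the indicators acted on in the thread.

Added example: not part of the thread and not HijackThis's own logic.
"""
import re
from collections import defaultdict

# Constructed sample log: the entries quoted in the thread plus two benign
# control lines (the CO2 Saver item, and a made-up BHO with a placeholder CLSID).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqn.exe
O2 - BHO: {553b35d3-0c51-f7d8-fc84-f7626376b435} - {534b6736-267f-48cf-8d7f-15c03d53b355} - C:\WINDOWS\system32\rjjrbpqw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\utazimju.dll
O2 - BHO: (no name) - {B49F15EC-39C9-4180-9913-3557D807D344} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: Example Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example Vendor\helper.dll
O4 - HKLM\..\Run: [380babaf] rundll32.exe "C:\WINDOWS\system32\efnytbeq.dll",b
O4 - Global Startup: CO2 Saver.lnk = C:\Program Files\CO2 Saver\CO2Saver.exe
O20 - Winlogon Notify: utazimju - C:\WINDOWS\SYSTEM32\utazimju.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xtvedfhu.exe (file missing)
""".strip()

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)
SECTION = re.compile(r"(F\d|O\d+) - (.*)")

# Assumed stock Winlogon Notify subkeys on Windows XP; build a real allowlist
# from a known-clean machine rather than trusting this list.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def triage_line(line):
    """Return why an HJT line should be fixed, or None if it looks benign."""
    m = SECTION.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section == "F3" and "load=" in body:
        # Nothing modern populates win.ini load=; an entry there is an autostart hideout.
        return "legacy win.ini load= autostart"
    if section == "O2":
        name = body.split(" - ")[0].replace("BHO:", "", 1).strip()
        if name == "(no name)" or GUID.fullmatch(name):
            return "BHO without a display name"
    if section == "O4":
        value = re.search(r"\[([^\]]+)\]", body)
        if value and re.fullmatch(r"[0-9a-f]{8}", value.group(1)) and "rundll32" in body.lower():
            return "Run value named with random hex, loading a DLL via rundll32"
    if section == "O20":
        subkey = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if subkey not in STOCK_NOTIFY:
            return "Winlogon Notify DLL outside the stock set"
    if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return "service with unknown owner and missing binary"
    return None


def triage(log_text):
    """Return (line, reason) pairs for every line that needs attention."""
    hits = []
    for ln in log_text.splitlines():
        reason = triage_line(ln)
        if reason:
            hits.append((ln, reason))
    return hits


def linked_components(log_text):
    """Map file stems that appear in more than one HJT section to those sections.

    A stem that recurs across persistence locations is very likely one
    infection's set of components, which is why all of them get fixed together.
    """
    seen = defaultdict(set)
    for ln in log_text.splitlines():
        m = SECTION.match(ln)
        if not m:
            continue
        for path in PATH.findall(ln):
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            seen[stem].add(m.group(1))
    return {stem: sorted(secs) for stem, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FIX  {reason}\n     {line}")
    for stem, sections in linked_components(SAMPLE_LOG).items():
        print(f"LINK {stem}: {', '.join(sections)}")
```

Run as-is it flags eight of the ten lines and leaves the CO2 Saver item alone, which matches the thread: Howard removed that one only because it did not need to start with Windows, not because it was malicious, so a triage pass should not lump it in with the rest.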
#3 - 6th February 2008, 05:41 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Hey, thank you very much for the reply Howard!!
I have attached the logs you requested, but because I didn't quite understand, 1hijackthis.log is the one I did before the removal, and 2hijackthis.log is the one I did after what you instructed me to check. Just out of interest though, what was the point of deleting CO2Saver.exe?
Attached files: 1hijackthis.log (8.4 KB), 2hijackthis.log (8.1 KB), ComboFix.txt (921 Bytes), Log.txt (4.9 KB)
#4 - 6th February 2008, 06:19 AM
Howard (TST Master, joined Dec 2007, 3,366 posts)
CO2Saver.exe doesn't need to be run on startup, and we didn't actually delete it.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to it (if present).

O2 - BHO: (no name) - {D309E9EC-2C8D-4C24-B517-31195199493D} - C:\WINDOWS\system32\sstqn.dll (file missing)

Click on the fix checked button.

Close HJT.

Apart from the above inactive entry, your HJT log is clean.

Unfortunately you've posted the CFScript, rather than a ComboFix log. Please run ComboFix again and post the log file.

Regards Howard

#5 - 7th February 2008, 06:41 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Thanks again for your reply Howard!
Hmm, I was sure it was the correct log, but I have just done another scan to make sure; here is the new log!
Hmm, everything seems to be fixed except that extremely annoying lag when browsing the internet! Do you get what I mean? Maybe I could post a video or something lol. About every 15 seconds it would just freeze for about 2 seconds, everything except the mouse. I might have been typing, and nothing would come up, but after 2 seconds that whole sentence just pops up like it was on fast forward! It's happened about 15 times while I was typing this message.
I have checked the Processes tab in Task Manager, but there seems to be nothing hogging the CPU, just System Idle Process and Firefox, although the CPU fan seems to speed up and then slow down when the freeze happens. I checked the error report in services.msc but their times do not have much to do with them!
Attached files: hijackthis.log (8.1 KB)
#6 - 7th February 2008, 08:19 AM
Albert Lionheart (TST Oracle, joined Dec 2007, 8,001 posts, Market Haemorrhoids, Middle England)
Maybe there is a clue in the symptom you mention about the fan speed changing. This happens all the time to a small degree but it might indicate your PSU is not working properly.
You could download Everest from majorgeeks.com and run computer - sensor to see what the voltages are - if you report them we can check for you.
#7 - 7th February 2008, 12:15 PM
Howard (TST Master, joined Dec 2007, 3,366 posts)
I asked you to post a fresh Combofix log, not a HJT log.

Regards Howard

#8 - 8th February 2008, 01:18 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
hehe I already have Everest! I'll post voltages when I get home.

Sorry Howard, don't know what I was thinking! I'll post the ComboFix log also in about 3 hours!

About the PSU thing, I also found this thread: http://www.techspot.com/vb/showthrea...457#post573457

But they are using a laptop and seem to think that it's overheating.
#9 - 8th February 2008, 01:31 AM
Howard (TST Master, joined Dec 2007, 3,366 posts)
Ok, no problem mate.

Regards Howard

#10 - 8th February 2008, 06:56 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Here I've included ComboFix.txt and the computer voltages from Everest. Is the CPU supposed to have this voltage? lol
Attached files: voltages.txt (140 Bytes), ComboFix.txt (921 Bytes)
#11 - 8th February 2008, 07:53 AM
Albert Lionheart (TST Oracle, joined Dec 2007, 8,001 posts, Market Haemorrhoids, Middle England)
Voltages look OK to me.
I look forward to what Howard has to say about the other log.
cheers
#12 - 8th February 2008, 09:12 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Hey Lionheart, lol that's good and bad to hear: good that my PSU isn't broken, but bad that I still haven't found the source of this stupid problem! Hmm, I just tried running MSN Messenger, and it does the exact same thing to that. I don't know, maybe it's the .NET Framework or something. What do Firefox, IE and MSN Messenger all have in common?

Still looking forward to your reply about the log Howard!
#13 - 8th February 2008, 09:24 AM
Albert Lionheart (TST Oracle, joined Dec 2007, 8,001 posts, Market Haemorrhoids, Middle England)
If this only happens when accessing the net from any of the browsers or MSN, then perhaps it is a firewall issue.
If you have a firewall in the modem router, turn off any other firewall(s) in Windows.
If this doesn't make a difference, try turning off the antivirus software temporarily to see if this improves things.
I have not heard of a problem running Firefox and IE side by side, but you could try uninstalling Firefox.
#14 - 8th February 2008, 12:34 PM
Howard (TST Master, joined Dec 2007, 3,366 posts)
For whatever reason, that still isn't a full ComboFix log. Let's do this instead.

Download Deckard's System Scanner and save it to your desktop. Note: You must be logged onto an account with administrator privileges. Save all your work and close all opened programs. Double click on dss.exe to run it. Follow the prompts. When the scan is complete, two log files will be produced. The first one, main.txt, will be maximized, the second one, extra.txt, will be minimized. Please post the contents of the 2 log files in your next reply.

Regards Howard

#15 - 8th February 2008, 11:09 PM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Hmm, I don't know why they weren't the full logs, but at the end of the ComboFix scan, after the computer restarts, the little box that loads onto the desktop freezes for some reason, so I have to close it manually. Maybe it was supposed to save the logs after this? It stays like that for an abnormal amount of time (I had it there for half an hour before I closed it).
But I have included the system scanner logs!
Hmm, I don't know if it's a firewall issue; the virus disabled all of my startup programs except for the sound manager, so I don't have the firewall or antivirus up!

Also, the virus seems to have disabled autoplay support. Any idea on how to turn this back on?
#16 - 9th February 2008, 09:27 AM
Howard (TST Master, joined Dec 2007, 3,366 posts)
Please post the DSS logs.

Until such time as we can get rid of whatever infections you have, we're going to struggle to fix this.

Regards Howard

#17 - 9th February 2008, 10:12 PM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
here they are
Attached files: main.txt (15.3 KB), extra.txt (18.5 KB)
#18 - 10th February 2008, 06:52 AM
Howard (TST Master, joined Dec 2007, 3,366 posts)
Your system still has the RenV infection.


Step 1
  • Download RenV.exe by sUBs to your desktop.
  • Double click RenV.exe to run it.
  • It will search your system drive looking for any modified .exe files
  • When done it will produce a log for you.
  • Please add this log to your reply.
Step 2
  • Go to Start > Run > type Notepad.exe > click OK.
  • Copy the entire contents of the quote box below to Notepad.
    • It must be Notepad.
  • Name the file as Log.txt (Overwrite any existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Referring to the picture below.
  • Drag Log.txt into RenV.exe
  • Add the resulting log to your reply.

Quote:
C:\WINDOWS\system32\spoolvs .exe
C:\WINDOWS\system32\printer .exe
C:\WINDOWS\system32\spoolvs .exe
C:\WINDOWS\system32\printer .exe
C:\Program Files\BitTorrent\bittorrent .exe
C:\Program Files\MSN Messenger\MsnMsgr .exe
Once done, run a fresh DSS scan and post the DSS Main.txt as well as the RenV log.

Regards Howard

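Every entry in the RenV list in the post above relies on one trick: a space between the file name and its extension, so "spoolvs .exe" sits beside the real file and passes a casual glance in Explorer or Task Manager (and "spoolvs" is itself a letter-swap of the real print spooler, spoolsv.exe). RenV's job is to find and rename those companions; the script below is an added example, not the thread's and not RenV's own logic, that shows the same check in Python. It builds a constructed directory tree modelled on the list above, finds every executable whose stem ends in whitespace, reports whether the clean-named sibling exists, and compares the stripped name against an assumed list of commonly impersonated Windows process names (exact match or anagram). The file contents are placeholder bytes, not real binaries.

```python
"""Find 'companion' executables whose name carries a space before the
extension (lsass .exe beside lsass.exe), the pattern RenV renames.

Added example: not part of the thread and not RenV's own logic.
"""
import os
import tempfile
from pathlib import Path

# Assumed list of Windows process names that droppers like to impersonate.
MIMICKED = {"lsass", "spoolsv", "svchost", "csrss", "winlogon", "services", "explorer"}
SCANNED_SUFFIXES = {".exe", ".dll", ".scr"}


def lookalike(stem):
    """Return the protected name a stem copies or anagrams (spoolvs -> spoolsv), else None."""
    stem = stem.lower()
    for name in MIMICKED:
        if stem == name or sorted(stem) == sorted(name):
            return name
    return None


def find_companions(root):
    """Walk root and return (companion, original_or_None, mimicked_or_None) for every
    executable whose stem ends in whitespace; original is the sibling with the space removed."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        if path.stem == path.stem.rstrip():
            continue  # no trailing whitespace before the extension: not the pattern
        clean = path.stem.rstrip()
        original = path.with_name(clean + path.suffix)
        hits.append((path, original if original.exists() else None, lookalike(clean)))
    return sorted(hits, key=lambda h: str(h[0]))


def build_sample_tree(base):
    """Constructed layout mirroring the RenV list in the thread (not a real disk image)."""
    layout = {
        "WINDOWS/system32/lsass.exe": b"MZ legit",
        "WINDOWS/system32/lsass .exe": b"MZ dropper",
        "WINDOWS/system32/spoolsv.exe": b"MZ legit",
        "WINDOWS/system32/spoolvs .exe": b"MZ dropper",  # anagram of spoolsv, no direct sibling
        "Program Files/BitTorrent/bittorrent.exe": b"MZ legit",
        "Program Files/BitTorrent/bittorrent .exe": b"MZ dropper",
        "Program Files/CO2 Saver/CO2Saver.exe": b"MZ legit",  # space in the path, not before the extension
    }
    for rel, data in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the sample tree in a temp dir and return (relative path, original found, mimicked)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(str(c.relative_to(tmp)).replace(os.sep, "/"), o is not None, m)
                for c, o, m in find_companions(tmp)]


if __name__ == "__main__":
    for rel, has_original, mimic in demo():
        print(f"{rel!r}: original present={has_original}, impersonates={mimic}")
```

The "original present" column matters when cleaning up: where the clean-named sibling exists, the companion is the only file to remove; where it does not (the spoolvs case), the name alone was the disguise and there is no legitimate file to protect, but the anagram check still tells you which system process it was pretending to be.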
#19 - 11th February 2008, 06:18 AM
DarkVisor (Newcomer, joined Feb 2008, 11 posts)
Hey everyone! Here are the logs you requested Howard; Log2.txt is the one after I did the removal of those files, the other one is from before.

By the way, do you know what
C:\Program Files\Bonjour\mDNSResponder.exe
is? It keeps trying to access the internet, and I don't know if it is a Microsoft file!
Attached files: Log2.txt (4.6 KB), Log.txt (4.7 KB), main.txt (13.0 KB)
#20 - 11th February 2008, 10:55 AM
Daveskater (Community Moderator, joined Dec 2007, 4,345 posts, Oxford, UK)
That file is a part of iTunes, so it's ok.

Howard will advise you on the next steps to take when he comes back online