serious infection [Solved]


  • This topic is locked This topic is locked

#1 heat123 (Member, 298 posts)

I have removed the MyWebSearch toolbar using Malwarebytes Anti-Malware. There is a remnant left on the system that Malwarebytes could not remove, not even on reboot. The file name is C:\Windows\system32\f3PSSavr.scr. This is the only infection on my computer according to a scan by ThreatFire, a full AVG scan, and a quick scan by Malwarebytes. I used TFC to clear the temporary files. ERUNT, GMER, and your main log scanner would install but not open on my computer; I got ERUNT open but my computer froze. So I rebooted and removed it from the computer. So the quick scan is the only thing that was successful. The quick scan is below. Please help me remove this remnant from the infection and any other hidden infections. I also need to restore my desktop to the colorful design once the infection is fully removed, because it is grey and it is not the colored taskbar etc. Thanks for the help and effort.

Malwarebytes' Anti-Malware 1.44
Database version: 3803
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/27/2010 1:40:10 PM
mbam-log-2010-02-27 (13-40-05).txt

Scan type: Quick Scan
Objects scanned: 114373
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\f3PSSavr.scr (Trojan.Agent) -> No action taken.
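A small parser for the Malwarebytes log layout quoted in the post above, added here as an example and not part of the original thread: it reads the header fields, the summary counts and the per-section entries, checks that each count matches the entries actually listed, and flags entries whose action is anything other than a quarantine (such as the "No action taken" on the remnant). The sample log is constructed in the same layout, and the rule that a cleaned entry's action starts with "Quarantined" is an assumption.

```python
import re

# Constructed sample in the Malwarebytes 1.x log layout; the file line
# reuses the entry quoted in the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3803
Scan type: Quick Scan
Objects scanned: 114373

Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\f3PSSavr.scr (Trojan.Agent) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split a log into header fields, summary counts and per-section items."""
    header, counts, items, current = {}, {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            current = items.setdefault(m["section"], [])
        elif current is not None:
            if m := ITEM_RE.match(line):  # "(No malicious items detected)" does not match
                current.append({"path": m["path"], "detection": m["detection"], "action": m["action"]})
        elif ": " in line:  # header fields such as "Database version: 3803"
            key, _, value = line.partition(": ")
            header[key] = value
    return header, counts, items


def review_mbam_log(text):
    """Return (sections whose count disagrees with the listed entries,
    entries that were not quarantined and so still need attention).
    Assumption: a cleaned entry's action starts with "Quarantined"."""
    _, counts, items = parse_mbam_log(text)
    mismatches = [s for s, n in counts.items() if n != len(items.get(s, []))]
    pending = [e for sec in items.values() for e in sec if not e["action"].startswith("Quarantined")]
    return mismatches, pending
```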


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Can you get into safe mode? If so, run this:

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 heat123 (Topic Starter, Member, 298 posts)

Here is the file. It is attached. It was not necessary to run it in safe mode; it ran in normal mode. I also followed all the steps you said and double-checked to make sure I did everything right.

Thanks,
heat123

Attached Files: OTS.Txt (143.73KB, 172 downloads)


#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, let's run this first and then look at the desktop problem. I will need to boot to my Vista partition to get it right :)

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "" -> []
[Custom Items]
:files
C:\Windows\system32\f3PSSavr.scr 
:end
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#5 heat123 (Topic Starter, Member, 298 posts)

Yes, I ran the fix and it said I needed to reboot, so it rebooted and then the log came up on startup. The file was not found, so that may be a good sign, since it may not be on the system or it may still be hiding. There have been no problems at all. The only problem is that the taskbar and desktop are still grey when they are supposed to normally be the more colorful design. The log that appeared on the screen at startup is below.

All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
[Custom Items]
========== FILES ==========
File/Folder C:\Windows\system32\f3PSSavr.scr not found.
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mark
->Temp folder emptied: 164767 bytes
->Temporary Internet Files folder emptied: 32152132 bytes
->Java cache emptied: 50608918 bytes

User: Public

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10811832 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 89.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.22.3 fix logfile created on 02282010_131928

Files\Folders moved on Reboot...
C:\Windows\temp\JET1D9D.tmp moved successfully.
C:\Windows\temp\wbxtra_02272010_141038.wbt moved successfully.

Registry entries deleted on Reboot...

Thanks,
heat123

Edited by heat123, 28 February 2010 - 12:25 PM.


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, for the background etc.: have you right-clicked the screen and selected Personalise? When you do you will see this screen; from here you can change the background, theme, screensaver and toolbar.


Let me know if this works

#7 heat123 (Topic Starter, Member, 298 posts)

I will check on that when I get back to that computer. So is there any infection on it, or is it completely removed with no remnants? Is the only issue left just changing the background on the desktop etc.? I will reply tomorrow around 4 p.m. Eastern time. Sorry for the delay.

Thanks,
heat123

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Aye, I can see nothing untoward. I will remove the tools and tidy up tomorrow when you check out the background and ensure that all appears well.

Nearly my bedtime now anyway :)

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean :)

A good workman always cleans up after himself, so run OTS and hit the Cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: it is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe :)

#10 heat123 (Topic Starter, Member, 298 posts)

Did all those steps. My system appears to be running fine without any issues.

Thanks,
heat123

#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Glad all is well. Keep safe :)

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.