Please check my HijackThis results ASAP! [Solved]


#16 Joey23 (Member, Topic Starter, 16 posts)

Hi Buddierdl,

MSE went well. Thank you for your help :)

Virus total link:
https://www.virustot...sis/1363773830/


MCShield said the drive was infected... then said the scan is complete? Its protection is currently on.

#17 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)

MCShield said the drive was infected... then said the scan is complete? Its protection is currently on.

Let's look at the log. You will find it by clicking the "Start" button, then following this path:

All Programs > MCShield > Logs > All Scans

#18 Joey23 (Member, Topic Starter, 16 posts)

This is what I found... it's the HP CloudDrive rather than my mobile.

>>> MCShield AllScans.txt <<<

>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.3.17.1 / NT6.1 <<<

20/03/2013 8:02:38 PM > Drive C: - scan started (no label ~448 GB, NTFS HDD )...
=> The drive is clean.

20/03/2013 8:02:39 PM > Drive D: - scan started (RECOVERY ~17 GB, NTFS HDD )...
=> The drive is clean.

20/03/2013 8:03:09 PM > Drive Z: - scan started (HP CloudDrive ~2048 MB, FAT32 flash drive )...
---> Note: traces of file replicators have been found!
---> Executing generic S&D routine...

>>> Z:\Data JOESPHINE.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\01_Genesis\01_Genesis.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Agpia\Agpia.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 11 and 12\Yr 11 and 12.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 3\Yr 3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 3 and 4\Yr 3 and 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 4\Yr 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 4 and 5\Yr 4 and 5.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 5\Yr 5.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 6\Yr 6.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 7 and 8\Yr 7 and 8.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\bible studies from st marks church website..arncliffe\Yr 9 and 10\Yr 9 and 10.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\Coptic Fonts\Coptic Fonts.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\deuterocanonical books\deuterocanonical books.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\PREPARED SUNDAY SCHOOL LESSONS FROM ST MARKS CHURCH ARNCLIFFE, SYDNEY\PREPARED SUNDAY SCHOOL LESSONS FROM ST MARKS CHURCH ARNCLIFFE, SYDNEY.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\Saneksar\Saneksar.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\servants prep\servants prep.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\StMark\E-Katamarous3\E-Katamarous3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Coptic Orthodox Documents\StMark\E-Katamarous3\Pict\Pict.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\English Tasbeha - St Anthony Monastery California\part 1\part 1.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\English Tasbeha - St Anthony Monastery California\part 2\part 2.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Great Lent -sunday vesper praises\Great Lent -sunday vesper praises.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Great Lent Liturgy- Wadgi bishara\Great Lent Liturgy- Wadgi bishara.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Griffith University, Nursing.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Anatomy and Physiology 1974MSC.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Labs\week 2\week 2.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Labs\week 4\week 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Lectures\wk1\wk1.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Lectures\wk2\wk2.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Lectures\wk3\wk3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Lectures\wk4\wk4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Anatomy and Physiology 1974MSC\Lectures\wk5\wk5.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\Clinical Health Assessment 1977NRS.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\wk 1\wk 1.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\wk 2\wk 2.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\wk 3\wk 3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\wk 4\wk 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Clinical Health Assessment 1977NRS\wk 5\wk 5.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Effective Communication 1801NRS.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Lectures\Week 1\Week 1.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Lectures\Week 2\Week 2.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Lectures\Week 3\Week 3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Lectures\Week 4\Week 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Tutorials\Week 3\Week 3.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Tutorials\Week 4\Week 4.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\Griffith University, Nursing\Effective Communication 1801NRS\Tutorials\Week 5\Week 5.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\J\Basil Liturgy - A-rab\Basil Liturgy - A-rab.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\J\Christmas Liturgy 1998\Christmas Liturgy 1998.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\J\Gregorian Liturgy - English\Gregorian Liturgy - English.exe - Malware > Deleted. (; MD5: 73c723d924b3b8c9459655fc8cfa1f1e)
>>> Z:\J\Gregorian Liturgy - English\desktop.ini - Malware > Deleted. (; MD5: aea2fa668453e23c431649801e5ea548)

=> Malicious files : 50/50 deleted.
____________________________________________
::::: Scan duration: 1min 43sec ::::::::::::
____________________________________________

Edited by Joey23, 20 March 2013 - 07:02 AM.


#19 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)

Hi Joey23,

Almost there! Do you recognize the files shown in that last log? They seem to have legit document names, but they are all identical executables.

Step 1: Run Farbar's Service Scanner.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all of the options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step 2: Update Windows. You need to update Windows 7 to Service Pack 1 to make sure that your computer is secure. You should automatically get this update through Windows Updates. Check for it as follows. Also install any other important or critical updates.
  • Click the Start button, click All Programs, and then click Windows Update.
  • In the left pane, click Check for updates.
  • If any important updates are found, click the link to view available updates. In the list of updates, select Service Pack for Microsoft Windows (KB976932), and then click OK.
  • Click Install updates. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Follow the instructions on your screen.
  • After the installation is complete, log on to your computer at the Windows logon prompt. You might see a notification indicating whether the update was successful.

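The observation Buddierdl makes in the post above (legitimate folder and document names, but one identical executable body behind all of them) is the signature of a USB file replicator, and it can be checked mechanically rather than taken on an antivirus verdict. The script below is an added example written for this thread; it is not MCShield's code and was not posted by anyone in it. It builds a constructed stand-in for drive Z: in a temporary directory (harmless bytes, not real malware) and applies two checks: executables named after a folder beside them or the folder enclosing them, as in `Z:\Data JOESPHINE.exe` and `Z:\01_Genesis\01_Genesis.exe`, and clusters of executables that share one hash under different names, as the 50 copies of MD5 73c723d9... did. The extension list and the `min_copies` threshold are assumptions chosen for the example.

```python
"""Spot 'folder-mimic' replicator files on a removable drive.

Added example for this thread (not MCShield's code): the log above shows the
classic USB-worm layout, one executable body copied once per folder and named
after that folder, so every copy shares one MD5. Two checks reproduce that
observation: name-matches-a-folder, and many names sharing one hash.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions a replicator typically uses for its lookalike files (assumption).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs", ".lnk"}


def md5_of(path: Path) -> str:
    """MD5 as MCShield reports it; used only as a grouping key, not for trust."""
    h = hashlib.md5(usedforsecurity=False)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def folder_mimics(root: Path) -> list[Path]:
    r"""Executables named after a directory next to them (Z:\Data JOESPHINE.exe
    beside Z:\Data JOESPHINE\) or after the directory holding them
    (Z:\01_Genesis\01_Genesis.exe); both patterns appear in the MCShield log."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {n.lower() for n in dirnames}
        for name in filenames:
            p = here / name
            if p.suffix.lower() not in EXEC_SUFFIXES:
                continue
            stem = p.stem.lower()
            if stem in sibling_dirs or (here != root and stem == here.name.lower()):
                hits.append(p)
    return sorted(hits)


def identical_executables(root: Path, min_copies: int = 3) -> dict[str, list[Path]]:
    """Hashes shared by >= min_copies executables carrying different names:
    one worm body, many names (the 73c723d9... cluster in the log)."""
    by_hash: dict[str, list[Path]] = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_SUFFIXES:
                by_hash[md5_of(p)].append(p)
    return {h: sorted(ps) for h, ps in by_hash.items()
            if len(ps) >= min_copies and len({q.name.lower() for q in ps}) > 1}


def build_sample_drive() -> Path:
    """Constructed stand-in for drive Z: (harmless bytes, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="fake_drive_"))
    worm = b"MZ" + b"\x00" * 64 + b"constructed fake worm body"
    for folder in ("01_Genesis", "Agpia", "J/Christmas Liturgy 1998"):
        (root / folder).mkdir(parents=True)
        (root / folder / "notes.docx").write_bytes(b"legit document")
        # in-folder copy, named after the folder that holds it
        (root / folder / (Path(folder).name + ".exe")).write_bytes(worm)
    (root / "Data JOESPHINE").mkdir()
    (root / "Data JOESPHINE.exe").write_bytes(worm)      # copy beside a folder
    (root / "setup.exe").write_bytes(b"MZ" + b"\x01" * 64 + b"unique installer")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for p in folder_mimics(drive):
        print("folder mimic:", p.relative_to(drive))
    for digest, paths in identical_executables(drive).items():
        print(f"{len(paths)} executables share MD5 {digest}")
```

Run as-is it prints the four lookalike files and their shared hash; point `folder_mimics` and `identical_executables` at a mounted removable drive to triage a real one. Worms of this kind usually also set the hidden and system attributes on the real folders so that only the lookalike executables show in Explorer, so before concluding that the original folders are gone, list hidden entries on the drive (`dir /a` or `attrib` in a command prompt) and clear those attributes rather than restoring anything from quarantine.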

#20 Joey23 (Member, Topic Starter, 16 posts)

Hi :)

Yes, I recognized them...but they weren't initially exe files.


FSS Log:

Farbar Service Scanner Version: 03-03-2013
Ran by Joesphine (administrator) on 21-03-2013 at 16:50:35
Running from "C:\Users\Joesphine\Desktop"
Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-02-18 19:29] - [2013-01-04 15:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


I think the update was successful because when the Laptop restarted, it was configuring the update.
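The FSS report above is plain text with a fixed shape: a section name followed by a line of `=`, service lines, registry policy values, and a File Check list where a known-good file prints `=> MD5 is legit` and anything else prints the path plus a details line. The script below is an added example written for this thread, not FSS's own code; it parses that format (using a constructed excerpt copied from the log above) into the findings a helper reads the log for: services not running or with a non-default start type, policy values that switch a protection off, and File Check entries without a hash match. Two entries in this particular log deserve a caveat when reading its output: on Windows 7, Microsoft Security Essentials turns Windows Defender off when it is installed because it supersedes Defender, so the `DisableAntiSpyware` policy and the stopped WinDefend service are expected on a machine that just had MSE installed; and a File Check entry without `MD5 is legit` only means the hash is not in FSS's table, which also happens when Windows Update has replaced the file with a newer build, so confirm the file's Authenticode signature before treating it as tampered.

```python
"""Triage a Farbar Service Scanner (FSS.txt) report.

Added example for this thread, not FSS's own code. It parses the plain-text
sections shown above and pulls out what a helper reads the log for: services
not running or with a non-default start type, policy values that switch a
protection off, and File Check entries FSS could not match to its known-good
MD5 table (printed as a path plus a details line instead of "MD5 is legit").
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the FSS format, copied from the log posted above.
SAMPLE_LOG = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-02-18 19:29] - [2013-01-04 15:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

**** End of log ****
"""


@dataclass
class Finding:
    section: str
    kind: str    # "service", "policy" or "file"
    detail: str


SECTION_RE = re.compile(r"^(.+):$")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
POLICY_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
FILE_LEGIT_RE = re.compile(r"^(.+?) => MD5 is legit$")
FILE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
FILE_DETAIL_RE = re.compile(
    r"^\[.*\] - \[.*\] - (\d+) \S+ \(([^)]*)\) ([0-9A-Fa-f]{32})$")


def triage(log_text: str) -> list[Finding]:
    """Walk the report line by line, tracking the current section, and
    return the entries that need a human decision."""
    findings: list[Finding] = []
    section, reg_key = "", ""
    lines = [ln.strip() for ln in log_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        # A section header is "Name:" followed by a line of '=' characters.
        m = SECTION_RE.match(line)
        if m and i < len(lines) and lines[i].startswith("="):
            section, reg_key = m.group(1), ""
            i += 1
            continue
        if section == "File Check":
            if FILE_LEGIT_RE.match(line):
                continue                      # hash is in FSS's known-good table
            if FILE_PATH_RE.match(line):
                path = line
                dm = FILE_DETAIL_RE.match(lines[i]) if i < len(lines) else None
                if dm:
                    i += 1
                    size, company, md5 = dm.groups()
                    findings.append(Finding(section, "file",
                        f"{path}: no MD5 match in FSS table (size {size}, '{company}', MD5 {md5})"))
                else:
                    findings.append(Finding(section, "file", f"{path}: no MD5 match in FSS table"))
            continue
        if line.startswith("[") and line.endswith("]"):
            reg_key = line[1:-1]              # registry key for the policy values below it
            continue
        if (m := POLICY_RE.match(line)) and m.group(2) != "0":
            findings.append(Finding(section, "policy", f"{reg_key}\\{m.group(1)} = {m.group(2)}"))
            continue
        if m := NOT_RUNNING_RE.match(line):
            findings.append(Finding(section, "service", f"{m.group(1)} is not running"))
            continue
        if (m := START_TYPE_RE.match(line)) and m.group(2) != m.group(3):
            findings.append(Finding(section, "service",
                f"{m.group(1)} start type is {m.group(2)}, default is {m.group(3)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.section}: {f.detail}")
```

On the excerpt it reports two service findings for WinDefend, the `DisableAntiSpyware` policy, and the unmatched `tcpip.sys`, and stays silent on files marked `MD5 is legit`; feed it a whole FSS.txt to get the same summary for a full report.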

#21 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)

Yes, I recognized them...but they weren't initially exe files.


Can you check and see if you have the original (not .exe) files? I think the virus may have named some of its files using your file names. If you still have the legit files, then go ahead and delete the bad ones by emptying the MCShield quarantine. To do this, open the MCShield Control Center and click on the "Quarantine" tab. There should be a button to "Delete all."

Other than that...

Congratulations, Joey23 :). Your computer now appears to be clean. Please complete the following steps to finalize the cleaning process.

It would be a good idea also to reset your firewall in case the malware opened any ports.

Please update these programs, as old versions pose a security risk.
  • Java

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

    If you do need java, then you should definitely update to the latest version:

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, then click Remove JRE.
    • Run the built-in uninstallers for all copies of java listed
    • Click the Next button
    • Click the Next button again
    • Click the Java Manual Download link
    • A browser window will open with the Java download page
    • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
    • Run the installer
    • Close JavaRa
  • Adobe Reader -> You can get the latest version here.

    I would recommend securing Adobe Reader against the latest exploits as follows:

    • Launch Adobe Reader.
    • Click on Edit and select Preferences.
    • On the left, click on the JavaScript category and uncheck Enable Acrobat JavaScript.
    • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
    • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
    • Click the OK button.

Uninstall Combofix:
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK.
  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.

Clean up OTL:
  • Open OTL and select the "CleanUp" button.
  • Allow the computer to reboot.
  • Any logs or removal tools left over can be deleted now. If ESET is still installed, you can uninstall it from the "Programs and Features" menu in the control panel.

Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.

First set up a new, clean restore point:
  • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
  • In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Click the System Protection tab, and then click Create.
  • In the System Protection dialog box, type a description, and then click Create.

Then delete the old, infected ones:
  • Go Start > All Programs > Accessories > System Tools
  • Right-click Disk Cleanup and select Run as administrator
  • Then select the More Options tab
  • Select system restore and shadow copies "Clean up"
  • Follow the prompts

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

Defragment your hard drive. Your hard drive is showing 27% fragmentation. This refers to how your files are spread out on the physical "disk" in your hard drive. You could possibly gain a little better performance from your PC if you defragment your hard drive. You can find instructions here.

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:
  • First, click on Start and click on All Programs, then Windows Update.
  • Click on Change Settings in the left pane and then check the option for Automatic Updates.

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.

#22 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.