Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Infection right after format

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: Infection right after format

Unread postby Vegeta » September 28th, 2009, 12:33 pm

I have installed java and avira. I followed the instructions for atf cleaner

Here's the kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 28, 2009 15:54:36
Records in database: 2930131
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 32421
Threats found: 3
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 00:56:18


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe.vir Infected: Trojan.Win32.Antavmu.eqx 1
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP4\A0000300.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP5\A0000334.EXE Infected: Trojan.Win32.Antavmu.eqx 1
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP5\A0000336.exe Infected: Backdoor.Win32.Hupigon.ckzs 1
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP6\A0000849.exe Infected: Trojan.Win32.Antavmu.eqx 1

Selected area has been scanned.

and here's hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:36 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Unknown owner - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe (file missing)

--
End of file - 3281 bytes
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm
Top
Advertisement
Register to Remove

Re: Infection right after format

Unread postby francis327 » September 28th, 2009, 9:03 pm

Hi Vegeta, looking good.
We will need to do some clean up here.

You can get rid of the tools we used:
  • GMER & ATF(You can just delete the exe file from your desktop)
  • HijackThis(You can uninstall it from Add/Remove Programs)
  • Malwarebytes Anti Malware(I would recommend to keep this program)

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed

    Image

OTL - Clean up
  • Launch OTL.exe
  • Click on CleanUp!
  • When done, you will be prompted to restart your computer. Please do so at this time.


It seems to me that... you appear to be clean :cheers:
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


Step 1. Create a new System Restore Point: If your not sure how to do this, you can read these tutorials:
Method for XP:

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Step 2. You may download some free programs, that will help improve your computer's security.
These kinds of protection programs (adware, spyware, etc...) tend to overlap in coverages.
Many feel that having a "layered" protection scheme, is beneficial. Each individual has to decide what works best for their situation.
There are many available...here are a few you can look into, if you want. :)

SpywareBlaster 4.2
Download Spyware Blaster 4.2
A SpywareBlaster tutorial can be found Here.

WinPatrol
Download WinPatrol
Information about how WinPatrol works, is available Here.
(The free version of WinPatrol...does not provide any real-time protection)

Firetrust SiteHound
Download Firetrust SiteHound
Information of Firetrust SiteHound is available at its homepage

Step 3. Update your Antivirus programs and other security products regularly.
Avoid new threats that could infect your system. You can also check if any application updates are needed for your PC.
Secunia Software Inspector - Copyright 2002-2008 Secunia.
F-secure Health Check - Copyright F-Secure Corporation.


Step 4. Visit Microsoft often
Keep on top of critical updates , as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home


Step 5. Read
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"
How to prevent Malware:? miekiemoes - Microsoft MVP - Consumer Security .
Interesting Articles by Emsi Software

Happy Surfing!!

francis327
User avatar
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)
Top

Re: Infection right after format

Unread postby Vegeta » September 29th, 2009, 9:05 pm

Done.
Thank you for everything you've done.
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm
Top

Re: Infection right after format

Unread postby francis327 » September 30th, 2009, 2:54 am

You are most welcome.

Regards
francis327
User avatar
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)
Top

Re: Infection right after format

Unread postby NonSuch » October 3rd, 2009, 12:47 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Top
Advertisement
Register to Remove
Previous
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 536 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index