Computer Juice forums > Computer Software > Virus, Spyware & Security
Virus or Spyware infection
  #11  
Old 22nd Nov 2008, 00:58
Full Member
Posts: 34
 
Well, HJT doesn't work, so here is the RSIT log again.

MBAM found nothing :|
Attached files: RSITlog.txt (13.7 KB), MBAM log.txt (834 bytes)

  #12  
Old 22nd Nov 2008, 01:16
Moderator
Posts: 7,559
 
It's not creating a HijackThis log.

Also I'm not seeing any malware except for this, unless you know what it is? C:\WINDOWS\system32\abcebbebbcfce.dll

Also, you need to uninstall either AVG or F-Secure. Running two antivirus programs will just cause problems and could be part of what's wrong now.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
__________________
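
The moderator's question ("unless you know what it is?") is the right first step: before deleting anything out of system32 you want to know whether the file is signed, what its version resource claims, its hash, and which running process has it mapped. The PowerShell below is an added example and is not part of this thread or of any tool mentioned in it. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash and Get-AuthenticodeSignature are built in); the only path taken from the thread is the DLL the moderator flagged, and the "Suspicious" flag is my own heuristic, not a verdict.

```powershell
# Added example, not from the thread: triage an unknown DLL before removing it.
# Run elevated so that module lists of system processes are readable.
function Get-DllTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force   # -Force also sees hidden/system files

    # Authenticode status. Caveat: on older Windows versions catalog-signed
    # Microsoft DLLs also report NotSigned here, so treat this as evidence, not proof.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # SHA-256 for a lookup against a multi-engine scanner or an internal blocklist.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Which processes have the module loaded? A DLL mapped into winlogon.exe or
    # explorer.exe is exactly the case where a plain delete fails and tools fall
    # back to "move on reboot". Protected/exited processes throw; skip them.
    $loadedBy = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -ieq $item.FullName }) {
                "$($p.ProcessName) (PID $($p.Id))"
            }
        } catch { }
    }

    $company = $item.VersionInfo.CompanyName
    [pscustomobject]@{
        Path        = $item.FullName
        Exists      = $true
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        Company     = $company
        Description = $item.VersionInfo.FileDescription
        Signature   = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
        Sha256      = $sha256
        LoadedBy    = ($loadedBy -join ', ')
        # Heuristic (mine): unsigned AND no vendor string in a system32 DLL is a red flag.
        Suspicious  = ($sig.Status -ne 'Valid' -and [string]::IsNullOrWhiteSpace($company))
    }
}

# The file from the thread:
Get-DllTriage -Path 'C:\WINDOWS\system32\abcebbebbcfce.dll' | Format-List
```

A random-looking name, no version resource, no signature, a creation time that matches the first symptoms, and a "LoadedBy" line naming winlogon.exe or explorer.exe is the profile the rest of this thread turns out to have; a file that is signed by Microsoft with a sensible description is one you should not be deleting on a forum's say-so.
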

  #13  
Old 22nd Nov 2008, 01:57
Full Member
Posts: 34
 
OK, ComboFix has finished.

The log says that abcebbebbcfce.dll failed to delete.

Should I delete it manually using Move On Boot, seeing as it is still there?

Cheers
Attached files: ComboFix.txt (16.0 KB)
  #14  
Old 22nd Nov 2008, 02:58
Moderator
Posts: 7,559
 
I need you to stop downloading different tools until I get a chance to look at the logs I request. If you are adding and removing things it gets confusing. All I wanted to know was if you knew what that file was, or not.


Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\FOUND.001
C:\FOUND.000
c:\windows\system32\tmp.reg

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abcebbebbcfce]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
__________________

  #15  
Old 22nd Nov 2008, 03:36
Full Member
Posts: 34
 
Sorry about me downloading more stuff.

I just want this to be over with, ha ha.

Here's the new log.

And no, I don't know what that abc DLL is.
Attached files: ComboFix.txt (16.4 KB)
  #16  
Old 22nd Nov 2008, 03:59
Moderator
Posts: 7,559
 
Quote:
2008-11-22 21:11 . 2008-11-22 21:11 <DIR> d-------- c:\program files\Comodo
2008-11-22 21:11 . 2008-11-22 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2008-11-22 21:11 . 2008-11-22 21:11 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-22 21:11 . 2008-11-22 21:11 434,252 --a------ c:\windows\system32\MSVCRTD.DLL
2008-11-22 21:11 . 2008-11-22 21:11 216,576 --a------ c:\windows\system32\monln.dll
2008-11-22 21:11 . 2008-11-22 21:11 102,400 --a------ c:\windows\system32\drivers\cavasm.sys
2008-11-22 21:11 . 2008-11-22 21:11 73,728 --a------ c:\windows\system32\CavEmLSP.dll
Seriously. You have to STOP downloading new tools. It's just making things harder! We are working together but things have to be done in a certain order. There is no shortcut with this sort of malware. Uninstall Comodo AntiVirus before continuing. It will just cause more problems!

----------

Check to be sure Spybot's TeaTimer is turned OFF. I think it is blocking the fixes we are trying to make.

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with certain fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note:
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Download OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abcebbebbcfce]

:files
c:\windows\system32\abcebbebbcfce.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right-click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Also let me know what problems you are still having with the computer.
__________________

  #17  
Old 22nd Nov 2008, 04:18
Full Member
Posts: 34
 
Still just the same problems as before. It's really nothing too problematic, it's just that I don't want that crap on my computer!


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abcebbebbcfce\\ deleted successfully.
========== FILES ==========
LoadLibrary failed for c:\windows\system32\abcebbebbcfce.dll
c:\windows\system32\abcebbebbcfce.dll NOT unregistered.
File move failed. c:\windows\system32\abcebbebbcfce.dll scheduled to be moved on reboot.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11222008_221156

Files moved on Reboot...
LoadLibrary failed for c:\windows\system32\abcebbebbcfce.dll
c:\windows\system32\abcebbebbcfce.dll NOT unregistered.
File move failed. c:\windows\system32\abcebbebbcfce.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
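
Posts #16 and #17 together show the mechanism, not just the file: the Winlogon\Notify subkey makes winlogon.exe load abcebbebbcfce.dll at boot, so the image stays mapped for the whole session, LoadLibrary/unregister from another process does nothing useful, and every delete attempt comes back as "scheduled to be moved on reboot". The PowerShell below is an added example, not code from this thread or from OTMoveIt3/ComboFix. It enumerates the Notify packages with their DLL and signature status, removes one by name (registry entry first, so nothing re-loads it), and when the immediate delete fails it queues the delete through the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which is the standard way to get exactly that "on reboot" behaviour (I am assuming, not confirming, that the thread's tools use the same call). Assumptions: an elevated session, and the package name 'abcebbebbcfce' taken from the thread. Winlogon notification packages are an XP/2003-era mechanism; on Vista and later the key is normally absent and the enumerator simply returns nothing.

```powershell
# Added example, not from the thread: inspect and remove a Winlogon\Notify package.
# Run elevated. Registry key and package name are the ones the thread's scripts target.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyPackages {
    # Each subkey names a DLL that winlogon.exe loads at boot and calls on
    # logon/logoff/lock events, so the DLL is in use for the life of the session.
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        # A bare file name is resolved from system32, the same way winlogon finds it.
        $resolved = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path "$env:SystemRoot\system32" $dll
        } else { $dll }
        $sigStatus = if ($resolved -and (Test-Path -LiteralPath $resolved)) {
            (Get-AuthenticodeSignature -LiteralPath $resolved).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Package   = $_.PSChildName
            DLLName   = $dll
            Path      = $resolved
            Signature = $sigStatus
        }
    }
}

# Win32 MoveFileEx: with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL destination the delete
# is recorded in PendingFileRenameOperations and carried out by the session manager
# early in the next boot, before winlogon (or anything else) can map the DLL again.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-WinlogonNotifyPackage {
    param([Parameter(Mandatory)][string]$Package)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4

    $entry = Get-WinlogonNotifyPackages | Where-Object Package -eq $Package
    if (-not $entry) { throw "No Winlogon\Notify package named '$Package'" }

    # 1. Break the persistence first so the DLL is not loaded again on the next boot.
    Remove-Item -Path (Join-Path $notifyKey $Package) -Recurse -Force

    # 2. Try a normal delete; a DLL mapped into winlogon fails here (in use),
    #    so fall back to a delayed delete rather than leaving the file behind.
    if ($entry.Path -and (Test-Path -LiteralPath $entry.Path)) {
        try {
            Remove-Item -LiteralPath $entry.Path -Force -ErrorAction Stop
            return "$($entry.Path) deleted immediately"
        } catch {
            $ok = [Win32.Native]::MoveFileEx($entry.Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
            if (-not $ok) {
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                throw "MoveFileEx failed with Win32 error $err"
            }
            return "$($entry.Path) queued for deletion at next reboot (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations)"
        }
    }
    return "Registry entry removed; file already absent"
}

# Usage: list first, then remove the one package this thread is about.
Get-WinlogonNotifyPackages | Format-Table -AutoSize
# Remove-WinlogonNotifyPackage -Package 'abcebbebbcfce'
```

The order matters: removing only the file (as the first ComboFix run tried) leaves the Notify entry pointing at a path that reappears if the dropper runs again, while removing only the registry key leaves the DLL on disk. Doing both, with the delayed delete as the fallback, is what the OTMoveIt3 script in post #16 was reaching for; the result in post #17 shows the registry half succeeded and the file half was deferred to reboot.
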
  #18  
Old 22nd Nov 2008, 04:41
Moderator
Posts: 7,559
 
Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply
__________________

  #19  
Old 22nd Nov 2008, 05:05
Full Member
Posts: 34
 
Haha. Awesome.

After the Express Scan finished, it came up with that abc DLL as a virus.
When I clicked on Cure, it asked what to do with the uncurable, so I clicked Delete Uncurable.
It asked to restart, so I did.
When I started up again just now, I went to system32, and voila, there was no abc DLL anymore.

You are a true legend, evilfantasy.

Thank you very, very much. Greatly appreciated. I can also type AVG into Google now. HJT is up and running.

If you want the log of the DrWeb Express Scan, I've added it here.

If you want HJT I can post that too. But I will do it tomorrow morning as I am going to bed now. (Work at 7 tomorrow and it's 11 PM here :/

Thank you very much again

Jim - Satisfied Customer
Attached files: CureIt.txt (1.7 KB)
  #20  
Old 22nd Nov 2008, 12:22
Moderator
Posts: 7,559
 
Let's do some cleanup first then look at a HJT log to see if anything else needs to be done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
  • The above procedure will:
    • Delete ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.

Important: Restart the computer before continuing.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa
  • Unzip the file and open the JavaRa.exe
  • Click Remove Older Versions
  • JavaRa will search for and remove any outdated version of Java and remove any that are found.
  • Click Additional Tasks
  • Place a check next to Remove Useless JRE Files and click Go
  • Exit JavaRa
  • Delete the JavaRa files from the Desktop

----------

Now run a HJT scan and post the log please.
__________________
