DriveCleaner - why?

  • andyrules
    andyrules Posts: 3,558 Forumite
    Can anyone tell me if I am able to safely use my Ccard online while I have this infection? Thanks
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I would say no


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log along with the Vundo report if anything was found and/or removed.
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    if that fails try this in normal windows mode

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log please.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    Ex forum ambassador

    Long term forum member
  • andyrules
    andyrules Posts: 3,558 Forumite
    cheers browntoa - am off to do it now. Are my bank details safe do you think?
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    not until it's clean... I'm concerned that something is stopping the software from doing its job

    if still no joy from either of these then do a hijackthis log for me

    http://www.tomcoyote.org/hjt/
    Ex forum ambassador

    Long term forum member
  • andyrules
    andyrules Posts: 3,558 Forumite
    hi browntoa that seemed to go ok, I've got reports from that and smitfraud, nothing from vundo or hijack. Shall I post them?
  • andyrules
    andyrules Posts: 3,558 Forumite
    didn't do the combofix
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    do combo now and then post that and the other logs...

    any sign of it going yet ??
    Ex forum ambassador

    Long term forum member
  • andyrules
    andyrules Posts: 3,558 Forumite
    not sure, it pops up often so I'll soon know! I've put the report thing here, now will do the combo. Cheers for a while..

    SDFix: Version 1.87

    Run by Administrator - 12/06/2007 - 20:51:42.64

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\winsys.exe - Deleted



    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking if ADS is attached to ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:

    Backups Folder: - C:\SDFix\backups\backups.zip

    Listing Files with Hidden Attributes:

    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL0087.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL0167.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL1489.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\medium term planning\~WRL3811.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\PLANNING AND OUTCOMES\2006-2007\NEW LITERACY\~WRL0001.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\PLANNING AND OUTCOMES\2006-2007\NUMERACY\~WRL0168.tmp

    Listing User Accounts:

    User accounts for \\HOME-VLXXBPRCM8

    Administrator Dave Guest
    HelpAssistant SUPPORT_388945a0


    Finished

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking if ADS is attached to ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:

    Backups Folder: - C:\SDFix\backups\backups.zip

    Listing Files with Hidden Attributes:

    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL0087.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL0167.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\~WRL1489.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\medium term planning\~WRL3811.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\PLANNING AND OUTCOMES\2006-2007\NEW LITERACY\~WRL0001.tmp
    C:\Documents and Settings\Dave\My Documents\work docs\PLANNING AND OUTCOMES\2006-2007\NUMERACY\~WRL0168.tmp

    Listing User Accounts:

    User accounts for \\HOME-VLXXBPRCM8

    Administrator Dave Guest
    HelpAssistant SUPPORT_388945a0


    Finished
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    run ccleaner to get rid of your temp files

    www.ccleaner.com

    after combofix
    Ex forum ambassador

    Long term forum member
This discussion has been closed.