WiredWX Christian Hobby Weather Tools

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

doing it now

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

how long should the blue bar be filling across the bottom? I hit create log and it just keeps going across the bottom filling and refilling. its been 5 minutes now

its scanning now

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

If it doesn't respond in 30 mins. we'll try something else.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

right when it started scanning a bunch of things happened. The device manager popped up, the windows update icon appeared in the sys tray and the start button opened.
I tried to fix the firewall issue before I started with this scanner with microsoft fixit for firewall issue. It reported back that it repaired the firewall and restarted the computer. It still shows the firewall turned off

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\acfs1nn1.SYS
Service Name: ---
Module Base: B91F0000
Module End: B9232000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B4C28000
Module End: B4C40000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5EE000
Module End: BA5F0000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found


Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

yeah the firewall is on the esisoft was guarding it

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the [image: EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [image: EsetAcceptTerms]
• Click the [image: EsetStart] button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check [image: EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [image: EsetListThreats]
• Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [image: EsetBack] button.
• Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

C:\Documents and Settings\HP_Administrator\My Documents\samsung files sd card\App_Manager\App_Backups\user_apps\com.charmingapps.rebelflag.apk a variant of Android/Adware.AirPush.G application deleted - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\samsung files sd card\TitaniumBackup\com.charmingapps.rebelflag-2e43b4cc0c66b79c382df1a4044e5191.apk.gz a variant of Android/Adware.AirPush.G application deleted - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\samsung files sd card\TitaniumBackup\com.charmingapps.rebelflag-ec930064db8a53503f88c34c285a17ba.apk.gz a variant of Android/Adware.AirPush.G application deleted - quarantined

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

How's your computer working now? Any other issues before we clean up?

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

Is the system clean. each time it scans there seems to be files found. If its clean then I am making an image so I have a clean start.
The only thing I see now is that explorer thing. The tray is frozen until I kill explorer in processes and then start a new task and then its ok. I see if I let it sit for 20 minutes sometimes it returns to normal. Any suggestions?
If we are done I have my second system that I will need help with since I infected all my pc's by using usb sticks between them.
Let me know if this one is clean and about the explorer thing.
Thanks a ton

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

tornado here now shutting down I will check back here after the storms are past

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

Do you mean Internet explorer?

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

no when I boot to desktop the tray icons are frozen so is the start button and there are no icons in the sys tray. I have to shutdown explorer.exe under processes and then restart it as a new task and they all work and the icons appear in the sys tray. When this happens I cant get to device manager or system restore. This all occurred after the infection.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

to be clear when that freeze thing happens the device manager or system restore are not accessible. When I shut down explorer and restart it everything works

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

Please try this even if you don't have the OS disk and tell me what happens.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
• Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
• Let this run undisturbed until the window with the blue progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

no I have only the HP restore discs but they do not work since I changed the processor a couple years ago.
I did install Microsoft Security Essentials and when it scanned it found 2 trojans
trojan:Win64/Sirefef.E and trojan:Win64/Sirefef.D it has quarantined them and suggests I remove them. What should I do?
Yes, remove them and please run the SFC even if you don't have the disk. If it finds something wrong, it will ask for the disk. Please let me know.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

doing it now

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

it ran for awhile and is now asking for the Win Pro Service Pack 3 disc

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

it ran for awhile and is now asking for the Win Pro Service Pack 3 disc

That means that a file is missing or corrupted. Can you borrow a disk? It must be a Win Pro Service Pack 3 disc.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

I will see. Does that sound right? This pc is running Media Center Edition. Will that Win Pro work?
I did run Kellys taskbar repair tool and it seemed to fix the explorer issues. I have been using the pc all day and so far it seems fine. Am I virus free?
If you think we are done I will start another post with the other system.
Thanks for all your help. You guys are great.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

Code:

I will see. Does that sound right? This pc is running Media Center Edition. Will that Win Pro work?

The only way to be sure is to try running SFC with that disk in the drive but if you repaired the explorer issue, there's no need to do SFC.
I did run Kellys taskbar repair tool and it seemed to fix the explorer issues. I have been using the pc all day and so far it seems fine. Am I virus free?

Yes, I'm quite sure it's clean. We were only dealing with those other issues you had.
Let's do some cleanup and keep our fingers crossed.


To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

**************************************************
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
**************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

Thanks you really have made a difference. I will be posting the other system shortly after I run scans.

Re: iambigbrother(A) beast (A) noadware (A) android exploit and others part 1

cybor462 wrote:
Thanks you really have made a difference. I will be posting the other system shortly after I run scans.

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.
