[Resolved] Microsoft - Teamviewer scam - Remote access granted to scammer...

BunnySlave:

Greeting All,

Recently a caller with an Indian accent convinced my sister he was from Microsoft and needed to fix her Win 7.
Luckily my sister broke connection prior to scam/encryption/damage...

hxxp://www.snopes.com/fraud/telephone/microsoft.asp

Posted are the DDS logs. We are unsure of any "surprises" left by the scammer...
Thanks in advance for consult/advice.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Cathy at 12:44:43 on 2014-05-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2047.1171 [GMT -5:00]
.
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler64.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Advanced SystemCare 7] "C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{9045BA95-9DAD-403E-846F-B53F55515667} : DHCPNameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
SSODL: WebCheck - <orphaned>
x64-BHO: ExplorerWnd Helper: {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\bnoyzx9u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_182.dll
FF - ExtSQL: 2014-04-16 10:24; ascsurfingprotection@iobit.com; C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\bnoyzx9u.default\extensions\ascsurfingprotection@iobit.com
FF - ExtSQL: !HIDDEN! 2011-12-30 01:44; smartwebprinting@hp.com; C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2014-4-16 21184]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2014-4-15 28600]
R2 AdvancedSystemCareService7;Advanced SystemCare Service 7;C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe [2014-1-24 881952]
R2 AntiVirMailService;Avira Mail Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [2014-4-15 910416]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2014-4-15 440400]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2014-4-15 440400]
R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [2014-4-15 1017424]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2014-4-15 108440]
R2 avnetflt;avnetflt;C:\Windows\System32\drivers\avnetflt.sys [2014-4-15 84720]
R2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2014-5-6 5024576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-20 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-4-20 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-5-6 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-4-20 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-4-16 1255736]
.
=============== Created Last 30 ================
.
2014-05-06 22:12:56   --------   d-----w-   C:\Program Files (x86)\TeamViewer
2014-05-06 22:11:03   6574592   ----a-w-   C:\Windows\System32\mstscax.dll
2014-05-06 22:11:03   5694464   ----a-w-   C:\Windows\SysWow64\mstscax.dll
2014-05-06 21:31:40   388096   ----a-r-   C:\Users\Cathy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-05-06 21:31:40   --------   d-----w-   C:\Program Files (x86)\Trend Micro
2014-05-06 17:55:17   1030144   ----a-w-   C:\Windows\System32\TSWorkspace.dll
2014-05-06 17:55:16   792576   ----a-w-   C:\Windows\SysWow64\TSWorkspace.dll
2014-05-06 17:24:52   --------   d-sh--w-   C:\Users\Cathy\AppData\Local\EmieUserList
2014-05-06 17:24:52   --------   d-sh--w-   C:\Users\Cathy\AppData\Local\EmieSiteList
2014-05-05 00:47:24   2724864   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2014-05-05 00:47:24   2724864   ----a-w-   C:\Windows\System32\mshtml.tlb
2014-04-27 17:44:37   --------   d-s---w-   C:\Windows\System32\CompatTel
2014-04-27 17:44:35   465408   ----a-w-   C:\Windows\System32\aepdu.dll
2014-04-27 17:44:35   424448   ----a-w-   C:\Windows\System32\aeinv.dll
2014-04-21 00:49:33   3174912   ----a-w-   C:\Windows\System32\rdpcorets.dll
2014-04-21 00:49:33   243200   ----a-w-   C:\Windows\System32\rdpudd.dll
2014-04-21 00:49:33   228864   ----a-w-   C:\Windows\System32\rdpendp_winip.dll
2014-04-21 00:49:33   19456   ----a-w-   C:\Windows\System32\drivers\rdpvideominiport.sys
2014-04-21 00:49:33   192000   ----a-w-   C:\Windows\SysWow64\rdpendp_winip.dll
2014-04-21 00:49:33   15360   ----a-w-   C:\Windows\System32\RdpGroupPolicyExtension.dll
2014-04-21 00:49:32   30208   ----a-w-   C:\Windows\System32\drivers\TsUsbGD.sys
2014-04-21 00:46:35   514560   ----a-w-   C:\Windows\SysWow64\qdvd.dll
2014-04-21 00:46:35   366592   ----a-w-   C:\Windows\System32\qdvd.dll
2014-04-19 03:12:20   --------   d-----w-   C:\Windows\Migration
2014-04-16 21:34:08   --------   d-----w-   C:\Users\Cathy\AppData\Local\Macromedia
2014-04-16 20:55:20   33240   ----a-w-   C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-04-16 20:55:10   --------   d-----w-   C:\Program Files\iPod
2014-04-16 20:55:09   --------   d-----w-   C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-04-16 20:55:09   --------   d-----w-   C:\Program Files\iTunes
2014-04-16 20:37:38   2871808   ----a-w-   C:\Windows\explorer.exe
2014-04-16 20:37:38   2616320   ----a-w-   C:\Windows\SysWow64\explorer.exe
2014-04-16 20:37:37   465920   ----a-w-   C:\Windows\System32\WMPhoto.dll
2014-04-16 20:37:37   417792   ----a-w-   C:\Windows\SysWow64\WMPhoto.dll
2014-04-16 20:37:36   3928064   ----a-w-   C:\Windows\System32\d2d1.dll
2014-04-16 20:37:36   3419136   ----a-w-   C:\Windows\SysWow64\d2d1.dll
2014-04-16 20:37:36   2565120   ----a-w-   C:\Windows\System32\d3d10warp.dll
2014-04-16 20:37:36   1987584   ----a-w-   C:\Windows\SysWow64\d3d10warp.dll
2014-04-16 20:04:02   --------   d-----w-   C:\ProgramData\WEBREG
2014-04-16 20:02:31   --------   d-----w-   C:\Users\Cathy\AppData\Local\HP
2014-04-16 20:01:37   249856   ----a-w-   C:\Windows\System32\Spool\prtprocs\x64\hpfpp70w.dll
2014-04-16 18:41:07   26341664   ----a-w-   C:\Windows\System32\nvoglv64.dll
2014-04-16 18:41:06   9184760   ----a-w-   C:\Windows\System32\nvcuda.dll
2014-04-16 18:41:06   7754560   ----a-w-   C:\Windows\SysWow64\nvcuda.dll
2014-04-16 18:41:06   2749216   ----a-w-   C:\Windows\System32\nvcuvid.dll
2014-04-16 18:41:06   2577184   ----a-w-   C:\Windows\SysWow64\nvcuvid.dll
2014-04-16 18:41:06   2222880   ----a-w-   C:\Windows\System32\nvcuvenc.dll
2014-04-16 18:41:06   19915552   ----a-w-   C:\Windows\SysWow64\nvoglv32.dll
2014-04-16 18:41:06   1869088   ----a-w-   C:\Windows\SysWow64\nvcuvenc.dll
2014-04-16 18:41:06   15413704   ----a-w-   C:\Windows\SysWow64\nvd3dum.dll
2014-04-16 18:41:06   13531936   ----a-w-   C:\Windows\System32\drivers\nvlddmkm.sys
2014-04-16 18:41:05   2446416   ----a-w-   C:\Windows\SysWow64\nvapi.dll
2014-04-16 17:53:12   119512   ----a-w-   C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-16 17:52:56   88280   ----a-w-   C:\Windows\System32\drivers\mbamchameleon.sys
2014-04-16 17:52:56   63192   ----a-w-   C:\Windows\System32\drivers\mwac.sys
2014-04-16 17:52:56   25816   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2014-04-16 17:52:56   --------   d-----w-   C:\ProgramData\Malwarebytes
2014-04-16 17:52:56   --------   d-----w-   C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-16 17:06:02   27456   ----a-w-   C:\Windows\System32\RegistryDefragBootTime.exe
2014-04-16 16:20:09   --------   d-----w-   C:\Windows\SysWow64\spool
2014-04-16 16:18:30   --------   d-----w-   C:\Windows\hpoj4500g510a-f
2014-04-16 16:18:09   136704   ----a-w-   C:\Windows\System32\hpf3l70w.dll
2014-04-16 16:17:09   902656   ----a-w-   C:\Windows\System32\hpwwiax7.dll
2014-04-16 16:17:09   642360   ----a-w-   C:\Windows\System32\hpzids40.dll
2014-04-16 16:17:09   551424   ----a-w-   C:\Windows\System32\hppldcoi.dll
2014-04-16 16:17:09   503296   ----a-w-   C:\Windows\System32\hpwvst01.dll
2014-04-16 16:17:09   1418240   ----a-w-   C:\Windows\System32\hpwtiop6.dll
2014-04-16 15:40:38   34080   ----a-w-   C:\Windows\System32\SmartDefragBootTime.exe
2014-04-16 15:40:08   128288   ----a-w-   C:\Windows\System32\IObitSmartDefragExtension.dll20140416104035.dll
2014-04-16 15:40:08   128288   ----a-w-   C:\Windows\System32\IObitSmartDefragExtension.dll
2014-04-16 15:40:01   21184   ----a-w-   C:\Windows\System32\drivers\SmartDefragDriver.sys
2014-04-16 15:05:11   --------   d-----w-   C:\ProgramData\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D}
2014-04-16 15:05:10   --------   d-----w-   C:\ProgramData\ProductData
2014-04-16 15:04:46   --------   d-----w-   C:\Users\Cathy\AppData\Local\Programs
2014-04-16 15:03:59   --------   d-----w-   C:\ProgramData\IObit
2014-04-16 14:27:13   --------   d-----w-   C:\Users\Cathy\AppData\Local\Google
2014-04-16 13:25:33   --------   d-----w-   C:\Program Files (x86)\GPLGS
2014-04-16 13:24:56   85504   ----a-w-   C:\Windows\System32\cpwmon64.dll
2014-04-16 13:24:55   --------   d-----w-   C:\Program Files (x86)\Acro Software
2014-04-16 13:15:05   --------   d-----w-   C:\Program Files (x86)\OpenOffice.org 3
2014-04-16 13:11:51   --------   d-----w-   C:\ProgramData\Oracle
2014-04-16 13:11:27   96168   ----a-w-   C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-16 13:02:18   --------   d-----w-   C:\ProgramData\Licenses
2014-04-16 13:02:13   129872   ----a-w-   C:\Windows\SysWow64\MSSTDFMT.DLL
2014-04-16 13:02:13   1070352   ----a-w-   C:\Windows\SysWow64\MSCOMCTL.OCX
2014-04-16 12:54:27   --------   d-----w-   C:\Users\Cathy\AppData\Local\Apple
2014-04-16 12:53:58   --------   d-----w-   C:\Program Files\Bonjour
2014-04-16 12:42:11   70832   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-16 12:42:11   692400   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-16 12:39:52   --------   d-----w-   C:\Users\Cathy\AppData\Local\Adobe
2014-04-16 12:38:00   --------   d-----w-   C:\Windows\SysWow64\Adobe
2014-04-16 05:58:53   --------   d-----w-   C:\Users\Cathy\AppData\Local\Apple Computer
2014-04-16 05:51:08   13368   ----a-w-   C:\Windows\SysWow64\drivers\AsUpIO.sys
2014-04-16 05:51:07   24576   ----a-w-   C:\Windows\SysWow64\AsIO.dll
2014-04-16 05:51:06   13440   ----a-w-   C:\Windows\SysWow64\drivers\AsIO.sys
2014-04-16 05:50:55   --------   d-----w-   C:\Program Files (x86)\ASUS
2014-04-16 05:50:36   77824   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2014-04-16 05:50:36   32768   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2014-04-16 05:50:36   225280   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2014-04-16 05:50:36   176128   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2014-04-16 05:50:35   614532   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2014-04-16 05:45:20   --------   d-----w-   C:\Program Files (x86)\Realtek
2014-04-16 05:42:55   4223008   ----a-w-   C:\Windows\SysWow64\NVStWiz.exe
2014-04-16 05:09:53   --------   dc----w-   C:\Users\Cathy\AppData\Local\MigWiz
2014-04-16 05:02:59   97880   ----a-w-   C:\Program Files (x86)\Internet Explorer\pdmproxy100.dll
2014-04-16 05:00:41   --------   d-----w-   C:\Windows\SysWow64\Wat
2014-04-16 05:00:41   --------   d-----w-   C:\Windows\System32\Wat
2014-04-16 04:56:39   --------   d-----w-   C:\Users\Cathy\AppData\Roaming\Avira
2014-04-16 04:55:09   84720   ----a-w-   C:\Windows\System32\drivers\avnetflt.sys
2014-04-16 04:55:09   28600   ----a-w-   C:\Windows\System32\drivers\avkmgr.sys
2014-04-16 04:55:09   108440   ----a-w-   C:\Windows\System32\drivers\avgntflt.sys
2014-04-16 04:55:03   --------   d-----w-   C:\ProgramData\Avira
2014-04-16 04:55:03   --------   d-----w-   C:\Program Files (x86)\Avira
2014-04-16 04:45:35   --------   d-sh--w-   C:\Windows\Installer
2014-04-16 04:41:12   --------   d-----w-   C:\System Components
2014-04-16 04:37:58   540192   ----a-w-   C:\Windows\System32\NVUNINST.EXE
2014-04-16 04:05:43   --------   d-----w-   C:\Windows\Panther
2014-04-16 04:01:27   --------   d-----w-   C:\Program Files (x86)\NVIDIA Corporation
2014-04-16 04:01:04   63776   ----a-w-   C:\Windows\System32\nvshext.dll
2014-04-16 04:00:38   61216   ----a-w-   C:\Windows\System32\OpenCL.dll
2014-04-16 04:00:38   53024   ----a-w-   C:\Windows\SysWow64\OpenCL.dll
2014-04-16 03:59:37   --------   d-----w-   C:\ProgramData\NVIDIA Corporation
2014-04-16 03:59:28   --------   d-----w-   C:\Program Files\NVIDIA Corporation
2014-04-16 03:55:13   167424   ----a-w-   C:\Program Files\Windows Media Player\wmplayer.exe
2014-04-16 03:55:13   164864   ----a-w-   C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2014-04-16 03:55:12   12625920   ----a-w-   C:\Windows\System32\wmploc.DLL
2014-04-16 03:55:11   12625408   ----a-w-   C:\Windows\SysWow64\wmploc.DLL
2014-04-16 02:38:58   2560   ----a-w-   C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2014-04-16 02:00:45   87040   ----a-w-   C:\Windows\System32\drivers\WUDFPf.sys
2014-04-16 02:00:45   84992   ----a-w-   C:\Windows\System32\WUDFSvc.dll
2014-04-16 02:00:45   744448   ----a-w-   C:\Windows\System32\WUDFx.dll
2014-04-16 02:00:45   45056   ----a-w-   C:\Windows\System32\WUDFCoinstaller.dll
2014-04-16 02:00:45   229888   ----a-w-   C:\Windows\System32\WUDFHost.exe
2014-04-16 02:00:45   198656   ----a-w-   C:\Windows\System32\drivers\WUDFRd.sys
2014-04-16 02:00:45   194048   ----a-w-   C:\Windows\System32\WUDFPlatform.dll
2014-04-16 01:59:11   8199504   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-04-16 01:59:07   10521840   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{101D141D-4C56-46EB-8E8E-B32B008494EC}\mpengine.dll
2014-04-16 01:56:27   --------   d-----w-   C:\Windows\System32\MRT
2014-04-16 01:55:09   5120   ----a-w-   C:\Windows\SysWow64\wmi.dll
2014-04-16 01:55:09   5120   ----a-w-   C:\Windows\System32\wmi.dll
2014-04-16 01:55:09   23408   ----a-w-   C:\Windows\System32\drivers\fs_rec.sys
2014-04-16 01:50:48   70144   ----a-w-   C:\Windows\System32\appinfo.dll
2014-04-16 01:48:53   245760   ----a-w-   C:\Windows\System32\OxpsConverter.exe
2014-04-16 01:47:55   39936   ----a-w-   C:\Windows\System32\drivers\tssecsrv.sys
2014-04-16 01:40:35   210944   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2014-04-16 01:40:34   68608   ----a-w-   C:\Windows\System32\taskhost.exe
2014-04-16 01:40:34   624128   ----a-w-   C:\Windows\System32\qedit.dll
2014-04-16 01:40:34   509440   ----a-w-   C:\Windows\SysWow64\qedit.dll
2014-04-16 01:38:59   715776   ----a-w-   C:\Windows\System32\kerberos.dll
2014-04-16 01:32:34   805376   ----a-w-   C:\Windows\SysWow64\cdosys.dll
2014-04-16 01:30:16   826880   ----a-w-   C:\Windows\SysWow64\rdpcore.dll
2014-04-16 01:30:16   23552   ----a-w-   C:\Windows\System32\drivers\tdtcp.sys
2014-04-16 01:30:16   1031680   ----a-w-   C:\Windows\System32\rdpcore.dll
2014-04-16 01:25:17   2622464   ----a-w-   C:\Windows\System32\wucltux.dll
2014-04-16 01:25:08   99840   ----a-w-   C:\Windows\System32\wudriver.dll
2014-04-15 19:00:28   --------   d-----w-   C:\Program Files (x86)\Windows Easy Transfer 7
2014-04-09 21:41:57   --------   d-----w-   C:\Program Files (x86)\Belarc
.
==================== Find3M  ====================
.
2014-04-16 05:03:06   194048   ----a-w-   C:\Windows\SysWow64\elshyph.dll
2014-04-16 05:03:01   71680   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-04-16 05:03:01   645120   ----a-w-   C:\Windows\SysWow64\jsIntl.dll
2014-04-16 05:03:01   235008   ----a-w-   C:\Windows\System32\elshyph.dll
2014-04-16 05:03:01   182272   ----a-w-   C:\Windows\SysWow64\msls31.dll
2014-04-16 05:03:00   62464   ----a-w-   C:\Windows\SysWow64\tdc.ocx
2014-04-16 05:03:00   337408   ----a-w-   C:\Windows\SysWow64\html.iec
2014-04-16 05:03:00   24576   ----a-w-   C:\Windows\SysWow64\licmgr10.dll
2014-04-16 05:03:00   1051136   ----a-w-   C:\Windows\SysWow64\mshtmlmedia.dll
2014-04-16 02:22:40   9728   ---ha-w-   C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-31 14:35:08   270496   ------w-   C:\Windows\System32\MpSigStub.exe
2014-03-04 09:44:21   362496   ----a-w-   C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21   243712   ----a-w-   C:\Windows\System32\wow64.dll
2014-03-04 09:44:21   13312   ----a-w-   C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:03   16384   ----a-w-   C:\Windows\System32\ntvdm64.dll
2014-03-04 09:17:19   14336   ----a-w-   C:\Windows\SysWow64\ntvdm64.dll
2014-03-04 09:17:05   44032   ----a-w-   C:\Windows\apppatch\acwow64.dll
2014-03-04 09:16:54   25600   ----a-w-   C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18   5120   ----a-w-   C:\Windows\SysWow64\wow32.dll
2014-03-04 08:09:30   7680   ----a-w-   C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29   2048   ----a-w-   C:\Windows\SysWow64\user.exe
2014-02-07 01:23:30   3156480   ----a-w-   C:\Windows\System32\win32k.sys
.
============= FINISH: 12:45:08.68 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2014 8:24:30 PM
System Uptime: 5/7/2014 12:01:10 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M2N68-AM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | AM2 | 2300/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 312.499 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP25: 4/27/2014 12:44:12 PM - Windows Modules Installer
RP26: 5/4/2014 7:46:49 PM - Windows Modules Installer
RP27: 5/6/2014 12:55:30 PM - Windows Update
RP28: 5/6/2014 4:31:00 PM - Installed HiJackThis
RP29: 5/6/2014 5:13:46 PM - Windows Update
.
==== Installed Programs ======================
.
4500_G510af_Help
4500G510af
4500G510af_Software_Min
64 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 13 ActiveX
Adobe Flash Player 13 Plugin
Adobe Reader XI (11.0.06)
Adobe Shockwave Player 12.1
Advanced SystemCare 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUSUpdate
Avira Antivirus Suite
Bonjour
BufferChm
CutePDF Writer 2.8
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Google Earth
Google Update Helper
GPBaseService2
HiJackThis
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510a-f
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
IObit Uninstaller
iTunes
Java 7 Update 55
Java Auto Updater
Java(TM) 6 Update 22
Malwarebytes Anti-Malware version 2.0.1.1004
MarketResearch
Microsoft .NET Framework 4.5.1
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 28.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Control Panel 307.83
NVIDIA Graphics Driver 307.83
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
OCR Software by I.R.I.S. 13.0
OpenOffice.org 3.3
Realtek 8136 8168 8169 Ethernet Driver
Scan
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Shop for HP Supplies
Smart Defrag 3
SmartWebPrinting
SolutionCenter
SpywareBlaster 5.0
Status
Surfing Protection
swMSM
TeamViewer 9
Toolbox
TrayApp
WebReg
WinZip
.
==== Event Viewer Messages From Past Week ========
.
5/7/2014 12:02:15 PM, Error: Microsoft-Windows-WHEA-Logger [18]  - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Unknown Error Processor ID: 1 The details view of this entry contains further information.
5/6/2014 12:59:27 PM, Error: volmgr [46]  - Crash dump initialization failed!
.
==== End Of File ===========================
« Last Edit: May 08, 2014, 03:00:12 PM by Hoov »
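An added example, not code from the original post, from DDS or from the forum: a small Python triage script for a DDS log like the one above. It pulls out the three things a helper would check first after a remote-access session: entries in "Created Last 30" that fall inside the window when the caller had control, services or drivers that belong to remote-control tooling, and UAC policy values in the Pseudo HJT section that weaken elevation prompts. The sample lines are copied from the log above (a subset); the session window used in the demo (2014-05-06 21:00 to 22:30) is an assumption, since the post gives no connection times. One check worth knowing: DDS prints file times in UTC. In this log HiJackThis.exe is created at 21:31:40, which matches restore point RP28 "Installed HiJackThis" at 4:31 PM local time (GMT -5), so a window taken from a local-time TeamViewer log has to be shifted to UTC before comparing.

```python
"""Triage helpers for a DDS log after a remote-access (support-scam) session.

Added example; not code from the original post, DDS, or the forum. SAMPLE_DDS
is a subset of the log in the post with the "." spacer lines dropped.
"""
import re
from datetime import datetime

SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
============= SERVICES / DRIVERS ===============
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2014-4-15 440400]
R2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2014-5-6 5024576]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-5-6 56832]
=============== Created Last 30 ================
2014-05-06 22:12:56   --------   d-----w-   C:\Program Files (x86)\TeamViewer
2014-05-06 22:11:03   6574592   ----a-w-   C:\Windows\System32\mstscax.dll
2014-05-06 21:31:40   --------   d-----w-   C:\Program Files (x86)\Trend Micro
2014-05-06 17:55:17   1030144   ----a-w-   C:\Windows\System32\TSWorkspace.dll
2014-04-16 17:52:56   --------   d-----w-   C:\Program Files (x86)\Malwarebytes Anti-Malware
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
POLICY_RE = re.compile(r"^mPolicies-System:\s+(\w+)\s*=\s*dword:(\d+)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)\s+\[([\d-]+)\s+(\d+)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
DDS_TIME = "%Y-%m-%d %H:%M:%S"

# Name fragments of remote-control tooling (assumption: a starter watchlist,
# not a DDS convention). TeamViewer and the RDP USB-redirection driver appear
# in the post's log; the others are tools commonly pushed in support scams.
REMOTE_ACCESS_MARKERS = ("teamviewer", "tsusb", "rdpvideo", "anydesk", "logmein", "ammyy")


def parse_dds(text):
    """Split a DDS log into the three sections this triage needs."""
    out = {"policies": {}, "services": [], "created": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:                         # "===== Section Name =====" header
            section = m.group(1).lower()
            continue
        if section.startswith("pseudo hjt"):
            m = POLICY_RE.match(line)
            if m:
                out["policies"][m.group(1)] = int(m.group(2))
        elif section.startswith("services"):
            m = SERVICE_RE.match(line)
            if m:
                out["services"].append({"state": m.group(1), "name": m.group(2),
                                        "display": m.group(3), "path": m.group(4),
                                        "file_date": m.group(5)})
        elif section.startswith("created last"):
            m = CREATED_RE.match(line)
            if m:
                out["created"].append({"when": datetime.strptime(m.group(1), DDS_TIME),
                                       "path": m.group(4)})
    return out


def files_in_window(parsed, start, end):
    """Paths created inside [start, end], given as DDS-style 'YYYY-MM-DD HH:MM:SS'.

    DDS prints these times in UTC (in the post, HiJackThis.exe at 21:31:40 matches
    restore point RP28 at 4:31 PM local, GMT -5), so convert a local-time window
    from the TeamViewer log to UTC before calling this.
    """
    lo, hi = datetime.strptime(start, DDS_TIME), datetime.strptime(end, DDS_TIME)
    return [e["path"] for e in parsed["created"] if lo <= e["when"] <= hi]


def remote_access_services(parsed):
    """(service name, file date, path) for anything that looks like remote-control tooling."""
    hits = []
    for svc in parsed["services"]:
        blob = " ".join((svc["name"], svc["display"], svc["path"])).lower()
        if any(marker in blob for marker in REMOTE_ACCESS_MARKERS):
            hits.append((svc["name"], svc["file_date"], svc["path"]))
    return hits


def weak_uac(parsed):
    """UAC policy values that help whoever controls the desktop.

    Windows 7 defaults are ConsentPromptBehaviorAdmin=5 and PromptOnSecureDesktop=1.
    Admin=0 elevates with no prompt; PromptOnSecureDesktop=0 shows the prompt on the
    normal desktop, where any process running as the user (a remote-control session
    included) can see and click it; EnableLUA=0 turns UAC off.
    """
    p = parsed["policies"]
    findings = []
    if p.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC disabled")
    if p.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if p.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts not on the secure desktop")
    return findings


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    # Assumed session window (UTC); the post does not give the connection times.
    for path in files_in_window(parsed, "2014-05-06 21:00:00", "2014-05-06 22:30:00"):
        print("created during session:", path)
    for name, date, path in remote_access_services(parsed):
        print("remote-access service:", name, date, path)
    for finding in weak_uac(parsed):
        print("UAC:", finding)
```

Run against the full log rather than the subset to get the complete list; on the subset the window catches the TeamViewer directory, mstscax.dll and the Trend Micro (HiJackThis) directory, which here are the poster's own reinstall and tool install rather than the caller's work, which is exactly why the window has to come from the TeamViewer connection log and not be guessed. The watchlist and the UAC thresholds are the example's assumptions; extend them to whatever the caller directed the victim to install.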

Hoov:

I go by Hoov, and I will be helping you with your problem. As it has been a while since we helped you last, I am going to go over a few things. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem. Also tell me any other problems you are having, no matter how small or how long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now on to trying to fix your computer.

Before we actually start going through the computer, did she follow any instructions to install a particular piece of software? If all she did was listen to a phone call, then there is no damage. The people responsible for this sort of thing are cold calling people. Even if she followed instructions to download something, there is a good chance that there is still no issue. Some of these groups are good at social engineering, but rate poorly when it comes to actually taking over a computer.

Was she having any problems before the phone call?

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

BunnySlave:

Sir Hoov,

Been years since I have been here.  I believe you may have helped me years ago.  I have been here before (days of HJT), and know to stay on this thread and site only.
As requested, I will follow all instructions and assist you to the best of my ability...  And I do have faith, as I have seen you guys clean up HORRID messes.
This computer is backed up, not under care of IT (other than me/wife), personal home PC with no encryption.  We just moved her to Win7 and Firefox, and everything was running fine.  Also got her on Avira Security suite.
Now on to business...
This was a cold caller, and may not have done damage.  When the scammer told Sis that my wife did not know what she was doing (we built machine), she then sensed a scam and shut down teamviewer.  My wife uses Teamviewer to maintain family computers. 

The scammer told her that he was from Microsoft, windows was not updating and he needed to fix.  He did direct her to Teamviewer site, but it was already installed, and she gave him access. 
My wife examined the Teamviewer log, and it appears that he installed SUPERantispyware and Chrome via script, and other activities we cannot identify (log available).  Time stamps appear to indicate only a few minutes in the computer before disconnected. This freaked us out, as we have not seen this scam before. 
An editor from Wired.co.uk  played the scam through to see it done. Interesting.
hxxp://www.wired.co.uk/news/archive/2013-04/11/malwarebytes

Immediate actions taken:
NOTE: ALL uninstalls done with IO Bit uninstaller
uninstall SUPERantispyware / uninstall Chrome
Ran IO Bit Advanced System Care 7.2 (latest version)
Ran Spywareblaster / Ran Avira scan
uninstall Teamviewer/re-install (to get new ID number)
shutdown/restart router/modem (new Cox IP)
All scans came up clean.
Run hijack log, then found that I needed DDS instead.  Shutdown Avira and ran DDS...

On a side note, we put out FB posts (hundreds of friends and family) to warn of this. It is a perfect scam to pull on anyone that does not understand their PC (85% of users), and with XP going away, Microsoft is like a GOV agency to many. Anyone who does not have someone to watch over them is vulnerable to fear-mongering techno-babble and will open a Paypal acct. to give away money.
The computer we are trying to fix is 10 miles from here.  My wife would like to know if we can run any of the needed "fixes" remotely with Teamviewer.
We will follow your recommendation on this, and will happily travel if needed.  Keep this in mind.

Thanx for your Counsel and Time...
BS
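An added example (not from this thread) of the log review BunnySlave's wife did by hand: parse a TeamViewer Connections_incoming.txt and flag incoming sessions whose partner ID is not on the household's known list. The tab-separated column layout is assumed, and the partner IDs, names and times in the sample are constructed.

```python
# Added example, not code from the thread: review a TeamViewer incoming-connection
# log for remote sessions that did not come from a known partner ID.
# Assumed layout of Connections_incoming.txt (tab-separated, one session per line):
#   PartnerID  PartnerName  StartDateTime  EndDateTime  LocalUser  Mode  SessionID
from datetime import datetime
from typing import Dict, Iterable, List

TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log: the IDs, names and timestamps are invented placeholders.
SAMPLE_LOG = (
    "111111111\tWifeLaptop\t03-05-2014 19:02:10\t03-05-2014 19:40:55\tCathy\tRemoteControl\t{s-1}\n"
    "222222222\tMicrosoft Support\t06-05-2014 14:11:03\t06-05-2014 14:17:48\tCathy\tRemoteControl\t{s-2}\n"
    "111111111\tWifeLaptop\t07-05-2014 09:30:00\t07-05-2014 09:31:12\tCathy\tFileTransfer\t{s-3}\n"
)


def parse_incoming(text: str) -> List[Dict]:
    """Turn each well-formed log line into a session record with its duration."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 7:
            continue  # blank or malformed line: skip rather than crash mid-review
        start = datetime.strptime(fields[2], TIME_FMT)
        end = datetime.strptime(fields[3], TIME_FMT)
        sessions.append({
            "partner_id": fields[0],
            "partner_name": fields[1],
            "start": start,
            "seconds": int((end - start).total_seconds()),
            "local_user": fields[4],
            "mode": fields[5],
        })
    return sessions


def unknown_sessions(sessions: List[Dict], known_ids: Iterable[str]) -> List[Dict]:
    """Sessions from partner IDs outside the allow-list deserve a closer look."""
    allowed = set(known_ids)
    return [s for s in sessions if s["partner_id"] not in allowed]


if __name__ == "__main__":
    # The wife's own TeamViewer ID is the only one expected to connect.
    for s in unknown_sessions(parse_incoming(SAMPLE_LOG), {"111111111"}):
        print(f"{s['start']:%Y-%m-%d %H:%M} {s['partner_id']} ({s['partner_name']}) "
              f"{s['mode']} for {s['seconds']} s as {s['local_user']}")
```

On a real machine, read the file from the TeamViewer installation folder instead of SAMPLE_LOG; the session durations help tell a quick disconnect from a long unattended session.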





Hoov
To be honest I am not sure if these can be run remotely, but you can try. Sounds like the connection was shut down just in time. Please zip up the log generated and attach it to your next reply. If it is too large to attach, let me know and I will send you a PM with instructions on what to do with it. Has the user noticed anything wrong with the computer?

Other than that we can run a few scans just to make sure that you are safe.

Please follow these steps:

1.- Download AdwCleaner by Xplode onto your Desktop.
  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • Please be patient as this can take a while to complete.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt.
2.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
3.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.


Now startup Malwarebytes' Anti-Malware and update it. Run a threat scan on your system. If it finds nothing, post that log. If it does find something, fix it and then post that log instead.

Hoov
BunnySlave, do you still need help?

BunnySlave
TESTING

Sir Hoov,

I cannot post last logs, as website blocks.....
If you can see this, it no longer detects issues...
Logs to follow

BunnySlave
sir hoov...

cannot post or message....
Server/firewall blocking...
tried to post block message, but blocked also....
appears I can add text to this message, but if I try to post Block message or logs, BLOCKED
All scanners and cleaners find nothing.....
« Last Edit: May 18, 2014, 10:44:12 AM by BunnySlave »

Hoov
Are you getting a 404 error? If you are zip up the logs and attach them instead of trying to post them.

BunnySlave
sir Hoov,

Logs attached
Success!!!
After we check this one, maybe need your help with this station.
Thanx

Hoov
Please run ADWCleaner again, this time after the scan is done click the clean button and then post the resulting log. Also the log from roguekiller was not in the zipped file. Please post that as well.

BunnySlave
Sir Hoov....

Sorry for delay...

Attached are logs requested

Hoov
I did the same thing as well, missed your post.

How is the computer running? To this point there has been some malware on the computer, but nothing nasty, and nothing that points to further problems. The type of scam that you said happened usually results in nasty malware. But if your computer is running normally, with the logs from the scans that you have run, I believe that your sister did break the connection before anything happened.

BunnySlave
Sir Hoov,

THanx for your assistance.
The machine in question is running well...
I will post DDS logs for my own machine in another thread...

Hoov
Now there are a few things you need to do to fully clean your system and keep it secure.

Run OTC
Download OTC to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion. There is System Security Suite, EasyCleaner, Ccleaner. Also, other programs sometimes do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.
For Vista use these instructions, Windows Vista Restore Guide
For XP use these instructions, Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above
Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware, and Malwarebytes' Anti-Malware.

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
 
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software you have that connects to the net, need to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. Download version 2. It is not the download button, but just underneath it. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.
