Author Topic: [Resolved] Infected with Vista security 2012

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22894
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected with Vista security 2012
« Reply #15 on: December 29, 2011, 03:44:00 PM »
Save this file to the desktop and then right-click on it and select Merge. Do that from within the profile with the problem. Once it is done, reboot the computer and let me know if that fixed the issue.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Hualong

  • Bronze Member
  • Posts: 83
Re: [In Progress] Infected with Vista security 2012
« Reply #16 on: December 31, 2011, 09:20:04 AM »
Everything seems to be OK now that I was able to remove those files. I am able to open programs even when I changed the account to limited user. Do you still want me to save that file? If yes, how do I do that? Once I click on "this file", this opened up: [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice] What do I do next?
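
The registry line quoted above is the whole point of the .reg file: it deletes the per-user UserChoice override for .exe, which is how this family of rogue AV makes every program launch go through the malware. The script below is an added example, not the .reg file from this thread and not the forum's own tool. It reports every per-user place the .exe association can be overridden, removes them, and checks that the effective handler is back to the stock exefile. It assumes a clean machine defines .exe only machine-wide (HKLM\SOFTWARE\Classes, ProgId "exefile", command "%1" %*), so any per-user override is treated as a hijack. Run it as the affected user and not elevated, for the same reason the .reg file has to be merged from within the affected profile: HKCU must be that user's hive.

```powershell
# Added example, not the .reg file from this thread. Run it in the affected
# user's profile and NOT elevated, so HKCU is that user's hive.
# Assumption: a clean machine defines .exe only machine-wide (HKLM\SOFTWARE\Classes,
# ProgId "exefile", command "%1" %*), so any per-user override of .exe is a hijack.

$UserChoiceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
$UserClassKey  = 'HKCU:\Software\Classes\.exe'

function Get-RegDefault([string]$Key) {
    # A key's (default) value, or $null when the key does not exist.
    if (Test-Path -LiteralPath $Key) { (Get-ItemProperty -LiteralPath $Key).'(default)' } else { $null }
}

function Get-ExeAssociationState {
    # The handler Explorer will actually use, plus every per-user place it can be overridden.
    $effective  = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
    $userProgId = Get-RegDefault $UserClassKey
    [pscustomobject]@{
        EffectiveProgId    = $effective
        EffectiveCommand   = if ($effective) { Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command" } else { $null }
        UserChoiceProgId   = if (Test-Path -LiteralPath $UserChoiceKey) { (Get-ItemProperty -LiteralPath $UserChoiceKey).ProgId } else { $null }
        UserClassProgId    = $userProgId
        UserHandlerCommand = if ($userProgId) { Get-RegDefault "HKCU:\Software\Classes\$userProgId\shell\open\command" } else { $null }
    }
}

function Repair-ExeAssociation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-ExeAssociationState
    Write-Host 'Before:'; $before | Format-List | Out-String | Write-Host

    # 1. The UserChoice override: this is the key the thread's .reg file deletes.
    if (Test-Path -LiteralPath $UserChoiceKey) {
        Remove-Item -LiteralPath $UserChoiceKey -Recurse -Force
    }
    # 2. A per-user .exe class and the ProgId it points at. Rogue AV typically
    #    invents a ProgId whose open command launches the malware with the real
    #    program as an argument; no such ProgId belongs under HKCU.
    if ($before.UserClassProgId) {
        $rogue = "HKCU:\Software\Classes\$($before.UserClassProgId)"
        if ($before.UserClassProgId -ne 'exefile' -and (Test-Path -LiteralPath $rogue)) {
            Remove-Item -LiteralPath $rogue -Recurse -Force
        }
        Remove-Item -LiteralPath $UserClassKey -Recurse -Force
    }
    # 3. A per-user copy of exefile itself shadows the machine-wide one.
    if (Test-Path -LiteralPath 'HKCU:\Software\Classes\exefile') {
        Remove-Item -LiteralPath 'HKCU:\Software\Classes\exefile' -Recurse -Force
    }

    $after = Get-ExeAssociationState
    Write-Host 'After:'; $after | Format-List | Out-String | Write-Host
    if (-not $WhatIfPreference -and
        ($after.EffectiveProgId -ne 'exefile' -or $after.EffectiveCommand -ne '"%1" %*')) {
        Write-Warning 'Effective .exe handler is still not the stock exefile: the override is in HKLM\SOFTWARE\Classes and needs an elevated session.'
    }
}

Repair-ExeAssociation -WhatIf   # dry run: prints what would be removed
# Repair-ExeAssociation         # apply, then reboot (or log off and on) as the thread says
```

Run the dry run first and read the "Before" block: UserHandlerCommand is the line that tells you what every double-click has actually been launching. After the real run, reboot as Hoov instructs; Explorer caches associations, so the "After" block is only meaningful once the session has been restarted.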

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22894
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected with Vista security 2012
« Reply #17 on: December 31, 2011, 09:46:23 AM »
If everything is well, then don't worry about the last instructions I gave you. How is the computer running, any problems left?


Offline Hualong

  • Bronze Member
  • Posts: 83
Re: [In Progress] Infected with Vista security 2012
« Reply #18 on: January 02, 2012, 10:55:16 AM »
Well, I woke my computer from sleep this morning and noticed Kaspersky notified me of one threat detected. I clicked on the recommended action, which is to disinfect, and it started scanning with 2 additional threats. It said it would reboot when it's done. I have never seen this action by Kaspersky before. Normally it would just disinfect. Anyway, when it rebooted my computer, I got a black screen with a small pop-up window saying "window: bad image" and many more comments after that which I can't remember. It just got stuck there and the computer was unresponsive. I forced a shutdown of the computer and restarted. After the restart, when I logged into the original infected account, Kaspersky alerted me that it would search for damage done to my computer by malware and attempt to fix it. When it was done, the first step it wanted me to fix was to enable autorun. I find this to be odd since I remember someone told me autorun can put your computer at risk. So I canceled Kaspersky and rebooted my computer. Now I can't log into the account. It just gets stuck there once I enter the password. I had to force a shutdown and then try to log into other accounts. I was able to get in, but when I want to open a program, it just gets stuck there as well. In safe mode, the computer seems to respond fine. I'm typing this in safe mode on this computer. My wife watched some online movie last night, so I am not sure if this is a new infection or damage from the previous infection. Ran Malwarebytes in safe mode and it came up with zero.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22894
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected with Vista security 2012
« Reply #19 on: January 02, 2012, 02:12:45 PM »
Can you get into Kaspersky in safe mode? If you can I would like to know what it found and where, if it is in the logs.


Offline Hualong

  • Bronze Member
  • Posts: 83
Re: [In Progress] Infected with Vista security 2012
« Reply #20 on: January 03, 2012, 04:13:21 AM »
Date: Yesterday (614)   
System (1)   
1/2/2012 8:33:02 AM   File Anti-Virus   Detected: Trojan.Win32.FakeAV.jyhz   C:\Users\HUONG\APPDATA\LOCAL\HUN.EXE      
Kaspersky Anti-Virus (42)   
1/2/2012 12:54:53 AM   Update   Task started   Update      
1/2/2012 12:55:26 AM   Update   Task completed   Update      
1/2/2012 12:55:26 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jeqb   C:\Users\Huong\AppData\Local\temp\241.0012.exe      
1/2/2012 12:55:26 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jrdu   C:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe      
1/2/2012 8:32:07 AM   Update   Task started   Update      
1/2/2012 8:32:57 AM   Update   Task completed   Update   Not all components were updated   
1/2/2012 8:32:57 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jeqb   C:\Users\Huong\AppData\Local\temp\241.0012.exe      
1/2/2012 8:32:57 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jrdu   C:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe      
1/2/2012 8:33:02 AM   Protection Center   Threats have been detected         
1/2/2012 8:39:04 AM   Custom Scan   Task started   Disinfect active threats      
1/2/2012 8:39:41 AM   Protection Center   Threats have been detected         
1/2/2012 8:44:30 AM   Protection Center   Threats have been detected         
1/2/2012 8:47:55 AM   Custom Scan   Task completed   Disinfect active threats      
1/2/2012 8:51:36 AM   Protection Center   Threats have been detected         
1/2/2012 8:51:36 AM   Custom Scan   Task started   Full Scan      
1/2/2012 8:51:36 AM   File Anti-Virus   Task started   File Anti-Virus      
1/2/2012 8:51:36 AM   Mail Anti-Virus   Task started   Mail Anti-Virus      
1/2/2012 8:51:36 AM   IM Anti-Virus   Task started   IM Anti-Virus      
1/2/2012 8:51:36 AM   Proactive Defense   Task started   Proactive Defense      
1/2/2012 8:51:36 AM   Web Anti-Virus   Task started   Web Anti-Virus      
1/2/2012 8:51:36 AM   Protection Center   Your computer is protected         
1/2/2012 8:55:22 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jeqb   C:\Users\Huong\AppData\Local\temp\241.0012.exe      
1/2/2012 8:55:22 AM   Protection Center   Detected: Trojan.Win32.FakeAV.jrdu   C:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe      
1/2/2012 9:54:32 AM   Protection Center   Protection is not running         
1/2/2012 9:54:33 AM   Custom Scan   Task stopped   Full Scan      
1/2/2012 9:55:35 AM   File Anti-Virus   Task started   File Anti-Virus      
1/2/2012 9:55:35 AM   IM Anti-Virus   Task started   IM Anti-Virus      
1/2/2012 9:55:35 AM   Mail Anti-Virus   Task started   Mail Anti-Virus      
1/2/2012 9:55:35 AM   Proactive Defense   Task started   Proactive Defense      
1/2/2012 9:55:35 AM   Web Anti-Virus   Task started   Web Anti-Virus      
1/2/2012 9:55:35 AM   Protection Center   Your computer is protected         
1/2/2012 10:04:29 AM   File Anti-Virus   Task started   File Anti-Virus      
1/2/2012 10:04:29 AM   IM Anti-Virus   Task started   IM Anti-Virus      
1/2/2012 10:04:29 AM   Mail Anti-Virus   Task started   Mail Anti-Virus      
1/2/2012 10:04:29 AM   Proactive Defense   Task started   Proactive Defense      
1/2/2012 10:04:29 AM   Web Anti-Virus   Task started   Web Anti-Virus      
1/2/2012 10:20:47 AM   File Anti-Virus   Task started   File Anti-Virus      
1/2/2012 10:20:47 AM   IM Anti-Virus   Task started   IM Anti-Virus      
1/2/2012 10:20:47 AM   Mail Anti-Virus   Task started   Mail Anti-Virus      
1/2/2012 10:20:47 AM   Proactive Defense   Task started   Proactive Defense      
1/2/2012 10:20:47 AM   Web Anti-Virus   Task started   Web Anti-Virus      
1/2/2012 10:20:47 AM   Protection Center   Your computer is protected         
Host Process for Windows Services (5)   
1/2/2012 2:28:32 AM   File Anti-Virus   Packed: Py2Exe   C:\Users\Long\AppData\Roaming\dropbox\bin\Dropbox.exe      
1/2/2012 8:49:13 AM   File Anti-Virus   Packed: UPX   C:\Users\Admin\Desktop\HijackThis.exe      
1/2/2012 9:07:15 AM   File Anti-Virus   Packed: PE_Patch.Stolen   C:\WINDOWS\SYSWOW64\wlanapi.dll      
1/2/2012 9:22:10 AM   File Anti-Virus   Packed: UPX   C:\Users\Long\DOWNLOADS\rkill.exe      
1/2/2012 9:22:18 AM   File Anti-Virus   Packed: UPX   C:\Users\HUONG\DOWNLOADS\FIREFOX SETUP 4.0 (1).EXE      
Microsoft Windows Search Indexer (3)   
1/2/2012 8:52:03 AM   Self-Defense   Denied   C:\ProgramData\Kaspersky Lab\AVP11\SysWHist\amlogs      
1/2/2012 10:04:33 AM   Self-Defense   Denied   C:\ProgramData\Kaspersky Lab\AVP11\SysWHist\amlogs      
1/2/2012 10:21:01 AM   Self-Defense   Denied   C:\ProgramData\Kaspersky Lab\AVP11\SysWHist\amlogs      
Windows Explorer (1)   
1/2/2012 9:20:02 AM   File Anti-Virus   Packed: UPX   C:\Program Files (x86)\Rosetta Stone\RS2.1.4.1A_Support\Uninstall_Rosetta Stone 2.1.4.1A\Uninstall Rosetta Stone 2.1.4.1A.exe      
Malwarebytes Anti-Malware (428)   
Firefox (83)   
Java(TM) Platform SE binary (1)   
1/2/2012 2:10:37 AM   File Anti-Virus   Processing error   C:\Program Files (x86)\JAVA\JRE6\lib\rt.jar   Read error   
Unknown application (2)   
1/2/2012 2:10:53 AM   Proactive Defense   Detected: PDM.RootShell   C:\USERS\HUONG\APPDATA\LOCAL\TEMP\853.6800.EXE      
1/2/2012 2:10:53 AM   Proactive Defense   Allowed: PDM.RootShell   C:\USERS\HUONG\APPDATA\LOCAL\TEMP\853.6800.EXE   Action selected according to the settings   
Unknown application (48)   
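
What Hoov asked for (what was found and where) is in the export above, but the interesting part is the pattern across time, not any single line: the same two files under AppData\Local\temp are reported at 12:55 AM, again at 8:32 AM, and again at 8:55 AM, after the "Disinfect active threats" task completed at 8:47:55, and Proactive Defense logged PDM.RootShell on 853.6800.EXE as Allowed rather than blocked. The script below is an added example, not part of the thread and not a Kaspersky tool. It parses an export of this shape, groups detections by path, and flags paths that were detected again after the disinfect task finished and detections that were allowed. The sample lines are transcribed from the post above; the tab separators are an assumption, since the forum flattened the original columns.

```powershell
# Added example, not part of the thread: triage a Kaspersky event export.
# Sample lines transcribed from the post above; tab separators are assumed.
$sample = @(
    "1/2/2012 12:55:26 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jeqb`tC:\Users\Huong\AppData\Local\temp\241.0012.exe",
    "1/2/2012 12:55:26 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jrdu`tC:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe",
    "1/2/2012 2:10:53 AM`tProactive Defense`tDetected: PDM.RootShell`tC:\USERS\HUONG\APPDATA\LOCAL\TEMP\853.6800.EXE",
    "1/2/2012 2:10:53 AM`tProactive Defense`tAllowed: PDM.RootShell`tC:\USERS\HUONG\APPDATA\LOCAL\TEMP\853.6800.EXE`tAction selected according to the settings",
    "1/2/2012 8:32:57 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jeqb`tC:\Users\Huong\AppData\Local\temp\241.0012.exe",
    "1/2/2012 8:32:57 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jrdu`tC:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe",
    "1/2/2012 8:33:02 AM`tFile Anti-Virus`tDetected: Trojan.Win32.FakeAV.jyhz`tC:\Users\HUONG\APPDATA\LOCAL\HUN.EXE",
    "1/2/2012 8:39:04 AM`tCustom Scan`tTask started`tDisinfect active threats",
    "1/2/2012 8:47:55 AM`tCustom Scan`tTask completed`tDisinfect active threats",
    "1/2/2012 8:55:22 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jeqb`tC:\Users\Huong\AppData\Local\temp\241.0012.exe",
    "1/2/2012 8:55:22 AM`tProtection Center`tDetected: Trojan.Win32.FakeAV.jrdu`tC:\Users\Huong\AppData\Local\temp\oiu0.8295253070349344.exe",
    "1/2/2012 9:07:15 AM`tFile Anti-Virus`tPacked: PE_Patch.Stolen`tC:\WINDOWS\SYSWOW64\wlanapi.dll"
)

function ConvertFrom-KavEvent {
    # One export line -> object. Columns: time, component, event, object, [detail].
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $f = $Line -split "`t"
        if ($f.Count -lt 3) { return }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($f[0], 'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
            Component = $f[1]
            Event     = $f[2]
            Object    = if ($f.Count -gt 3) { $f[3] } else { '' }
        }
    }
}

function Get-KavTriage {
    param([string[]]$Lines)
    $events = $Lines | ConvertFrom-KavEvent
    # When the "Disinfect active threats" task finished: anything detected again
    # after this point survived the cleanup or was re-created afterwards.
    $cleanupDone = ($events | Where-Object { $_.Event -eq 'Task completed' -and $_.Object -eq 'Disinfect active threats' } |
                    Select-Object -First 1).Time
    $detections = foreach ($e in $events) {
        if ($e.Event -match '^(?<action>Detected|Allowed): (?<name>.+)$') {
            [pscustomobject]@{ Time = $e.Time; Action = $Matches['action']; Name = $Matches['name']; Object = $e.Object }
        }
    }
    $detections | Group-Object -Property Object | ForEach-Object {
        $hits = @($_.Group | Sort-Object -Property Time)
        [pscustomobject]@{
            Object         = $_.Name
            Names          = ($hits | Select-Object -ExpandProperty Name | Sort-Object -Unique) -join ', '
            Hits           = $hits.Count
            Last           = $hits[-1].Time
            Allowed        = [bool]($hits | Where-Object { $_.Action -eq 'Allowed' })
            AfterDisinfect = [bool]($cleanupDone -and $hits[-1].Time -gt $cleanupDone)
        }
    } | Sort-Object -Property AfterDisinfect, Hits -Descending
}

Get-KavTriage -Lines $sample | Format-Table -AutoSize
```

On the sample, the two temp files come out on top with three hits each and AfterDisinfect set, and 853.6800.EXE is the only row with Allowed set. A path that keeps reappearing after a completed disinfect task is either not being removed or is being dropped again by something that is still running, which is why the next step in a thread like this is an autostart and service review rather than another scan of the same files.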

Offline Hoov

Re: [In Progress] Infected with Vista security 2012
« Reply #21 on: January 03, 2012, 09:06:32 AM »
1. Download and scan with CCleaner
When you get to the website, there is a dark grey box on the left side with two tabs along the top. Inside this dark grey box is a light grey box. Below that light grey box is where the download links are. The pay amount is for paid support.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

    • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.

In the Applications Tab:

    • Clean all except cookies in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet section.
    • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising that this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

Then please run rkill again. Then update Malwarebytes' Anti-Malware and run a full scan with it. Fix anything found and then post the log.

Then using IE, please perform this online scan: F-Secure Online Scanner
Follow the directions on the F-Secure page for proper installation.
    * You may receive an alert on the address bar at this point to install the ActiveX control.
    * Click on that alert and then click "Install ActiveX component".
    * Read the license agreement and click "Accept".
    * Click "Full System Scan" to download the scanning components and begin scan and cleaning.
    * When the scan completes, click the "I want to decide item by item" button.
    * For each item found, select "Disinfect" and click "Next".
    * When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

Offline Hualong

Re: [In Progress] Infected with Vista security 2012
« Reply #22 on: January 03, 2012, 10:05:28 AM »
For CCleaner:
In the Windows tab: can you give me an example where one uses network passwords? I don't have any sites remember my password for anything, but I'm not sure what network password is referring to. Also, what is wipe free space? CCleaner warns it will take a very long time to run. I want to make sure before I clean.

Offline Hualong

Re: [In Progress] Infected with Vista security 2012
« Reply #23 on: January 03, 2012, 10:09:52 AM »
For CCleaner:
Under the Windows tab: can you give me an example of when one uses a network password? I want to make sure before I clean this. Also, what is wipe free space in Advanced? CCleaner says it will take a long time. Thanks

Offline Hualong

Re: [In Progress] Infected with Vista security 2012
« Reply #24 on: January 03, 2012, 10:40:08 AM »
Also, what is tray notification cache? It says I need to restart the explorer.exe process once it resets. Is that simple to do?

Offline Hoov

Re: [In Progress] Infected with Vista security 2012
« Reply #25 on: January 03, 2012, 11:13:50 AM »
Network passwords are passwords you use to get into another computer on your home network. Usually there is no need to check that one. As for the tray notification cache, that is the cache that the system tray (down in the right corner of Windows) uses if you hide icons.

Offline Hualong

Re: [In Progress] Infected with Vista security 2012
« Reply #26 on: January 03, 2012, 12:08:48 PM »
Will you show me how to restart explorer.exe? Also, what is window size/location cache? It says it will reset any saved Windows Explorer location and view settings.

Offline Hoov

Re: [In Progress] Infected with Vista security 2012
« Reply #27 on: January 03, 2012, 01:53:46 PM »
To restart explorer.exe you can just reboot the computer. Window Size/Location cache is the settings that tell each window how big and where on the desktop to display the window.

If you are unsure about any of the options, just leave them unchecked. I am more concerned about all the temporary files and the browser cache files.

Offline Hualong

Re: [In Progress] Infected with Vista security 2012
« Reply #28 on: January 03, 2012, 07:36:27 PM »
I can't perform the F-Secure scan. I am getting errors: cannot download files to do the scan.

Offline Hoov

Re: [In Progress] Infected with Vista security 2012
« Reply #29 on: January 03, 2012, 07:48:17 PM »
I need you to reboot Windows cleanly. To do that, please go to the Run command and type in msconfig. Once that starts, select Selective startup, and then uncheck "Load startup items". Now click on the Services tab, and down near the bottom of the window, check the box that says "Hide all Microsoft services". Now go up and uncheck all the services still listed; make sure you scroll down the list if you need to, to unselect all the non-Microsoft services. Now click Apply, then click OK and reboot the computer.

Now go online and try running the scan. Don't go anywhere else; all your security is off. Once it is done, or fails, run msconfig and select Normal startup, then click Apply then OK and reboot. Let me know how it goes.
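
The clean boot above switches off every non-Microsoft service and every startup item at once, which is the right move for getting a scanner to download, but it also means you never see what was switched off. The script below is an added example, not from the thread and not an msconfig feature: a read-only inventory of the same sources msconfig's Selective startup disables (the Run and RunOnce keys, the Startup folders, and automatic services), filtered the way "Hide all Microsoft services" filters, on the company name in the binary's version resource. It assumes that name is good enough for a first pass; malware can fake it, so the Authenticode status of each service binary is listed alongside. An entry you do not recognise, in a user temp or AppData path, is what to look at before turning everything back on with Normal startup.

```powershell
# Added example, not from the thread: read-only inventory of what msconfig's
# "Selective startup" would disable. Nothing here changes the system.
# Assumption: the version-resource CompanyName is a reasonable first-pass filter,
# as msconfig's "Hide all Microsoft services" uses; it is shown next to the
# Authenticode status because malware can set CompanyName to anything.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit entries on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-StartupEntries {
    # Registry Run/RunOnce values plus the per-user and all-users Startup folders.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }   # provider metadata, not a value
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'),
                 (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'))
    foreach ($folder in $folders) {
        if (-not ($folder -and (Test-Path -LiteralPath $folder))) { continue }
        Get-ChildItem -LiteralPath $folder | Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
    }
}

function Resolve-ServiceExe([string]$PathName) {
    # "C:\x\y.exe" -k args  or  C:\x\y.exe -k args  ->  C:\x\y.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName   # unparsed fallback
}

function Get-NonMicrosoftAutoServices {
    # What remains visible in msconfig's Services tab after "Hide all Microsoft services".
    Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        $exe     = Resolve-ServiceExe $_.PathName
        $exists  = $exe -and (Test-Path -LiteralPath $exe)
        $company = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo.CompanyName } else { $null }
        if ($company -match 'Microsoft') { return }   # hidden by msconfig, skipped here too
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            Company   = if ($company) { $company } else { '(none)' }
            Signature = $sig
            Path      = $exe
        }
    }
}

"== Startup items (msconfig: 'Load startup items') =="
Get-StartupEntries | Format-Table -AutoSize
"== Automatic services left after 'Hide all Microsoft services' =="
Get-NonMicrosoftAutoServices | Format-Table -AutoSize
```

Run it from the same session before changing msconfig and keep the output; after the scan and the return to Normal startup, run it again and diff the two. Anything that was not in the first list but is in the second came back on its own.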