Author Topic: [Resolved] Malware/Spyware Mayor problem, cant solve it or dont know what  (Read 3808 times)


Offline Bear

Hi Vivian

You're doing just great.  I think we're getting there.

1.  Disable all of your Anti-Virus, Anti-Spyware programs again.

2.  Open Notepad, click on Format and be sure Word Wrap is NOT checked.  Then copy the text in the code box below and paste it into the Notepad window.  Now name this file CFScript.txt and save it to your Desktop.

Code:

KILLALL::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

File::

Folder::
c:\users\Default\AppData\Local\AskToolbar

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= -


Driver::

Firefox::

dirlook::

FCopy::

DDS::


4. Close all open browsers.



5. Referring to the picture above, drag CFScript.txt onto the ComboFix.exe icon.  ComboFix will run and produce a report.  This report will be saved at C:\ComboFix.txt.

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.  Reboot your computer.

6.  Please download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine, which may be noticed by other security programs that detect registry changes.  Make sure you are connected to the Internet.   Double-click on mbam-setup.exe to install the application.
   When the installation begins, follow the prompts and do not make any changes to default settings.
   When installation has finished, make sure you leave both of these checked:
o   Update Malwarebytes' Anti-Malware
o   Launch Malwarebytes' Anti-Malware
   Then click Finish.
   MBAM will automatically start and you will be asked to update the program before performing a scan.
   If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
   If you encounter any problems while downloading the definition updates, manually download them from updates and just double-click on mbam-rules.exe to install.

7.  On the Scanner tab:
   Make sure the "Perform Full Scan" option is selected.
   Then click on the Scan button.
   If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
   The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
   When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
   Click OK to close the message box and continue with the removal process.

8.  Back at the main Scanner screen:
   Click on the Show Results button to see a list of any malware that was found.
   Make sure that everything is checked, and click Remove Selected.
   When removal is completed, a log report will open in Notepad.
   The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
   Exit MBAM when done.
   
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

9.  Download ESET Online Scanner and save it to your desktop.

10.  Double-click on esetsmartinstaller and then click Run.  Click Yes on the license and then Start.

11.  Be sure that ONLY the following items are checked:
   Remove found threats
   Scan for potentially unwanted applications
   Enable Anti-Stealth technology

Click Start.

It may take some time for the virus definitions to download and the scan to finish.  Do not click on the interface, download or install anything until the scan completes.  When the scan completes click Finish.

12.  Navigate to the following file path, C:\Program Files\ESET\ESET Online Scanner and Double-click on the log.txt file.  Click File/Save As and name the file ESETLog.txt and save it to your desktop.

Now please post the following to me as a reply to this post:
ComboFix.txt
mbam-log-(date).txt
ESETLog.txt
Let me know how your computer and browser are operating.
If you have any questions or problems, let me know that as well.




Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline vivianaivett

Dear Bear:

I had a pop-up screen while ComboFix was running the file you told me to drop in it.  After it rebooted, the ComboFix screen started "Preparing Log Report. Do not run any program until ComboFix is finished", but while this screen was coming up on the reboot, a screen from Toshiba came up that just started appearing recently (2 screens, one after the other) offering me to sign up with my password; I usually exit out of both screens.  When I exited, a window (I think) came up and said "Illegal operation, cannot delete Toshiba" (don't remember the remaining part), but I just exited it (it says OK at the bottom, but I did not click that).  Hope it was OK.  I got the first part done and I should be sending it to you soon.

Offline Bear

Hi Vivian

I'll see when I look at the data.  Once we get your PC all set up, if you're still having the popups we'll try to fix them.

Offline vivianaivett

Combofix.txt

part 1

ComboFix 12-01-23.02 - Ivett 01/25/2012  18:03:10.2.1 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1790.1080 [GMT -5:00]
Running from: c:\users\Ivett\Desktop\ComboFix.exe
Command switches used :: c:\users\Ivett\Desktop\CFScript.txt
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Default\AppData\Local\AskToolbar
c:\users\Default\AppData\Local\AskToolbar\Downloaded Program Files\avira.inf
c:\users\Default\AppData\Local\AskToolbar\Downloaded Program Files\AviraTrans.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-25 to 2012-01-25  )))))))))))))))))))))))))))))))
.
.
2012-01-25 23:12 . 2012-01-25 23:12   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-25 00:04 . 2012-01-06 01:19   6557240   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89945950-D0B9-4B2D-943D-4CC2F90B646F}\mpengine.dll
2012-01-24 00:27 . 2012-01-24 00:27   --------   d-----w-   C:\_OTL
2012-01-23 04:06 . 2012-01-23 04:13   111872   ----a-w-   c:\windows\system32\drivers\TrueSight.sys
2012-01-23 01:06 . 2012-01-23 01:07   --------   dc----w-   c:\users\Ivett\AppData\Local\MigWiz
2012-01-22 03:22 . 2012-01-06 01:19   6557240   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-21 01:31 . 2012-01-21 01:31   703824   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6FD05E23-70B2-406C-B748-DE3943E2AB0F}\gapaengine.dll
2012-01-21 01:30 . 2012-01-21 01:30   --------   d-----w-   c:\program files\Microsoft Security Client
2012-01-20 03:39 . 2012-01-20 03:46   --------   d-----w-   c:\programdata\SUPERSetup
2012-01-20 03:13 . 2012-01-20 03:13   7450888   ----a-w-   c:\program files\Common Files\Windows Live\.cache\6d7ccf7a1ccd72101\bingbarsetup.exe
2012-01-20 02:43 . 2012-01-20 03:23   --------   d-----w-   c:\programdata\PC Unleashed Online
2012-01-19 03:07 . 2012-01-20 00:05   1660   ----a-w-   c:\windows\system32\ASOROSet.bin
2012-01-08 02:39 . 2012-01-08 02:39   --------   d-----w-   c:\programdata\!SASCORE
2012-01-06 23:48 . 2012-01-06 23:48   --------   d-----w-   c:\program files\DIFX
2012-01-06 23:45 . 2012-01-06 23:45   --------   d-----w-   c:\programdata\Leapfrog
2012-01-06 23:45 . 2012-01-06 23:47   --------   d-----w-   c:\program files\LeapFrog
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 23:51 . 2011-05-15 19:03   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-18 16:29 . 2010-01-30 03:03   499712   ----a-w-   c:\windows\system32\msvcp71.dll
2011-12-18 16:29 . 2009-11-18 01:49   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2011-11-24 04:25 . 2011-12-13 23:32   2342912   ----a-w-   c:\windows\system32\win32k.sys
2011-11-05 04:26 . 2011-12-13 23:33   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-13 23:38   1798144   ----a-w-   c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-13 23:38   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-13 23:38   1127424   ----a-w-   c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-13 23:38   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-01-24_23.46.23   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2012-01-25 23:16   56316              c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-25 02:08 . 2012-01-25 23:16   16862              c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2767901044-4139088532-1525254392-1002_UserData.bin
- 2010-12-25 01:02 . 2012-01-24 22:59   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-25 01:02 . 2012-01-25 22:44   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-25 01:02 . 2012-01-24 22:59   98304              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-25 01:02 . 2012-01-25 22:44   98304              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2012-01-24 22:59   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2012-01-25 22:44   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-29 02:18 . 2012-01-25 01:12   1772              c:\windows\System32\wdi\ERCQueuedResolutions.dat
- 2012-01-24 22:55 . 2012-01-24 22:55   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-25 22:40 . 2012-01-25 23:14   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-24 22:55 . 2012-01-24 22:55   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-25 22:40 . 2012-01-25 23:14   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-12-25 23:47 . 2012-01-24 23:50   280404              c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 04:47 . 2012-01-25 01:12   307600              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2012-01-24 02:11   307600              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-01-25 02:50 . 2012-01-24 02:11   498622              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2767901044-4139088532-1525254392-1002-8192.dat
+ 2011-01-25 02:50 . 2012-01-25 01:12   498622              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2767901044-4139088532-1525254392-1002-8192.dat
+ 2011-06-23 04:23 . 2012-01-25 01:12   627780              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2767901044-4139088532-1525254392-1002-12288.dat
+ 2012-01-08 02:37 . 2012-01-25 01:12   2384870              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2767901044-4139088532-1525254392-1002-4096.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

Offline vivianaivett

Combofix.txt

part 2

.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"MyTOSHIBA"="c:\program files\toshiba\my toshiba\mytoshiba.exe" [2009-08-06 264048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"TosSENotify"="c:\program files\toshiba\toshiba hdd ssd alert\toswaitsrv.exe" [2009-09-17 611672]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"00TCrdMain"="c:\program files\toshiba\flashcards\tcrdmain.exe" [2009-08-05 738616]
"KeNotify"="c:\program files\toshiba\utilities\kenotify.exe" [2009-01-14 34088]
"HWSetup"="c:\program files\toshiba\utilities\hwsetup.exe" [2009-06-02 425984]
"SVPWUTIL"="c:\program files\toshiba\utilities\svpwutil.exe" [2009-07-10 352256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\Ivett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37   843712   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
2009-07-16 19:04   529256   ----a-w-   c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2009-08-05 21:18   476512   ----a-w-   c:\program files\TOSHIBA\Power Saver\TPwrMain.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 135664]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 135664]
R3 LeapFrog-USBLAN;LeapFrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2009-10-10 33792]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;

R3 RtsUIR;Realtek IR Driver;

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-25 1343400]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE

R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 176128]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]

Offline vivianaivett

Combofix.txt

part3

.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15   264048   ----a-w-   c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 17:47]
.
2012-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:be,51,51,86,4b,d5,cc,01
.
[HKEY_USERS\S-1-5-21-2767901044-4139088532-1525254392-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2767901044-4139088532-1525254392-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe
c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-01-25  18:26:42 - machine was rebooted
ComboFix-quarantined-files.txt  2012-01-25 23:26
ComboFix2.txt  2012-01-24 23:57
.
Pre-Run: 200,894,181,376 bytes free
Post-Run: 200,833,933,312 bytes free
.
- - End Of File - - 284080B746BE0BD9EA7734250782BB05
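An added example, not part of this thread and not ComboFix's own tooling, that parses the record lines of the ComboFix.txt posted above (the dated file entries, the R/S service lines and the Run-key values) and flags binaries sitting in user-writable folders, or services with no resolved binary, for a second look. The sample lines are copied from the log above; the AskToolbar entry's date and size are constructed, since the original only lists that file under "Other Deletions".

```python
"""Parse ComboFix.txt record lines and flag binaries that warrant a second look."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Dated file entries from the "Files Created" / "Find3M" sections.
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$')
# Service/driver entries: state, name, description, binary, optional [date size].
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);'
    r'(?P<path>[^\[]*?)\s*(?:\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$')
# Run-key values under the "Reg Loading Points" section.
RUNKEY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$')

# Locations a low-privilege process can write to.  A binary here is worth a
# look, not a verdict: legitimate software (MSE definition updates under
# c:\programdata, for instance) lands in these folders too.
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\')
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.com')


@dataclass
class Entry:
    kind: str            # 'file', 'service' or 'runkey'
    name: str            # file path, service name or Run value name
    path: Optional[str]  # on-disk binary; None when ComboFix printed no path
    is_dir: bool = False


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised ComboFix record line, else None."""
    m = FILE_RE.match(line)
    if m:
        return Entry('file', m['path'], m['path'], is_dir=m['attrs'].startswith('d'))
    m = SERVICE_RE.match(line)
    if m:
        return Entry('service', m['name'], m['path'] or None)
    m = RUNKEY_RE.match(line)
    if m:
        return Entry('runkey', m['name'], m['path'])
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every line of a ComboFix log, skipping headers and '.' separators."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def flag_for_review(entries: List[Entry]) -> List[Entry]:
    """Executables in user-writable folders, plus services with no resolved binary."""
    flagged = []
    for e in entries:
        if e.path is None:
            flagged.append(e)
        elif (not e.is_dir and e.path.lower().endswith(EXEC_EXT)
              and in_user_writable(e.path)):
            flagged.append(e)
    return flagged


# Constructed sample: lines taken from the log posted above, plus one dated
# entry for the AskToolbar DLL (its date and size are made up for the example).
SAMPLE_LOG = r"""
2012-01-23 04:06 . 2012-01-23 04:13   111872   ----a-w-   c:\windows\system32\drivers\TrueSight.sys
2012-01-25 23:12 . 2012-01-25 23:12   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-22 03:22 . 2012-01-06 01:19   6557240   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-20 03:00 . 2012-01-20 03:00   123456   ----a-w-   c:\users\Default\AppData\Local\AskToolbar\Downloaded Program Files\AviraTrans.dll
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
"""

if __name__ == '__main__':
    for e in flag_for_review(parse_log(SAMPLE_LOG)):
        print(f'{e.kind:8} {e.name}')
```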

Offline vivianaivett

mbam-log-(01-25-2012).txt

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.25.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Ivett :: IVETT-PC [administrator]

Protection: Enabled

1/25/2012 6:54:18 PM
mbam-log-2012-01-25 (18-54-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 273480
Time elapsed: 1 hour(s), 36 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
This program asked me if I wanted to accept a trial offer and it gave me the options accept or decline.  I accepted because it was before the scan would start and I did not know if this would cancel the scan or not.  I don't know if I did the correct thing or not.  After I accepted it said that protection was enabled and I freaked out, but I let it finish.  Sorry.

Offline vivianaivett

ESETLog.txt

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=20e211c0c7a1d54dbb21f5487360c377
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-01-26 02:56:15
# local_time=2012-01-25 09:56:15 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 0 79087819 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=112005
# found=0
# cleaned=0
# scan_time=3547


Done for now.  Waiting for you.  Thank you one more time.

Offline Bear

Hi Vivian

Your logs are looking good.  It appears that we removed all the malware.  We still need to do some clean up and then some work on hardening your PC against future infection.

1.  Uninstall ComboFix as follows:  Copy the code in the code box below.

Code:

combofix /uninstall


Now click on start/run and paste the copied code into the input box.
Click OK.  Reboot your PC.

2.  Download CCleaner (remove the checkmark from the Yahoo toolbar unless you want it).  Before first use, select Options / Advanced and uncheck "Only delete files in Windows Temp folder older than 48 hours".  Then select the following:

In the Windows Tab:
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Click the "Run Cleaner" button.  A pop up box will appear advising this process will permanently delete files from your system. Click OK.  Click exit when done.

3.  Next, disable and enable System Restore.

Go to Start/Control Panel/System and Security.  Then click on System.  Next click on Advanced system settings in the left panel.  Click on the System Protection tab.   Click on Disk C: and then click Configure.  Click on Delete, then Continue and OK.  Reboot your PC.

Now go back to the System Protection tab (as above) and click on Create to make a restore point.

4.  Download OTC to your desktop and run it.

Click Yes to begin the Cleanup process and Yes to remove these components, including this application.  You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
This will remove all the malware tools we have used except combofix.

5.  MOST IMPORTANT: Windows, IE and any other software you have that connects to the net need to be kept updated.  I recommend running Secunia PSI.  It will monitor the software you have installed and let you know when something needs to be updated.

6.  Go to Start/Windows Update and install all recommended updates.  You may have to do this more than once to get your operating system and Internet Explorer up to date.

7. Now update Java by clicking Here, click on Windows Online then click on Run/Install/Next and finally click Close when the installation is complete.

Click on Start/Programs and launch the Adobe Reader program.  Click on Help and Check for Updates and install all updates available.

8.  Now some tips for prevention of further infections:

Always use an updated anti-virus program. Make sure you update this weekly, if not more often. This is critical.

Keep Malwarebytes' Anti-Malware up to date as well.  Unless you have the paid version (which you can schedule), be sure to run scans several times per week.

Always use your firewall.  Learn how to use your firewall.   Only programs that need it should have access to the net.  But these are specific to the firewall you use, so you will need to learn how.  Check your firewall provider's web site for more information on making your firewall secure. 

9.  Go to WOT download and install this program.  It will help keep you safe on the internet.

Never run two Antivirus programs or two Firewalls at the same time.

NEVER use P2P or file sharing software.  Many P2P file sharing programs contain bundled spyware.  But all these programs expose you to risks because of the very nature of the P2P file sharing process.  Many very malicious worms and trojans target and spread across P2P file sharing networks.

Before downloading, installing or using any malware detection/removal software, check the Rogue/Suspect Spyware List and Rogue Applications List.  That way you will know if the program you are considering is safe.  If you want to know how it rates against other programs, check out SpywareWarrior.

We have a good guide on how to prevent malware infections here at SpywareHammer.  You might want to peruse this and follow the recommendations Prevent Infection.

Let us know if you have any more problems, either new or old.  The internet is a wonderful tool for work and fun, but always be safe.

I would appreciate if after a couple of days of using your computer you let me know if everything is running fine so that I can close this post. 


Offline vivianaivett

Dear Bear:

I am running Windows 7, and I know that on other computers I used (XP, Vista) "RUN" is usually on the right hand side of the menu when you click Start, but I looked on my computer and I can't find it.  Sorry.  I tried right-clicking on ComboFix and Run as Administrator, but it just starts running the program.  I am really sorry, forgive my ignorance.

Offline vivianaivett


Disregard my silly question.  I found it!  lol

Offline vivianaivett

Dear Bear:

I need to check with you if this program was supposed to clean all the stuff or some.  I still have the logs that we saved on the desktop and some of the programs that I saved on my desktop???

I need to thank you for all the help, your patience, etc. I could not have done this without you and this web site that exist to help us be more protected against the evil things that are around the world.

You are a trooper, I can never say thank you enough to you all.

Offline Bear

Hi Vivian

OTC does an imperfect job of cleaning and certainly you can delete the rest.  I would wait a couple of days to be sure we haven't deleted something you might want to put back.  After that, go ahead and delete it all.  Any time you need help, feel free to come back to Spyware Hammer.