How is computer doing?
Open Windows Explorer and delete following file:
C:\Users\Dorothy\Downloads\Google Updater.exe
Vista Security 2012 virus infection help
#16
Posted 21 December 2011 - 11:53 PM
#17
Posted 22 December 2011 - 07:31 AM
Computer seems to be running good. I was able to run aswMBR in regular mode instead of safe mode this time. I still cannot get a chkdsk to run. Every time I schedule a chkdsk, I reboot the computer, the chkdsk comes up and says it is done but it never really started.
Also, should I now fix the hosts file like you asked earlier?
Thanks for all of the help. She will really appreciate getting her computer back soon.
#18
Posted 22 December 2011 - 07:04 PM
I am now able to get chkdsk to run on the computer. It was the BootExecute data value in the Registry that had been changed so once I put it back to the default, the computer will check the disk on startup.
Anything else I should do or know? You had mentioned the Hosts file. Otherwise, I'll give the computer back to my friend and she can play with it over the weekend to see if everything is good. She's not leaving till after the first of the year so if there are any problems, I can get it back from her.
Thanks again and let me know if I should do anything else.
#19
Posted 22 December 2011 - 09:07 PM
Yes, complete steps from my reply #8.
Then a couple more steps...
Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
=============================================================================
Please run a free online scan with the ESET Online Scanner
- Disable your antivirus program
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- Accept any security warnings from your browser.
- Check Scan archives
- Click Start
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, click on List of found threats
- Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset doesn't find any threats it'll NOT produce any log.
#20
Posted 22 December 2011 - 09:31 PM
Here is the SystemLook text:
SystemLook 30.07.11 by jpshortstuff
Log created at 20:29 on 22/12/2011 by Dorothy
Administrator - Elevation successful
========== dir ==========
C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"
---Files---
hosts --a---- 737 bytes [02:26 23/12/2011] [02:25 23/12/2011]
lmhosts.sam --a---- 3683 bytes [06:38 02/11/2006] [21:41 18/09/2006]
networks --a---- 407 bytes [10:23 02/11/2006] [21:41 18/09/2006]
protocol --a---- 1358 bytes [10:23 02/11/2006] [21:41 18/09/2006]
services --a---- 17244 bytes [10:23 02/11/2006] [21:41 18/09/2006]
---Folders---
None found.
-= EOF =-
#21
Posted 22 December 2011 - 10:07 PM
Good 
Go on...
#22
Posted 22 December 2011 - 11:39 PM
ESetScan text file:
C:\Program Files\Guffins\bar\1.bin\u4datact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files\Guffins\bar\1.bin\u4html.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Program Files\Guffins\bar\1.bin\u4htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Program Files\Guffins\bar\1.bin\u4Plugin.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Guffins\bar\1.bin\u4skin.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\Program Files\Play Pickle\ppun.exe Win32/Adware.Gamevance.BE application cleaned by deleting - quarantined
C:\Users\Dorothy\AppData\Roaming\817D72739678DD2082487083283E1807\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Users\Dorothy\AppData\Roaming\817D72739678DD2082487083283E1807\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Users\Dorothy\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@plpickle.com\components\pptlf.dll a variant of Win32/Adware.Gamevance.BH application cleaned by deleting - quarantined
C:\Users\Dorothy\Downloads\defragsetup(1).exe a variant of Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\Dorothy\Downloads\defragsetup.exe a variant of Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\Dorothy\Downloads\slow-pcfighter_Web.exe a variant of Win32/SlowPCfighter application cleaned by deleting - quarantined
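Added example, not part of the original thread: a short Python triage of an ESET export like the one posted in #22, grouping detections by family and listing the folders worth re-checking for leftovers after the scanner deleted individual files. The function names and the rule for stripping variant suffixes are assumptions of this example.

```python
import re
from collections import defaultdict
from ntpath import dirname  # Windows path rules on any OS

# Six lines copied from the ESET export posted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Guffins\bar\1.bin\u4datact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files\Guffins\bar\1.bin\u4html.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Program Files\Play Pickle\ppun.exe Win32/Adware.Gamevance.BE application cleaned by deleting - quarantined
C:\Users\Dorothy\AppData\Roaming\817D72739678DD2082487083283E1807\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Users\Dorothy\Downloads\defragsetup(1).exe a variant of Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\Dorothy\Downloads\defragsetup.exe a variant of Win32/Adware.Toolbar.Dealio application deleted - quarantined
"""

# <path> [probably ][a variant of ]<Platform/Name> <type> <action>; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<threat>[A-Za-z0-9]+/\S+) (?P<kind>\S+) (?P<action>.+)$"
)
# Assumed heuristic: a trailing ".A"/".BE" letter code and ".Gen" mark the variant.
VARIANT_RE = re.compile(r"(\.[A-Z]{1,3})?(\.Gen)?$")


def parse_line(line):
    """Return a dict for one detection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tentative"] = (rec["qualifier"] or "").startswith("probably")
    rec["family"] = VARIANT_RE.sub("", rec["threat"], count=1)
    return rec


def triage(log_text):
    """Group detections by family: hit count, 'probably' flag, folders to re-check."""
    summary = defaultdict(lambda: {"hits": 0, "tentative": False, "dirs": set()})
    unparsed = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep unmatched lines for manual review
            continue
        entry = summary[rec["family"]]
        entry["hits"] += 1
        entry["tentative"] |= rec["tentative"]
        entry["dirs"].add(dirname(rec["path"]))
    return dict(summary), unparsed
```

Calling `triage(SAMPLE_LOG)` returns the per-family summary plus any lines that did not parse, so nothing in the export is silently skipped.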
#23
Posted 22 December 2011 - 11:41 PM
1. Update your Java version here: http://www.java.com/en/download/installed.jsp
Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
2. Now, we need to remove the old Java version and its remnants...
Download JavaRa to your desktop and unzip it to its own folder
- Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
================================================================================
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.
Turn system restore off.
Restart computer.
Turn system restore back on.
If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/
2. Make sure Windows Updates are current.
3. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
5. Run Temporary File Cleaner (TFC) weekly.
6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.
7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
8. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.
9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
10. Except for MBAM and TFC, which are keepers, you can simply delete all other tools we used as they don't install.
#24
Posted 23 December 2011 - 07:48 AM
Got it done. She will be very happy to get her computer back.
Thank you very much and hope you have a great holiday.
#25
Posted 23 December 2011 - 12:33 PM
