Infected w/ Internet Security Pro and other

42 replies to this topic

#31 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:47 AM

Posted 09 August 2013 - 09:30 AM

Okay,

Sounds good.  The more unnecessary files/apps I can get rid of the better.  I will look up the startups to see if I want them and I will also run the scan and report back to you.  Thx


Edited by rsqme, 09 August 2013 - 09:38 AM.


#32 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:47 AM

Posted 09 August 2013 - 09:28 PM

OK I will be looking for you


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#33 rsqme


Posted 10 August 2013 - 02:21 AM

Hi Gringo

I went ahead and removed the Startups with HijackThis per your instructions.  Wasn't sure about removing Adobe ARM at first, because from my understanding it is an updater file (?), but I decided to go ahead and try doing w/o it for now, though it is convenient to have the auto-update/reminders.  Don't know if I should look into an update monitor software...maybe you have some advice to offer on whether I even need one or not?

 

I'm also concerned about a software program ("Math 3" from School Zone Publishing, that my kids no longer use >> Location: C:\Program Files\sz8033_6).  I'd like to uninstall/remove it but it doesn't seem to have the option, and doesn't show up in Revo or Windows Add/Remove apps.  I tried clicking on the shortcut that is located in the (All) Programs menu (the only evidence of it, at least on the surface).  When I clicked on it, I was thrown into a black screen with a bulky safe mode type interface -- scared the beejezus out of me, but fortunately I was able to restart my pc and it rebooted normally.  Can you please help me get this Math 3 software out of my system?

 

And lastly, as you can see by the ESET scan results below, we still aren't out of the woods with more malware/trojan junk prowling the depths of my pc.  Thank goodness we're doing all these scans!  I really appreciate how thorough you're being.  :bowdown: Just let me know what's next.  Thx Gringo.

 

 

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\midefender.exe.vir a variant of Win32/Kryptik.BGGW trojan
C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\C3C1~1\01C8~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\GoogleUpdate.exe.vir Win32/Sirefef.FY trojan
C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\C3C1~1\01C8~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\00000001.@.vir Win32/Conedex.U trojan
C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\C3C1~1\01C8~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\80000000.@.vir Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\C3C1~1\01C8~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\800000cb.@.vir Win32/Sirefef.FL trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\0103~1\0103~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\GoogleUpdate.exe.vir Win32/Sirefef.FY trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\0103~1\0103~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\00000001.@.vir Win32/Conedex.U trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\0103~1\0103~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\80000000.@.vir Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\0103~1\0103~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\800000cb.@.vir a variant of Win32/Sirefef.FL trojan
 



#34 gringo_pr


Posted 10 August 2013 - 12:30 PM

The ESET scan was perfect - it only shows the backup folder for Combofix


Let me have the exact location of the math folder - make sure it is spelled exactly as you see it


gringo
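The triage gringo applies above (an ESET hit is harmless when it sits in ComboFix's quarantine folder rather than at a live path) can be automated. The following is an added example, not code from the thread, from ESET or from ComboFix; it assumes ESET result lines of the form `<path> <detection name>` and the quarantine layout visible in the thread (original path mirrored under `C:\Qoobox\Quarantine\<drive>\` with `.vir` appended). The "live" detection and the header line in the sample data are constructed for contrast; the other sample lines are quoted from the thread.

```python
"""Triage an ESET scan result list: separate live detections from ComboFix quarantine
backups (C:\\Qoobox\\Quarantine\\...\\*.vir), inert copies of files ComboFix already removed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One ESET result line is "<path> <detection name>". Paths contain spaces, so the split
# point is found by requiring the detection name to start with an optional "a variant of"
# and a "<platform>/<family>" token; "/" never appears in the Windows paths handled here.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of\s+)?[A-Za-z0-9_-]+/\S.*)$"
)

# ComboFix quarantine layout as seen in the thread (assumption): the original path is
# mirrored under <drive>:\Qoobox\Quarantine\<original drive letter>\ with ".vir" appended.
QUARANTINE_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<odrive>[A-Za-z])\\(?P<rest>.+)\.vir$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str                     # path as reported by ESET
    threat: str                   # detection name as reported by ESET
    quarantined: bool             # True when the hit is a ComboFix backup copy
    original_path: Optional[str]  # where a quarantined file originally lived


def parse_line(line: str) -> Optional[Finding]:
    """Parse one ESET result line; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, threat = m.group("path"), m.group("threat").strip()
    q = QUARANTINE_RE.match(path)
    if q:
        original = q.group("odrive").upper() + ":\\" + q.group("rest")
        return Finding(path, threat, True, original)
    return Finding(path, threat, False, None)


def triage(lines: Iterable[str]) -> Tuple[List[Finding], List[Finding], List[str]]:
    """Split result lines into (live, quarantined, unparsed)."""
    live, quarantined, unparsed = [], [], []
    for raw in lines:
        if not raw.strip():
            continue              # ESET logs end with blank lines; skip them
        f = parse_line(raw)
        if f is None:
            unparsed.append(raw)  # keep for manual review rather than silently dropping
        elif f.quarantined:
            quarantined.append(f)
        else:
            live.append(f)
    return live, quarantined, unparsed


def verdict(lines: Iterable[str]) -> str:
    """One-line summary in the spirit of 'it only shows the backup folder for Combofix'."""
    live, quarantined, unparsed = triage(lines)
    tail = f"{len(quarantined)} ComboFix backup(s); {len(unparsed)} line(s) not parsed"
    if live:
        return f"{len(live)} live detection(s) need attention; {tail}"
    return f"clean: only {tail}"


# Sample input: lines 1-3 are quoted from the thread's ESET result list; line 4 is a
# CONSTRUCTED live detection and line 5 a CONSTRUCTED unparseable header line.
SAMPLE_RESULTS = [
    r"C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\midefender.exe.vir a variant of Win32/Kryptik.BGGW trojan",
    r"C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\C3C1~1\01C8~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\U\00000001.@.vir Win32/Conedex.U trojan",
    r"C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{9a9140fb-565e-0e04-761d-943174e4b222}\0103~1\0103~1\CFFE~1\{9a9140fb-565e-0e04-761d-943174e4b222}\GoogleUpdate.exe.vir Win32/Sirefef.FY trojan",
    r"C:\Documents and Settings\Admin\Local Settings\Temp\sample_live.exe Win32/Example.A trojan",
    "ESET Online Scanner results (constructed header line)",
    "",
]

if __name__ == "__main__":
    live, quarantined, _ = triage(SAMPLE_RESULTS)
    for f in quarantined + live:
        print("BACKUP" if f.quarantined else "LIVE  ", f.threat, "->", f.original_path or f.path)
    print(verdict(SAMPLE_RESULTS))
```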

#35 rsqme


Posted 10 August 2013 - 10:44 PM

Well that's good to hear!  That's why you are the expert ;)

 

And why I'm probably going to sound like a moron when I ask, is this what you mean by exact location?

C:\Documents and Settings\All Users\Start Menu\Programs

or

C:\Documents and Settings\All Users\Start Menu\Programs\Math 3

 

And within that folder are the following files: 

C:\Program Files\sz8033_6\8033_6.exe

C:\Program Files\sz8033_6\Read Me.rtf

C:\Program Files\sz8033_6\8000_9.exe

And this folder:

C:\Documents and Settings\All Users\Start Menu\Programs\Math 3\Visit School Zone Online

Which contains these three files:
C:\Program Files\sz8033_6\Product Registration.url
C:\Program Files\sz8033_6\School Zone Publishing.url
C:\Program Files\sz8033_6\Tech Support.url

 

Do I just use the CCleaner to remove them?

And will that remove all traces of that Math 3 folder (program) and its contents (like in the registry or wherever else)?

Really sorry if I'm making this more complicated than it really is.  I just want to make sure I do it correctly.

 

So just let me know if that's the "exact location" you were asking about and what I should do next.

 

Thx Gringo


Edited by rsqme, 10 August 2013 - 11:15 PM.


#36 gringo_pr


Posted 11 August 2013 - 10:29 AM


Hello rsqme,

This should remove the files and folder you want removed. The registry I would just leave alone, as it will not hurt anything.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
C:\Documents and Settings\All Users\Start Menu\Programs\Math 3
 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#37 rsqme


Posted 11 August 2013 - 12:15 PM

Morning Gringo

 

Ran the script and ComboFix.  The math program and its contents seem to be removed.  Below is the log for you to review.

 

ComboFix 13-08-11.02 - Admin 08/11/2013   9:46.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1278.858 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Math 3
c:\documents and settings\All Users\Start Menu\Programs\Math 3\Math 3.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math 3\Read Me.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math 3\School Zone Sampler.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math 3\Visit School Zone Online\Math 3 Registration.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math 3\Visit School Zone Online\School Zone Publishing.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math 3\Visit School Zone Online\Technical Support.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-11 to 2013-08-11  )))))))))))))))))))))))))))))))
.
.
2013-08-11 02:30 . 2013-07-02 06:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9067D1AB-81A3-4070-8279-DCFE04811B08}\mpengine.dll
2013-08-10 06:46 . 2013-07-02 06:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-08 15:07 . 2013-08-08 15:08 -------- d-----w- c:\program files\CCleaner
2013-08-08 06:07 . 2013-08-08 06:07 -------- d-----w- c:\program files\Common Files\Java
2013-08-08 06:07 . 2013-08-08 06:06 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-08-08 06:07 . 2013-08-08 06:06 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-08 06:07 . 2013-08-08 06:06 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-08 06:04 . 2013-08-08 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-08-08 03:55 . 2013-08-08 03:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2013-08-08 02:19 . 2013-08-08 02:19 -------- d-----w- c:\program files\VS Revo Group
2013-08-06 01:20 . 2013-08-06 01:20 -------- d-----w- c:\windows\ERUNT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-08 06:06 . 2011-08-04 18:23 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-16 13:30 . 2012-04-05 14:38 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-16 13:29 . 2011-08-04 15:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 06:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2003-02-11 19:29 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2003-02-11 19:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2003-02-11 19:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2003-02-11 21:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2003-02-11 19:29 1876736 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMP110"="c:\program files\Linksys\WMP110\WMP110.exe" [2008-02-27 962560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2002-07-23 19:09 477184 ----a-w- c:\windows\mHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-10-16 07:05 114688 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-10-16 07:18 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-07-13 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7329:TCP"= 7329:TCP:Remote Assistance Local
"13896:TCP"= 13896:TCP:Remote Assistance Remote
.
R2 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [8/5/2011 9:47 AM 34816]
R2 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [8/5/2011 9:47 AM 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [8/5/2011 9:47 AM 57344]
R3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [8/5/2011 9:47 AM 1299520]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [10/10/2008 3:33 PM 18560]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [8/5/2011 9:47 AM 352338]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:30]
.
2013-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
2013-08-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]
.
2013-08-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-773439712-2133114299-3554154238-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
2013-08-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-773439712-2133114299-3554154238-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://duckduckgo.com/privacy.html
msearch bar = hxxp://www.yahoo.com/search/ie.html
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-11 09:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-08-11  10:04:20
ComboFix-quarantined-files.txt  2013-08-11 17:04
ComboFix2.txt  2013-08-07 06:04
ComboFix3.txt  2013-08-07 02:24
ComboFix4.txt  2013-08-06 20:22
.
Pre-Run: 27,998,101,504 bytes free
Post-Run: 27,995,824,128 bytes free
.
- - End Of File - - 158646C04BA0D59E22BE8A70BC745D50
8F558EB6672622401DA993E1E865C861
 


Edited by rsqme, 11 August 2013 - 12:17 PM.


#38 gringo_pr


Posted 11 August 2013 - 09:25 PM


Hello rsqme,

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:
  • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
    They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

    The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and creating a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK.
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.



:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.
  • Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls
  • CCleaner - This is a good program to clean out temp files; I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner
  • Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.
  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus
:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: Strong passwords: How to create and use them. Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

As Java seems to get exploited on a daily basis, I advise disabling Java in your web browsers - How to disable java in your web browsers - Disable Java



The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must-reads and should be read by everybody in your household that uses the internet. Here is some more reading for you from some of my colleagues, quoted from Tech Support Forum:

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

Gringo

#39 rsqme


Posted 12 August 2013 - 01:00 AM

Hi Gringo

 

I went ahead and uninstalled ComboFix as instructed which did successfully uninstall ComboFix and the DDS logs.

 

I then downloaded and ran the OTCleanIt tool, also as directed, but the only thing it seemed to remove was the tool itself (OTCleanIT).  The items still sitting on my desktop that were not uninstalled/removed are...

 

these removal tools:

  AdwCleaner

  JRT

  HijackThis

 

and these text file logs:

  attach.txt

  hijackthis.txt

  JRT.txt

  ESET SCAN.txt

 

and this one folder:

  titled "backup"

(containing 6 random backup files--not sure from which removal tool they were created, but am assuming they too are no longer of any importance???)

 

Just let me know when you get a chance how you'd like me to remove all of the above.  Thx Gringo



#40 gringo_pr


Posted 12 August 2013 - 08:35 PM

Hello rsqme


anything left over only needs to be deleted


gringo

#41 rsqme


Posted 12 August 2013 - 11:29 PM

Okay then, delete I shall.

 

Other than that, everything else seems good.  It's really nice having my system back on track and I will definitely continue to implement the tools you've offered and recommended.  Hopefully nothing else will come up, but if it does, I know where to come. :)

 

Thanks again for your time and guidance, Gringo.

 

rsqme



#42 gringo_pr


Posted 13 August 2013 - 12:22 AM

You are more than welcome and glad I was able to help


gringo

#43 gringo_pr


Posted 20 August 2013 - 10:21 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.