
Thread: System Care Antivirus

  1. #1
    Member
    Join Date
    Oct 2008
    Posts
    53

    System Care Antivirus

    I committed a cardinal sin yesterday by clicking on an e-mail attachment from DHL thinking it contained legitimate information about a delivery that I was awaiting. It did not. Instead, I got infected. McAfee almost immediately said it had identified and eliminated the threat, but I ran a scan using MBAM to be sure. MBAM found 4 infected files and identified the culprit as medfos. I asked MBAM to fix it, and the next scan was clean. After I rebooted my computer, I started getting the antivirus ads, and I knew I was in bigger trouble. Scans by McAfee and MBAM wouldn't work, and I could no longer access the web in normal mode. Following the instructions in the System Care Antivirus guide on Bleeping Computer, I rebooted into Safe Mode and ran MBAM Chameleon. Following the instructions regarding System Care on the Microsoft Security site, I also ran the Microsoft Malware Removal Tool. Things looked pretty good except the System Care Antivirus folder still showed up when I clicked the Start button and looked at All Programs. Sure enough, when I rebooted out of Safe Mode, the malware did its thing again. I am running Windows 7 Home Edition.

    Here are the requested log files (the attach.txt file is included as an attachment). I have downloaded and run ERUNT, but I was unable to disable TeaTimer. The infected computer is currently running and able to access the Spybot web site under Safe Mode, but I could not find the Resident icon under Advanced Mode. I plan to use my laptop and a flash drive to move files and programs back and forth.

    DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
    Internet Explorer: 10.0.9200.16635
    Run by John at 9:16:25 on 2013-08-04
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12249.11078 [GMT -4:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\mfevtps.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\ctfmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Bar = Preserve
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit = userinit.exe,
    BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20121016201311.dll
    BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
    uRun: [govrgbrk] "C:\Users\John\AppData\Local\dqipvpat.exe"
    uRunOnce: [Application Restart #0] C:\Windows\System32\ctfmon.exe ctfmon.exe
    uRunOnce: [Application Restart #1] C:\Program Files\Internet Explorer\iexplore.exe -restart /WERRESTART
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
    mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
    mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
    mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
    mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
    StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOZYHO~1.LNK - C:\Program Files\MozyHome\mozystat.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.1 209.18.47.61 209.18.47.62
    TCP: Interfaces\{B1521873-611C-4141-AAB1-CC30AFC23073} : DHCPNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-mSearchAssistant = hxxp://www.google.com/ie
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20121016201311.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
    x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX4
    x64-Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
    x64-Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe"
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll
    x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\aeoam766.default\
    FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
    FF - ExtSQL: !HIDDEN! 2013-02-17 21:08; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-10-16 16152]
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-3-13 771536]
    R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2011-3-13 340216]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-27 201304]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-10-16 218760]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2012-10-16 182752]
    R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2011-12-29 30368]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2011-3-13 70112]
    R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-10-16 356120]
    R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-10-16 787736]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2011-3-13 515968]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-10-16 648808]
    S1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-4-16 87600]
    S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
    S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-10-16 98208]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-10-16 204288]
    S2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe [2011-12-29 106144]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-10-9 173568]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-10-16 13592]
    S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-1-10 627936]
    S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-18 418376]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-18 701512]
    S2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-27 201304]
    S2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-27 201304]
    S2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-10-16 241456]
    S2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-8-4 1817560]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-8-4 1033688]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-8-4 171928]
    S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-10-16 1695040]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-10-16 363800]
    S2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [2011-12-29 158880]
    S2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [2012-10-16 76960]
    S3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2011-12-29 36000]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-10-16 93712]
    S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2011-12-29 338592]
    S3 btath_avdt;Atheros Bluetooth AVDT Service;C:\Windows\System32\drivers\btath_avdt.sys [2011-12-29 110752]
    S3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2011-12-29 167584]
    S3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2011-12-29 68256]
    S3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2011-12-29 280992]
    S3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2011-12-29 548000]
    S3 C771BUS;CASIO C771 USB Composite Device Driver;C:\Windows\System32\drivers\C771BUS.sys [2012-11-8 71752]
    S3 C771VSP;CASIO C771 USB Virtual Serial Port;C:\Windows\System32\drivers\C771VSP.sys [2012-11-8 186056]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2012-10-27 196440]
    S3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-10-16 331264]
    S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-18 25928]
    S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2012-10-16 224704]
    S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-3-13 309840]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-3-13 106552]
    S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2013-8-3 31800]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-27 1255736]
    S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-27 201304]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2013-08-04 12:23:10 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-08-04 04:10:22 468480 ----a-w- C:\Users\John\AppData\Local\kxdaaahb.exe
    2013-08-04 01:13:47 468480 ----a-w- C:\Users\John\AppData\Local\fvwkkhxe.exe
    2013-08-04 01:05:41 -------- d-----w- C:\Users\John\AppData\Local\VS Revo Group
    2013-08-04 01:05:38 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
    2013-08-04 01:05:38 -------- d-----w- C:\ProgramData\VS Revo Group
    2013-08-04 01:05:37 -------- d-----w- C:\Program Files\VS Revo Group
    2013-08-03 22:38:33 468480 ----a-w- C:\Users\John\AppData\Local\ocbrwvbi.exe
    2013-08-03 22:32:32 45056 ----a-w- C:\Users\John\AppData\Local\dqipvpat.exe
    2013-07-18 02:52:00 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2013-07-18 02:41:43 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2013-07-18 02:41:26 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2013-07-18 02:41:18 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2013-07-10 02:45:06 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
    2013-07-10 02:45:06 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
    2013-07-10 02:45:06 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
    2013-07-10 02:45:06 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
    2013-07-10 02:45:06 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
    2013-07-10 02:45:06 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
    2013-07-10 02:45:06 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
    2013-07-10 02:45:05 624128 ----a-w- C:\Windows\System32\qedit.dll
    2013-07-10 02:45:05 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
    2013-07-10 02:45:05 1887744 ----a-w- C:\Windows\System32\WMVDECOD.DLL
    2013-07-10 02:45:05 1620480 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
    2013-07-10 02:44:51 3153920 ----a-w- C:\Windows\System32\win32k.sys
    2013-07-10 02:44:50 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
    2013-07-10 02:44:50 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
    2013-07-10 02:44:50 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
    2013-07-10 02:44:50 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
    2013-07-10 02:44:49 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2013-07-10 02:44:34 1643520 ----a-w- C:\Windows\System32\DWrite.dll
    2013-07-10 02:44:34 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
    .
    ==================== Find3M ====================
    .
    2013-07-13 19:42:14 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-07-13 19:42:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-06-11 23:43:37 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
    2013-06-11 23:43:00 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2013-06-11 23:42:58 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2013-06-11 23:42:58 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2013-06-11 23:26:20 2241024 ----a-w- C:\Windows\System32\wininet.dll
    2013-06-11 23:25:16 3958784 ----a-w- C:\Windows\System32\jscript9.dll
    2013-06-11 23:25:13 67072 ----a-w- C:\Windows\System32\iesetup.dll
    2013-06-11 23:25:13 136704 ----a-w- C:\Windows\System32\iesysprep.dll
    2013-06-11 22:51:45 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
    2013-06-11 22:50:58 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
    2013-06-07 03:22:18 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
    2013-06-07 02:37:52 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
    2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
    2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
    2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
    2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
    2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
    2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
    2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
    2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
    2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    .
    ============= FINISH: 9:17:33.56 ===============


    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-08-04 10:09:13
    -----------------------------
    10:09:13.258 OS Version: Windows x64 6.1.7601 Service Pack 1
    10:09:13.258 Number of processors: 8 586 0x3A09
    10:09:13.258 ComputerName: JOHNDESKTOP UserName: John
    10:09:14.006 Initialize success
    10:20:53.699 AVAST engine defs: 13080400
    12:40:29.634 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    12:40:29.634 Disk 0 Vendor: ST310005 JC4A Size: 953869MB BusType: 3
    12:40:29.728 Disk 0 MBR read successfully
    12:40:29.744 Disk 0 MBR scan
    12:40:29.744 Disk 0 Windows VISTA default MBR code
    12:40:29.744 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
    12:40:29.759 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 12544 MB offset 81920
    12:40:29.759 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 941284 MB offset 25772032
    12:40:29.790 Disk 0 scanning C:\Windows\system32\drivers
    12:40:37.887 Service scanning
    12:40:52.644 Modules scanning
    12:40:52.644 Disk 0 trace - called modules:
    12:40:52.676 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
    12:40:52.676 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800cb25060]
    12:40:52.676 3 CLASSPNP.SYS[fffff88001c5143f] -> nt!IofCallDriver -> [0xfffffa800a508320]
    12:40:52.676 5 ACPI.sys[fffff88000ef97a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800a57e050]
    12:41:05.624 AVAST engine scan C:\Windows
    12:41:09.290 AVAST engine scan C:\Windows\system32
    12:43:47.490 AVAST engine scan C:\Windows\system32\drivers
    12:43:57.271 AVAST engine scan C:\Users\John
    12:44:15.585 File: C:\Users\John\AppData\Local\dqipvpat.exe **INFECTED** Win32:Dropper-gen [Drp]
    12:57:45.679 Disk 0 MBR has been saved successfully to "C:\Users\John\Desktop\MBR.dat"
    12:57:45.679 The log file has been saved successfully to "C:\Users\John\Desktop\aswMBR.txt"
    13:00:02.632 Disk 0 MBR has been saved successfully to "J:\MBR.dat"
    13:00:02.647 The log file has been saved successfully to "J:\aswMBR.txt"
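    The DDS log above already contains the three indicators the rest of this thread turns on: a user Run value launching an executable dropped straight into AppData\Local under a random name, the UAC policy values forced to 0, and several freshly created executables in that folder that all share one file size. The following triage helper is an added example written for this thread (it is not code from DDS, Malwarebytes or the forum); it parses those DDS line formats and reports the findings, using a constructed excerpt of the log above as sample input.

```python
"""Triage helper for DDS-style scan logs.

Constructed example for this thread, not code from DDS, MBAM or the forum.
It reads Pseudo HJT and "Created Last 30" lines and reports three indicators:
a Run value launching an executable dropped directly into AppData\\Local under
a random name, UAC policy values forced to 0, and fresh executables in that
folder sharing one file size (a dropper re-writing itself under new names).
"""
import re
from collections import defaultdict

# uRun: [govrgbrk] "C:\Users\John\AppData\Local\dqipvpat.exe"
RUN_RE = re.compile(
    r'^(?P<hive>(?:x64-)?[um]?Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
# mPolicies-System: EnableLUA = dword:0
POLICY_RE = re.compile(r'^\w+-System:\s*(?P<name>\w+)\s*=\s*dword:(?P<val>\d+)$')
# 2013-08-04 04:10:22 468480 ----a-w- C:\Users\John\AppData\Local\kxdaaahb.exe
CREATED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+\S+\s+(?P<path>.+)$')
# Executable sitting directly in AppData\Local with a short all-letter name
LOCAL_DROP_RE = re.compile(r'\\AppData\\Local\\[a-z]{6,10}\.exe$', re.I)
# UAC values that this family sets to 0 so that its process runs without prompts
UAC_MUST_BE_NONZERO = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def exe_path(cmd):
    """Return the executable part of a Run command, quoted or not."""
    m = re.match(r'^"?(?P<p>.+?\.exe)"?', cmd, re.I)
    return m.group("p") if m else cmd.strip()


def triage(log_text):
    """Scan one DDS log and return the findings grouped by indicator."""
    findings = {"run": [], "policies": [], "dropped": [], "same_size": {}}
    by_size = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = exe_path(m.group("cmd"))
            if LOCAL_DROP_RE.search(path):
                findings["run"].append((m.group("hive"), m.group("name"), path))
        elif m := POLICY_RE.match(line):
            if m.group("name") in UAC_MUST_BE_NONZERO and int(m.group("val")) == 0:
                findings["policies"].append(m.group("name"))
        elif m := CREATED_RE.match(line):
            path = m.group("path")
            if LOCAL_DROP_RE.search(path):
                findings["dropped"].append((m.group("ts"), path))
                if m.group("size").isdigit():
                    by_size[int(m.group("size"))].append(path)
    # Two or more fresh executables of identical size point at one dropper
    findings["same_size"] = {s: p for s, p in by_size.items() if len(p) > 1}
    return findings


# Constructed excerpt of the DDS log posted in this thread (benign lines included)
SAMPLE_DDS_LOG = r"""
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [govrgbrk] "C:\Users\John\AppData\Local\dqipvpat.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
2013-08-04 12:23:10 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-08-04 04:10:22 468480 ----a-w- C:\Users\John\AppData\Local\kxdaaahb.exe
2013-08-04 01:13:47 468480 ----a-w- C:\Users\John\AppData\Local\fvwkkhxe.exe
2013-08-04 01:05:41 -------- d-----w- C:\Users\John\AppData\Local\VS Revo Group
2013-08-03 22:38:33 468480 ----a-w- C:\Users\John\AppData\Local\ocbrwvbi.exe
2013-08-03 22:32:32 45056 ----a-w- C:\Users\John\AppData\Local\dqipvpat.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DDS_LOG)
    for hive, name, path in result["run"]:
        print(f"Run value {hive}:[{name}] launches {path}")
    for name in result["policies"]:
        print(f"UAC policy {name} is 0 (should be non-zero)")
    for ts, path in result["dropped"]:
        print(f"Fresh executable in AppData\\Local: {ts} {path}")
    for size, paths in result["same_size"].items():
        print(f"{len(paths)} executables share size {size}: {paths}")
```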

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi GoPhillies,

    Sorry for the delay. If you still need help simply reply back.
    How Can I Reduce My Risk?

  3. #3
    Member
    Join Date
    Oct 2008
    Posts
    53


    Thank you. Yes, I do still need help.

  4. #4
    Member
    Join Date
    Oct 2008
    Posts
    53


    BTW, I did run a scan with Spybot. It ran for about 12.574 seconds, "came up without results," and the "Show Scan Results" screen was blank.

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    OK. Some of this scareware is active in safe mode, try this: boot your machine into safe mode. Using Explorer navigate to:

    C:\Users\John\AppData\Local\dqipvpat.exe

    Delete the .exe if you can. If you also see randomly numbered or named folders or other .exe files, delete them also if possible. Then run Malwarebytes in safe mode. Reboot normally. If it still appears to be present try downloading and running RogueKiller:

    Download RogueKiller.exe on to your desktop
    Before you save it: rename it to winlogon.exe then save it to your desktop.

    Windows Vista/7 users: right click on RogueKiller.exe, click "run as admin"
    A Pre-scan will start. Let it finish.
    Click on SCAN button.
    Wait until the Status box shows Scan Finished
    Click on Delete.
    Wait until the Status box shows Deleting Finished.
    Click on Report and copy/paste the content of the Notepad into your next reply.
    RKreport.txt could also be found on your desktop.

    Can also try running roguekiller in safe mode.

    I won't be back online for 15 or so hours. If the above fails we will try something else. This thing has an active process running that must be killed before you can do anything.
    How Can I Reduce My Risk?

  6. #6
    Member
    Join Date
    Oct 2008
    Posts
    53


    I was unable to find and manually remove C:\Users\John\AppData\Local\dqipvpat.exe

    I ran Rogue Killer and got this report:

    RogueKiller V8.6.5 [Aug 5 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Safe mode with network support
    User : John [Admin rights]
    Mode : Remove -- Date : 08/07/2013 00:01:28
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 12 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : govrgbrk ("C:\Users\John\AppData\Local\dqipvpat.exe" [-]) -> DELETED
    [RUN][SUSP PATH] HKUS\S-1-5-21-211488708-3525939622-1550682978-1000\[...]\Run : govrgbrk ("C:\Users\John\AppData\Local\dqipvpat.exe" [-]) -> [0x2] The system cannot find the file specified.
    [HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST31000524AS +++++
    --- User ---
    [MBR] 6edd5b3f11e67a317d37fdf5a5f76e5e
    [BSP] 6ec92234f880ce4e1ccceaffd1cff209 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12544 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25772032 | Size: 941284 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST31000524AS +++++
    Error reading User MBR!
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_D_08072013_000128.txt >>
    RKreport[0]_S_08072013_000047.txt



    I then ran a Quick Scan with MBAM, which found all kinds of junk, including the dqipvpat.exe file. Here is the MBAM report:

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.08.07.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16635
    John :: JOHNDESKTOP [administrator]

    8/7/2013 12:16:41 AM
    mbam-log-2013-08-07 (00-16-41).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 221502
    Time elapsed: 6 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 18
    C:\Users\John\AppData\Local\Temp\SPStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\UpdUninstall.exe (PUP.Optional.InstallMonetize) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\ct3279141\chLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\ct3279141\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\ct3279141\ffLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\ct3279141\ieLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\CT3281024\spch.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\AppData\Local\Temp\CT3281024\spff.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\dqipvpat.exe (Trojan.Downloader.Kuluoz) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\fvwkkhxe.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\kxdaaahb.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\ocbrwvbi.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\Application Data\dqipvpat.exe (Trojan.Downloader.Kuluoz) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\Application Data\fvwkkhxe.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\Application Data\kxdaaahb.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\John\Local Settings\Application Data\ocbrwvbi.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Windows\Installer\14f644.msi (PUP.Optional.Iminent) -> Quarantined and deleted successfully.
    C:\Users\John\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

    (end)


    So far the machine is working OK, but the System Care Antivirus folder still shows up in my Start>All Programs list.
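
    Added example, written for this edit and not code from the thread or from RogueKiller/MBAM: a PowerShell script that re-checks, after cleanup, the three kinds of registry tampering in the RogueKiller report above (the UAC and Task Manager/Registry Editor policy values, a Run-key entry launching a randomly named executable from the user profile, and the hidden desktop icons). The registry paths are the standard ones behind the `[...]` in the log; the "eight random lowercase letters" and "user-writable path" heuristics are assumptions drawn from the file names in the two logs, not anything the tools themselves check. It is written for the PowerShell 2.0 that ships with Windows 7 and needs an elevated prompt.

```powershell
# Added example, not from the thread or from RogueKiller/MBAM. Re-checks the
# registry tampering listed in the RogueKiller report. PowerShell 2.0 syntax
# (stock Windows 7); run from an elevated prompt.

# --- 1. Policy values the rogue flipped ---------------------------------
# EnableLUA must be 1 (UAC on). ConsentPromptBehaviorAdmin is 5 on a stock
# Windows 7 install; RogueKiller restored 2 (consent on the secure desktop),
# which is stricter and also fine. DisableTaskMgr / DisableRegistryTools are
# absent on a stock install; 0 is harmless, 1 disables the tool.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyExpected = @{
    'EnableLUA'                  = @(1)
    'ConsentPromptBehaviorAdmin' = @(2, 5)
    'DisableTaskMgr'             = @($null, 0)
    'DisableRegistryTools'       = @($null, 0)
}

function Test-PolicyValues {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $policyExpected.Keys) {
            $actual = $props.$name            # $null when the value is absent
            New-Object PSObject -Property @{
                Check = 'Policy'; Where = "$path\$name"; Value = $actual
                OK = ($policyExpected[$name] -contains $actual); Reason = ''
            }
        }
    }
}

# --- 2. Run keys ----------------------------------------------------------
# The log's entry lived under AppData\Local. "Local Settings" is the junction
# Vista and later keep for compatibility and points at the same directory,
# which is why MBAM listed each file twice.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userWritable = '\\AppData\\Local\\|\\Local Settings\\|\\Temp\\'   # heuristic (assumption)

function Test-RunKeys {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -cmatch '^PS') { continue }     # PSPath, PSChildName, ...
            $cmd = [string]$p.Value
            # Executable from a quoted or unquoted command line. An unquoted
            # path containing spaces will be reported as missing; check by hand.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $reasons = @()
            if ($cmd -match $userWritable)      { $reasons += 'user-writable path' }
            if ($p.Name -cmatch '^[a-z]{8}$')   { $reasons += 'random 8-letter name (heuristic)' }
            if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing' }
            New-Object PSObject -Property @{
                Check = 'Run'; Where = "$key\$($p.Name)"; Value = $cmd
                OK = ($reasons.Count -eq 0); Reason = ($reasons -join ', ')
            }
        }
    }
}

# --- 3. Desktop icons hidden by policy ----------------------------------
# 1 = hidden. The two CLSIDs in the log are "User's Files" and "Computer".
$hidePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
)
$hideIcons = @{
    '{59031a47-3f72-44a7-89c5-5595fe6b30ee}' = "User's Files"
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 'Computer'
}

function Test-DesktopIcons {
    foreach ($path in $hidePaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($clsid in $hideIcons.Keys) {
            $v = $props.$clsid
            New-Object PSObject -Property @{
                Check = 'DesktopIcon'; Where = "$path -> $($hideIcons[$clsid])"
                Value = $v; OK = ($v -ne 1); Reason = ''
            }
        }
    }
}

$results = @(Test-PolicyValues) + @(Test-RunKeys) + @(Test-DesktopIcons)
$results | Sort-Object OK | Format-Table OK, Check, Where, Value, Reason -AutoSize

# Dropped files often carry the hidden attribute and do not show in a plain
# listing, which is one reason a manual search of AppData\Local can miss them:
# Get-ChildItem $env:LOCALAPPDATA -Force -Filter *.exe
```

    Anything with OK = False deserves a look; a Run entry whose target is missing is usually leftover from a file already quarantined (the log's second `govrgbrk` line, reported as "cannot find the file", is exactly that) and can simply be deleted.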

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK. Good. You can manually delete that folder. The primary files causing all the problems should be gone. If all looks good you can uninstall AdwCleaner by launching it and clicking the uninstall button; also delete its logs. You can also delete the aswMBR icon from your desktop.
    Note the free version of Malwarebytes must be updated manually and a scan started manually.
    So if all is good, some tips to help you remain malware free:

    No software can think for you. Help yourself. In no special order:

    1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited.
    Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web-based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software.

    Not sure if you are using the latest version of software? Check their version status and get the updates here.

    Check your browser for vulnerabilities.

    2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars or other "offers" if not unchecked first. Toolbars can be resource hogs as well as having privacy concerns.
    Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If any of these frequently finds malware, then it's time to *review your computer habits or lack of habits.*

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing tricks.

    5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX and Java applets with care. Do you trust the website to install components?

    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista, Windows 7 and Windows 8 attempts to address.

    Every Microsoft Security Bulletin that describes a potential remote code execution vulnerability has this sentence in its description:

    "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." Fewer rights mean a limited account.

    8) Use the Windows native firewall and get an inexpensive hardware router.

    9) Your browser risks. The why and how to secure your browser for safer surfing.

    Consider disabling Java in your browser.
    Check your browser for vulnerabilities.

    10) Warez, cracks, keygens, etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via P2P networks you will encounter malware. Do you really trust the source of the file?

    More info with pictures in link below.
    Happy Safe Surfing
    How Can I Reduce My Risk?
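
    Added example, not from the thread: a PowerShell script that checks the two tips above that are settings rather than habits, 7 (limited account / UAC) and 8 (Windows firewall). It shows the detail tip 7 rests on: with UAC on, an administrator's ordinary session runs on a filtered token in which the Administrators group is present but marked "used for deny only". Written for the PowerShell 2.0 on stock Windows 7, so it shells out to `whoami` and `netsh` (the `Get-NetFirewallProfile` cmdlet only exists on Windows 8 and later); the parsing of the `netsh` text assumes the English output layout.

```powershell
# Added example, not from the thread. Checks tips 7 and 8 as settings rather
# than habits. PowerShell 2.0 (stock Windows 7). whoami and netsh are used
# because Get-NetFirewallProfile does not exist before Windows 8; the netsh
# parsing assumes English output.

function Get-AdminTokenState {
    # With UAC on, an administrator's normal (non-elevated) process carries a
    # filtered token: BUILTIN\Administrators (S-1-5-32-544) is still listed but
    # flagged "Group used for deny only", so it grants nothing until you pass
    # a UAC prompt. A standard (limited) user has no such group at all.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    New-Object PSObject -Property @{
        User          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        IsAdminMember = ($admins -ne $null)
        Elevated      = (($admins -ne $null) -and ($admins.Attributes -notmatch 'deny only'))
    }
}

function Get-FirewallState {
    # netsh prints "<Name> Profile Settings:" followed by a "State  ON|OFF" line.
    $section = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^State\s+(ON|OFF)') {
            New-Object PSObject -Property @{
                Profile = $section; Enabled = ($Matches[1] -eq 'ON')
            }
            $section = $null
        }
    }
}

$token = Get-AdminTokenState
$token | Format-List User, IsAdminMember, Elevated
if ($token.IsAdminMember -and -not $token.Elevated) {
    Write-Output 'Admin account, but this session runs on the UAC-filtered token.'
} elseif (-not $token.IsAdminMember) {
    Write-Output 'Standard (limited) account: what tip 7 recommends for daily use.'
}

$fw = @(Get-FirewallState)
$fw | Format-Table Profile, Enabled -AutoSize
$off = @($fw | Where-Object { -not $_.Enabled })
if ($off.Count -gt 0) {
    Write-Output ('Firewall OFF for: ' + (($off | ForEach-Object { $_.Profile }) -join ', '))
}
```

    Run it once from a plain PowerShell window and once from one started with "Run as administrator": same account, different `Elevated` result, which is the whole point of keeping daily work on the unelevated or limited side.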

  8. #8
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    I have this nagging feeling that that was too easy! I deleted the System Care Antivirus folder after I made sure that the .exe file that it had previously contained was indeed gone, and it looks OK.

    Do I need to worry that MBAM detected kuluoz? From what I read, that is a much nastier bit of malware than System Care, in that it steals passwords and financial data. Should I be concerned about the integrity of my passwords?

    I already run McAfee, MBAM, and SpywareBlaster, so I think my protection is at least decent, but none of that stuff will protect me from my own carelessness, and that is what bit me this time.

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    I think you're good. Why don't you run an updated Windows Defender also, just as another check. SpywareBlaster is more for protection from web-based (browser) threats. It doesn't remove malware like MBAM or Defender. You can change your passwords as a precaution. The logs don't show anything other than generic downloader .exe's.

    I do see Conduit in there, so you might want to run AdwCleaner, which will remove adware/spyware or PUPs if present.

    Please download AdwCleaner.exe by Xplode onto your desktop.
    Right-click on AdwCleaner.exe and select "Run as administrator".
    Click on the Delete button.
    When it's done it will reboot your machine.
    On restart it will produce a log, which you can copy/paste in your reply.
    How Can I Reduce My Risk?

  10. #10
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    OK. Due to work obligations, I won't be able to get back to this until Thursday evening, though.

    Thanks a lot for your help. This is a great site, and I will send a contribution.
