after spybot scans my pc is still infected

the log is definitely different now :)



Volume in drive C is OS
Volume Serial Number is 82D1-5C21

Directory of C:\Users\MariLucy

05/08/2011 12:09 AM <DIR> .
05/08/2011 12:09 AM <DIR> ..
05/30/2007 09:19 AM <DIR> AppData
05/30/2007 09:19 AM <JUNCTION> Application Data [C:\Users\MariLucy\AppData\Roaming]
05/16/2011 05:06 AM <DIR> Contacts
05/30/2007 09:19 AM <JUNCTION> Cookies [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Cookies]
05/20/2011 05:45 PM <DIR> Desktop
05/18/2011 07:20 PM <DIR> Documents
05/17/2011 06:50 AM <DIR> Downloads
12/05/2008 01:01 PM <DIR> Links
05/30/2007 09:19 AM <JUNCTION> Local Settings [C:\Users\MariLucy\AppData\Local]
12/24/2010 10:40 AM <DIR> Music
05/30/2007 09:19 AM <JUNCTION> My Documents [C:\Users\MariLucy\Documents]
05/30/2007 09:19 AM <JUNCTION> NetHood [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
05/21/2011 08:34 AM 7,864,320 ntuser.dat
05/21/2011 08:34 AM 262,144 ntuser.dat.LOG1
05/30/2007 09:19 AM 0 ntuser.dat.LOG2
04/26/2010 01:28 AM 6,029,312 ntuser.dat_previous
05/21/2011 04:08 AM 65,536 NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
05/21/2011 04:08 AM 524,288 NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
05/30/2007 09:19 AM 524,288 NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
05/30/2007 09:19 AM 20 ntuser.ini
01/19/2010 02:31 AM <DIR> Office Genuine Advantage
05/15/2011 07:23 AM <DIR> Pictures
05/30/2007 09:19 AM <JUNCTION> PrintHood [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
05/30/2007 09:19 AM <JUNCTION> Recent [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Recent]
10/11/2007 06:04 AM <DIR> Searches
05/30/2007 09:19 AM <JUNCTION> SendTo [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\SendTo]
05/30/2007 09:19 AM <JUNCTION> Start Menu [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Start Menu]
05/30/2007 09:19 AM <JUNCTION> Templates [C:\Users\MariLucy\AppData\Roaming\Microsoft\Windows\Templates]
04/15/2011 02:10 AM <DIR> Videos
8 File(s) 15,269,908 bytes
23 Dir(s) 20,788,895,744 bytes free
 
Hi,

Click start and type Favorites to text box there and press enter. Did Favorites folder window pop up?
 
Ok. Could you check the path of the folder, please? Earlier findings namely indicate that the folder isn't in the location where it is supposed to be.
 
it's C:\Users\MariLucy\Music\Favorites

but i can't seem to restore them onto ie and safari's favs are gone too.

and i have to return the pc on monday
 
Hi,

Does the C:\Users\MariLucy\Music\Favorites folder contain any familiar bookmarks?

Please run the following commands under command prompt (let me know if any of them fails):
Code:
cd /d %userprofile%
md Favorites
 
the favorites folder in my music has all the bookmarks i'm trying to restore to ie

none of the lines failed but i don't see anything different

was that supposed to put the favorites folder in the right place?
 
Hi,

Go to C:\Users\MariLucy\Music folder.
Right click Favorites folder there and select copy.
Go to C:\Users\MariLucy folder.
Right click and select paste.
You should have Favorites folder in C:\Users\MariLucy now. If so, see if IE can see the bookmarks.
 
i had assumed that when i put the favorites folder into the main user's folder that ie would auto load the bookmarks but when that didn't work and importing them like i would to firefox didn't work on ie, that's when i decided to "seek professional help" as it were lol

but no it doesn't seem to be loading the bookmarks no matter what i've done and bookmarks for the other browsers is the same, that's why i asked if i was still infected.

also windows seems a bit slow, like something's taxing it, but nothing large is running in my process list.
 
Hi,

Click start->run type regedit.exe

In registry editor:
1. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell folders key
2. Right click Shell folders there and select export. Save it to your desktop as regexport1.txt.

3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell folders key
4. Right click User Shell folders there and select export. Save it to your desktop as regexport2.txt

5. Navigate to HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell folders key.
6. Right click Shell folders there and select export. Save it to your desktop as regexport3.txt

7. Navigate to HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell folders key
8. Right click User Shell folders there and select export. Save it to your desktop as regexport4.txt

9. Archive the regexport text files into a zip file and post back in your reply.
 
Hi,

Click start->run type regedit.exe

In registry editor:
1. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell folders key
2. On the right side you should see value Favorites. Double click it and set the value data to C:\Users\MariLucy\Favorites

3. When done, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell folders key
4. On the right side you should see value Favorites. Double click it and set the value data to %USERPROFILE%\Favorites
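
The check behind the export and edit steps above, as an added example that is not part of the original thread: a parser for regedit export text that decodes both plain strings and the wrapped `hex(2)` form used for `User Shell Folders` values, then reports where a folder value points away from the profile. The function names (`hex2`, `parse_export`, `misplaced`) are illustrative, the export text is constructed to match the state described in the thread, and key paths are written as regedit exports them.

```python
import re

PROFILE = r"C:\Users\MariLucy"          # profile path taken from the thread

def hex2(text, per_line=20):
    """Encode text the way regedit exports REG_EXPAND_SZ (UTF-16LE, wrapped)."""
    b = [f"{x:02x}" for x in (text + "\0").encode("utf-16-le")]
    rows = [",".join(b[i:i + per_line]) for i in range(0, len(b), per_line)]
    return "hex(2):" + ",\\\n  ".join(rows)

# Constructed export (not the user's attachment): Favorites redirected to Music.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]",
    r'"Favorites"="C:\\Users\\MariLucy\\Music\\Favorites"',
    r'"Desktop"="C:\\Users\\MariLucy\\Desktop"', "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]",
    '"Favorites"=' + hex2(r"%USERPROFILE%\Music\Favorites"),
    '"Desktop"=' + hex2(r"%USERPROFILE%\Desktop"), ""])

def parse_export(text):
    """Return {(key_name, value_name): decoded_string} from export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)       # join wrapped hex lines
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rsplit("\\", 1)[-1]   # last path component
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith("hex(2):"):         # REG_EXPAND_SZ as UTF-16LE bytes
                raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
                out[key, name] = raw.decode("utf-16-le").rstrip("\0")
            elif data.startswith('"') and data.endswith('"'):   # REG_SZ
                out[key, name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return out

def misplaced(text, name="Favorites"):
    """List (key, value) pairs where `name` is not directly under the profile."""
    good = {PROFILE.lower() + "\\" + name.lower(), "%userprofile%\\" + name.lower()}
    return [(k, v) for (k, n), v in parse_export(text).items()
            if n == name and v.lower() not in good]
```

Files saved by regedit's Export are normally UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `misplaced`.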
 
it wasn't letting me cut and paste the favorites folder from the music folder to the general user folder even after renaming it, so i made another favorites folder in the right place and just copy/pasted each bookmark manually. so i have most bookmarks back on ie.

but other than that, is the pc clean? what do i do as final steps?
 
Were you able to make those two registry modifications in my previous post?
 
Good. If no symptoms left, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6, check any checkboxes listed for your hard drives.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


  • Download and run Secunia Personal Software Inspector (PSI) and fix its findings.
  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
    Good commercial ones are from:
    Kaspersky and
    ESET


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
i have security essentials installed, does it make windows defender obsolete, or is it best to run them both together?

does one or both together make an AV unnecessary?
 
Hi,

Microsoft Security Essentials takes care of Windows Defender. MSE is antivirus program too so you won't need separate AV.
 
i've returned the pc, and she's very happy... thank you so much and thanks for sharing your time. i'm sorry i haven't replied sooner, work's been hectic :( but i wanted to thank you from the bottom of my heart, and hope the lord grants you great blessings for helping so many people.

:thanks::thanks:
 
You're welcome

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
 