Stubborn Malware

Status
Not open for further replies.
Hi Scribehard,

Malwarebytes found and quarantined this:
PUP.Optional.PCPerformer.A
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir

I rebooted, deleted it from quarantine and here is the Malwarebytes log:

As you can see by the portion of the file path I've highlighted this file was already contained in the AdwCleaner quarantine folder, so it was of no harm to you.

The remainder of the files listed by the ESET scan are also contained in the AdwCleaner quarantine folder and will be removed when we finish and do our tool clean-up.

Uninstall via Programs and Features

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:
  • Adobe Flash Player 12.0.0.43
=========================

Adobe Flash Player:

Go to http://get.adobe.com/flashplayer/?no_ab=1
  • Remove the check mark from the box "Install Google Drive"
  • Click the Download button, and follow the onscreen directions to complete the installation.

=========================

Disk Defragmenter in Windows 7

Click on the Start button, and type in "disk defragmenter" in the search window at the bottom.
"Disk Defragmenter" should appear at the top of the search results, click to open.

(a window similar to the one below will open)

[screenshot: DefragMainScrn.png]
Locate your primary hard drive (usually C:), and select it.

[screenshot: HardDriveFragmentation.png]
Next select the Defragment Disk button. Monitor the progress if you choose.

[screenshot: DefragStatus.png]
Close when the defrag process has been completed.

= = = = = = = = = =

You can also Schedule the Disk Defragmenter to run on a predetermined schedule.

From the main Disk Defragmenter window

[screenshot: DefragMainScrn.png]
Select the Configure / Schedule button

[screenshot: Schedule.png]
Select a date and time that best suits your needs.
Close when finished.

=========================

Please re-run MBAM, remove anything it might find and post the log produced. The previous MBAM log you posted is not the correct log.

In your next post please provide the following:
  • MBAM log
  • Any remaining issues?
 
Hi OCD

I uninstalled and re-installed Adobe Flash Player. It didn’t ask me about Google Drive so I don’t know if that was installed in the background. I haven’t uninstalled Google Chrome since installing Firefox so that may be why. I just uninstalled Google Chrome. Adobe also installed McAfee Security Scan Plus, which I don’t usually like because I find it behaves like an invasive pest, so I uninstalled it.

I didn’t think the MBAM log was the correct one but I couldn’t find anything else.

Found it :)
Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.08.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Gary :: GARY-HP [administrator]

Protection: Enabled

9/12/2012 12:20:44 PM
mbam-log-2012-12-09 (12-20-44).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 337691
Time elapsed: 29 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Gary
 
Hi Scribehard,

Security Check

Re-run Security Check by screen317.
  • Right click SecurityCheck.exe, select "Run as Administrator" and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=========================

In your next post please provide the following:
  • checkup.txt
  • How is the computer running, any remaining issues?
 
Hi OCD
Everything is running well. Thank you.

I'm not sure how I should protect my computer in general. I'm using Avast as an anti-virus program but I'm not sure what I'm using Spybot or Malwarebytes for? Or if I have or need a firewall? I see Explorer is using an antivirus/firewall but I use Firefox.

I now have a myriad of new security programs on my computer and haven't a clue what to do with them: OTL, SecurityCheck, ERUNT, AdwCleaner, ComboFix, Malwarebytes, Spybot and Avast. I don't want these programs slowing myself or my computer down. Obviously I need protection but can you suggest what to keep and what not to and how to use what I keep? Thanks OCD.

Results of screen317's Security Check version 0.99.79
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 51
Adobe Flash Player 12.0.0.44 Flash Player out of Date!
Adobe Reader 10.1.9 Adobe Reader out of Date!
Mozilla Firefox (27.0)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Spybot Teatimer.exe is disabled!
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 
Hi Scribehard,

I'm not sure how I should protect my computer in general. I'm using Avast as an anti-virus program but I'm not sure what I'm using Spybot or Malwarebytes for? Or if I have or need a firewall? I see Explorer is using an antivirus/firewall but I use Firefox.

You should always have one (1) Anti-Virus & one (1) Firewall installed and running at all times to get maximum protection. There are many Free versions of both out there, so there is really no need to get a paid subscription to either an Anti-Virus or a Firewall. Both the Anti-Virus and the Firewall are installed on the computer. So regardless of which browser you use, you are protected.

I now have a myriad of new security programs on my computer and haven't a clue what to do with them: OTL, SecurityCheck, ERUNT, AdwCleaner, ComboFix, Malwarebytes, Spybot and Avast. I don't want these programs slowing myself or my computer down. Obviously I need protection but can you suggest what to keep and what not to and how to use what I keep?

Most of these are generally removed during our clean up process. But I will give you a brief rundown on each of the above mentioned programs.

Some of these will be removed due to the fact that they are only recommended to be used with the guidance of a trained helper.

OTL: is a general scan tool that without extensive training will be of little use to you after we are done, so it will be removed.
Security Check: does basically what the name says, checks for installed security programs and also flags some out-of-date programs that are used as a conduit for malware.
ERUNT: Backs up your Registry prior to doing some repairs, so that if something goes wrong you have a reliable copy of the Registry to fall back on. It's always good to back up the Registry anytime (prior to) changes being made.
AdwCleaner: targets adware and miscellaneous toolbars that are added unbeknownst to the user.
ComboFix: complex tool for diagnosing and removing a variety of malware. Should never be used by someone not trained in the proper way to use it. A mistake could render your computer an expensive doorstop. This will be removed.
Malwarebytes: a good on-demand scanner that is good to keep around and run periodically. Good to keep.
Spybot: scans & blocks spyware & adware. Free version is on-demand.
Avast: is an Anti-Virus program that runs and scans in real-time. You can also schedule complete computer scans as well as on-demand scans. This is a keeper.

So you have a choice on some of these if you would like to keep them on-board. They all have a relatively small footprint so they will not bog down your machine.

Removals:
  • OTL
  • Security Check
  • AdwCleaner
  • ComboFix


Optional:
  • ERUNT
  • Malwarebytes
  • Spybot


Not Optional (unless you are changing programs)
  • Avast - your anti-virus software
  • Keep your Windows Firewall enabled, unless you choose to change to one of the Free ones I'll include in my All Clean speech.

With that out of the way, we have 2 items to address from your Security Check log.

Uninstall via Programs and Features

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:
  • Adobe Flash Player 12.0.0.44
  • Adobe Reader 10.1.9
=========================

Adobe Flash Player:

Go to http://get.adobe.com/flashplayer/?no_ab=1
  • Remove the check mark from the box "Install Google Drive"
  • Click the Download button, and follow the onscreen directions to complete the installation.
Please note, depending on your settings, you may have to temporarily disable your antivirus software for the Adobe Reader update.

=========================

Adobe Reader:

Go to http://get.adobe.com/reader/otherversions/
  • Use the drop-down menus to select your operating system
  • Select your language > Select the current version of Adobe Reader for your language
  • Remove the check mark from the box "Free! McAfee Security Scan Plus"
  • Click the Download button, and follow the onscreen directions to complete the installation.
Please note, depending on your settings, you may have to temporarily disable your antivirus software for the Adobe Reader update.

=========================

Let me know which version of Spybot you have and I'll give you directions on how to enable TeaTimer.

Any other questions or issues?
 
Hi OCD
All uninstalls and installs done.
Spybot is 2.0.12.0, update 2.0.12.89. What is a tea timer anyway?
Everything else is running well. Can't believe it.
Thanks.
Gary
 
Hi Scribehard,

Spybot is 2.0.12.0, update 2.0.12.89. What is a tea timer anyway?
Spybot – Search & Destroy does not offer a TeaTimer or LiveProtection option. Currently you can use Spybot 2 as an on-demand scanner. Maybe later versions of Spybot 2 will include a realtime scanner.

Your log appears to be clean. :bigthumb:
We have a few items to take care of before we get to the All Clean Speech.

=========================

Uninstall Combofix

The following will implement important cleanup procedures as well as reset System Restore points:

Click on the Start button and then in the Search field enter combofix /uninstall, as shown in the image below with the blue arrow.

Please note that there is a space between combofix and /uninstall.

Once you have typed this in, press Enter on your keyboard. An Open File security warning will appear asking if you are sure you want to run ComboFix. Please click on the Run button to start the program.

ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by a dialog box stating that ComboFix has been uninstalled.

=========================

Clean up with OTL:
  • Right-click OTL.exe select "Run as Administrator" to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
=========================

Removing/Uninstalling AdwCleaner:
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
=========================

You can now delete any tools and/or logs remaining on your desktop.

=========================

Disable Java in Web Browsers

There is a vulnerability with regards to Java and web browsers. Therefore, we recommend disabling Java in web browsers.
More information can be found here: http://www.techsupportforum.com/forums/f50/disable-java-in-browsers-683721.html

  • Click on the Start button and then click on the Control Panel option.
  • In the Control Panel Search enter Java Control Panel.
  • Click on the Java icon to open the Java Control Panel.

Disable Java through the Java Control Panel

  • In the Java Control Panel, click on the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  • Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
  • Click OK in the Java Plug-in confirmation window.
  • Restart the browser for changes to take effect.

=========================

With the above items taken care of let's move on to the All Clean part of the process.

The following procedures are recommendations for helping to keep your system running smoothly. If you are currently satisfied with how your system is running some or all of these may not pertain to you. Implement what you need.

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Make your Mozilla Firefox more secure - This can be done by adding these add-ons:
Use and update anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus
Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.
Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002.
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

Finally, I strongly recommend that you read TonyKlein's good advice "So how did I get infected in the first place?"

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
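The Internet Explorer zone settings and the custom hosts file note in the All Clean post above can both be checked from a script instead of by clicking through dialogs. The following is an added example and is not part of OCD's post or of any tool named in the thread. It assumes PowerShell 3.0 or later, and it takes the six setting IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings 0 = Enable, 1 = Prompt, 3 = Disable from Microsoft KB 182569; the function names and the "large hosts file" threshold are my own choices. It only reads the registry, the hosts file and the service state; it changes nothing.

```powershell
# Added example, not from the forum thread: read-only audit of two All Clean items.
#   1. The six Internet Explorer "Internet" zone settings the post asks you to set
#      to Prompt or Disable.
#   2. The custom hosts file and the DNS Client service state the MVPS HOSTS note mentions.
# Assumptions: PowerShell 3.0+; setting IDs and value meanings per Microsoft KB 182569
# (0 = Enable, 1 = Prompt, 3 = Disable). Verify the IDs against that article before relying on them.

# Zone 3 is the Internet zone; these are the per-user values the Custom Level dialog writes.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting ID, its name in the Custom Level dialog, and the value the post recommends.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValueName([object]$Value) {
    if ($null -eq $Value) { return '(not set, IE default applies)' }
    if ($ValueNames.ContainsKey([int]$Value)) { return $ValueNames[[int]$Value] }
    return "unknown ($Value)"
}

# One object per recommended setting, with Compliant = $true when it already matches the post.
function Test-IeInternetZone {
    foreach ($s in $Recommended) {
        $item = Get-ItemProperty -Path $ZonePath -Name $s.Id -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { [int]$item.($s.Id) } else { $null }
        [pscustomobject]@{
            Id          = $s.Id
            Setting     = $s.Name
            Current     = Get-ZoneValueName $current
            Recommended = $ValueNames[$s.Want]
            Compliant   = ($current -eq $s.Want)
        }
    }
}

# Counts active hosts entries, how many of them block names, and reports the DNS Client
# (Dnscache) service state. A default Windows hosts file has only comments, so a large
# number of active entries indicates a custom file such as MVPS HOSTS.
function Test-CustomHostsFile {
    param([int]$LargeFileThreshold = 1000)   # assumed threshold; MVPS-sized files have thousands
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -ne '' -and -not $_.TrimStart().StartsWith('#') })
    # Blocking entries map a name to the unroutable 0.0.0.0 address or to loopback.
    $blocking = @($active | Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S' })
    $dns   = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
    $large = $active.Count -ge $LargeFileThreshold
    if ($large -and $dns.State -eq 'Running') {
        $advice = 'Large hosts file with DNS Client running: follow the MVPS note on disabling the service.'
    } elseif (-not $large) {
        $advice = 'Default-sized hosts file: no custom hosts file appears to be installed.'
    } else {
        $advice = 'Custom hosts file and DNS Client service state look consistent.'
    }
    [pscustomobject]@{
        HostsFile       = $hostsPath
        ActiveEntries   = $active.Count
        BlockingEntries = $blocking.Count
        DnsClientState  = $dns.State
        DnsClientStart  = $dns.StartMode
        Advice          = $advice
    }
}

Test-IeInternetZone  | Format-Table -AutoSize
Test-CustomHostsFile | Format-List
```

Run it from a PowerShell window opened with "Run as Administrator" so the hosts file and service query succeed. Two caveats apply to the zone check: Group Policy can enforce the same setting IDs under the HKLM Policies branch, in which case the per-user value this script reads is not the effective one, and a value that is absent simply means Internet Explorer is using its built-in default for that security level rather than anything the user chose.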
 
Hi OCD
I did all you suggested except the hosts file. It's a bit beyond me. Never mind, I feel a lot safer now than I did before.
Can't thank you enough for all your help.
My computer is running well again and I'm full of confidence with it.
Thanks again.
Kind regards
Gary
 
Hi Scribehard,

You're very welcome. Glad I was able to help. :bigthumb: Have a great day.

Since this issue appears to be resolved ... this Topic will be closed.
 