negster22

Experts
  • Content count

    1,156
About negster22

  • Rank
    Elite Member

Contact Methods

  • Website URL
    http://www.secure-computer-solutions.com

Profile Information

  • Location
    Westchester County, NY
  1. Great outcome and great job, too. Thank you!!
  2. You're welcome & good job! Your infection is removed and you're able to perform a complete scan with MBAM on all drives now with 0 detections found, so our work is just about done now. We have to perform a few "housekeeping" steps to remove the clean-up tools that we used!!

     To remove Combofix and its quarantine folder: Click Start -> Run, copy/paste the following bolded text in the Open: box and select OK:

         combofix /uninstall

     This will do the following:
       • Uninstall Combofix and all its associated files and folders.
       • Flush your system restore points and create a new restore point.
       • Rehide your system files and folders.
       • Reset your system clock.
       • Disable autorun to prevent you from contracting USB transferred infections. You can still access all plugged in devices via My Computer (or Computer in Vista & Win7) or by hitting Windows key + E simultaneously to open Windows Explorer.

     Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

     1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Windows Operating System flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, and others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to. We've already updated Java and the Adobe Reader. Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, please allow it. You may also have to approve Java running.
     2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes. Updating to the Pro version is recommended.
     3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

     You should obtain the most current Operating System updates/patches and Internet Explorer released versions. The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update. However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

     Finally, the Security Check scan you ran initially suggests that your hard drive is due for a defrag:

         `````````````````System Health check`````````````````
         Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
         ````````````````````End of Log``````````````````````

     Performing a defrag should make your computer run faster, by improving disk access times. HAPPY SURFING!!
  3. Very good job! Those two logs look fine. You can uninstall the ESET Online Scanner from the Control Panel -> Add/Remove Programs feature. I want you to try to run a complete MBAM scan now in normal mode. If you encounter an Application Hang on mbam.exe again, then I will do something about the DRM drivers. After which, I'll have you try running a complete scan again. One of the drivers shows up in your RogueKiller log here:

         ¤¤¤ Driver : [LOADED] ¤¤¤
         [Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED (prosync1.sys @ 0xBA5B26C1)

     So try that for now, and let me know how it goes.
  4. That worked out well. Good job!

     ==========================
     Download TFC (Temporary File Cleaner) to your desktop: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
       • Select the green "Download" Button to download TFC.exe.
       • Close any open windows.
       • Double click the TFC icon to run the program. TFC will close all open programs itself in order to run.
       • Click the Start button to begin the process.
       • Allow TFC to run uninterrupted. The program should not take long to finish its job.
       • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
     =============================
     Download RogueKiller and save it to your desktop.
       • Close all the running processes.
       • Double click the RogueKiller icon to run the program. Vista/Win7 users should right click the icon and select Run as Administrator.
       • Wait for the Prescan to finish. Now click the Scan button.
       • Please copy and paste the report in your next reply. A copy of the RKreport.txt can be found on your desktop.
     Note: If RogueKiller is blocked, do not hesitate to try running it again. If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon.exe and try again.
     ===============
     Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
       • Download the latest version of Java Runtime Environment (JRE) 7 Update 40 and save it to your desktop.
       • Scroll down to where it says "Java SE 7 Update 40".
       • Click the "Download JRE" button.
       • Accept the license agreement.
       • Select 'Windows x86' offline from the list.
       • Save the file to your desktop.
       • Close any programs you may have running - especially your web browser.
       • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
       • Check J2SE Runtime Environment 5.0 Update 10 and any item with Java Runtime Environment (JRE or J2SE) in the name.
       • Click the Remove or Change/Remove button.
       • Repeat as many times as necessary to remove each Java version.
       • Reboot your computer once all Java components are removed.
       • Then from your desktop double-click on the downloaded icon to install the newest version.
     Note: If the Ask Toolbar or any other Toolbar is pre-checked for installation, UNCheck it if you do not wish it to install (it is NOT required for the Java Update to complete properly).
     ==============
     Run updates to Adobe Reader:
       • Close all programs and windows.
       • Open Adobe Reader (click on "Start". Click on "All Programs". Click on "Adobe Reader").
       • When Adobe Reader is loaded, click on "Help".
       • Click on "Check for updates now" (or "Updates").
       • You will see available updates in the left window.
       • Select all updates or critical items in the left window and click the "Add" icon between the windows.
       • Click on the "Update" icon at the bottom. The system will start processing the update.
       • If there are 2 or more updates, you will probably have to reboot between updates.
     ==============
     Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry: http://www.eset.com/onlinescan/index.php
     ESET recommends disabling your resident antivirus's active protection component BEFORE scanning. Use Internet Explorer to navigate to the scanner website because you must approve the install of an ActiveX add-on to complete the scan.
       • Select the "Run ESET Online Scanner" Button.
       • Check the "Yes, I accept the terms of use" box.
       • Click "Start".
       • Approve the installation of the ActiveX control that's required to enable scanning.
       • Make sure the box to "Remove found threats" is CHECKED!!
       • Click "Start".
       • Allow the definition data base to install.
       • Click "Scan".
     When the scan is complete, if no threats were found:
       • Check "Uninstall application on close".
       • Close program.
     If threats were found:
       • Select "list of threats found".
       • Select "Export to Text File" & Save the Report to your Desktop as ESETScanLog.
       • Select Back.
       • Place a checkmark in "Uninstall application on close".
       • Select Finish & Exit the program.
     Please copy/paste the scan report in your next reply. It can be found in this location:
     Note to Windows 7/8 and Vista users, and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).
     ============
     To sum it up, I need you to post the following in your next reply:
       1. The RogueKiller Report: RKreport.txt located on your desktop
       2. The ESET Scan Report: C:\Program Files\EsetOnlineScanner\log.txt
  5. Star Force Protection is DRM copyright protection software probably installed with one of your games. It has a total of four low level drivers loaded and there is a possibility that it may be the culprit in stalling MBAM. But, I don't want to do anything with it yet because I want to proceed in a stepwise fashion. Right now, I am having you run a fixlist that will delete a Kaspersky antivirus driver. I'm not sure why it's running on your system. Maybe TDSSKiller put it there because it wasn't in your Combofix log, and you ran Combofix prior to running TDSSKiller.

     Open Notepad. Select Format and make sure Wordwrap is UNchecked. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it to your desktop (the same folder that FRST.EXE is located in) as fixlist.txt

         Start
         C:\Documents and Settings\All Users\Desktop\iMesh.lnk
         C:\Documents and Settings\Vanessa\Local Settings\temp\lowproc.exe
         DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
         DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
         R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [127768 2007-07-19] (Kaspersky Lab)
         C:\Windows\System32\DRIVERS\klif.sys
         2013-10-12 09:13 - 2009-07-12 09:42 - 00786140 ___SH C:\WINDOWS\system32\Drivers\fidbox.idx
         C:\Documents and Settings\Vanessa\Local Settings\temp\Setup.exe
         C:\Documents and Settings\Gordon\Local Settings\temp\Quarantine.exe
         2013-10-09 21:02 - 2013-10-09 21:03 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Gordon\Desktop\tdsskiller.exe
         Folder: C:\Program Files\OpenIt
         End

     NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

     Run FRST and press the Fix button just once and wait. The tool will create and open a log on your Desktop called Fixlog.txt. Please post it in your reply. Run an MBAM Quick Scan in normal mode and see how it goes.
  6. These two items in your MBAM scan are inconsequential as they are only present in your system restore data:

     I am working on a fix for you based on the items in the FRST tool log. Some questions for you so I know what direction to take:
       • Did you create this text file: C:\Documents and Settings\Gordon\Desktop\aa.txt
       • And this Desktop shortcut to iMesh? C:\Documents and Settings\All Users\Desktop\iMesh.lnk
  7. Please read my reply above first. Due to the inability to reach Bleeping Computer, I'm giving you an alternate download for AdwCleaner (it is Xplode's, the author's, website): http://general-changelog-team.fr/fr/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner Just click the green arrow on the right to download. An alternate download for the FRST tool can be found >>HERE<<
  8. You should be able to download AdwCleaner so I'm wondering if you are seeing what I am seeing or if you are being redirected. When you click the download link I provided, you should be taken to the AdwCleaner download page on the Bleeping Computer website. Once there you need only click the top button indicated by the red arrow in the image below, to download Adwcleaner.exe (there is no installer or setup file). Double-clicking AdwCleaner.exe will launch the program. Let me know if you are seeing what I am seeing please.
     -----------------------------------------------------------------------
     I want you to make files and folders visible:
       • Click Start > Open "My Computer".
       • Select the Tools menu and click "Folder Options."
       • Select the View Tab.
       • Under the Hidden files and folders heading, select Show hidden files and folders.
       • Uncheck: Hide file extensions for known file types.
       • Uncheck the Hide protected operating system files (recommended) option.
       • Click Yes to confirm.
       • Click OK.
     Then I want you to open Windows Explorer (hit the Windows Key + E simultaneously). Navigate to these directories and delete them both:
         c:\documents and settings\Gordon\Application Data\0D0S1L2Z1P1B
     Exit Windows Explorer.
     ---------------------------------------------
     Download Farbar Recovery Scan Tool 32-Bit (FRST.exe) and save it to your desktop.
       • Double-click FRST.EXE to run it.
       • When the tool opens click Yes to the disclaimer.
       • Press the Scan button.
       • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
       • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     -----------------------------------------------------------
     Please update MBAM and run another Quick Scan. Post the MBAM log in your next reply.
     -------------------------------------------------------------
     If you are having trouble downloading the troubleshooting tools I'm directing you to use, then please download them to a USB stick (or CD) on a clean computer and transfer them over to the desktop of the computer we're working on.

     PS. I have been having trouble reaching Bleeping Computer today (& yesterday) so you should know that if you're experiencing the same issue, it's not due to your computer's infection.
  9. That looks good so far. Normally, a quick scan is adequate. I'll look for your next reply.
  10. Try this COMBOFIX DOWNLOAD: http://download.bleepingcomputer.com/sUBs/ComboFix.exe or for the renamed version which should download very quickly with no interference >>HERE<<. You do have to be careful to avoid ads soliciting you to download programs on the computer security help sites. That is often how the sites support themselves but it can get confusing when trying to download anti-malware tools. That's fine. We will continue tomorrow and have a good night!
  11. Let's concentrate on removing the malware from your C:\ drive for now and you can try scanning your F:\ drive in the background. What MBAM found is called a PUP, short for Potentially Unwanted Program. It just started scanning for these types of nuisance programs that often come bundled with free software. FYI: https://helpdesk.malwarebytes.org/entries/23482988-What-are-the-PUP-detections-are-they-threats-and-should-they-be-deleted-

     I did notice in your Combofix log these recently created (10-8) entries: Did you just install the program OpenIt, because c:\documents and settings\Gordon\Application Data\DigitalSite was written to at the same time that the OpenIt folder was? Please rescan with MBAM to see if the PUPs were removed.

     Now we have to run Combofix again with a script:
       1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).
       2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" function on the Notepad Menu.

              Killall::
              Driver::
              kbuzyias5zubw
              File::
              c:\windows\system32\kolgwvd.exe
              c:\documents and settings\Gordon\Start Menu\Programs\Startup\PowerReg Scheduler.exe
              c:\windows\pss\PowerReg Scheduler.exeStartup
              DirLook::
              c:\documents and settings\Gordon\Application Data\0D0S1L2Z1P1B
              Registry::
              [-HKLM\~\startupfolder\C:^Documents and Settings^Gordon^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
              "DisableMonitoring"=dword:00000000
              ClearJavaCache::

       3. Disable all anti-malware and antivirus active protection by referring to these directions HERE
       4. Close All Open Windows and Browsers. Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to run again.

     If the run does not finish or you have problems, please launch Combofix in safe mode following the same directions as above. If ComboFix prompts you to update to a newer version, make sure you allow it to update. Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).
  12. Good news!! Your TDSSKiller log is clean. It will take me a while to review your Combofix log for anything else that needs to be removed. While I'm doing that I'd like you to see if MBAM will complete a quick scan now. Try that and be sure to update it first. Post the MBAM log. Then run this Adware Removal Program:

     Download ADWCleaner to your desktop. NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.
       • Close all programs and click on the AdwCleaner icon.
       • Click on Scan and follow the prompts. Let it run unhindered.
       • When the scan has finished, look through the scan results and uncheck any entries that you do not wish to remove.
       • When you are satisfied with the selection, simply click on the Clean button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing.
       • Allow the system to reboot. You will then be presented with the report. Copy & paste this report in your next reply. The report will be saved in the C:\AdwCleaner folder.
  13. I prefer that you copy/paste replies please. TDSSKiller will confirm whether your infection is removed. It looks like Combofix was successful in replacing the patched driver with a legitimate copy so that is good news.
  14. I would be more concerned if it said you were about to view pages over an insecure connection. It's probably related to ComboFix resetting a number of Internet Explorer's settings to make it more secure, including making it the default browser. Please post C:\combofix.txt so I can see what is happening on your computer and how Combofix dealt with your infection. Also, if you have the TDSSKiller log already please include that.
  15. This is the whole point. Renaming an anti-malware executable is one of the ways to thwart malware. I could have you rename Combofix.exe as you download it, but this is a genuine version that is already renamed for that purpose. Knowing this, I hope you feel confident about following my instructions as given. Please proceed.