I Might Be Infected? [Solved]


129 replies to this topic

#46 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 26 May 2013 - 09:59 AM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-08] (Conduit)
HKU\Peter Boggs\...\Run: [SearchProtect] C:\Users\Peter Boggs\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-08] (Conduit)
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [97056 2013-05-08] (Conduit)
2013-05-18 21:26 - 2013-05-18 21:26 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-05-18 21:25 - 2013-05-18 21:31 - 00000000 ____D C:\Users\Peter Boggs\Application Data\SearchProtect
2013-05-18 21:25 - 2013-05-18 21:31 - 00000000 ____D C:\Users\Peter Boggs\AppData\Roaming\SearchProtect
2013-05-18 21:25 - 2013-05-18 21:25 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe
2013-05-18 11:32 - 2013-05-18 11:32 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(13).exe
2013-05-18 00:10 - 2013-05-18 00:10 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(12).exe
2013-05-13 22:15 - 2013-05-13 22:15 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe
2013-05-13 09:19 - 2013-05-13 09:35 - 00031722 ____A C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe.part
2013-05-18 21:31 - 2013-05-18 21:25 - 00000000 ____D C:\Users\Peter Boggs\Application Data\SearchProtect
2013-05-18 21:31 - 2013-05-18 21:25 - 00000000 ____D C:\Users\Peter Boggs\AppData\Roaming\SearchProtect
2013-05-18 21:26 - 2013-05-18 21:26 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-05-18 21:25 - 2013-05-18 21:25 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe
2013-05-18 11:32 - 2013-05-18 11:32 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(13).exe
2013-05-18 00:10 - 2013-05-18 00:10 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(12).exe
2013-05-13 22:15 - 2013-05-13 22:15 - 01315080 ____A (Conduit) C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe
2013-05-13 09:35 - 2013-05-13 09:19 - 00031722 ____A C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe.part

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
----------


#47 thinkativeone (Authentic Member, 71 posts)

Posted 28 May 2013 - 12:50 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-05-2013 03
Ran by SYSTEM at 2013-05-27 23:46:17 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SearchProtectAll => Value deleted successfully.
HKEY_USERS\Peter Boggs\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect => Value deleted successfully.
CltMngSvc => Service deleted successfully.
C:\Program Files (x86)\SearchProtect => Moved successfully.
C:\Users\Peter Boggs\Application Data\SearchProtect => Moved successfully.
C:\Users\Peter Boggs\AppData\Roaming\SearchProtect => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe => Moved successfully.
C:\Users\Peter Boggs\Downloads\SwagBucks(13).exe => Moved successfully.
C:\Users\Peter Boggs\Downloads\SwagBucks(12).exe => Moved successfully.
C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe => Moved successfully.
C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe.part => Moved successfully.
C:\Users\Peter Boggs\Application Data\SearchProtect => File/Directory not found.
C:\Users\Peter Boggs\AppData\Roaming\SearchProtect => File/Directory not found.
C:\Program Files (x86)\SearchProtect => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(13).exe => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(12).exe => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(11).exe.part => File/Directory not found.
==== End of Fixlog ====
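As an added example (not part of the thread), a small Python helper that reads an FRST Fixlog like the one above and reports which fixlist targets were actually removed. The log excerpt is constructed from lines in the post; `summarize` tolerates the duplicated entries in the fixlist, which show up as "File/Directory not found" on the second pass.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the FRST Fixlog posted above (header, a few results, footer).
FIXLOG = r"""
Ran by SYSTEM at 2013-05-27 23:46:17 Run:1
==============================================
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SearchProtectAll => Value deleted successfully.
CltMngSvc => Service deleted successfully.
C:\Program Files (x86)\SearchProtect => Moved successfully.
C:\Users\Peter Boggs\Application Data\SearchProtect => Moved successfully.
C:\Users\Peter Boggs\AppData\Roaming\SearchProtect => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe => Moved successfully.
C:\Users\Peter Boggs\AppData\Roaming\SearchProtect => File/Directory not found.
C:\Program Files (x86)\SearchProtect => File/Directory not found.
C:\Users\Peter Boggs\Downloads\SwagBucks(14).exe => File/Directory not found.
==== End of Fixlog ====
"""

# Every FRST result line reads "<target> => <result>."; header/footer lines do not match.
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<result>.+?)\.?$")
SUCCESS = {"Moved successfully", "Value deleted successfully", "Service deleted successfully"}

def parse_fixlog(text):
    """Return (target, result) pairs in log order, skipping non-result lines."""
    pairs = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            pairs.append((m.group("target"), m.group("result")))
    return pairs

def summarize(pairs):
    """Collapse repeated targets: 'removed' if any attempt succeeded, else 'absent'.
    The fixlist names each path twice, so 'not found' after a success is the expected
    second pass; 'absent' on every attempt means FRST never saw the target at all
    (here the AppData Roaming folder, the same directory as the 'Application Data'
    junction FRST had already moved)."""
    status = OrderedDict()
    for target, result in pairs:
        if result in SUCCESS or status.get(target) == "removed":
            status[target] = "removed"
        else:
            status[target] = "absent"
    return status

def never_removed(pairs):
    """Targets the fixlist named but FRST never found; worth a second look."""
    return [t for t, s in summarize(pairs).items() if s == "absent"]
```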

#48 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 28 May 2013 - 09:16 AM

How exactly is your system behaving right now?

#49 thinkativeone (Authentic Member, 71 posts)

Posted 28 May 2013 - 04:40 PM

It seems to be running nice and quietly. I had the blue circle on last night after completing your last instructions but today it is not on.

#50 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 28 May 2013 - 06:05 PM

Ok...let me know how everything is running tomorrow and if all is well we can remove our tools and you should be good to go. :)

#51 thinkativeone (Authentic Member, 71 posts)

Posted 29 May 2013 - 06:13 PM

Still have the blue circle over my cursor. It was on last night after a forced shut down (due to freezing up on me) too.

#52 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 30 May 2013 - 12:54 PM

Ok....are you using an external mouse by chance? If so, please detach the mouse and let me know if the blue circle is still there.

#53 thinkativeone (Authentic Member, 71 posts)

Posted 30 May 2013 - 02:44 PM

Nope, I never use an external mouse. Just the trackpad built into this laptop. No blue circle on today, it seems to be alternating every other shutdown or every two.

#54 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 31 May 2013 - 05:48 AM

This seems more like a hardware/software problem now rather than a malware issue. I don't see anything jumping out at me in the logs you are providing either. If you still have the issue, you might start a new topic in the Windows forum here at What the Tech and see what the techs there have to say. They are really fantastic and you will be in great hands. Be sure to post your problem and also a link to this topic so that they can see what we have done. If they can't find anything, come back and we can dig deeper; or if you get fixed up, return here and we will remove our tools. :)

#55 thinkativeone (Authentic Member, 71 posts)

Posted 31 May 2013 - 03:11 PM

Thanks Jeff. :) I'll go see what they have to say and then come back here for tool removal.



#56 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 31 May 2013 - 03:54 PM

:thumbup:

#57 thinkativeone (Authentic Member, 71 posts)

Posted 03 June 2013 - 12:14 AM

I think I am ready to remove the tools now. :banana:

#58 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 03 June 2013 - 05:30 AM

I think I am ready to remove the tools now.

:thumbup: I saw where it got fixed up! Great!!

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run text box. Copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

----------

Clean up with OTL:
  • Right-click and Run as Administrator OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop. If you did not have Malwarebytes Antimalware before, I would keep it and run it weekly.
----------

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Firefox - If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:
NoScript
AdBlock Plus

3. Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall - Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. There are firewalls that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) - As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read Miekiemoes' great advice How to prevent malware.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
----------
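As an added check (not from the thread), a Python audit that reads a `reg export` of the Internet Explorer Internet zone and flags any of the six settings from item 1 above that are less restrictive than recommended. The action ids and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are Microsoft's documented zone registry layout (KB 182569); the .reg text is a constructed sample, not taken from the poster's machine.

```python
import re

# IE keeps the per-user Internet zone (zone 3) here; each action is a DWORD named by its
# id, with 0 = Enable, 1 = Prompt, 3 = Disable (Microsoft KB 182569).
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}
# The six settings recommended in the post, keyed by action id.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
# Constructed sample of `reg export` output for the zone, with two settings left at Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

def parse_zone(reg_text, key=ZONE3_KEY):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = DWORD_RE.match(line)
        if in_key and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values

def audit(values):
    """(id, description, current, recommended) for settings looser than recommended.
    A missing value means IE's default applies, so it is reported as 'default'."""
    findings = []
    for vid, (desc, want) in RECOMMENDED.items():
        have = values.get(vid)
        if have is None or have < want:  # 0 < 1 < 3 is also increasing strictness
            findings.append((vid, desc, ACTION.get(have, "default"), ACTION[want]))
    return findings
```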

#59 thinkativeone (Authentic Member, 71 posts)

Posted 03 June 2013 - 12:34 PM

Sorry about this; step 1 failed miserably. I copy/pasted the Combofix Uninstall and a pop-up with a red X came up saying, "Windows cannot find the file 'Combofix'. Make sure you typed the name correctly, and then try again." It was typed correctly; tried it again several times. Same result. :scratch:

#60 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 03 June 2013 - 03:50 PM

Do you still have ComboFix on your Desktop? If not move it there and then try again. Let me know if you still have problems. :)
