Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91521 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

I used a program called roguekill and don't know if I have messed


  • This topic is locked This topic is locked
27 replies to this topic

#16 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 21 May 2014 - 04:15 PM

Hi Adam, I have installed the new version of mbytes on top of the old one..... I have clicked settings but can't find a scan for rootkits option.

 

 

I have now found the option and followed your instructions my apologies.


Edited by Ally, 21 May 2014 - 04:28 PM.

    Advertisements

Register to Remove


#17 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 21 May 2014 - 04:39 PM

Hi Adam,I have done step one and here is the log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 21/05/2014
Scan Time: 23:27:10
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.05.21.10
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Allybongo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333232
Time Elapsed: 8 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#18 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 21 May 2014 - 05:24 PM

Hi Adam,I have just finished my eset scan and here are the logs: 

 

 

C:\ProgramData\IObit\ASCDownloader\ASCSetup.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\All Users\IObit\ASCDownloader\ASCSetup.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
 



#19 LiquidTension

LiquidTension

    SuperMember

  • Classroom Teacher
  • 2,566 posts

Posted 21 May 2014 - 07:11 PM

Hello Ally, 
 

I accidentaly posted a farbar log instead of a mbytes  protection log and now that the new version is installed I don't know where to find the protection log.

No problem, don't worry about it.  :) Old protection logs are no longer accessible, but it isn't a big deal. 
 
The IP blocks by Malwarebytes are likely caused by P2P usage (uTorrent, Skype, etc), embedded images hosted on blacklisted domains, ads, etc. This simply indicates Malwarebytes is doing it's job. As long as the blocks do not occur whilst no programmes are open, there should not be any need to worry. Most users that use Malwarebytes Malicious Website Protection will experience IP blocks from time to time. 
 

when I right click on the Allybongo folder it does not come up properties but I noticed it has a create shortcut in the menu.

Feel free to delete the folder. 
 

Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

Your Malwarebytes log indicates several modules are disabled.

  • Click Settings, followed by Detection and Protection. Click Enabled under Malware Protection and Malicious Website Protection.
  • In Settings, click Advanced Settings and place a checkmark next to Enable self-protection module.
     

C:\ProgramData\IObit\ASCDownloader\ASCSetup.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\All Users\IObit\ASCDownloader\ASCSetup.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application

These items are nothing to be concerned with. ASCSetup.exe is the setup file for a piece of software installed on your computer. It can be ignored. 
 

Spoiler

 Your logs indicate you have been using MSCONFIG as a startup manager. MSCONFIG is not a startup manager; it is a diagnostic tool. If you are using it as a startup manager you cannot use it as a diagnostic tool.  There is also a known issue where some settings once changed cannot be restored using MSCONFIG. I would suggest reversing the changes made in MSCONFIG. 
 
 
Lets deal with your startup programmes more appropriately. We will also take a look at the folders on your C drive - to confirm, you were referring to folders in the root folder (C:\)? 
 
 
STEP 1
hkxnADR.png StartupLite

  • Please download StartupLite and save the file to your desktop.
  • Double-click the icon to run the programme.
  • The programme will enumerate any unnecessary startup programmes.
  • Disable the programmes you do not wish to run at startup.
  • Follow the prompts and reboot if necessary.
     

STEP 2
MgeHyNE.png Batch File

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @ECHO OFF
    CD\
    dir > %userprofile%\desktop\rootfolderlist.txt
    exit
  • Click Format. Ensure Wordwrap is unchecked
  • Click FileSave As and name the file batch.bat
  • Select All Files as the Save as type.
  • Save the file to your desktop
     
  • Locate batch.bat iKKSwsh.png (W8/7/Vista) on your desktopRight-click the icon and click Run as Administrator
  • A log (rootfolderlist.txt) will be created on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
V5fS8AB.png Windows Explorer

  • Please navigate to the following folder using Windows Explorer:
    • C:\Users\Allybongo\licenses
  • Have a look through the files/folders in this folder. 
  • Do you recognise anything? 
     

======================================================
 
STEP 4
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did StartupLite run successfully?
  • rootfolderlist.txt
  • Do you recognise anything in the licenses folder?

50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#20 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 22 May 2014 - 04:04 AM

Hi Adam,thanks for your patience as it took me awhile to get through that last section of instructions.

 

I have deleted the allybongo folder from the desktop.

 

All Malwarebytes protection is enabled now.

there is an enable self-protection(early start) box can I also check this?

 

I ran startup lite but it only showed 1 item which is java auto-updater which I just left enabled.

In the Licenses folder there are two files I opened with notepad and they are for open office Apache Licenses,however there is also a folder called .thumbnails   >normal>empty.

before I paste the rootfolder list I just wanted to let you know I am not sure what MSCONFIG is and how to stop it being a start-up manager could you also let me know how to reverse the changes and stop it managing startup.

 

here is my rootfoldertxt  :

 

 Volume in drive C has no label.
 Volume Serial Number is 3A74-D2B2

 Directory of C:\

28/04/2014  22:25    <DIR>          $RECYCLE.BIN
21/05/2014  00:21    <DIR>          AdwCleaner
24/02/2014  19:19    <DIR>          ClamWinPortable
05/05/2014  16:41    <DIR>          DrvInstall
07/02/2014  13:38    <DIR>          ERDNT
21/05/2014  18:48    <DIR>          FRST
23/02/2014  03:31    <DIR>          Intel
17/05/2014  21:19    <DIR>          MININT
14/07/2009  04:20    <DIR>          PerfLogs
04/03/2014  18:05    <DIR>          Poker
17/05/2014  10:32    <DIR>          Program Files
22/05/2014  10:15    <DIR>          Program Files (x86)
18/05/2014  17:51    <DIR>          ProgramData
03/10/2013  08:40    <DIR>          Recovery
16/02/2014  20:46    <DIR>          RegBackup
05/03/2014  05:26    <DIR>          SUPERDelete
13/02/2014  18:04    <DIR>          Users
21/05/2014  11:16    <DIR>          Windows
               0 File(s)              0 bytes
              18 Dir(s)  191,461,040,128 bytes free
 


Edited by Ally, 22 May 2014 - 04:05 AM.


#21 LiquidTension

LiquidTension

    SuperMember

  • Classroom Teacher
  • 2,566 posts

Posted 22 May 2014 - 10:45 AM

Hello Ally, 
 

there is an enable self-protection(early start) box can I also check this?

Yes. 
 
The folders in your root folder (C:\) are fine. :)

STEP 1
F0hoanr.png MSCONFIG

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type msconfig and click OK.
  • If prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  • In the Startup tab, click Enable All, followed by OK.
  • If prompted, click Restart.
     

STEP 2
mfPiyt0.png HijackThis (HJT) Scan

  • Please download HijackThis and save the file to your desktop.
  • Right-Click HijackThis.exe and select AVOiBNU.jpg Run as administrator to run the installer.
  • Follow the prompts to install the programme. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Once installed, HijackThis will launch.
  • Click on Do a system scan and save a logfile.
  • A log will open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • HijackThis log

50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#22 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 22 May 2014 - 11:10 AM

Hi Adam,I have followed your instructions.

Hjthis did not install it just popped up a license agreement then came on but I just went ahead with the scan.

Here is my hijack this log:

 

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:07:39, on 22/05/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 7\RealTimeProtector.exe
C:\Users\Allybongo\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?o...U219DHP&pc=U219
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1me10IE11ENGB/MSN_WCP
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll
O2 - BHO: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~2\IObit\SURFIN~1\BROWER~1\ASCPLU~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Digit Skinnable Clock V2] C:\Program Files (x86)\Horizon5\Digit\DIGITV2_1.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Amazon Cloud Player] c:\users\allybongo\appdata\local\amazon cloud player\amazon music helper.exe
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.dell.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (Emsisoft Web Malware Scan) - http://ax.emsisoft.c...oft_webscan.cab
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Advanced SystemCare Service 7 (AdvancedSystemCareService7) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
O23 - Service: BlackBerry Device Manager - BlackBerry Limited - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: Encrypting File System (EFS) (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel® Integrated Clock Controller Service - Intel® ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: CNG Key Isolation (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate (LiveUpdateSvc) - IObit - C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: O2FLASH - Unknown owner - C:\Windows\system32\o2flash.exe (file missing)
O23 - Service: O2SDIOAssist - Unknown owner - C:\Windows\SysWOW64\srvany.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Software Protection (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: Credential Manager (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
O23 - Service: WMI Performance Adapter (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9453 bytes
 



#23 LiquidTension

LiquidTension

    SuperMember

  • Classroom Teacher
  • 2,566 posts

Posted 22 May 2014 - 06:28 PM

Hello Ally, 
 
The fix below will disable unnecessary programmes from starting up when you boot your computer. Each programme can be started manually at any time by clicking on the associated executable (.exe) file. 
 
There may be programmes listed below that you wish to run at startup. If this is the case, simply ensure a checkmark is not placed next to the entry.
 
STEP 1
mfPiyt0.png HijackThis Fix

  • Right-Click HijackThis.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Click Do a system scan only.
  • Ensure all windows other than HJT are closed.
  • Place a tick next to the following items:
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [RUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
    • O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    • O4 - HKLM\..\Run: [Digit Skinnable Clock V2] C:\Program Files (x86)\Horizon5\Digit\DIGITV2_1.exe
    • O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    • O4 - HKCU\..\Run: [Amazon Cloud Player] c:\users\allybongo\appdata\local\amazon cloud player\amazon music helper.exe
    • O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
    • O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
  • Once selected, click Fix checked, followed by Yes to confirm that you would like to remove the selected entries.
  • Close the HijackThis window. 
     

STEP 2
CXrghb6.png Update Outdated Software

Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

  • u9DsAVv.png Follow these instructions to check for and download the latest Windows Updates.
     

STEP 3
zANS9oB.png Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser. For information on Java vulnerabilities, please read the following article (point #7).

  • Click the Windows Start Button 29Fou9c.jpg and type Java Control Panel (or javacpl) in the search bar. 
  • Press the Windows Key pdKOQKY.png on your keyboard at the same time. Type Java Control Panel (or javacpl) in the search bar. 
  • Click on the Java Control Panel. Once opened, click the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser. 
  • Click Apply. When the Windows User Account Control (UAC) AVOiBNU.jpg appears, allow permissions to make the changes. 
  • Click OK in the Java Plug-in confirmation window.
  • Restart your browser(s) for changes to take effect.
  • More information can be found here and here.
     

STEP 4
oxliOQk.png Security Check

  • Please download SecurityCheck and save the file to your desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 5
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Confirmation you had no issues with the instructions. 
  • checkup.txt
  • Comments on how your computer is performing. 

Note: There are important steps to follow. Please ensure you continue following this topic until I give you the "All Clean".


50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#24 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 22 May 2014 - 07:20 PM

Hi Adam,

I have followed your instructions and had no problems.

My PC is running fine.

Here is my security check log:

 

 

Results of screen317's Security Check version 0.99.83  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Kaspersky Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 SpywareBlaster 5.0    
 Java version out of Date!
 Adobe Flash Player 13.0.0.214  
 Adobe Reader XI  
 Mozilla Firefox (29.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Kaspersky Lab Kaspersky Internet Security 14.0.0 avp.exe  
 Kaspersky Lab Kaspersky Internet Security 14.0.0 avpui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#25 LiquidTension

LiquidTension

    SuperMember

  • Classroom Teacher
  • 2,566 posts

Posted 22 May 2014 - 08:40 PM

Hello Ally, 
 

My PC is running fine.

Very good.  :)
 
STEP 1
Z2qgMOy.png OTL

  • Please download OTL and save the file to your desktop.
  • Double-click OTL.exe to run the programme. Ensure all other windows are closed
  • Copy the entire contents of the codebox below and paste into the 1wDyQ2v.png textbox.:OTL
    :Commands
    [emptytemp]
    [emptyjava]
    [clearallrestorepoints]
  • Click the j7yFJut.png button.
  • Let the programme run and reboot your computer if prompted
     

STEP 2
AFZxnZc.jpg DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Reset System Settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
--- Malwarebytes Anti-Malware will still be present on your computer. I recommend keeping this programme, updating and scanning with it once a week to maintain security on your computer. If you do not wish to keep this programme on your computer, you can uninstall it by pressing the Windows Key pdKOQKY.png + r on your keyboard at the same time, typing appwiz.cpl, clicking OK and searching for Malwarebytes.

 
======================================================
 
All Clean!
Congratulations, your computer appears clean!   :thumbup:
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. Below I have compiled a list of resources you may find useful. The articles document information on computer security/maintenance, common infection vectors and how you can stay safe on the Internet.

The following security/maintenance programmes come highly recommended in the security community.

  • JEP5iWI.png Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website. 
  • 6YRrgUC.png Malwarebytes Anti-Malware Premium incorporates real-time protection and is designed to run alongside your anti-virus. 
  • j1OLIec.png SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • A5RLVbX.png CCleaner (portable) is a handy temp file cleaner. Avoid the built-in registry cleaner => see this article for information. 
  • DgW1XL2.png Secuina PSI will scan your computer for vulnerable software that is outdatedand automatically find the latest update for you.
  • hkxnADR.png StartupLite will scan your computer for unneccessary startup programmes. Disabling indentified programmes may improve boot-time
  • jv4nhMJ.png NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology. 
  • KsUqI5A.png AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
     

Wary of a particular file/website? Need a second opinion? Scan the file/URL using these free online scanner services:

-- Should you have any questions on the above tools, or comuter security in general, please feel free to ask
 
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using WhatTheTech.
 
Safe Surfing.   :thumbup:
Adam (LiquidTension).


50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!

    Advertisements

Register to Remove


#26 Ally

Ally

    Authentic Member

  • Authentic Member
  • PipPip
  • 200 posts

Posted 23 May 2014 - 05:02 AM

Hi Adam,

I have followed your instructions and now it feels like I have a totally new computer!

Many Thanks for giving up your time to sort out my system.

Thank you also for helping me get my start processes back to normal and for all the information you have provided.

I am going to add no-script to my firefox browser and check out some sites I browse against those url site safety scanner links you provided.

All the best.....can't thank you enough :notworthy:

:thumbup:



#27 LiquidTension

LiquidTension

    SuperMember

  • Classroom Teacher
  • 2,566 posts

Posted 23 May 2014 - 06:53 AM

You are more than welcome. :)

Take care.

50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#28 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 23 May 2014 - 10:01 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users