Solved 8-steps done - Am I clean now?

Status
Not open for further replies.

newatthis
I've been having problems with a CiD adware infection on my comp (loads of pop-ups). I manually tracked down the obvious virus files on C:, and then followed the 8-step recipe.

Can anyone please tell me whether or not the logs look ok now?

Thanks heaps.
 

Attachments:
  • SUPERAntiSpyware Scan Log - 03-03-2010 - 21-36-00.log
  • mbam-log-2010-03-03 (20-43-23).txt
  • hijackthis 20100304 0630.log
Have you set homepage up to launch as a blank page? If not, please have HJT remove this entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

I'd like you to run the following 2 programs to make sure everything has been found and removed:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please don't use any other cleaning programs while I'm working with you.
Attach the Combofix report and Eset scan log in next reply.
 
Bobbye,

Yes, my IE home page is deliberately set to about:blank.

The ComboFix and ESET logs are attached.

I am not concerned about the ESET alerts relating to my D: drive, because this is a file store that is never used.

I can't tell whether ComboFix is saying there are problems, though. What do you think?

Thanks for your help.
 

Attachments:
  • combofix-log.txt
  • ESAT scan 20100306 log.txt
Quote: "D: drive, because this is a file store that is never used."

I cannot ignore this just because you tell me you don't use it. It shows that you have 2 pirated programs and 2 P2P programs, all infected with malware. Another, from globalroms, indicates having the ability to download material when you do not have the legal rights to do so.

D:\Installation-Kits\BearShare-4.0.5-DONT-INSTALL-CRAP.exe a variant of Win32/Adware.WhenUSave application
D:\Installation-Kits\BearShare250.exe multiple threats
D:\Installation-Kits\Adobe Flash CS3 Pro KeyGen and Crack\Step 1 - KeyGen\Adobe Flash CS3 (9.0) Professional KeyGen.exe probably a variant of Win32/Agent trojan
D:\Installation-Kits\Firedaemon\fd009c-fdui10R3 (Fire Daemon 0.09c).exe Win32/FireDaemon application
D:\Mame\ROMs - v0.103 Complete [www.globalroms.com]\LUCKYCASHCASINOS.EXE a variant of Win32/Casino application
D:\Virtual Machines\Shared Folder\Scan2CAD.Pro.v7.6i.Cracked-iNViSiBLE\iNViSiBLE\Scan2CADv7.exe probably a variant of Win32/TrojanDownloader.Obfuscated trojan


One of the infections has this description:
Trojan.Obfuscated
Trojan.Obfuscated is a form of malicious software, which is unique in the fact that it cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's consent or knowledge. Trojan.Obfuscated is generally used by malware applications including viruses, spyware, Trojans, and backdoors, in order to conceal themselves from the system's user, as well as from malware detection software such as anti-virus and anti-spyware programs. Trojan.Obfuscated is also known to be used by various adware programs and DRM (Digital Rights Management) to obstruct users from removing the unwanted software. Trojan.Obfuscated puts the user's system at risk, severely compromising it and lowering its security settings, while it installs 'backdoors,' infects system files, and/or spreads to other networked machines.
 
Ok - point taken. I can clean up the files in D: easily enough. But is there anything else, e.g. from ComboFix, that is a problem?
 
After the files and folders have been removed, rerun ComboFix and the ESET scan. Post the new report and log.
 
New logs as requested. How's it looking now?
 

Attachments:
  • Combofix log 20100309 2015.txt
  • ESAT scan 20100309 0815.txt

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KILLALL::
File::
c:\users\farrell\AppData\Roaming\uTorrent
c:\users\farrell\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp
D:\Installation-Kits\BearShare-4.0.5-DONT-INSTALL-CRAP.exe
D:\Installation-Kits\BearShare250.exe
D:\Installation-Kits\Adobe Flash CS3 Pro KeyGen and Crack\Step 1 - KeyGen\Adobe Flash CS3 (9.0) Professional KeyGen.exe
D:\Installation-Kits\Firedaemon\fd009c-fdui10R3 (Fire Daemon 0.09c).exe
D:\Mame\ROMs - v0.103 Complete [www.globalroms.com]\LUCKYCASHCASINOS.EXE
D:\Virtual Machines\Shared Folder\Scan2CAD.Pro.v7.6i.Cracked-iNViSiBLE\iNViSiBLE\Scan2CADv7.exe

Folder::

Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
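Added check, not part of the original thread and not a ComboFix or ESET feature: after the CFScript run, this editor's example script re-tests every path the File:: block named, so you can see in one table whether the deletions actually happened rather than reading a 12 KB ComboFix report for it. It assumes Windows PowerShell 2.0 or later (the version on Windows 7) run as the user whose profile the paths belong to; the path list is copied from the post above as constructed input and must be adjusted for any other machine.

```powershell
# Editor's verification script. Not from the thread, ComboFix or ESET.
# Re-checks the File:: entries of the CFScript above after ComboFix has run.

# Assumption: the File:: block from the post, copied as literal strings.
$CfScriptTargets = @(
    'c:\users\farrell\AppData\Roaming\uTorrent',
    'c:\users\farrell\AppData\Local\temp',
    'c:\users\Public\AppData\Local\temp',
    'c:\users\Default\AppData\Local\temp',
    'D:\Installation-Kits\BearShare-4.0.5-DONT-INSTALL-CRAP.exe',
    'D:\Installation-Kits\BearShare250.exe',
    'D:\Installation-Kits\Adobe Flash CS3 Pro KeyGen and Crack\Step 1 - KeyGen\Adobe Flash CS3 (9.0) Professional KeyGen.exe',
    'D:\Installation-Kits\Firedaemon\fd009c-fdui10R3 (Fire Daemon 0.09c).exe',
    'D:\Mame\ROMs - v0.103 Complete [www.globalroms.com]\LUCKYCASHCASINOS.EXE',
    'D:\Virtual Machines\Shared Folder\Scan2CAD.Pro.v7.6i.Cracked-iNViSiBLE\iNViSiBLE\Scan2CADv7.exe'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4 on; hashing through .NET
    # also works on the PowerShell 2 that ships with Windows 7.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-CleanupTargets {
    param([string[]]$Targets)
    foreach ($target in $Targets) {
        # -LiteralPath matters: one path contains [brackets], which Test-Path
        # -Path would treat as a wildcard character class and mis-match.
        $exists = Test-Path -LiteralPath $target
        $isDir  = $exists -and (Test-Path -LiteralPath $target -PathType Container)
        $hash   = $null
        $items  = $null
        if ($exists -and -not $isDir) { $hash = Get-Sha256Hex -Path $target }
        if ($isDir) {
            # Windows recreates a temp folder on its own, so for folders the
            # useful question is whether anything is still inside.
            $items = @(Get-ChildItem -LiteralPath $target -Force -ErrorAction SilentlyContinue).Count
        }
        New-Object PSObject -Property @{
            Path       = $target
            StillThere = $exists
            IsFolder   = $isDir
            ItemCount  = $items
            Sha256     = $hash
        }
    }
}

function Get-IeStartPage {
    # The HijackThis R0 line earlier in the thread; about:blank is what the
    # poster set on purpose, so anything else here deserves a second look.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    (Get-ItemProperty -LiteralPath $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

$results = @(Test-CleanupTargets -Targets $CfScriptTargets)
$results | Format-Table -AutoSize Path, StillThere, IsFolder, ItemCount, Sha256

$leftoverFiles = @($results | Where-Object { $_.StillThere -and -not $_.IsFolder })
if ($leftoverFiles.Count -eq 0) {
    Write-Host 'All listed files are gone.'
} else {
    Write-Host ("{0} listed file(s) still present; hashes above identify them for a later lookup." -f $leftoverFiles.Count)
}
Write-Host ("IE Start Page is now: {0}" -f (Get-IeStartPage))
```

A file that survives the run is worth more than a second ComboFix pass: a SHA-256 of it lets the helper check the exact sample against a scanner's database, which the ESET log line by itself does not. The script only reads; it deletes nothing, so it is safe to run while the helper is still working with you.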
 
Okay- rescan with the Eset online scanner once more. If it's clean, I'll have you remove the cleaning tools and old restore points.
 
ESET scan is clean (log attached).

How do I remove old system restore points?
 

Attachments

  • ESET scan 20100314.txt
    3.2 KB · Views: 1
Looks good!
Remove all of the tools we used and the files and folders they created
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]

  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Stay safe! Let me know if you need help in the future.
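The same "new restore point, then drop the old ones" step, done from an elevated Windows PowerShell prompt instead of the System Restore and Disk Cleanup dialogs. This is an added editor's example, not part of the thread or of any tool it uses. It assumes Vista or Windows 7 with System Protection enabled on C:, PowerShell 2.0 or later, and a prompt started as administrator (Checkpoint-Computer fails without one); the description string is arbitrary.

```powershell
# Editor's example, not from the thread. Run in an elevated Windows PowerShell.
# Creates one fresh restore point and deletes every older one, which is what
# the Disk Cleanup "More Options > System Restore > Clean up" button does.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')   # assumed name
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Return the newest point so the caller knows which one to keep.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Remove-OldRestorePoints {
    param([int]$KeepSequenceNumber)
    # Any earlier restore point can carry the deleted files back if it is ever
    # applied, so remove all of them by sequence number and return the count.
    $old = @(Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -ne $KeepSequenceNumber })
    foreach ($rp in $old) {
        Write-Host ("Deleting restore point {0}: {1}" -f $rp.SequenceNumber, $rp.Description)
        Get-ComputerRestorePoint -Delete $rp.SequenceNumber
    }
    $old.Count
}

$keep = New-CleanRestorePoint
Write-Host ("Created restore point {0} ({1})" -f $keep.SequenceNumber, $keep.Description)
$removed = Remove-OldRestorePoints -KeepSequenceNumber $keep.SequenceNumber
Write-Host ("Removed {0} old restore point(s)." -f $removed)

# What is left should be exactly one entry, the one just created.
Get-ComputerRestorePoint | Format-Table -AutoSize SequenceNumber, Description, CreationTime
```

Do this only after the scans are clean, as the helper says above: the old restore points are also the only rollback you have if the cleanup itself broke something. On Windows 8 and later, Checkpoint-Computer refuses to create a second point within 24 hours of the last one, so the script is written for the Windows 7 era this thread is from.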
 
You're welcome. I'll close this thread now. If you need our help in the future, please let us know.
 