Solved Completed 8 Steps. Logs attached

Status
Not open for further replies.

geekydiorgirl
On my friend's user account she keeps getting a black screen and Vista Internet Security running scans asking to purchase product. Can't get anything but that program and a black screen. This seems to be only on her user account. Using other user account just fine. Attached logs as asked.
 

Attachments

  • AVSCAN-1.txt (19.6 KB)
  • hijackthis scan 1.txt (14.2 KB)
  • mbam-log-2010-04-09 (01-09-18).txt (25.9 KB)
  • SUPERAntiSpyware Scan Log - 04-09-2010 - 02-32-29.log (134.1 KB)
Your friend has MyWebSearch on just about every file on the system. Please stay away from any of the iWin game sites. Stay away from FunWebProducts: all are sources of this malware. It also has the Rogue program you mention. You will have to get around that black screen though in order to do anything:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.
Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Then please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Leave logs from both on next reply.

Additionally, please do the following:
1. Take these Domains out of the Trusted Zone:
Internet Explorer> Tools> Internet Options> Security tab> Trusted Zone> Sites> delete both:
.netzero.com
.netzero.net

Then close.

2. Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
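Step 1 above edits the Trusted sites list through the IE dialog. The same list is stored per user in the registry under the ZoneMap key, which is also where adware such as MyWebSearch typically inserts itself, so it is worth auditing the whole zone rather than only the two names the helper spotted. The script below is an added example for this thread, not something the helper posted or a TechSpot tool. It assumes Microsoft's documented ZoneMap layout (one key per domain under ...\ZoneMap\Domains or EscDomains, optional host subkeys such as netzero.com\www, and a DWORD per scheme holding the zone id, where 2 is Trusted sites); the default list of domains to remove is taken from the post. Run it from the affected user's account, with -WhatIf first to preview.

```powershell
# Added example (not from the thread): audit Internet Explorer's Trusted sites
# zone for the current user and remove named domains from it.
# Assumed layout (Microsoft's documented ZoneMap scheme): one registry key per
# domain under ...\ZoneMap\Domains (or EscDomains), optionally with host
# subkeys (e.g. netzero.com\www); each scheme value (*, http, https) holds the
# zone id as a DWORD, where 2 = Trusted sites and 4 = Restricted sites.
# The zone map is per-user, so run this in the affected user's account.
param(
    [string[]] $Remove = @('netzero.com', 'netzero.net'),  # names given in the thread
    [switch]   $WhatIf
)

$TrustedZone  = 2
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

function Get-TrustedZoneEntries {
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -Recurse) {
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -ne $TrustedZone) { continue }
                # Path relative to the Domains key: 'netzero.com' or 'netzero.com\www'
                $rel = $key.Name -replace '^.*Domains\\', ''
                New-Object PSObject -Property @{
                    Root   = $root
                    Domain = ($rel -split '\\')[0]
                    Entry  = $rel
                    Scheme = $scheme
                }
            }
        }
    }
}

# 1. Report everything currently trusted; adware routinely adds its own domains
#    here so that its pages run with the relaxed Trusted-zone settings.
$trusted = @(Get-TrustedZoneEntries)
if ($trusted.Count -eq 0) { Write-Host 'No domains in the Trusted sites zone.' }
$trusted | Format-Table Domain, Entry, Scheme, Root -AutoSize

# 2. Remove the requested domains. The leading dot shown in the IE dialog
#    (".netzero.com") is not part of the registry key name, so it is stripped.
$wanted = $Remove | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() }
foreach ($entry in $trusted | Select-Object -Unique Root, Domain) {
    if ($wanted -notcontains $entry.Domain.ToLowerInvariant()) { continue }
    $path = Join-Path $entry.Root $entry.Domain
    if ($WhatIf) {
        Write-Host "Would remove $path"
    } else {
        Remove-Item -Path $path -Recurse -Force
        Write-Host "Removed $path"
    }
}
```

Removing the domain key takes the whole domain (every scheme and host subkey) out of the zone, which is what the dialog does too. Check the HKLM copy of the same ZoneMap path as well if the domains reappear for every user on the machine; that copy is used when security zones are managed machine-wide.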
 
Stop talking to yourself! Use the Edit function instead of making a new reply! Please take your time and read the directions carefully; one you might overlook is to shut down your security.
 
After I did the ComboFix and tried to click on IE or Firefox I get an error message. Tried clicking on the other icons on my desktop and I get the same message: Illegal operation attempted on a registry key that has been marked for deletion.

I shut off my security.
 
combofix and other file attached.

attached both logs

Is there something else I need to do?
 

Attachments

  • exehelperlog.txt (414 bytes)
  • combofix log 1.txt (23.9 KB)
Combofix didn't mess up the files.


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\users\Katelin4\AppData\Local\675038152.dll
c:\users\Katelin4\AppData\Local\uxlobc
c:\programdata\WildTangent
c:\windows\system32\drivers\vsdatant.win7.sys
c:\program files\LimeWire\LimeWire.exe
c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
Folder::
c:\programdata\WildTangent\eMachines Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
c:\users\Katelin4\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
Registry::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

Driver::
vsdatant7
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

There are entries for McAfee, Avira and ZoneAlarm. Please be sure there is only one antivirus program running, and only one firewall. There can be multiple antimalware programs on the system.
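Windows Security Center keeps its own register of the antivirus and firewall products installed and whether each one reports itself as active, which is a quicker way to confirm the "one antivirus, one firewall" condition than reading HijackThis entries. The script below is an added example for this thread, not code from the helper or from any of the tools mentioned. It assumes the root\SecurityCenter2 WMI namespace (present on Vista and later; XP uses root\SecurityCenter with different classes) and the widely used but undocumented productState encoding (hex 0xAABBCC, where BB = 0x10 means the product reports itself enabled and CC = 0x10 means its definitions are out of date); both are assumptions, and the state decoding should be treated as a heuristic. It uses Get-WmiObject so that it runs on the PowerShell 2.0 available for Vista.

```powershell
# Added example (not from the thread): list the antivirus, firewall and
# antispyware products Windows Security Center knows about, decode their
# on/off state, and warn when more than one AV or firewall is active.
# Assumptions: root\SecurityCenter2 (Vista and later) and the commonly used
# productState layout 0xAABBCC with BB = 0x10 -> enabled, CC = 0x10 -> outdated.

function Get-SecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class `
                                  -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            $state = [int]$p.productState
            New-Object PSObject -Property @{
                Kind     = ($class -replace 'Product$', '')
                Name     = $p.displayName
                Enabled  = (($state -band 0x00F000) -eq 0x001000)   # middle byte 0x10
                Outdated = (($state -band 0x0000F0) -eq 0x000010)   # low byte 0x10
                RawState = ('0x{0:X6}' -f $state)
                Path     = $p.pathToSignedProductExe
            }
        }
    }
}

$products = @(Get-SecurityProducts)
$products | Sort-Object Kind, Name |
    Format-Table Kind, Name, Enabled, Outdated, RawState, Path -AutoSize

# The condition the helper warns about: two resident AV engines or two
# firewalls fighting over the same hooks, which also interferes with ComboFix.
foreach ($kind in 'AntiVirus', 'Firewall') {
    $active = @($products | Where-Object { $_.Kind -eq $kind -and $_.Enabled })
    if ($active.Count -gt 1) {
        $names = ($active | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("{0} active {1} products: {2}. Keep one and uninstall the rest." -f `
                       $active.Count, $kind, $names)
    }
}
```

Two caveats: FirewallProduct only lists third-party firewalls (the built-in Windows Firewall is not reported there), and a product that was merely switched off from its tray icon, as the ComboFix instructions ask, will show Enabled = False but is still installed; the warning is about installed resident engines, so count both states when deciding what to uninstall.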
 
Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    c:\program files\iMesh Applications\MediaBar\DataMngr\IEBHO.dll 
    c:\program files\Blubster\Blubster.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please run the Eset scan once more. If clean, I'll have you remove the cleaning tools.
Has the black screen improved? I doubt that is malware related.
 
Log attached.

Logs attached. What is the Eset scan?

I no longer have a black screen.
 

Attachments

  • 04112010_172935.log (6.2 KB)
Sorry, I usually run the first Eset Online AV scan after ComboFix. I forgot I had you run another program. Here it is:

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
The Eset 'log' that was left only shows you registered and updated. It does not indicate that you ran the scan. Please refer back to the directions for clicking on scan.
 
Eset scan

I did indeed run the scan last night. And I ran it again as well. The log still shows the same thing. I reported that I had 3 infections. Would you like me to re-scan and write down what it finds?
 
Eset scan log attached.

I scanned it again. I had to save the log myself and I didn't know that. So here ya go.
 

Attachments

  • eset scan log.txt (378 bytes)
Edit to change reply:

Okay, it's still only part of the log. There are two entries to be moved. After you run this program, you WILL have a log for it:

Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Users\Katelin4\Documents\LimeWire\Saved\filling papers usher new cover version.mp3	 trojan
    C:\Users\Katelin4\Documents\LimeWire\Saved\lil boosie-back in the day.au	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

These infections are both from a variant of the WMA/TrojanDownloader.GetCodec.gen trojan. Please do not get any codecs while I am helping with the cleaning.

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
 
Eset scan not giving me a log

I have run this scan 1 time last night and 3 times today and it is not giving me anything other than what I gave you. I even uninstalled the program and re-installed it. I deleted the log that I gave you the first go round in case that was the problem but it's not. I noticed that when I started my last scan the log file appeared in the Eset folder before it was even finished. Considering there isn't much to the scan other than doing what you told me, which is fairly simple, I don't see how I could possibly be messing this up. I hit start and when it says it is done I check to see if there is a log.
 
You had the same problem in Combofix which you finally figured out. Slow down, read carefully, follow instructions in order. Path for the logs is given. Search the system for it.
 
eset log and combofix log attached

Finally, here is a complete Eset log, and the ComboFix log you asked for earlier.
 

Attachments

  • log.txt (1.4 KB)
  • 04132010_010801.log (9.1 KB)
One of the files from the Eset scan didn't get moved. Try this again:

Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Users\Katelin4\Documents\LimeWire\Saved\filling papers usher new cover version.mp3
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

The other log you left is not from ComboFix; it's from the OTMoveIt in my reply #20.

Please tell me what malware problems remain.
 
Logs attached.

I didn't know if you wanted me to do the eset scanner or just run my malware program. I ran the malware. Let me know if I should run the eset.
 

Attachments

  • OTM log.txt (5.4 KB)
  • mbam-log-2010-04-14 (00-19-50).txt (916 bytes)