Solved Computer acting very strange, suspect infection :(

Status
Not open for further replies.
Please run TFC again:

  • Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
===============================
Seems like a click of the mouse all of a sudden registers as two clicks, which would account for not being able to place a cursor within a text, without highlighting it, and other assorted ills.

Go to the Control Panel> Folder Options> General tab> 'Click items' section> do you have 'one click to open' checked? If not, check it> Apply> OK.

For thumbs.db: Did you use the Edit> Select All> File> Delete? A note: any time you want to work on multiple items on a screen, you must first click somewhere on that screen. It doesn't matter where you click, it just lets the system know where to 'select all.' Sometimes users don't realize that a function or feature needs to know where to work.

Did you take Chkdsk off of Startup> Belarc? Did you review the long list of games you have allowed through the firewall?

See if the Recovery Console will install this way: http://support.microsoft.com/kb/307654

I think the main problem is the system settings rather than malware. But I may have you check the status of boot.ini.

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=35056b408e7afd4b851a4033d25d6849
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-29 09:08:59
# local_time=2010-08-29 05:08:59 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 11100327 11100327 0 0
# compatibility_mode=1024 16777175 100 0 24055375 24055375 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 4 4695765 4695765 0 0
# scanned=354357
# found=0
# cleaned=0
# scan_time=17842
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=35056b408e7afd4b851a4033d25d6849
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-03 04:44:02
# local_time=2010-09-03 12:44:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 11526699 11526699 0 0
# compatibility_mode=1024 16777191 100 0 24481747 24481747 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 4 5122137 5122137 0 0
# scanned=348855
# found=0
# cleaned=0
# scan_time=7571
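The ESET Online Scanner writes its summary as `# key=value` lines, one block per scan run, exactly as in the log above. As an added example that is not part of this thread and not ESET's own code, the following Python snippet splits such a log into one record per run and compares each run's options with what step 6 of the instructions asked for ("Remove found threats" unchecked, "Scan unwanted applications" checked). The log text embedded below is copied from the post above and trimmed to the summary lines; the function names are my own.

```python
import re
from typing import Dict, List

# Log text copied from the ESET Online Scanner output posted in this thread
# (two runs, 2010-08-29 and 2010-09-03), trimmed to the summary lines.
ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScanner.ocx=1.0.0.6211
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# utc_time=2010-08-29 09:08:59
# compatibility_mode=512 16777215 100 0 11100327 11100327 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=354357
# found=0
# cleaned=0
# scan_time=17842
# version=7
# OnlineScanner.ocx=1.0.0.6211
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# utc_time=2010-09-03 04:44:02
# scanned=348855
# found=0
# cleaned=0
# scan_time=7571
"""

INT_KEYS = {"scanned", "found", "cleaned", "scan_time"}
BOOL_KEYS = {"remove_checked", "archives_checked", "unwanted_checked",
             "unsafe_checked", "antistealth_checked"}


def parse_eset_log(text: str) -> List[Dict[str, object]]:
    """Split the log into one dict per scan run.

    A run starts at each '# version=' line. Lines that are not
    '# key=value' (installer chatter, CAB hook messages) are ignored.
    'compatibility_mode' repeats, so it is collected as a list.
    """
    runs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = re.match(r"#\s*([^=\s]+)=(.*)$", line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if key == "version" or not runs:
            runs.append({})
        if key == "compatibility_mode":
            runs[-1].setdefault(key, []).append(raw)
            continue
        value: object = raw
        if key in INT_KEYS:
            value = int(raw)
        elif key in BOOL_KEYS:
            value = raw.lower() == "true"
        runs[-1][key] = value
    return runs


def summarize(run: Dict[str, object]) -> str:
    """One-line summary of a run (scan_time is reported as ESET wrote it)."""
    return (f"{run.get('utc_time')} UTC: scanned {run['scanned']} objects, "
            f"found {run['found']}, cleaned {run['cleaned']}, "
            f"scan_time {run['scan_time']}")


def check_run(run: Dict[str, object], expect_remove: bool = False) -> List[str]:
    """Return deviations from the requested options (empty list if none)."""
    issues = []
    if run.get("end") != "finished":
        issues.append("scan did not finish")
    if run.get("remove_checked") != expect_remove:
        issues.append(f"remove_checked={run.get('remove_checked')}, "
                      f"expected {expect_remove}")
    if not run.get("unwanted_checked", False):
        issues.append("'Scan unwanted applications' was not checked")
    return issues


if __name__ == "__main__":
    for run in parse_eset_log(ESET_LOG):
        print(summarize(run))
        for issue in check_run(run):
            print("  note:", issue)
```

Run against the log above, the checker reports the first run with `remove_checked=True` even though the instructions asked for that box to be unchecked, and the second run as matching the instructions; both runs finished with nothing found.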
 
Go to the Control Panel> Folder Options> General tab> 'Click items' section> do you have 'one click to open' checked? If not, check it> Apply> OK.

The main problem is that the double-click (which I prefer) happens too fast all of a sudden. I already adjusted the mouse speed, no joy.

For thumbs.db: Did you use the Edit> Select All> File> Delete?

Yes, I did. Everything is so messed up, that I was sure my machine was hijacked by someone having fun.

A note: any time you want to work on multiple items on a screen, you must first click somewhere on that screen. It doesn't matter where you click, it just lets the system know where to 'select all.' Sometimes users don't realize that a function or feature needs to know where to work.

Did you take Chkdsk off of Startup> Belarc? Did you review the long list of games you have allowed through the firewall?

I am not sure how to disallow those programs, I tried but saw no options.

See if the Recovery Console will install this way: http://support.microsoft.com/kb/307654

I'll give it a try.

I think the main problem is the system settings rather than malware. But I may have you check the status of boot.ini.
 
For what it's worth, I went to the single click because I had a problem with the timing of the double click.

I can write a script to run in Combofix that will stop Chkdsk from running on boot and Belarc from loading and running in the background. As for the games you've allowed through the firewall, I can stop that also. Normally you wouldn't be putting each of the games separately to pass through the firewall. How do you launch the games? Do you open the browser, use a shortcut, Favorite?

As for Skype that you mentioned your daughter had installed, did you realize that there are 3 Skype accounts?
One for all users:
2008-04-22 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
For Olga:
2010-08-03 15:15: c:\documents and settings\Olga\Local Settings\Application Data\Skype
2010-08-03 03:44: c:\documents and settings\Olga\Application Data\skypePM
2010-08-03 03:37: c:\documents and settings\Olga\Application Data\Skype
For Pyotr:
2008-05-02 22:00: c:\documents and settings\Pyotr\Application Data\Skype
2009-11-16 15:38: c:\documents and settings\Pyotr\Application Data\skypePM
For Sasha:
2008-04-22 20:09: c:\documents and settings\Sasha\Application Data\Skype
2008-04-22 20:12: c:\documents and settings\Sasha\Application Data\skypePM
 
I guess Skype was installed a while back, but we haven't used it until my daughter started using it recently. I guess that's not the problem, huh?

I don't think Chkdsk or Belarc are running anymore.

Bobbye, thanks again for taking all this time to help! You're great!
 
So, I replaced the mouse. The extensive clicking stopped. Simple enough solution to that particular problem.

Machine is still somewhat slow. I tried to do System Restore, going back a month or so. System Restore wouldn't work, tried several times, different days :(
 
Machine is still somewhat slow. I tried to do System Restore, going back a month or so. System Restore wouldn't work, tried several times, different days

Why did you think doing a System Restore would speed up your system? You have now undone all the work we have done.

Consider me pulling my hair out, jumping up and down with occasional screaming!
 
The System Restore didn't work. You've said it yourself that it was probably the settings, so I was trying to get to the point where the settings were fine.
I didn't realize that SR is so evil.
 
System Restore isn't evil- it's a very useful tool. But think about it> it restores your system to a previous time. So when you're being helped with cleaning, doing a System Restore while that is being done is not appropriate.

I don't know that you have any malware. You have a great number of programs installed and running. Everything that starts on boot runs in the background. Eventually, during a surfing session, the system is going to slow down. You have a great number of processes passing through the firewall while you're running to do things like:
1. Instantly connect multiple computers in a VPN from LogMeIn Inc
2. Supervise internet access by disabling the modem, protects against dialers accessing dial-up connections, etc
3. Microsoft DirectPlay Voice Test.
4. Multiple processes running for each game including updaters.

You mentioned the only new thing you did was your daughter installed Skype. The logs showed 3 Skype accounts, all with data, so I pointed that out to you. You said you have fixed the mouse problem which wasn't malware.

Please tell me exactly what problem you're having. If it's just "slow", we don't need to be checking for malware. Mbam is clean. The Eset scan was clean.
 
I ran the system restore because I thought we were done, and couldn't find any malware. So, I was trying to get it back to the time when you helped me with some nasties. The machine was running great then, and I created a checkpoint.

I thought that somehow we got infected again, but you're saying we're clean. My settings are messed up somehow, and I was trying to get the settings back via SR, since there doesn't seem anything else to do.
 
You're putting words in my fingers. I didn't say you were clean- I said that 2 of the logs were clean. I didn't say you were through. But you are compounding any problem by doing the SR. You have cleaning programs that will need to be removed.

I don't know that you had any malware at all in the first place, but we were in the middle of checking that out and I had moved some files.

Please tell me exactly what problem you're having.
 
OK, so which programs need to be removed? What should my next step be?

The SR did not work, so we're OK, right? And that, conversely, is a problem in itself? Something's preventing it from working?
 
System Restore is one of the sections missing in the Attach.txt log. I don't know what you have. Apparently you're seeing something because you attempted a restore.
 
The System Restore is right where it always is, started out fine, showed checkpoints back to July, and that's it. It went through its motions, then displayed that the previous checkpoint could not be restored.

Maybe it's just one of those things that fouled up my settings...
 
Use Add/Remove Programs in the Control Panel to uninstall any programs you are no longer using.

Use the msconfig utility to take any program off of startup that doesn't need to start on boot and run in the background.

If your system continues to be slow, please start a new thread in the Windows OS forum. Give your system information as well as notice you have already been on the forum.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    ◦ Choose Disk Cleanup
    ◦ Click "OK" to select the partition or drive you want.
    ◦ Click the "More Options" Tab.
    ◦ Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
 
Sorry I didn't respond sooner, some unexpected health problems.

Bobbye, I can't thank you enough for all of your help and time! You're an awesome, knowledgeable person!

Pete K.
 
You're very welcome! Glad to help. Here are some tips for you:

Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      ◦ Avira Free
      ◦ Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      ◦ Comodo
      ◦ Zone Alarm
    • Antispyware: I recommend all of the following:
      ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      ◦ IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      ◦ Google Toolbar: Get the free Google toolbar to help stop pop up windows.
  3. Stay current on updates:
    ◦ Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
    ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    ◦ Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    ◦ For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    ◦ ATF Cleaner by Atribune
    OR
    ◦ TFC
    Disable and Enable System Restore:
    ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    ◦ Don't open email from anyone you don't know.
    ◦ Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Note: Some of these programs might not work on Windows 7.
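The MVPS Hosts tip above works because the HOSTS file is consulted before DNS: a name listed against 127.0.0.1 (or 0.0.0.0, which some block lists use instead) never leaves the machine. As an added example, not from this thread, from MVPS or from Microsoft, here is a small Python reader for that file layout which answers "is this name sinkholed?" and lists entries that point anywhere other than the local machine, the lines worth a second look when checking what a HOSTS file actually does. The sample file content is constructed for the example; `parse_hosts`, `is_blocked` and `review` are my own names, and the Windows path in `load_hosts_file` is the standard location of the file.

```python
import ipaddress
from pathlib import Path
from typing import Dict, List

# Constructed sample in the layout of a Windows HOSTS file
# (not the real MVPS list; the names use the reserved .invalid TLD).
SAMPLE_HOSTS = """\
# comment lines and trailing comments are ignored
127.0.0.1       localhost
127.0.0.1       ads.example.invalid         # sinkholed to loopback
0.0.0.0         tracker.example.invalid banner.example.invalid
192.0.2.10      www.example.com             # not a block entry
"""

# Addresses that a block list uses to keep the name from leaving the machine.
SINKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address listed for it.

    '#' starts a comment, a line may list several names for one address,
    and the first entry seen for a name is kept.  Lines whose first field
    is not an IP address are skipped rather than guessed at.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), str(addr))
    return mapping


def is_blocked(mapping: Dict[str, str], hostname: str) -> bool:
    """True when the name resolves to a sinkhole address via the HOSTS file."""
    addr = mapping.get(hostname.lower())
    return addr is not None and ipaddress.ip_address(addr) in SINKHOLE


def review(mapping: Dict[str, str]) -> List[str]:
    """Names mapped to a real address; these redirect rather than block."""
    return sorted(name for name, addr in mapping.items()
                  if ipaddress.ip_address(addr) not in SINKHOLE)


def load_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> Dict[str, str]:
    """Parse the system HOSTS file (default: the standard Windows location)."""
    return parse_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(hosts)} names listed")
    for name in ("ads.example.invalid", "www.example.com"):
        print(name, "blocked" if is_blocked(hosts, name) else "not blocked")
    print("entries pointing at a real address:", review(hosts))
```

Replace `SAMPLE_HOSTS` with `load_hosts_file()` to run the same check against the machine's own file; a long `review()` list, or familiar site names in it, is the thing to look at, since a block list should only ever add sinkhole entries.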
 