Solved Infected computer, have scan logs, need best next step(s)

Status
Not open for further replies.

matfox

Hi there, super-duper tech dudes,

Enjoy your posts and guides, and followed your 8-step on an infected computer, signed up for some help with next step(s) :)

My mother-in-law came yesterday and plopped her laptop down and asked for help. Seems it's been infected by some nasty buggers.

Main symptoms, still persisting after some antivirus work, are 1) inability to access windows update online, most/all microsoft websites either blocked or immediately redirected to trashware advert sites, 2) Google Chrome, which I installed to get away from IE, won't open websites at all, just crashes. First time I've ever seen this, and I've reinstalled Chrome 3x, still happens. 3) Also, from the beginning all the usual tray items were missing, most notably, volume and power meter. These have now returned in my latest boot (a good sign, I think?).

She was only using IE (that's part of the problem, I'm sure), so at first I installed Firefox. That site was being blocked too, but I copied the installer from my computer and got it going. The web symptoms above are still happening on Firefox, though other websites are browsing normally now. (I haven't opened IE again for a while.)

What I've done so far:

1) Removed McAfee Security Suite. Viruses had disabled and messed with it. And it was just slowing down everything (as usual).

2) Installed and ran IObit Security 360. It found 20 security threats and removed them, including a win32 agent (piratepoppers), a couple adware keys in registry, a backdoor trojan and a "misleading.extremesecurity". Things started running more smoothly. But main symptoms persisted.

3) I happened upon your forum and started moving more systematically. I installed Avast and ran a full boot scan. It found and removed some more things. Then I ran TFC, cleaned out the Temps and rebooted. Then installed MBAM, ran scan, but nothing new found. I have the log. Then I did the GMER thing. (The log looked pretty ugly.) Then DDS. Logs attached below. I've also installed Hijackthis and run it; inspected results. Removed some obviously useless, possibly harmful, items.

4) Contrary to what I should have done, which is join the forum immediately and ask for help, I've continued to tinker with the computer. I've installed Comodo AV suite, running alongside Avast. Stealthed the ports. Started in Safe Mode, tried to run more scans, but programs were having a hard time running in safe mode. That's about it. Oh, and I uninstalled a program (Qwest QuickCare) which, from Comodo alerts, seemed to be controlling / running the web redirects when I tried to access windows update. (Though that problem still persists).

The latest windows update (a .NET update) failed (on 7-10). It was at that point, from what my mother-in-law says, that the computer started going buggy. It would appear to me that the virus has completely taken over Windows Automatic Updates. That's not good, I know....

My next steps? Thanks! :)

LOGS ATTACHED
 

Attachments
  • Attach.txt (21.2 KB)
  • DDS.txt (16.9 KB)
  • mbam-log-2010-07-13 (21-54-01).txt (891 bytes)
  • gmerlog.log (22.3 KB)
I've installed Comodo AV suite, running alongside Avast.

Yes, you did go too far! In addition, the McAfee security shows running in the logs. Please uninstall the security programs so that you get down to only one antivirus program and one firewall. Multiple AV programs actually make the system more As for the updates, there are failed updates. New ones won't install until those are cleared.

Get these security programs handled first and reboot the computer when through.
=============================================
It appears that there is a Rootkit on the system, so here are your next steps:

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
=================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
     i8042prt.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
thanks!

Thanks for the help! I know about the McAfee. I uninstalled with windows uninstaller, but I noticed that mcafee services were still in there. I killed one in msconfig at first, but hadn't noticed that it was still in there. All McAfee items are remnants, no programs are installed. Will I need to kill those somehow somewhere first?

I'll get the AVs down to one (AVAST ?), and proceed with your other steps, then post back. Thanks again.
 
You shouldn't use the Windows Installer Cleanup Utility for the full install- only for left over files that weren't removed. Try using this to remove McAfee: Uninstall:
McAfee Removal
If there are any processes left, I can remove them in the Combofix script. Please make the decision which you want to keep, make sure it's running and updating, remove the duplicate AV and FW.
 
in progress - thanks

I had to go to work, then had trouble connecting the bad machine to internet. Working through combofix now, will get back to you soon - or tonight. I REALLY appreciate your help!
 
combofix and systemlook logs

Okay, Combofix seems to have been a big success so far, and I've got its log and the systemlook log.

The system restarted great, automatic updates turned back on, but I haven't done the updates yet (some important .NET 2.0 and 3.5 updates, the ones that crashed before).

Shall I go ahead and install those? (Also, I haven't checked if the other browser symptoms are there--shall I take the plunge?)

Thanks again!

Logs attached:
 

Attachments
  • ComboFix log.txt (19.4 KB)
  • SystemLook.txt (2 KB)
an update

While I was waiting I decided to let avast take a go at it (Sorry if this was the wrong thing to do!). It found a win32:Alureon-FZ within a system restore file and moved it to chest

Since it was in a restore file, that's probably not an immediate threat to current setup, right? (just a ticking time bomb in an older restore point?)
 
Please don't run any cleaning programs or scans unless I direct you to. I will have you do an online scan and I will address the System Restore file then. Please do not do a system restore in the meantime- all those old restore points will be dropped.

Impatience can be a mischief maker! While you were 'waiting' - all of 3 hours, I was helping others. Now I have spent time needlessly explaining this to you. I will address your logs later this evening.
 
sorry bout that

I didn't mean any criticism by saying waiting! (Though impatience I'm always guilty of, true.) I was just being honest about what I'd done and updating you on it. :eek: I didn't do anything else yet -- the automatic updates are sitting there, but I left them (a bit of patience on my part, right?).

But to repeat, things are looking good. I haven't really opened anything, for fear of letting any ghosts out of any closets. Just sitting very patiently -- and appreciatively...

Take your time. (How you spend so much time helping so many yahoos like me so calmly I do not know.) [I was going to say it must be pure Buddhist compassion, but now I realize it's probably the super-powers of the Pooh-bear.]
 
From all the activity here I can tell you're probably super busy. No problem at all. Anyone else care to take a look at my last logs posted (combofix, systemlook)?

Status: combofix seems to have done its magic. Win Updates turned back on, also Google Chrome now loads, and no more redirects on MS websites in Firefox (or at least the couple I tried opened fine). Only suspicious sign left perhaps is the strangely empty system tray (volume still didn't load).

From the log it looks like it didn't find any hidden files. But I'm not smart enough to know what else I should be seeing or looking for on it.

I haven't installed the updates or rebooted again since the combofix couple days ago. Bobbye mentioned an online scan and removing old restore points. Should I do that? Anything else before / after? At what stage should I install MS updates, before the online scan?

Thanks and double thanks for all your help. It's a real godsend.

[btw, I'm also happy to be told to hold horses and wait in line :) ]
 
Please run the following:

Security Check

Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
================================
Choose v2.0.4
Download the HijackThis Installer HERE and save to the desktop:
1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please paste both of the logs in your next reply.
 
got it

Bobbye!
You are a zen master, really (I've been watching you work a bit, you really keep it rolling like a well oiled machine.)

Here's the requested logs:

Systemcheck

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 20
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player
Adobe Reader 9.3.3
Mozilla Firefox (3.6.6)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:16 PM, on 7/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {B81CB2D0-0ED1-42D1-B77C-2E1B3DF09A87} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {FB1C9BD4-54A9-4996-9FAA-579DCC4204DF} (ParentWatchLive_3_01 Class) - http://www.parentwatch.com/centers/video/push-3-01-00.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21871C27-F15E-4088-916D-FC5DABAA5F77}: Domain = rutgers.edu
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7883 bytes
 
There is a deletion in Combofix that may indicate an infected flash drive. IF you have been using one during this time, it will need to be disinfected.

Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::

Registry::
Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
====================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
==================================
Please leave these 2 logs in your next reply.

I notice that you have IObit Security 360 running. Here is a short review:
They said it "detects, removes the deepest infections, and protects users' PC from various of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers." Unfortunately, it totally bombed in testing.
Source: PCMag. Full review http://www.pcmag.com/article2/0,2817,2355888,00.asp

There is also indication of system problems and that will be reviewed separately. Please tell me what problems remain.

I suggest you remove this program as it would lend a false security.
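Two of the steps in this thread come down to the same check: the SystemLook `:filefind i8042prt.*` in the first reply lists every copy of a keyboard driver on the disk, and the FCopy line above overwrites the live atapi.sys with the pristine copy kept in ServicePackFiles\i386. In both cases the question is whether the driver actually loaded from System32\drivers is byte-identical to a known-good copy elsewhere on the same machine. The PowerShell below is an added example written for this page, not a script from the helper, SystemLook or ComboFix. It assumes PowerShell 4 or later (for Get-FileHash) run from an elevated prompt on the machine being examined, and takes the two file names named in the thread as its defaults.

```powershell
# Added example for this thread, not a script from the helper or from SystemLook/ComboFix.
# Lists every copy of a driver file on the system drive with size, SHA-256 and
# Authenticode status, then flags any live copy under System32\drivers that has no
# byte-identical twin among the reference copies (ServicePackFiles, DriverCache,
# WinSxS, DriverStore). Assumes PowerShell 4+ (Get-FileHash) from an elevated prompt.
param(
    [string[]]$DriverNames = @('i8042prt.*', 'atapi.sys')   # the two names used in the thread
)

function Get-DriverCopies {
    param([string]$Pattern)
    # Search the whole system drive (slow, but deliberate): besides the live copy there
    # is normally a pristine copy in ServicePackFiles\i386 (XP) or WinSxS/DriverStore (Vista+).
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $Pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Caveat: Microsoft's own drivers are catalog-signed; older PowerShell builds
            # report them as NotSigned, so the hash comparison below is the primary signal.
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                Bytes     = $_.Length
                Modified  = $_.LastWriteTimeUtc
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = $signer
            }
        }
}

function Find-DriverMismatch {
    param([object[]]$Copies)
    $reference = $Copies | Where-Object { $_.Path -match '\\(ServicePackFiles|DriverCache|WinSxS|DriverStore)\\' }
    $live      = $Copies | Where-Object { $_.Path -match '\\System32\\drivers\\' }
    foreach ($l in $live) {
        $sameName = @($reference | Where-Object { $_.Name -eq $l.Name })
        $twins    = @($sameName  | Where-Object { $_.SHA256 -eq $l.SHA256 })
        # No reference copy at all is inconclusive; a reference that exists but differs
        # from the live file is exactly the situation the FCopy step above repairs.
        $verdict = 'REVIEW: live driver differs from every reference copy'
        if ($sameName.Count -eq 0) { $verdict = 'no reference copy found (inconclusive)' }
        if ($twins.Count -gt 0)    { $verdict = 'ok: identical to a reference copy' }
        [pscustomobject]@{
            LiveCopy         = $l.Path
            Signature        = $l.Signature
            ReferenceCopies  = $sameName.Count
            MatchesReference = ($twins.Count -gt 0)
            Verdict          = $verdict
        }
    }
}

foreach ($pattern in $DriverNames) {
    $copies = @(Get-DriverCopies -Pattern $pattern)
    Write-Host "== $pattern : $($copies.Count) copies found =="
    $copies | Format-Table Path, Bytes, Modified, Signature, SHA256 -AutoSize
    Find-DriverMismatch -Copies $copies | Format-Table -AutoSize
}
```

Run it as `.\Compare-Driver.ps1` for the thread's two drivers, or `.\Compare-Driver.ps1 -DriverNames 'ndis.sys'` for any other name. A live copy whose hash matches the ServicePackFiles copy needs no FCopy; a live copy that differs from an existing reference, especially with a recent modification time, is the case worth raising with whoever is reviewing the logs.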
 
Thanks as usual for your generous help. I was using a flash drive to copy files (downloads, etc) from good computer to bad computer early on. Possibility/probability of infection occurred to me, but I didn't know an alternative, given that the browsers were awry on that machine and I didn't want it to go online anymore until things were better.

Wasn't totally sure if your Combofix script was meant to disinfect the flash drive or not. I supposed it wasn't and did not have the flash drive attached. If this is wrong, I can repeat with flash drive attached.

(Should I just run scans on that flash drive? delete everything and wipe it clean?)

1) I've uninstalled iobit (after running combofix). Didn't want it anymore anyway and was going to remove it at the end when clearing out cleaning tools. (The schleps at cnet gave it a 5-star review, which is what I trusted when I downloaded it. I had never used it before myself.)

2) Just a reminder: I haven't yet installed the MS Updates.

3) The only symptom I notice now is the strange lack of system tray items, especially a power-meter icon and the volume control icon. These actually did load up the very first time the computer rebooted after the first time round with Combofix, but subsequently they have not appeared again. Would that be connected to the "system problems" you mention?
---------------------
Here are the two new scan logs, Combofix is long, so it's attached.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a10542ab2798964f9ce1e027734ed375
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-20 03:33:41
# local_time=2010-07-20 11:33:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 11121772 11121772 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=70137
# found=0
# cleaned=0
# scan_time=2413

[NOTE: By the way, I ran it once, scanning archives also, but then accidentally deleted the log by letting ESET uninstall the program on exit. But it did not find any risks to report. So the second time--logged above--I omitted the archives search to speed things up.]
 

Attachments
  • ComboFix.txt (20.2 KB)
lack of system tray items, especially a power-meter icon and the volume control icon
Do a right click on the Taskbar> Properties: in Notification Area, Check 'Hide inactive icons'> then Customize> Highlight Power Meter> set Dialog to Always Show> do the same for the Volume Control and any other icon you want to see all the time.

When finished> Click on OK> Apply> OK.
A Note: These icons do not always 'listen' to you and have been known to hide again with no cause. The icons in this area that you need to worry about are the ones you can't get rid of!
============================
Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::

Folder::
c:\documents and settings\All Users\Application Data\IObit
c:\program files\IObit
c:\documents and settings\All Users\Application Data\McAfee

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. You do not need to leave this log.
====================
You should use Windows Explorer to delete the program files you removed:
Windows key + E: Click on My Computer> Double click on Local Drive (C)> Programs> look for each of these and do a Right click> Delete:
Iobit programs
McAfee

Exit Windows Explorer when through.
Let me know about system problems. If resolved, I'll have you remove the cleaning tools.
 
Super, thanks. I don't have the computer with me today, so I'll run the scripts and other things you suggest later tonight and post back.

Thanks again--and keep up the hard fight (I don't know how you do it! Without folks like you I bet our tech-civilization would just fall to pieces in a minute.)
 
Let me know how you make out. You're welcome for the help. Got to admit though that some days I don't know how I do it either!:rolleyes:
 
okay, volume and power meters are back.

ran combofix special script and got rid of all traces of mcafee and iobit.

machine is running quite well. Probably ready for next step. Still holding off on big .NET MS updates....
 
Great! You should be able to get the updates now. Keep in mind that many have intermittent problems accessing the Windows Update site, so if you do, try later.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Please follow these simple steps to keep your computer clean and secure:

Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
  • Disable and Enable System Restore:
      • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
      • Avira Free
      • Avast Home
  • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      • Comodo
      • Zone Alarm
  • Antispyware: I recommend all of the following:
      • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      • Google Toolbar: Get the free google toolbar to help stop pop up windows.

Let me know if you need more help.
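The MVPS HOSTS file works by mapping ad and tracking hosts to 127.0.0.1, and malware uses the very same file the other way round: map windowsupdate or antivirus vendor names to loopback or to an attacker's address and the machine shows exactly the "Microsoft sites blocked or redirected" symptom that opened this thread. The difference between the two is visible in the file itself, which makes HOSTS one of the first things worth reading on a machine like this. The PowerShell below is an added example written for this page, not a script from the helper or from MVPS. It assumes the default HOSTS path (pass -Path to inspect a copy taken from another machine), and the list of protected vendor domains is a constructed starting point rather than an authoritative set.

```powershell
# Added example for this thread (not a script from the helper or from MVPS).
# Reads the HOSTS file and classifies every mapping: ad/tracking hosts sent to a
# loopback address are what the MVPS list installs; any entry that overrides a vendor
# or update host, or sends a name to a non-loopback address, is the hijack pattern
# and is flagged. Assumption: default path; pass -Path for a file copied elsewhere.
param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

# Domains a user expects to resolve normally; a HOSTS entry for any of these is suspect.
# Constructed starting list, extend for the AV/update vendors in use on the machine.
$ProtectedSuffixes = @(
    'microsoft.com', 'windowsupdate.com', 'update.microsoft.com', 'msn.com',
    'avast.com', 'mozilla.org', 'google.com', 'malwarebytes.org'
)
# Addresses a blocklist legitimately points names at (0.0.0.0 is what MVPS uses).
$LoopbackAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsEntries {
    param([string]$HostsPath)
    $lineNo = 0
    foreach ($raw in (Get-Content -Path $HostsPath)) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments and surrounding whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line, maps nothing
        # One address may be followed by several names; emit one record per name.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $fields[0]; Name = $name.ToLowerInvariant() }
        }
    }
}

function Test-HostsEntry {
    param($Entry)
    $isLoopback = $LoopbackAddresses -contains $Entry.Address
    $isLocal    = @('localhost', 'localhost.localdomain') -contains $Entry.Name
    $protected  = $ProtectedSuffixes | Where-Object { $Entry.Name -eq $_ -or $Entry.Name.EndsWith(".$_") }
    # Later checks override earlier ones: the localhost line is always fine, and a
    # vendor host is suspect whatever address it points at.
    $verdict = 'blocklist entry (host sent to loopback)'
    if (-not $isLoopback) { $verdict = 'SUSPECT: redirect to a non-loopback address' }
    if ($protected)       { $verdict = 'SUSPECT: vendor/update host overridden' }
    if ($isLocal)         { $verdict = 'ok: localhost mapping' }
    [pscustomobject]@{ Line = $Entry.Line; Address = $Entry.Address; Name = $Entry.Name; Verdict = $verdict }
}

$entries = @(Get-HostsEntries -HostsPath $Path)
$report  = @($entries | ForEach-Object { Test-HostsEntry -Entry $_ })
$report | Sort-Object { $_.Verdict -like 'SUSPECT*' } -Descending | Format-Table -AutoSize
$suspect = @($report | Where-Object { $_.Verdict -like 'SUSPECT*' })
Write-Host "$($entries.Count) mappings read, $($suspect.Count) suspect"
```

On a clean XP machine the output is a single `ok: localhost mapping` line; after the MVPS file is installed it is that line plus thousands of `blocklist entry` rows and still zero suspects. Any `SUSPECT` row is worth posting alongside the other logs, because a HOSTS override survives browser reinstalls, which is consistent with the Chrome and Firefox behaviour described at the top of this thread.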
 
Grrr, I really wish I didn't have to bother you with this, but here goes: MS Updates are still failing. Luckily not all of them; the XP security updates have installed fine, but all the .NET framework updates still fail to install. I've tried via the online update several times. Goes along and just says "failed" at the end. (No error code.)

I rooted around on MS support and found a couple pages:
http://support.microsoft.com/kb/906602
http://support.microsoft.com/kb/822798

But wasn't totally sure where to begin. I did install Windows Installer logging and have the log (attached -- it's a real mess, going back to July 9). [sorry, I guess original file I tried to attach was 1.5 mb, a huge log, too big for the forum upload. So I'm attaching the last 200kb of the log instead, just part of today's activities.]

I can see from the Event Viewer that these .NET updates have been failing at least since 6/18. So this is probably connected to the onset of the virus?

I can follow Microsoft's recommendations--clear temp files, rename this or that file, etc--first if you think that's best.

(My mother-in-law uses Quickbooks for work, which from recurring errors in Event Viewer I'm suspecting is implicated in the problems....Not sure if that requires the latest .NET framework or not.)

Just let me know if this particular problem goes beyond what you do in this particular forum space. Most importantly, though, can I / should I go through with the rest of the finish-up steps BEFORE resolving this issue? Or should I stick to this first, then go on to removing av tools, restore point, etc.?

Thanks for everything, and very sorry for the continued hassling! (I'm looking forward to not expecting you to waste time/attention on my problems anymore, I really am! :) )
 

Attachments
  • WindowsUpdate - part.txt (193.5 KB)
Okay, we have handled the malware. The Windows updates can cause problems for many reasons- other than what we do in the forum.

You aren't wasting my time- I simply don't have the time to chase down these failures. But I did list what you can post in the Windows OS forum in a thread you may want to title 'Trouble with updates.'
1. Featured notifications is disabled.
2. Update {0917A2BA-CD52-4C01-9F23-2A15464523C4}.100 is pruned out due to potential supersedence
3. WARNING: Failed to evaluate Installable rule, updateId
4. WARNING: Exit code = 0x00000000; Call error code = 0x80240022
5. ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
6. Update is not allowed to download due to regulation.
7. WARNING: Command line install completed. Return code = 0x80070643, Result = Failed, Reboot required = false


Please make a note there that I sent you to get specific help with the updates. All of the above are from the same date and time. There are members who are more aware if some updates are known for causing problems.
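Picking the seven lines above out of a 200 KB WindowsUpdate.log by hand is tedious, and the failing .NET installs in this thread repeat the same two codes many times. The PowerShell below is an added example written for this page, not a script from the helper: it pulls the warning and failure lines out of a log, extracts the HRESULT codes and update ids, and counts failures per code so the lines worth posting stand out. The sample log embedded in it is constructed in the format of the entries quoted in the post (same update id and the same two codes); pass -Path to read the real file instead. The two code meanings are the documented names for those values, not something taken from the log.

```powershell
# Added example for this thread, not a script from the helper. Summarizes the failure
# lines of a WindowsUpdate.log into a per-error-code count. The sample lines below are
# constructed after the entries quoted in the post; pass -Path to read the real log.
param([string]$Path)

# Two codes quoted in the thread; the meanings are the documented names for these values.
$KnownCodes = @{
    '0x80240022' = 'WU_E_ALL_UPDATES_FAILED: every update in the call failed'
    '0x80070643' = 'ERROR_INSTALL_FAILURE (Win32 1603): the installer reported a fatal error'
}

# Constructed sample in the 2010-era log layout: date time pid tid component message.
$SampleLog = @'
2010-07-21 20:41:03:312  1204 a34 Agent  Update {0917A2BA-CD52-4C01-9F23-2A15464523C4}.100 is pruned out due to potential supersedence
2010-07-21 20:41:03:328  1204 a34 Agent  WARNING: Failed to evaluate Installable rule, updateId = {0917A2BA-CD52-4C01-9F23-2A15464523C4}.100
2010-07-21 20:41:09:531  1204 a34 Handler  WARNING: Command line install completed. Return code = 0x80070643, Result = Failed, Reboot required = false
2010-07-21 20:41:09:546  1204 a34 Agent  WARNING: Exit code = 0x00000000; Call error code = 0x80240022
2010-07-21 20:41:09:562  1204 a34 Report  ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2010-07-21 20:41:12:000  1204 a34 Handler  WARNING: Command line install completed. Return code = 0x80070643, Result = Failed, Reboot required = false
'@

function Get-UpdateFailures {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only warning/failure lines carry codes worth counting.
        if ($line -notmatch 'WARNING:|Result = Failed|error code') { continue }
        $codes = @([regex]::Matches($line, '0x[0-9A-Fa-f]{8}') |
                   ForEach-Object { $_.Value.ToLowerInvariant() } |
                   Where-Object { $_ -ne '0x00000000' })          # 0 is success, not a failure
        $ids   = @([regex]::Matches($line, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value })
        $parts = $line -split '\s+', 6                            # keep the message intact as field 6
        [pscustomobject]@{
            Timestamp = "$($parts[0]) $($parts[1])"
            Component = $parts[4]
            UpdateId  = ($ids -join ',')
            Codes     = $codes
            Message   = $parts[5]
        }
    }
}

function Get-FailureSummary {
    param([object[]]$Failures)
    $Failures | ForEach-Object { $_.Codes } | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $meaning = if ($KnownCodes.ContainsKey($_.Name)) { $KnownCodes[$_.Name] } else { 'not in lookup table' }
        [pscustomobject]@{ Code = $_.Name; Count = $_.Count; Meaning = $meaning }
    }
}

$lines    = if ($Path) { Get-Content -Path $Path } else { $SampleLog -split "`r?`n" }
$failures = @(Get-UpdateFailures -Lines $lines)
$failures | Format-Table Timestamp, Component, UpdateId, Message -AutoSize -Wrap
Get-FailureSummary -Failures $failures | Format-Table -AutoSize
```

On the constructed sample the summary is two rows: 0x80070643 twice and 0x80240022 once, which is the shape the thread describes (an installer failing with 1603 for each .NET package, then the update agent reporting that every update in the call failed). On the real file, pass `-Path 'C:\WINDOWS\WindowsUpdate.log'` and post the summary table plus the timestamped rows for one failed run rather than the whole log.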
 