Is my computer infected by malware?

Solved
By NCISabbyfan
Aug 2, 2013
  1. An accumulation of strange situations have occurred today, as found by HitmanPro.

    I've found several "Trojan-downloader.zlob and Radio Search - Tech Support Forum" listings under NetVideoHunter, even though I’d never heard of Trojan Zlob before today.

    I’ve found several strange web site addresses by copying but not opening any of them including this one:

    http://idg-f.akamaihd.net/hd/820709...1.0&fp=WIN 11,8,800,94&r=SGXFJ&g=BIUGJPYHPWBN

    Having a quick skim through some of the other links, they all start with the formation "http://idg-f.akamaihd.net/hd/82070943001/82070943001_"

    "http://idg-f.akamaihd.net/hd/82070943001" links to just one site:

    http://www.feedage.com/feeds/1926336/network-world-video-library

    Upon going through all but RtHDVCplx.exe (as "C:\Windows\" only makes it difficult to locate it, and likewise PrintDisp.exe, as I couldn't find System32 when trying to upload this file from it for an online scan; I can only find System32 from the Run menu), I checked "Recently Changed Items" and found Settings.xml gave "ERROR: Failed to find flength file!" (from Windows Calendar, which I hadn't opened at that time).

    “installer_raw.xsl - File not found. Check the file name and try again.”

    Very strange again, as I’d never heard of nor opened this file, which Virscan.org says may be a virus.

    For AdobeARM.exe, Virustotal.com’s Antiy-AVL says this is a trojan.

    For Radiodownloader.exe, Virscan.org’s Sophos lists it as malware. http://www.softpedia.com/progClean/ESFSoft-Radio-Downloader-Clean-227820.html rates Radiodownloader as 100% clean.

    However, at the bottom of Virscan's page it states "NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself."

    Due to conflicting information and sources differing on finding one separate malware file from each other, I'm unsure if these and/or any others are actually dangerous.

    I’ve also read that Bleepingcomputer.com is a dangerous site.

    HitmanPro has been reported to have given many false positives in the past, but I have the Free Trial of HitmanPro 3.7.7, which reports say is very accurate.

    Should I delete the entire contents of HitmanPro's findings? - Identified Threats: 55 (Traces: 217); 8 Items

    Since writing this, a new tab opened by itself to Flickr.com, which I have since closed but I feel my computer is being infiltrated.

    I’ve tested with SuperAntiSpyware, Malwarebytes’ Anti-Malware and Spybot and no malware found on all scans. Only HitmanPro has detected several pieces of malware.

    Also, when downloading links that would normally take up to about 5 minutes at most, I’ve found them lately taking about 25 minutes. Is this malware related?
  2. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Thanks for your reply Broni.

    Before I follow these instructions, I need to determine with you first if I should delete the list of Trojan items found by HitmanPro 3.7.7. I've kept the tab open until I know what to do, as while I'm quite sure their results are accurate, which state "Malicious software was detected", it also says "During removal, certain programs may terminate unexpectedly". If I close it without deleting anything, the same list may or may not resume upon a new search tomorrow. As I'll need to break away from my computer soon, as it's late, I'll leave it on overnight unless I hear from you first before acting upon this first thing tomorrow, as I daren't close the HitmanPro results until I know what to do first. It sounds like I do have malware, but I don't meet the criteria of using it for Online Banking, Business purposes, storing sensitive or very personal information, etc.

    According to this link, HitmanPro 3.7.7's accuracy prevents false positives, so maybe their findings are accurate:

    http://www.techspot.com/downloads/1278-hitman-pro.html

    Also, I see that Bleepingcomputer is part of the malware removal process. I'm reluctant to use this, as Scamadviser lists that it "may be a Risky site".

    PS: As the forum upload wouldn't allow a Doc file in original quality, I've had to scan a copy of HitmanPro's findings which is in lower quality but still legible to demonstrate what it found earlier.
  4. Broni

    I'm not very fond of Hitman so leave those findings alone.

    I strongly suggest you uninstall Spamadviser as it has very poor ratings: http://www.mywot.com/en/scorecard/scamadviser.com?utm_source=addon&utm_content=popup-donuts
    As a matter of fact BleepingComputer is one of the best if not the best computer help site.
    Spamadviser people apparently have no idea what they're talking about.
  5. NCISabbyfan

    Good grief. :O Spamadviser seemed so convincing. Thanks for warning me. Thankfully I've not installed anything from them, just viewed results, but I shall avoid that site from now on. This is the problem with some web sites - they appear so convincing but turn out to be the opposite and give up to several visitors misleading information that they're giving out accurate information.

    Although HitmanPro removed a small amount of junk during its first scan on the first day of my 30-day Free Trial, in this case their results were accurate, but what puzzled me was when several pieces of malware were found by them, but not by Malwarebytes' Anti-Malware or Spybot. I am currently doing a full scan with Comodo free anti-virus, which tends to take around 1.5 hours. I don't know if their scan will match or differ from Hitman, but I'll update you tomorrow when I resume.

    It sounds like Hitman's accuracy varies, so I'll keep the free trial running and closely observe their findings if/when they find anything else. If I have any doubts, I'll not delete anything. As regards their current findings, since attached, I'll close the window and not remove anything.

    It looks like I have some malware on my computer, but as it's late, I'll resume tomorrow and take it from there. Thanks for your help.
  6. Broni

  7. NCISabbyfan

    I already have Comodo Antivirus and Malwarebytes' Anti-Malware free versions installed.

    As to Malwarebytes, I can't find a checkmark option, which must be in the Pro version.

    However, I have performed a quick scan, which gives the all clear:

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.08.03.03

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    David :: DAVID-PC [administrator]

    03/08/2013 14:06:48
    mbam-log-2013-08-03 (14-06-48).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 226530
    Time elapsed: 8 minute(s), 9 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  8. NCISabbyfan

    Due to being new to posting on forums for Malware checks, I initially forgot to disable my Firewall.

    I downloaded DDS.com, turned off the Internet then temporarily disabled my anti-virus, firewall, Spybot and Superantispyware.

    I then did a DDS scan with the DDS.txt and Attach.txt results.

    I have retained these, in case you still wish to read them, but after realizing I’d left my Firewall enabled, with the Internet still switched off, I re-clicked on DDS (this time with all relevant programs switched off) and did a replacement DDS scan producing DDS.txt and Attach.txt. Here are the results of the second scans:

    DDS.txt

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16496
    Run by David at 14:59:46 on 2013-08-03
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1251 [GMT 1:00]
    .
    AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
    FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\Thomson\ST330\service\st330service.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    c:\program files\acesoft\tracks eraser pro\te.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\PrintDisp.exe
    C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Radio Downloader\Radio Downloader.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Comodo\IceDragon\icedragon_updater.exe
    C:\Windows\system32\IoctlSvc.exe
    C:\Windows\system32\PrintCtrl.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Comodo\COMODO Internet Security\cis.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HitmanPro\hmpsched.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://uk.yahoo.com?fr=fp-comodo
    uSearch Bar = Preserve
    dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Radio Downloader] "c:\program files\radio downloader\Radio Downloader.exe" /hidemainwindow
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Skytel] Skytel.exe
    mRun: [diagnostics] "c:\program files\thomson\st330\diagnostics\diagnostics.exe" /icon -l:en
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [NBAgent] "c:\program files\nero\nero backitup & burn\nero backitup\NBAgent.exe" /WinStart
    mRun: [PrintDisp] c:\windows\system32\PrintDisp.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : NameServer = 156.154.70.22,156.154.71.22
    TCP: Interfaces\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : DHCPNameServer = 192.168.0.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-6-18 20072]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-6-18 583448]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-6-18 43216]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2013-7-23 106280]
    R2 IceDragonUpdater;COMODO IceDragon Update Service;c:\program files\comodo\icedragon\icedragon_updater.exe [2013-7-14 1821384]
    R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-5-24 77824]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-6-18 127192]
    S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-7-29 30464]
    S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-7-29 12672]
    S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2008-7-29 35328]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
    .
    =============== Created Last 30 ================
    .
    2013-07-29 16:42:58 -------- d-s---w- c:\programdata\Shared Space
    2013-07-29 00:15:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2013-07-28 22:13:58 -------- d-----w- c:\programdata\Innovative Solutions
    2013-07-28 22:13:56 -------- d-----w- c:\users\david\appdata\local\Innovative Solutions
    2013-07-28 22:13:55 -------- d-----w- c:\program files\common files\Innovative Solutions
    2013-07-28 22:13:53 42496 ----a-w- c:\windows\system32\AdvUninstCPL.cpl
    2013-07-28 22:13:50 -------- d-----w- c:\program files\Innovative Solutions
    2013-07-27 17:21:58 -------- d-----w- c:\programdata\VS Revo Group
    2013-07-23 18:57:58 -------- d-----w- c:\users\david\appdata\local\VS Revo Group
    2013-07-23 16:34:38 -------- d-----w- c:\program files\HitmanPro
    2013-07-23 16:09:10 -------- d-----w- c:\programdata\HitmanPro
    2013-07-20 08:38:14 -------- d-----w- c:\windows\pss
    2013-07-10 22:28:21 2049024 ----a-w- c:\windows\system32\win32k.sys
    .
    ==================== Find3M ====================
    .
    2013-07-23 22:07:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-07-23 22:07:00 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-07-08 20:59:45 583448 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2013-06-18 15:15:58 43216 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2013-06-18 15:15:56 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2013-06-18 15:15:50 35488 ----a-w- c:\windows\system32\cmdcsr.dll
    2013-06-18 15:15:48 348584 ----a-w- c:\windows\system32\guard32.dll
    2013-06-18 15:15:36 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
    2013-06-18 15:15:36 278232 ----a-w- c:\windows\system32\cmdvrt32.dll
    2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll
    2013-05-29 01:50:14 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2013-05-29 01:41:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-05-29 01:41:08 1129472 ----a-w- c:\windows\system32\wininet.dll
    2013-05-29 01:37:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2013-05-29 01:36:09 420864 ----a-w- c:\windows\system32\vbscript.dll
    2013-05-29 01:33:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-05-08 04:37:21 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2013-05-08 04:04:52 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
    .
    ============= FINISH: 15:00:01.19 ===============
  9. NCISabbyfan

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 18/09/2007 00:21:32
    System Uptime: 03/08/2013 13:15:33 (2 hours ago)
    .
    Motherboard: FOXCONN | | G33M03
    Processor: Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz | SOCKET775 M/B | 2400/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 123.598 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
    Description: Standard PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&11AE2885&0
    Manufacturer: (Standard keyboards)
    Name: Standard PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&11AE2885&0
    Service: i8042prt
    .
    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&11AE2885&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&11AE2885&0
    Service: i8042prt
    .
    Class GUID: {4d36e968-e325-11ce-bfc1-08002be10318}
    Description: LogMeIn Mirror Driver
    Device ID: ROOT\DISPLAY\0000
    Manufacturer: LogMeIn, Inc.
    Name: LogMeIn Mirror Driver
    PNP Device ID: ROOT\DISPLAY\0000
    Service: lmimirr
    .
    ==== System Restore Points ===================
    .
    RP1970: 02/08/2013 21:12:25 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    "Nero SoundTrax Help
    32 Bit HP CIO Components Installer
    5600
    5600_Help
    5600Trb
    Acrobat.com
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.7)
    Advanced Uninstaller PRO - Version 11
    Advertising Center
    AIO_CDB_ProductContext
    AIO_CDB_Software
    AIO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    Bonjour
    BufferChm
    CCleaner
    Comodo IceDragon
    COMODO Internet Security Premium
    Copy
    Defraggler
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    DolbyFiles
    eSupportQFolder
    Fax
    Glary Utilities 2.53.0.1726
    HitmanPro 3.7
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Photosmart Essential
    HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
    HP Print Diagnostic Utility
    HP Product Assistant
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    ImagXpress
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Malwarebytes Anti-Malware version 1.75.0.1300
    Menu Templates - Starter Kit
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Works 4.5
    Movie Templates - Starter Kit
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 9
    Nero BackItUp
    Nero BackItUp and Burn
    Nero Burning ROM Help
    Nero BurnRights
    Nero BurnRights Help
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero Disc Copy Gadget
    Nero Disc Copy Gadget Help
    Nero DiscSpeed
    Nero DiscSpeed Help
    Nero DriveSpeed
    Nero DriveSpeed Help
    Nero Express
    Nero Express Help
    Nero InfoTool
    Nero InfoTool Help
    Nero Installer
    Nero Live
    Nero Live Help
    Nero PhotoSnap
    Nero PhotoSnap Help
    Nero Recode
    Nero Recode Help
    Nero Rescue Agent
    Nero RescueAgent
    Nero RescueAgent Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero Vision Help
    Nero WaveEditor
    NeroBurningROM
    NeroExpress
    NeroLiveGadget
    NeroLiveGadget Help
    neroxml
    OGA Notifier 2.0.0048.0
    PowerAdapter
    QuickTime
    Radio Downloader
    Realtek High Definition Audio Driver
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
    SolutionCenter
    SoundTrax
    Speccy
    SpeedTouch 330
    Spybot - Search & Destroy
    SpywareBlaster 5.0
    Status
    SUPERAntiSpyware
    Toolbox
    Tracks Eraser Pro v8.0 build 1000
    TrayApp
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebReg
    Windows 7 Upgrade Advisor
    .
    ==== End Of File ===========================
  10. NCISabbyfan

    Please feel free to move this section to a different thread if this is easier, but I'm very eager to completely uninstall the remaining remnants of Logmein from my computer asap. I am aware that there are some .dll files remaining of this plus the "LogMeInRemoteUser" folder, but like if any malware is found from my main query of yesterday, as I'm a novice, I won't delete anything until or unless you give me the go ahead, to ensure I keep my computer intact. Thanks for your plain English instructions :), as I'm not very technical on Advanced level issues and want to be sure I know exactly what I'm doing depending on if or when any malware removal is required.

    Some sites have said it's safe to delete the "LogMeInRemoteUser" folder, but I've exercised caution, especially as it lists several identically named files that I created in the existing "Documents" area of my computer which are for some reason also in the LogMeIn folder. If it's safe to delete the folder "LogMeInRemoteUser", I want to be sure that my original "Documents" based files are not then also deleted or made unusable.

    I don't know if "DriverGenius", located under my Documents folder has any relation to LogMeIn, but I'm covering all possible avenues in case there is a connection.

    Is it safe or should I postpone until after the malware removal process is complete (if any malware exists upon your inspection of the results) downloading anything and/or installing other programs?

    Combofix - If I am required to install this, depending on the outcome of the results of my scans, do Comodo anti-virus, Spybot, Superantispyware and Malwarebytes cover all programs that need to be disabled until Combofix completes its scans, or are there any other free programs I have installed besides these?

    AdvancedUninstaller PRO11 is also free, but I can only uninstall this, if required, as I can't find a Disable option. As far as I know, only the above three would be required to be disabled, unless you say otherwise, as if I have any script-blockers, they're integrated within one or more of the above programs.

    Please ignore my Combofix programs if it turns out I have no malware, despite yesterday's strange happenings. I felt it best to check though so nothing irreversible occurs.

    Current Update: Nothing adverse happening today, so there's no malware or it's hiding. Intriguingly, HitmanPro hasn't reiterated its findings, despite me not removing them.

    Thanks again for your help.
  11. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Leave dlls alone. You can remove "LogMeInRemoteUser" folder.

    Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  12. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Would it be best for me to uninstall the "LogMeInRemoteUser" folder in Safe Mode?

    From my limited knowledge of the more technical aspects of computing, I gather that some programs work better or only when removed in Safe Mode. It will be a huge relief to be finally shut of that program.

    As the above folder is less urgent, I'll come back to that later, but meanwhile, I'll work my way through your remaining instructions in just a mo and come back to you asap. :)
  13. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    You can do it in normal mode. It doesn't seem to be active.
  14. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Ah, thanks. :)

    I'll keep a note of your various advice for future reference. I've learnt so much in such a short time from your invaluable information. :)


    Do you know the logistics of Rogue Killer’s privacy over customers' data? It’s just that it suggests for users to quit if they don’t want the contents of its scanned findings to be sent to its developers. Normally, customers are given an option.

    Here are the results:

    RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : David [Admin rights]
    Mode : Remove -- Date : 08/03/2013 16:48:05
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1 [x] -> DELETED

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3250410AS ATA Device +++++
    --- User ---
    [MBR] 6d4017b63e8881db5b1cb75e8d7d7cd0
    [BSP] 6624d789313a09ea88f34d53a019a1c4 : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_08032013_164805.txt >>
    RKreport[0]_S_08032013_164703.txt




    RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : David [Admin rights]
    Mode : Scan -- Date : 08/03/2013 16:47:03
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1 [x] -> FOUND

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3250410AS ATA Device +++++
    --- User ---
    [MBR] 6d4017b63e8881db5b1cb75e8d7d7cd0
    [BSP] 6624d789313a09ea88f34d53a019a1c4 : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_08032013_164703.txt >>
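    The RogueKiller report above tags the AVG task as "[SUSP PATH]" because the program it runs sits in C:\Windows\TEMP. The following script is an added example, not part of the thread and not RogueKiller's code: it applies the same heuristic to the CSV that `schtasks /query /v /fo CSV` prints on Windows, flagging any scheduled task whose executable lives in a temporary directory or has a bare GUID for a file name. The CSV below is a constructed, trimmed sample (the first data row mirrors the entry from the report; the others are made up); the column names follow schtasks' verbose output, and the flagging logic is my own. A hit means "go and look at that file", not "this is malware".

```python
"""Flag scheduled tasks that run a program out of a temp directory.

Added example for the RogueKiller "[SUSP PATH]" idea. Feed it the text of
`schtasks /query /v /fo CSV` (Vista and later); the SAMPLE below is a
constructed stand-in for that output.
"""
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV`, trimmed to the columns
# read here. Row 1 mirrors the task RogueKiller flagged in the thread; the
# rest are invented. The header repeats mid-file because schtasks emits a
# new header for each task folder it lists.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Start In","Run As User","Schedule Type"
"DAVID-PC","\AVG-Secure-Search-Update_JUNE2013_TB_rmv","Ready","N/A","C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1","N/A","SYSTEM","One Time Only"
"DAVID-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c","N/A","SYSTEM","Weekly"
"HostName","TaskName","Status","Author","Task To Run","Start In","Run As User","Schedule Type"
"DAVID-PC","\Adobe Flash Player Updater","Ready","Adobe Systems Incorporated","C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe","N/A","SYSTEM","Hourly"
"DAVID-PC","\Updater","Ready","N/A","""C:\Users\David\AppData\Local\Temp\update.exe"" -k","N/A","David","At logon"
"DAVID-PC","\Microsoft\Windows\RAC\RacTask","Ready","Microsoft Corporation","COM handler","N/A","SYSTEM","Multiple schedule types"
'''

# Program path at the start of a "Task To Run" value, quoted or not; the lazy
# match stops at the first recognised executable extension so unquoted paths
# containing spaces still come out whole.
EXE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1|dll))"?(?:\s|$)',
    re.IGNORECASE,
)
# Directory segments that mark a temporary location.
TEMP_DIR_RE = re.compile(
    r'(^%temp%\\|^%tmp%\\|\\windows\\temp\\|\\appdata\\local\\temp\\|\\temp\\|\\tmp\\)',
    re.IGNORECASE,
)
# File whose base name is nothing but a {GUID}.
GUID_NAME_RE = re.compile(
    r'\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.[a-z]+$', re.IGNORECASE
)


def executable_from_command(command):
    """Return the program path from a 'Task To Run' value, or None.

    Values such as 'COM handler' carry no path and yield None.
    """
    match = EXE_RE.match(command.strip())
    return match.group("path") if match else None


def is_temp_path(path):
    """True when the path sits under a known temporary directory."""
    return bool(TEMP_DIR_RE.search(path))


def is_guid_named(path):
    """True when the file name is a bare GUID, e.g. {0123...}.exe."""
    return bool(GUID_NAME_RE.search(path))


def find_suspicious_tasks(schtasks_csv):
    """Return a list of findings, one per task that trips a heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row.get("TaskName") == "TaskName":
            continue  # repeated header row from schtasks, not a task
        command = row.get("Task To Run") or ""
        path = executable_from_command(command)
        if path is None:
            continue  # COM handler or otherwise no file path to judge
        reasons = []
        if is_temp_path(path):
            reasons.append("executable lives in a temporary directory")
        if is_guid_named(path):
            reasons.append("executable has a bare GUID for a file name")
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "run_as": row.get("Run As User", ""),
                "command": command,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']} (runs as {finding['run_as']})")
        print(f"    {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

    On a live machine, save `schtasks /query /v /fo CSV > tasks.csv` from an elevated prompt and pass the file's text to `find_suspicious_tasks`. Against the sample, the script reports two tasks: the AVG entry (temp directory and GUID file name) and the made-up "\Updater" task running from a user's AppData\Local\Temp; the Defrag, Flash and COM-handler rows pass.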
  15. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    I realized, unfortunately a bit late (hoping there are no repercussions), that I’d not turned off the Spybot Tea Timer, but upon trying to do so, I get this error message:

    You are missing administrator rights to perform this action.

    However, I have noticed that, after I exited out of Spybot earlier, while forgetting about the Tea Timer initially, Spybot was quickly removed from the list of mini taskbar icons, so maybe there have been no adverse effects and that any real-timer of that program was disabled.

    If not, as I don’t know why my admin rights are being blocked, shall I temporarily uninstall Spybot before installing Malwarebytes’ Anti-Rootkit?
  16. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Don't worry about it. Go ahead and run MBAR.
  17. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    What is the verdict?

    I was slightly cautious when discovering this is in Beta mode, as some of these can cause computer problems, but not in this case. :)

    Along the way, intriguingly, Malwarebytes Chameleon popped up, as I hadn't literally installed it. I clicked on "Chameleon #1". Please excuse me doing this, as I recognized the name and wanted to see what it was about. If this has marred the results, I'll redo the surveys or carry on from the following two surveys, depending on whether my computer is infected, but otherwise, here is the first survey:

    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.08.03.05

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    David :: DAVID-PC [administrator]

    03/08/2013 17:58:13
    mbar-log-2013-08-03 (17-58-13).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 229148
    Time elapsed: 8 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
  18. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.08.03.05

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    David :: DAVID-PC [administrator]

    03/08/2013 18:17:18
    mbar-log-2013-08-03 (18-17-18).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 210442
    Time elapsed: 8 minute(s), 57 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
  19. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    When I checked Malwarebytes’ Readme.rtf file, it asked me if I'd like to install something called a DDA driver. I don't know what that is, but there was no option to install it.

    If required, how do I install this driver? I'm not sure what it does.

    The message stated:

    DDA driver was not installed which may be caused by rootkit activity.
    Do you want to reboot the computer to install DDA driver (Scan will continue after reboot) (Y/N)?

    PS: After deleting the "LogMeInRemoteUser" folder, I've found an "Attach.txt" file relating to LogMeIn as there's a reference to "LogMeIn Mirror Driver", but it seems most, if not all of the components of the software including the mirror driver are now thankfully gone.
  20. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Update: Not sure if restarting my computer has reinstalled the DDA driver, but since I deleted the "LogMeInRemoteUser" folder, it has now been replaced by a folder in my name on my Desktop which contains the same contents as my Documents folder, from App Data through to Videos, with the addition of outdated 2007 NTuser.dat files which belonged to LogMeIn.

    Would it be safe to delete this unexpected new folder, without losing the contents of the same documents in the Documents folder?

    This new folder is cluttering up my Desktop and has been created automatically as a replacement to the now deleted LMI folder.

    This is a similar situation to before whereby there are two sets of identical documents, one in the standard "Documents" location, the other under "LogMeInRemoteUser", but this time LMI has been replaced by a folder in my name, as I vividly recall those NTuser.dat files were dated 2007. I had long since removed LMI, but as always, various parts of uninstalled programs remain scattered around, and I'd thought that the LMI Remote User folder was the end of LMI on my computer.

    Please advise me where I go from here with this and if my computer is now clear of malware.
  21. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    You can delete that new folder.

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  22. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    OK. :) I don't know how that folder ended up replacing the original LogMeIn one or why LMI files have ended up still there, but I'll delete that in a mo.

    It sounds like something still isn't right with my computer, from your latest update to do further checks, as on the surface, it's been working fine today.

    I'll work on your instructions tomorrow.

    Meanwhile, so that I don't put my computer in jeopardy with ComboFix, which programs have script blockers in them? Or do you mean specific ones that are devoted to script-blocking?

    Also, as there is clearly a bug in Spybot preventing me from unchecking the Tea Timer, shall I temporarily uninstall Spybot before reinstalling it after I've completed the ComboFix scan? and

    Are there are any other programs/types of programs that I need to temporarily disable before installing ComboFix?

    I can't find a way to temporarily disable Advanced Uninstaller PRO 11 (there is no "Exit" option, only a complete uninstall, which may be the only option, as I'm assuming ComboFix could destroy my computer if I leave something on accidentally) but other programs that come to mind that I presume will need disabling (if possible) or uninstalling (if there's a bug or no "Exit" option) are (some with Real Time, others not):

    Comodo Anti-Virus
    Comodo Firewall
    Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Rootkit
    Malwarebytes' Chameleon (no Real Time on Malwarebytes' free products)
    Spybot
    Spyware Blaster
    Super Anti Spyware (no Real Time on this free product)

    As far as I know, the Comodo, Spybot and Spyware Blaster programs are all in real-time, but I'm unsure. While it wouldn't matter if I turned some programs off that are not real time, it's determining which ones Are in real time that's the difficulty, as I don't know where to start.

    Off the top of my head, I can't think of any other programs that would conflict with ComboFix, but if there's a quicker way for me to just turn off these and any other running process off simultaneously so that I guarantee I've disabled/temporarily uninstalled the relevant programs, I will have peace of mind, as my computer is fully intact, and as I'm a novice and have never used ComboFix before, I am very anxious that nothing goes wrong. If there is such a facility, I could then reactive everything in one go after completing my usage of ComboFix.

    When all tests have concluded with ComboFix or beyond, depending on how many steps remain to confirm if my computer is infected or not, would you recommend me to keep the extra programs I've installed/ComboFix to install tomorrow on standby for future reference? I want to limit how much I have on my computer (as LogMeIn was a heavy resource program) but will happily keep them beyond if you think they'd come in handy for the future.
  23. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    New Update:

    Although I'm very keen to complete the process of checking and finalizing whether or when my computer is malware-free, depending on if further tests find any junk on my computer, would tests be complicated if I downloaded anything (known to be safe) from reputable sites and/or installed programs from disks, etc?

    I've just found that it's unsafe for me to delete the new folder that incorporates the contents of LogMeIn under my own name. When I tried to do this, my Desktop removed all but three icons, so I had to quickly restore them from the Recycle Bin. Among them, all my Documents would have been gone forever. LogMeIn is a very stubborn program to remove, which I will be glad to see the back of asap, having thought it was finally gone until I restarted my computer which puzzlingly replaced it with a folder in my name housing all my programs under it.

    For some reason when I try to delete the new folder, I get the error message "Are you sure you want to delete the icon from your desktop? The contents of this folder will not be deleted. You can restore this icon to the desktop by right-clicking on its icon in the start menu".

    Upon seeing this, I tried deleting just the files in one sweep then planned to delete what would have been an empty folder afterwards.

    Please advise me of an alternative way to be shut of LogMeIn altogether once for all, without any of my existing folders and files being compromised. This program is very persistent.
  24. Broni

    Broni Malware Annihilator Posts: 46,179   +251

  25. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Assuming that you mean disable Comodo AV only out of the Comodo products but to disable anti-spyware and anti-malware programs, I'll do this, as I've never used any aggressive but rewarding programs like ComboFix before, which is why I don't want anything to become irreversible, as I have several Documents on my computer which I don't want to lose.

    OK, I'll re-read the above and previous instructions relating to ComboFix and safeguards to ensure it runs properly. As soon as I feel sure I've covered everything, hoping nothing goes drastically wrong, I'll proceed sometime later today and let you know the outcome.

    As ensuring my computer is free from malware takes priority, I'll come back to you on the LogMeIn issue after whenever the final test takes place. At present, my original Desktop folder is in the Recycle Bin, while the other is active in the usual place. When I tried to Restore, it offered to merge the two, but when I tried to do this, it said "Are you sure you want to move the system file system.ini?". I cancelled to play safe. Anyway, I'll come back to you on that and will postpone downloading/installing anything other than the test programs until after they're complete, as otherwise it would mean more programs to disable and I want to keep everything as simple as possible so that as much time is taken as needed but that the outcome is finalized as soon as possible. :)

    OK, I'll come back to you later on.

