Solved System Check removal

[Andrew1234]

ESETscan.txt

C:\Users\Mary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AK5O2PCG\spotlightpath[2].htm HTML/Iframe.B.Gen virus deleted - quarantined
C:\Users\Mary\AppData\Local\Mozilla\Firefox\Profiles\axfc2q7p.default\Cache\B4430EDBd01 a variant of Win32/Adware.RegistryEasy application deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\532f4a01-3a887867 Java/Agent.CK trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\4b3c5ed7-75da6b8c multiple threats deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\3e90c6dc-5ac5f13d multiple threats deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\25ac915d-62584183 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\530d44e1-491fd196 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\473a5bc4-300256b8 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\30616a69-31707cca a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\316f34ee-54f00047 probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\109d682f-328235ef a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\35d60d30-3b122421 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\cb65eb0-7a7bbbac multiple threats deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\37c40ef5-7f1883e0 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\2499d179-514f276e a variant of Java/Exploit.CVE-2011-3544.AA trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\4db49439-139ef1b5 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\67839b7b-28fd6638 multiple threats deleted - quarantined
C:\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\f6aebc6-1904d227 a variant of Java/Agent.BR trojan deleted - quarantined

 

[Broni]

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

What about?

Make sure Windows firewall is ON.

You have one registry key missing.
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Click Advanced.
Under Owner tab select the entry starting with you user name, example: Farbar(Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Download Vista.zip file from here: http://www.smartestcomputing.us.com/...-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click legacy_sdrsvc.reg and confirm the prompt.
Please go back to the the Root key again while Everyone is selected remove check mark in the box under Allow next to Full Control and close the registry.
Restart computer.
Post new FSS log.

 

[Andrew1234]

Under Owner tab select the entry starting with you user name, example: Farbar(Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.

Once I clicked "Apply" an alert came up saying "Registry Editor could not set owner on the key currently selected, or some of its subkeys."

 

[Broni]

Let's leave that alone.
It's not crucial.

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[Andrew1234]

How long should the 1) take?

 

[Broni]

It shouldn't take long.
If stuck run it from safe mode.

 

[Andrew1234]

Ok... I'm not quite understanding what the windows logo on the desktop items is? Is it anything to do with "system check" somehow? You said to delete shortcuts and make new ones but its on Malwarebytes, AVG, Java, and Flash which I all directly downloaded to the desktop. When I checked the Malwarebytes folder it showed a windows logo on that too.

 

[Broni]

Reinstall all programs which are affected.

 

[Andrew1234]

Ok, so this is something to do with "system check"? I'll reinstall but briefly, for my own knowledge, what harm can come from leaving the programs with the logo alone?

 

[Broni]

At this point your computer is clean so no harm done.

 

[Andrew1234]

Ok. How do I get that logo not to appear on everything I download from here on out?

 

[Broni]

Does it appear on any new downloads?

 

[Andrew1234]

Yeah the Flash I just downloaded about half an hour ago had it on it.

 

[Broni]

Something is not right....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=========================================================

Download Bootkit Remover to your Desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[Andrew1234]

Just to let you know the logo isn't on any items in Safe Mode.

 

[Broni]

I wonder if it has anything to do with AVG but we better check so go on with my previous reply.

 

[Andrew1234]

During the aswMBR scan just now, my monitor went to a blue screen telling me that "if this is the first time you've seen this screen, restart your computer"

 

[Broni]

Go ahead with Bootkit Remover

 

[Andrew1234]

Ok will do. Also your first step in post #54, the OTL "run fix", never seem done nor produced any log. I even ran it in Safe Mode.

 

[Broni]

Don't worry about it now.

 

[Andrew1234]

bootkit remover log

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
002), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`40100000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

 

[Broni]

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

 

[Andrew1234]

Result.txt

ListParts by Farbar
Ran by Mary on 02-02-2012 at 00:24:10
Windows Vista (X64)
Running From: C:\Users\Mary\Desktop
************************************************************

========================= Memory info ======================

Percentage of memory in use: 37%
Total physical RAM: 4060.26 MB
Available physical RAM: 2533.16 MB
Total Pagefile: 8333.8 MB
Available Pagefile: 6637.9 MB
Total Virtual: 4095.88 MB
Available Virtual: 4006.65 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:583.17 GB) (Free:409.9 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (AVG 2011 - b1120) (CDROM) (Total:2.3 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 13 GB 1024 KB
Partition 2 Primary 583 GB 13 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 583 GB Healthy System (partition with boot components)



****** End Of Log ******

 

[Andrew1234]

Result.txt (64)

duplicate......

 

[Broni]

All looks good.

Delete your Combofix file, download fresh copy and post new log.