CiD popups and iexplore.exe using 95% system mem without using IE

#1  01-11-2008, 12:37 AM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts

This computer has been reformatted.

For the new problem, please scroll down to the 5th post.

Last edited by yarrrheal; 05-10-2008 at 03:23 PM.
#2  01-11-2008, 12:41 AM
kimsland
TechSpot Guru
 
Member since: Dec 2007, 6,419 posts
Hi yarrrheal and welcome to TechSpot

You will need to follow the following recommendations first

Viruses/Spyware/Malware, preliminary removal instructions
http://www.techspot.com/vb/topic58138.html

With files like B.exe in your Windows folder, you are most certainly infected!
#3  01-11-2008, 12:48 AM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
I have already followed all of those instructions (over the past 3 days; it has done nothing else). These logs are from after all the steps in that topic.
#4  01-11-2008, 12:54 AM
kimsland
TechSpot Guru
 
Member since: Dec 2007, 6,419 posts
Someone will help you shortly

This time may vary; TechSpot members are helping others voluntarily, so hang in there. Also, I'll check back later if there's no response.
#5  05-10-2008, 02:53 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
Now for the other PC

So now that my laptop has been cleaned up, my main PC is having the same issues.
Followed your directions in the preliminary removal guide and have the logs posted.
Thank you for your time.
Also, Panda anti-rootkit found 0 issues.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 05-07-2008 - 13-54-25.log (18.9 KB, 2 views)
File Type: txt ComboFix.txt (12.9 KB, 0 views)
File Type: log hijackthis.log (9.6 KB, 2 views)

Last edited by yarrrheal; 05-10-2008 at 02:55 PM.
#6  05-10-2008, 04:57 PM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
Need to tighten up security, but first - do you still use Norton AV?

Also I need to see
Generate Uninstall List
  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file.
#7  05-10-2008, 09:55 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
Norton AV is still used on this computer because I haven't been able to convince my parents otherwise.

Uninstall list attached
Attached Files
File Type: txt uninstall_list.txt (8.3 KB, 1 views)
#8  05-12-2008, 09:12 AM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder


Uninstall these from control panel -> Add/remove programs
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Messenger Plus! Live & Sponsor (CiD)

After uninstalling Messenger Plus! Sponsor:

1) "Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

2) The sponsor screen is now displayed (if you don't see it, look for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

3) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question; otherwise, you won't have another chance to uninstall.

4) Reboot your computer

5) Run another scan with HijackThis and attach a new log
#9  05-12-2008, 01:20 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
Quote:
Originally Posted by Blind Dragon
After uninstalling Messenger Plus! Sponsor:

1) "Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.
The 'Setup' screen in question never actually appeared, nor did the sponsor screen.
New HJT log attached.
Attached Files
File Type: log hijackthis.log (9.5 KB, 1 views)
#10  05-12-2008, 01:29 PM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
That should help, but you still have infections on there

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach this log with your reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Remove Viewpoint
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
#11  05-12-2008, 02:41 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
Followed instructions and have the next log posted.
Attached Files
File Type: txt mbam-log-5-12-2008 (12-38-03).txt (2.0 KB, 1 views)
#12  05-12-2008, 07:11 PM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply

Also attach a fresh Hijackthis afterwards.
#13  05-12-2008, 11:20 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
Ran the scanner, and wow it found a lot.
Scan log and fresh hjt log attached.
Attached Files
File Type: log hijackthis.log (9.4 KB, 1 views)
File Type: txt Kaspersky-scan.txt (66.9 KB, 2 views)
#14  05-14-2008, 11:52 PM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
Upload a File to VirusTotal
Please visit VirusTotal
  • Click the Browse... button
  • Navigate to the file C:\Windows\System32\NeroCheck.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

--------------------------------------------------------------------------------------

Launch Spybot -> click on the Recovery Icon -> Highlight everything and select the red X that says purge.

------------------------------------------------------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Platform bows.exe
O4 - HKCU\..\Run: [CakeTest] C:\Document~1\Owner\APPLIC~1\GRIMEQ~1\Store Vc.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\All Users\Application Data\great coal love default
C:\Documents and Settings\Owner\Application Data\GRIMEQ~1 <- check this one, it will have a longer name


-----------------------------------------------

FileASSASSIN
  • Launch Malwarebytes' Anti-Malware
  • Select the More Tools Tab
  • Under FileASSASSIN select Run Tool
  • Navigate to C:\Program Files\DAEMON Tools Lite\SRSAI.exe
  • Press Open

------------------------------------------------

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2.exe by OldTimer and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

-----------------------------------------------------

Clear System Restore Points
  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

---------------------------------------------------------------------

After all of this run another Kaspersky and attach the log along with the result from VirusTotal
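As an added example (not part of the thread, and not a TechSpot or HijackThis tool): the four O2/O4 entries Blind Dragon picked out in the post above can be flagged mechanically with two rules that helpers apply by eye, namely a BHO registered with "(no file)" on disk is an orphaned CLSID that only needs the registry entry removed, and a Run value whose executable lives under a user-writable profile directory (Application Data, or its 8.3 short name APPLIC~1) or is written with 8.3 short names (~1) is a strong sign of a dropped binary rather than an installed product. The script below parses the HijackThis O2 and O4 line formats generally, so it works on a whole log, not just these four lines. The sample log is constructed here: the first two O2 lines and the two O4 lines are the ones from post #14 verbatim; the "Example Helper" BHO with its placeholder CLSID and the SunJavaUpdateSched entry pointing at the jre1.6.0_06 folder from post #8 are benign lines made up for contrast.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample HijackThis log. Lines 1, 2, 4 and 5 are the entries
# from post #14 above; line 3 (placeholder CLSID, not a real registration)
# and line 6 are benign entries made up here so the triage has something
# to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\Platform bows.exe
O4 - HKCU\..\Run: [CakeTest] C:\Document~1\Owner\APPLIC~1\GRIMEQ~1\Store Vc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"""

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Profile directories a normal installer does not use for its autostart binary.
PROFILE_DATA_RE = re.compile(r"(?i)\\(Application Data|APPLIC~1|Local Settings|LOCALS~1)\\")
# 8.3 short-name components such as DOCUME~1 or GRIMEQ~1.
SHORT_NAME_RE = re.compile(r"~\d")


@dataclass
class Entry:
    kind: str     # "O2" or "O4"
    name: str     # BHO display name or Run value name
    target: str   # DLL path (O2) or full command line (O4)
    raw: str      # the original log line, for reporting


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2 and O4 sections of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"], line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], line))
    return entries


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted Run values routinely contain spaces, so split at the first .exe
    # rather than at whitespace.
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def triage(entries: List[Entry]) -> List[str]:
    """Return one reason string per suspicious entry; clean entries produce nothing."""
    findings: List[str] = []
    for e in entries:
        if e.kind == "O2" and e.target.strip() == "(no file)":
            findings.append(f"orphaned BHO registration (no file on disk): {e.raw}")
        elif e.kind == "O4":
            path = exe_path(e.target)
            reasons = []
            if PROFILE_DATA_RE.search(path):
                reasons.append("autostart from a user-writable profile directory")
            if SHORT_NAME_RE.search(path):
                reasons.append("8.3 short-name path, typical of a dropped binary")
            if reasons:
                findings.append(f"{'; '.join(reasons)}: {e.raw}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log it reports exactly the four lines from post #14 and stays quiet on the two benign entries. The rules are deliberately narrow: an autostart under Program Files is not vouched for, it is simply not flagged by these two checks, which is why the helper still asked for a VirusTotal check on NeroCheck.exe.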
#15  05-17-2008, 11:16 PM
yarrrheal
Newcomer, in training
 
Location: CO Springs, CO, USA
Member since: Jan 2008, 8 posts
I really appreciate your help for all of this.
Virustotal said the file was completely clean and Kaspersky didn't find anything.
Attached Files
File Type: txt Kaspersky_5-17-08.txt (22.5 KB, 1 views)
#16  05-19-2008, 12:30 AM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,411 posts
Good deal. You now have a nice clean restore point set also.

Let me know if anything else comes up.

Regards,

BD