Solved AVG secure search virus or clone mailer problem.

I gave up on the wireless. As Windows has tried to make their program more "user friendly", it has become more difficult to track down the problem. The strange "drive Q" still shows, and when I tried to delete the program Yahoo toolbar and the LG drivers, I was unable to.

When I looked at the wireless network tree, it kept showing a "public network", and I tried to turn the public network off. I removed the Norton and want to go back to the Combofix part. Is it OK to do that?

I connected it to the wired network and can get to the internet.

The reason I want to go to combofix is Combofix kept giving me the notice about the antivirus program, even though I had manually stopped all of the services in the program, and in the services section.

So, shall I go on to Eset?
 
The RogueKiller run is different than it was yesterday.

Here is the log:

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Randy [Admin rights]
Mode : Shortcuts HJfix -- Date : 02/23/2013 17:27:13
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] Au_.exe -- C:\Users\Randy\AppData\Local\Temp\~nsu.tmp\Au_.exe [-] -> KILLED [TermProc]
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 0 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1 / Fail 0
Backup: [NOT FOUND]
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored
Finished : << RKreport[5]_SC_02232013_02d1727.txt >>
RKreport[1]_S_02212013_02d1636.txt ; RKreport[2]_D_02212013_02d1648.txt ; RKreport[3]_S_02232013_02d1709.txt ; RKreport[4]_SC_02232013_02d1711.txt ; RKreport[5]_SC_02232013_02d1727.txt
 
The reason I want to go to combofix is Combofix kept giving me the notice about the antivirus program, even though I had manually stopped all of the services in the program, and in the services section.
Combofix will do this sometimes. Nothing to worry about.
I still need Eset scan log.
 
The RogueKiller report I just ran is much different than the one I ran last night. This one found something (au.exe), then was about to check each of the drives, including the Q, and restored it to something.
 
Yesterday I was unable to receive the properties of the Q drive. After this RogueKiller run I can read some of the properties, and under the owner of the drive, the label is "unable to display current owner" with the box to change owner. Shall I change it to me (administrator)?
It is not the administrator, or the System (as is the recovery drive).

I think this is wrong.
 
It is also a [Q:] \Device\SftVol -- 0x3 --> Restored,

In order to see the permissions, I have to change the "owner".
 
Eset found no threats, but Eset spent 2 hours reviewing program files\wildtangent, and again in the user's shortcut to it. It was also installed about the time the problems started.
 
Wild Tangent games usually come preinstalled. Nothing to worry about.

What are the current issues?

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
 
I can't uninstall the "yahoo toolbar"; this shows in Control Panel/Programs and Features. It shows it was installed about the time the problems started, and does not show a size or version. It also does not show in the IE "manage add-ins".

When I try to uninstall it, I get nothing, but I cannot uninstall anything else.

Also, the Q drive was created when the problem started. It is not a "system" file, has an unknown owner, and using the "properties" box, I am unable to change the "owner". All other drives show "SYSTEM" as the owner.
I want to delete this. Can I do this through HijackThis (although I think that OTL is almost the same)?
 
I can't uninstall the "yahoo toolbar"; this shows in Control Panel/Programs and Features. It shows it was installed about the time the problems started, and does not show a size or version. It also does not show in the IE "manage add-ins".
Most likely it's just a dead entry. If it doesn't show in any browser, leave it alone.
If you insist on removing that entry, open "regedit", navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
and delete the "Yahoo! Companion" entry.

Where exactly do you see Q drive?

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.
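As an added PowerShell example (not from the thread, and not Broni's instructions): it lists uninstall entries that have no UninstallString and no DisplayVersion, which is the "dead entry" pattern described above (no size or version in Programs and Features), and removes a named entry only after exporting it with reg.exe so the change can be reverted. It checks both the native and Wow6432Node keys because the ListParts log shows Windows 7 x64; the function names are my own, and the Remove call is left commented out.

```powershell
# Run from an elevated PowerShell. Review the listed entries before removing anything;
# the "no version / no uninstall string" test is a heuristic, not proof that an entry is dead.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit apps on x64
)

function Get-DeadUninstallEntries {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # No way to uninstall and no version: the pattern Programs and Features showed
            if (-not $p.UninstallString -and -not $p.DisplayVersion) {
                [pscustomobject]@{
                    Key         = $_.PSPath
                    DisplayName = $p.DisplayName
                    InstallDate = $p.InstallDate
                }
            }
        }
    }
}

function Remove-UninstallEntry {
    param([Parameter(Mandatory)][string]$Name)     # subkey name, e.g. 'Yahoo! Companion'
    foreach ($root in $UninstallRoots) {
        $key = Join-Path $root $Name
        if (-not (Test-Path $key)) { continue }
        # Export the key first so it can be restored with "reg import <file>"
        $backup  = Join-Path $env:TEMP ('uninstall-entry-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        $regPath = $key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        & reg.exe export $regPath $backup /y | Out-Null
        Remove-Item $key -Recurse
        Write-Host "Removed $key (backup written to $backup)"
    }
}

Get-DeadUninstallEntries | Format-Table -AutoSize
# Remove-UninstallEntry -Name 'Yahoo! Companion'
```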
 
I'm frustrated. On the RK report posted above, it shows:
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored
Finished : << RKreport[5]_SC_02232013_02d1727.txt >>

Q: SFTVol.

In windows explorer, it shows Q, named Bad Drive.

But in the ListParts64 report, I'm not sure it is there.

ListParts by Farbar Version: 16-01-2013
Ran by Randy (administrator) on 24-02-2013 at 13:49:41
Windows 7 (X64)
Running From: F:\RRR Virus 2-19-2013
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 40%
Total physical RAM: 3561.37 MB
Available physical RAM: 2109.09 MB
Total Pagefile: 7120.92 MB
Available Pagefile: 5487.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.3 GB) (Free:397.71 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Recovery) (Fixed) (Total:20.16 GB) (Free:2.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (USB20FD) (Removable) (Total:14.95 GB) (Free:14.89 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 915B52F3

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 445 GB 200 MB
Partition 3 Primary 20 GB 445 GB
Partition 4 Primary 103 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Recovery NTFS Partition 20 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 HP_TOOLS FAT32 Partition 103 MB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: C3072E18

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 8104 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F USB20FD FAT32 Removable 14 GB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
extendedinput Yes
default {current}
resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
customactions 0x1000085000001
0x5400000f
custom:5400000f {96f102d4-2f75-11e2-b4dc-74e543244a4e}

Windows Boot Loader
-------------------
identifier {96f102d4-2f75-11e2-b4dc-74e543244a4e}
device ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
systemroot \windows
nx OptIn
winpe Yes

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {96f102d4-2f75-11e2-b4dc-74e543244a4e}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
nx OptIn

Resume from Hibernate
---------------------
identifier {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {96f102d5-2f75-11e2-b4dc-74e543244a4e}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

I think the virus is off this machine, but I want to make sure it cannot hurt our network again.

I'll try to get it on the wireless network. (I think that drive was created by someone outside of the network.)
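The RogueKiller log lists Q: as \Device\SftVol while ListParts, which walks disk partitions, never shows a Q:. As an added PowerShell example (not from the thread or from either tool), this resolves every drive letter to its NT device path with the Win32 QueryDosDevice call, the same view RogueKiller prints, and flags letters whose target is not a disk volume or CD-ROM; those are exactly the letters a partition lister cannot show. It uses Win32_LogicalDisk, which exists on Windows 7, for the label Explorer displays; the function name is my own.

```powershell
# Resolve drive letters to NT device names (e.g. "[Q:] \Device\SftVol" as RogueKiller shows it).
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
$Kernel32 = Add-Type -MemberDefinition $sig -Name 'DosDevice' -Namespace 'Win32' -PassThru

function Get-DriveLetterDevices {
    foreach ($code in 65..90) {                     # 'A'..'Z'
        $dos = '{0}:' -f [char]$code
        $buf = New-Object System.Text.StringBuilder 1024
        # Returns 0 when the letter is not defined at all
        if ($Kernel32::QueryDosDevice($dos, $buf, $buf.Capacity) -eq 0) { continue }
        $target = $buf.ToString()
        # Disk partitions appear as \Device\HarddiskVolumeN, optical drives as \Device\CdRomN.
        # Anything else (subst'd paths as \??\C:\..., network shares, virtual volumes)
        # is not backed by a partition and will not be in a ListParts report.
        $onPartition = ($target -like '\Device\Harddisk*') -or ($target -like '\Device\CdRom*')
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dos'"
        [pscustomobject]@{
            Letter      = $dos
            Device      = $target
            Label       = $disk.VolumeName         # the name Explorer shows (e.g. "Bad Drive")
            DriveType   = $disk.DriveType          # 2 = removable, 3 = local disk, 5 = CD-ROM
            OnPartition = $onPartition
        }
    }
}

Get-DriveLetterDevices | Format-Table -AutoSize
# The letters worth explaining are the ones not backed by a partition:
Get-DriveLetterDevices | Where-Object { -not $_.OnPartition }
```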
 
Broni,

It's clean. I wasn't able to delete the Q drive yet, but the link will help.

I have to work tomorrow, but will try a couple of scans on the server tomorrow.

Are there any of the scans you think will work on that old 2003 server?
 
Start with our preliminary steps and see what works.

Here...
I assume your Norton Internet Security includes a firewall?
If so, make sure Windows firewall is off (Security Check log says "Windows Firewall Enabled!")

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

========================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 