Solved Is my computer infected by malware?

NCISabbyfan

An accumulation of strange situations have occurred today, as found by HitmanPro.

I've found several "Trojan-downloader.zlob and Radio Search - Tech Support Forum" listings under NetVideoHunter, even though I’d never heard of Trojan Zlob before today.

I’ve found several strange web site addresses by copying but not opening any of them including this one:

http://idg-f.akamaihd.net/hd/820709...1.0&fp=WIN 11,8,800,94&r=SGXFJ&g=BIUGJPYHPWBN

Having a quick skim through some of the other links, they all start with the formation "http://idg-f.akamaihd.net/hd/82070943001/82070943001_"

"http://idg-f.akamaihd.net/hd/82070943001" links to just one site:

http://www.feedage.com/feeds/1926336/network-world-video-library

Upon going through all but RtHDVCplx.exe (as "C:\Windows\" only makes it difficult to locate it, and likewise PrintDisp.exe, as I couldn't find System32 when trying to upload this file from it for an online scan; I can only find System32 from the Run menu), I checked "Recently Changed Items" and found Settings.xml gave "ERROR: Failed to find flength file!" (from Windows Calendar, which I hadn't opened at that time).

“installer_raw.xsl - File not found. Check the file name and try again.”

Very strange again, as I'd never heard of nor opened this file, which Virscan.org says may be a virus.

For AdobeARM.exe, Virustotal.com’s Antiy-AVL says this is a trojan.

For Radiodownloader.exe, Virscan.org’s Sophos lists it as malware. http://www.softpedia.com/progClean/ESFSoft-Radio-Downloader-Clean-227820.html rates Radiodownloader as 100% clean.

However, at the bottom of Virscan's page it states "NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself."

Due to conflicting information and sources differing on finding one separate malware file from each other, I'm unsure if these and/or any others are actually dangerous.

I’ve also read that Bleepingcomputer.com is a dangerous site.

Hitmanpro has been reported to have given many false positives in the past, but I have the Free Trial of HitmanPro 3.7.7, which reports say is very accurate.

Should I delete the entire contents of the HitmanPro's findings? - Identified Threats: 55 (Traces: 217); 8 Items

Since writing this, a new tab opened by itself to Flickr.com, which I have since closed but I feel my computer is being infiltrated.

I’ve tested with SuperAntiSpyware, Malwarebytes’ Anti-Malware and Spybot and no malware found on all scans. Only HitmanPro has detected several pieces of malware.

Also, when downloading links that would normally take up to about 5 minutes at most, I’ve found them lately taking about 25 minutes. Is this malware related?
 
Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please, observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Thanks for your reply Broni.

Before I follow these instructions, I need to determine with you first if I should delete the list of Trojan items found by HitmanPro 3.7.7. I've kept the tab open until I know what to do, as while quite sure their results are accurate, which state "Malicious software was detected", it also says "During removal, certain programs may terminate unexpectedly". If I close it without deleting anything, the same list may resume upon a new search tomorrow or may not. As I'll need to break away from my computer soon, as it's late, I'll leave it on overnight unless I hear from you first before acting upon this first thing tomorrow, as I daren't close the HitmanPro results until I know what to do first. It sounds like I do have malware, but I don't meet the criteria of using it for Online Banking, Business purposes, storing sensitive or very personal information, etc.

According to this link, HitmanPro 3.7.7's accuracy prevents false positives, so maybe their findings are accurate:

https://www.techspot.com/downloads/1278-hitman-pro.html

Also, I see that Bleepingcomputer is part of the malware removal process. I'm reluctant to use this, as Scamadviser lists that it "may be a Risky site".

PS: As the forum upload wouldn't allow a Doc file in original quality, I've had to scan a copy of HitmanPro's findings which is in lower quality but still legible to demonstrate what it found earlier.
 
Good grief. :O Scamadviser seemed so convincing. Thanks for warning me. Thankfully I've not installed anything from them, just viewed results, but I shall avoid that site from now on. This is the problem with some web sites - they appear so convincing but turn out to be the opposite and give up to several visitors misleading information that they're giving out accurate information.

Although HitmanPro removed a small amount of junk during its first scan on the first day of my 30 day Free Trial, in this case their results were accurate, but what made me puzzled was when several pieces of malware were found by them, but not by Malwarebytes' Anti-Malware or Spybot. I am currently doing a full scan with Comodo free anti-virus, which tends to take around 1.5 hours. I don't know if their scan will match or differ from Hitman, but I'll update you tomorrow when I resume.

It sounds like Hitman's accuracy varies, so I'll keep the free trial running and closely observe their findings if/when they find anything else. If I have any doubts, I'll not delete anything. As regards their current findings, since attached, I'll close the window and not remove anything.

It looks like I have some malware on my computer, but as it's late, I'll resume tomorrow and take it from there. Thanks for your help.
 
I already have Comodo Antivirus and Malwarebytes' Anti-Malware free versions installed.

As to Malwarebytes, I can't find a checkmark option, which must be in the Pro version.

However, I have performed a quick scan, which gives the all clear:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.03.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: DAVID-PC [administrator]

03/08/2013 14:06:48
mbam-log-2013-08-03 (14-06-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226530
Time elapsed: 8 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Due to being new to posting on forums for Malware checks, I initially forgot to disable my Firewall.

I downloaded DDS.com, turned off the Internet then temporarily disabled my anti-virus, firewall, Spybot and Superantispyware.

I then did a DDS scan with the DDS.txt and Attach.txt results.

I have retained these, in case you still wish to read them, but after realizing I’d left my Firewall enabled, with the Internet still switched off, I re-clicked on DDS (this time with all relevant programs switched off) and did a replacement DDS scan of DDS.txt and Attach.txt. Here are the results of the second surveys:


DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16496
Run by David at 14:59:46 on 2013-08-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1251 [GMT 1:00]
.
AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Thomson\ST330\service\st330service.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
c:\program files\acesoft\tracks eraser pro\te.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\PrintDisp.exe
C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Radio Downloader\Radio Downloader.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\IceDragon\icedragon_updater.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\PrintCtrl.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Comodo\COMODO Internet Security\cis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com?fr=fp-comodo
uSearch Bar = Preserve
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Radio Downloader] "c:\program files\radio downloader\Radio Downloader.exe" /hidemainwindow
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [diagnostics] "c:\program files\thomson\st330\diagnostics\diagnostics.exe" /icon -l:en
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NBAgent] "c:\program files\nero\nero backitup & burn\nero backitup\NBAgent.exe" /WinStart
mRun: [PrintDisp] c:\windows\system32\PrintDisp.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : DHCPNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-6-18 20072]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-6-18 583448]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-6-18 43216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2013-7-23 106280]
R2 IceDragonUpdater;COMODO IceDragon Update Service;c:\program files\comodo\icedragon\icedragon_updater.exe [2013-7-14 1821384]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-5-24 77824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-6-18 127192]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-7-29 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-7-29 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2008-7-29 35328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-07-29 16:42:58 -------- d-s---w- c:\programdata\Shared Space
2013-07-29 00:15:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-07-28 22:13:58 -------- d-----w- c:\programdata\Innovative Solutions
2013-07-28 22:13:56 -------- d-----w- c:\users\david\appdata\local\Innovative Solutions
2013-07-28 22:13:55 -------- d-----w- c:\program files\common files\Innovative Solutions
2013-07-28 22:13:53 42496 ----a-w- c:\windows\system32\AdvUninstCPL.cpl
2013-07-28 22:13:50 -------- d-----w- c:\program files\Innovative Solutions
2013-07-27 17:21:58 -------- d-----w- c:\programdata\VS Revo Group
2013-07-23 18:57:58 -------- d-----w- c:\users\david\appdata\local\VS Revo Group
2013-07-23 16:34:38 -------- d-----w- c:\program files\HitmanPro
2013-07-23 16:09:10 -------- d-----w- c:\programdata\HitmanPro
2013-07-20 08:38:14 -------- d-----w- c:\windows\pss
2013-07-10 22:28:21 2049024 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2013-07-23 22:07:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-23 22:07:00 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-08 20:59:45 583448 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-06-18 15:15:58 43216 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-06-18 15:15:56 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-06-18 15:15:50 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-06-18 15:15:48 348584 ----a-w- c:\windows\system32\guard32.dll
2013-06-18 15:15:36 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-06-18 15:15:36 278232 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll
2013-05-29 01:50:14 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-08 04:37:21 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-08 04:04:52 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
.
============= FINISH: 15:00:01.19 ===============
 
Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 18/09/2007 00:21:32
System Uptime: 03/08/2013 13:15:33 (2 hours ago)
.
Motherboard: FOXCONN | | G33M03
Processor: Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz | SOCKET775 M/B | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 123.598 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&11AE2885&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&11AE2885&0
Service: i8042prt
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&11AE2885&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&11AE2885&0
Service: i8042prt
.
Class GUID: {4d36e968-e325-11ce-bfc1-08002be10318}
Description: LogMeIn Mirror Driver
Device ID: ROOT\DISPLAY\0000
Manufacturer: LogMeIn, Inc.
Name: LogMeIn Mirror Driver
PNP Device ID: ROOT\DISPLAY\0000
Service: lmimirr
.
==== System Restore Points ===================
.
RP1970: 02/08/2013 21:12:25 - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
"Nero SoundTrax Help
32 Bit HP CIO Components Installer
5600
5600_Help
5600Trb
Acrobat.com
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.7)
Advanced Uninstaller PRO - Version 11
Advertising Center
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Bonjour
BufferChm
CCleaner
Comodo IceDragon
COMODO Internet Security Premium
Copy
Defraggler
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
DolbyFiles
eSupportQFolder
Fax
Glary Utilities 2.53.0.1726
HitmanPro 3.7
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
HP Print Diagnostic Utility
HP Product Assistant
HP Solution Center 8.0
HP Update
HPProductAssistant
ImagXpress
Intel(R) Graphics Media Accelerator Driver
iTunes
Malwarebytes Anti-Malware version 1.75.0.1300
Menu Templates - Starter Kit
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Primary Interoperability Assemblies 2005
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Works 4.5
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9
Nero BackItUp
Nero BackItUp and Burn
Nero Burning ROM Help
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero Vision Help
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
NeroLiveGadget Help
neroxml
OGA Notifier 2.0.0048.0
PowerAdapter
QuickTime
Radio Downloader
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
SolutionCenter
SoundTrax
Speccy
SpeedTouch 330
Spybot - Search & Destroy
SpywareBlaster 5.0
Status
SUPERAntiSpyware
Toolbox
Tracks Eraser Pro v8.0 build 1000
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebReg
Windows 7 Upgrade Advisor
.
==== End Of File ===========================
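A small triage script over the DDS output above, added here as an example; it is not part of the thread, of DDS, or of the helper's instructions. It copies a handful of lines from the posted DDS.txt (the autorun entries, the two `<orphaned>` CLSIDs and the TCP NameServer lines) and flags the things a reviewer would want verified before anything is deleted: autoruns whose image is a bare file name rather than a full path (resolved through the search path, so the actual binary must be located and checked), orphaned CLSID references, and an interface whose configured DNS servers differ from the ones DHCP handed out. The `SCANNER_VERDICTS` table is a constructed summary of the single-engine hits the original poster reported, and the "one engine means verify, three or more means remove" policy is an assumption of this example, not something the thread states.

```python
"""Triage helpers for a DDS 'Pseudo HJT Report' and its TCP section.

Added example. The sample below is copied from the DDS.txt posted in the
thread; SCANNER_VERDICTS and the triage thresholds are assumptions.
"""
import re
from collections import namedtuple

# Lines copied from the posted DDS.txt (backslashes doubled for Python).
DDS_SAMPLE = """\
uRun: [Radio Downloader] "c:\\program files\\radio downloader\\Radio Downloader.exe" /hidemainwindow
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [PrintDisp] c:\\windows\\system32\\PrintDisp.exe
mRun: [Adobe ARM] "c:\\program files\\common files\\adobe\\arm\\1.0\\AdobeARM.exe"
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
TCP: NameServer = 192.168.0.1
TCP: Interfaces\\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41} : DHCPNameServer = 192.168.0.1
"""

# Constructed from what the poster reported: one engine each, nothing else.
# Keys are lower-cased image base names as they appear in the DDS log.
SCANNER_VERDICTS = {
    "adobearm.exe": {"Antiy-AVL"},
    "radio downloader.exe": {"Sophos"},
}

Autorun = namedtuple("Autorun", "hive name image qualified")

_RUN_RE = re.compile(r"^(?P<hive>[ums])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_ORPHAN_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}) - <orphaned>")
_IFACE_RE = re.compile(
    r"^TCP: Interfaces\\(?P<guid>\{[0-9A-Fa-f-]{36}\}) : "
    r"(?P<key>NameServer|DHCPNameServer) = (?P<val>.+)$"
)


def _image_from_cmd(cmd):
    """Return the executable part of a Run value: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_autoruns(text):
    """All uRun/mRun/sRun entries; 'qualified' is True when a directory is given."""
    runs = []
    for line in text.splitlines():
        m = _RUN_RE.match(line)
        if m:
            image = _image_from_cmd(m.group("cmd"))
            runs.append(Autorun(m.group("hive"), m.group("name"), image, "\\" in image))
    return runs


def unqualified_autoruns(text):
    """Names of autoruns that rely on path search to find their binary."""
    return [r.name for r in parse_autoruns(text) if not r.qualified]


def orphaned_clsids(text):
    """CLSIDs DDS marked <orphaned>: registry references with no file behind them."""
    return _ORPHAN_RE.findall(text)


def dns_overrides(text):
    """Interfaces whose configured NameServer differs from the DHCP-provided one."""
    per_iface = {}
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            per_iface.setdefault(m.group("guid"), {})[m.group("key")] = m.group("val").split(",")
    return {
        guid: (v["NameServer"], v["DHCPNameServer"])
        for guid, v in per_iface.items()
        if "NameServer" in v and "DHCPNameServer" in v and v["NameServer"] != v["DHCPNameServer"]
    }


def triage(text, verdicts):
    """Map each autorun name to 'remove', 'verify' or 'leave' (policy is an assumption:
    >=3 engines -> remove; 1-2 engines or an unqualified image -> verify; else leave)."""
    actions = {}
    for r in parse_autoruns(text):
        base = r.image.rsplit("\\", 1)[-1].lower()
        hits = len(verdicts.get(base, ()))
        if hits >= 3:
            actions[r.name] = "remove"
        elif hits >= 1 or not r.qualified:
            actions[r.name] = "verify"
        else:
            actions[r.name] = "leave"
    return actions


if __name__ == "__main__":
    print("unqualified autoruns:", unqualified_autoruns(DDS_SAMPLE))
    print("orphaned CLSIDs:", orphaned_clsids(DDS_SAMPLE))
    print("DNS overrides:", dns_overrides(DDS_SAMPLE))
    print("triage:", triage(DDS_SAMPLE, SCANNER_VERDICTS))
```

Everything that comes out as "verify" is a candidate for a hash lookup and an Authenticode signature check on the file actually found on disk, which is the step that settles a one-engine detection either way; nothing in this output is by itself grounds for deletion.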
 
Please feel free to move this section to a different thread if this is easier, but I'm very eager to completely uninstall the remaining remnants of Logmein from my computer asap. I am aware that there are some .dll files remaining of this plus the "LogMeInRemoteUser" folder, but like if any malware is found from my main query of yesterday, as I'm a novice, I won't delete anything until or unless you give me the go ahead, to ensure I keep my computer intact. Thanks for your plain English instructions :), as I'm not very technical on Advanced level issues and want to be sure I know exactly what I'm doing depending on if or when any malware removal is required.

Some sites have said it's safe to delete the "LogMeInRemoteUser" folder, but I've exercised caution, especially as it lists several identically named files that I created in the existing "Documents" area of my computer which are for some reason also in the LogMeIn folder. If it's safe to delete the folder "LogMeInRemoteUser", I want to be sure that my original "Documents" based files are not then also deleted or made unusable.

I don't know if "DriverGenius", located under my Documents folder has any relation to LogMeIn, but I'm covering all possible avenues in case there is a connection.

Is it safe or should I postpone until after the malware removal process is complete (if any malware exists upon your inspection of the results) downloading anything and/or installing other programs?

Combofix - If I am required to install this, depending on the outcome of the results of my scans, are there any other free programs I have installed besides these: Comodo anti-virus, Spybot, Superantispyware and Malwarebytes, that need to be disabled until Combofix completes its scans?

AdvancedUninstaller PRO11 is also free, but I can only uninstall this, if required, as I can't find a Disable option. As far as I know, only the above three would be required to be disabled, unless you say otherwise, as if I have any script-blockers, they're integrated within one or more of the above programs.

Please ignore my Combofix programs if it turns out I have no malware, despite yesterday's strange happenings. I felt it best to check though so nothing irreversible occurs.

Current Update: Nothing adverse happening today, so there's no malware or it's hiding. Intriguingly, HitmanPro hasn't reiterated its findings, despite me not removing them.

Thanks again for your help.
 
I am aware that there are some .dll files remaining of this plus the "LogMeInRemoteUser" folder
Leave dlls alone. You can remove "LogMeInRemoteUser" folder.

Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 
Would it be best for me to uninstall the "LogMeInRemoteUser" folder in Safe Mode?

From my limited knowledge of the more technical aspects of computing, I gather that some programs work better or only when removed in Safe Mode. It will be a huge relief to be finally shut of that program.

As the above folder is less urgent, I'll come back to that later, but meanwhile, I'll work my way through your remaining instructions in just a mo and come back to you asap. :)
 
Ah, thanks. :)

I'll keep a note of your various advice for future reference. I've learnt so much in such a short time from your invaluable information. :)


Do you know the logistics of Rogue Killer’s privacy over customers' data? It’s just that it suggests for users to quit if they don’t want the contents of its scanned findings to be sent to its developers. Normally, customers are given an option.

Here are the results:

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Remove -- Date : 08/03/2013 16:48:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1 [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250410AS ATA Device +++++
--- User ---
[MBR] 6d4017b63e8881db5b1cb75e8d7d7cd0
[BSP] 6624d789313a09ea88f34d53a019a1c4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08032013_164805.txt >>
RKreport[0]_S_08032013_164703.txt




RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Scan -- Date : 08/03/2013 16:47:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250410AS ATA Device +++++
--- User ---
[MBR] 6d4017b63e8881db5b1cb75e8d7d7cd0
[BSP] 6624d789313a09ea88f34d53a019a1c4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08032013_164703.txt >>
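The RogueKiller report above records three things a practitioner can reproduce by hand rather than trust a tool for: the HOSTS file (a clean Vista machine needs only the two loopback lines shown), scheduled tasks whose executable sits in a temp directory (the [SUSP PATH] tag on the AVG uninstaller task: installed software does not normally schedule binaries out of C:\Windows\TEMP), and the MBR partition table (one active NTFS partition at sector 2048; Mo is the French abbreviation for megabytes). The Python below is an added example written for this page, not RogueKiller's code, and the boot-code hash it computes will not match the [BSP] value because the byte range RogueKiller hashes is not documented here. The hosts text, the ExampleUpdater task line and the 512-byte MBR are constructed sample inputs; only the AVG task command line is taken from the report.

```python
"""Hand-rolled versions of three checks from the RogueKiller report:
HOSTS hijack entries, [SUSP PATH] scheduled tasks, MBR partition table.
Added example for this page; not RogueKiller's code."""
import hashlib
import re
import struct

# The only entries a stock Windows Vista/7 hosts file needs.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs that are not the default loopback lines.
    Malware adds lines that point AV vendors at 127.0.0.1 or send bank or
    search hostnames to an attacker IP; a clean file yields an empty list."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                found.append((ip, name))
    return found


def task_executable(command):
    """Extract the executable path from a scheduled task command line,
    for both quoted ("C:\\Program Files\\x.exe" /a) and unquoted forms."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: the path ends where the first ' -' or ' /' argument starts.
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def suspicious_task_path(command):
    """The [SUSP PATH] heuristic: flag a task whose executable lives in a
    temp directory (any path component named temp/tmp, or %TEMP%/%TMP%)."""
    exe = task_executable(command).lower()
    if "%temp%" in exe or "%tmp%" in exe:
        return True
    components = exe.replace("/", "\\").split("\\")
    return any(c in ("temp", "tmp") for c in components)


def parse_mbr(sector):
    """Parse a 512-byte MBR. Returns an MD5 of the 440-byte boot code (to
    diff against a baseline you recorded yourself) and the used partition
    entries with the fields RogueKiller prints."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    boot_code_md5 = hashlib.md5(sector[:440]).hexdigest()
    partitions = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "active": bool(status & 0x80),
            "type": ptype,  # 0x07 = NTFS
            "offset_sectors": lba_start,
            "size_mib": count * 512 // (1024 * 1024),
        })
    return boot_code_md5, partitions


def build_sample_mbr():
    """Constructed 512-byte MBR mirroring the report's layout (one active
    NTFS partition at sector 2048, 238473 MiB). Not a real disk dump."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 437          # 440 bytes of dummy code
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"          # disk signature + reserved
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 238473 * 2048)
    return boot_code + disk_sig + entry0 + b"\x00" * 48 + b"\x55\xaa"


# Constructed samples; only the AVG task line is taken from the report above.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org    # hijack: vendor site sent to loopback
203.0.113.7     www.example-bank.com    # hijack: bank name sent to attacker IP
"""
SAMPLE_TASKS = {
    "AVG-Secure-Search-Update_JUNE2013_TB_rmv.job":
        r"C:\Windows\TEMP\{BDC07B01-F55E-4AB3-BC29-FAE22380A5C8}.exe - --uninstall=1",
    "ExampleUpdater.job":
        r'"C:\Program Files\Example\Updater.exe" /ua /installsource scheduler',
}

if __name__ == "__main__":
    for ip, host in hosts_hijacks(SAMPLE_HOSTS):
        print(f"[HJ HOSTS] {ip} {host}")
    for name, cmd in SAMPLE_TASKS.items():
        print(f"[{'SUSP PATH' if suspicious_task_path(cmd) else 'ok'}] {name} : {cmd}")
    md5, parts = parse_mbr(build_sample_mbr())
    print(f"boot code md5 {md5}")
    for p in parts:
        print(f"{p['index']} - [{'ACTIVE' if p['active'] else 'inactive'}] "
              f"type 0x{p['type']:02x} offset {p['offset_sectors']} size {p['size_mib']} MiB")
```

On a live machine the same functions would be fed the contents of %SystemRoot%\System32\drivers\etc\hosts, the command lines from `schtasks /query /v`, and the first 512 bytes of \\.\PhysicalDrive0 read as Administrator; the point of the constructed inputs is to show what each heuristic flags and what it lets through.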
 
I realized, unfortunately a bit late, and hoping there are no repercussions, that I'd not turned off the Spybot Tea Timer, but upon trying to do so, I get this error message:

You are missing administrator rights to perform this action.

However, I have noticed that after I exited Spybot earlier, while initially forgetting about the Tea Timer, Spybot was quickly removed from the list of mini taskbar icons, so maybe there have been no adverse effects and any real-time protection of that program was disabled.

If not, as I don’t know why my admin rights are being blocked, shall I temporarily uninstall Spybot before installing Malwarebytes’ Anti-Rootkit?
 
What is the verdict?

I was slightly cautious when discovering this is in Beta mode, as some of these can cause computer problems, but not in this case. :)

Along the way, intriguingly, Malwarebytes Chameleon popped up, as I hadn't literally installed it. I clicked on "Chameleon #1". Please excuse me for doing this, as I recognized the name and wanted to see what it was about. If this has marred the results, I'll redo the surveys or carry on from the following two surveys, depending on the outcome of whether my computer is infected, but otherwise, here is the first survey:

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.08.03.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: DAVID-PC [administrator]

03/08/2013 17:58:13
mbar-log-2013-08-03 (17-58-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 229148
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.08.03.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: DAVID-PC [administrator]

03/08/2013 18:17:18
mbar-log-2013-08-03 (18-17-18).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 210442
Time elapsed: 8 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 
When I checked Malwarebytes’ Readme.rtf file, it asked me if I'd like to install something called a DDA driver. I don't know what that is, but there was no option to install it.

If required, how do I install this driver? I'm not sure what it does.

The message stated:

DDA driver was not installed which may be caused by rootkit activity.
Do you want to reboot the computer to install DDA driver (Scan will continue after reboot) (Y/N)?

PS: After deleting the "LogMeInRemoteUser" folder, I've found an "Attach.txt" file relating to LogMeIn as there's a reference to "LogMeIn Mirror Driver", but it seems most, if not all of the components of the software including the mirror driver are now thankfully gone.
 
Update: Not sure if restarting my computer has reinstalled the DDA driver, but since I deleted the "LogMeInRemoteUser" folder, it has now been replaced by a folder in my name on my Desktop which contains the same contents as my Documents folder, from App Data through to Videos, with the addition of outdated 2007 NTuser.dat files which belonged to LogMeIn.

Would it be safe to delete this unexpected new folder, without losing the contents of the same documents in the Documents folder?

This new folder is cluttering up my Desktop and has been created automatically as a replacement for the now deleted LMI folder.

This is a similar situation to before whereby there are two sets of identical documents, one in the standard "Documents" location, the other under "LogMeInRemoteUser", but this time LMI has been replaced by a folder in my name, as I vividly recall those NTuser.dat files were dated 2007. I had long since removed LMI, but as always, various parts of uninstalled programs remain scattered around, and I'd thought that the LMI Remote User folder was the end of LMI on my computer.

Please advise me where I go from here with this and if my computer is now clear of malware.
 
You can delete that new folder.

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there, use the restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
OK. :) I don't know how that folder ended up replacing the original LogMeIn one or why LMI files have ended up still there, but I'll delete that in a mo.

It sounds like something still isn't right with my computer, from your latest update to do further checks, as on the surface, it's been working fine today.

I'll work on your instructions tomorrow.

Meanwhile, so that I don't put my computer in jeopardy with ComboFix, which programs have script blockers in them? Or do you mean specific ones that are devoted to script-blocking?

Also, as there is clearly a bug in Spybot preventing me from unchecking the Tea Timer, shall I temporarily uninstall Spybot and reinstall it after I've completed the ComboFix scan? And

Are there are any other programs/types of programs that I need to temporarily disable before installing ComboFix?

I can't find a way to temporarily disable Advanced Uninstaller PRO 11 (there is no "Exit" option, only a complete uninstall, which may be the only option, as I'm assuming ComboFix could destroy my computer if I leave something on accidentally), but other programs that come to mind that I presume will need disabling (if possible) or uninstalling (if there's a bug or no "Exit" option) are (some with Real Time, others not):

Comodo Anti-Virus
Comodo Firewall
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Rootkit
Malwarebytes' Chameleon (no Real Time on Malwarebytes' free products)
Spybot
Spyware Blaster
Super Anti Spyware (no Real Time on this free product)

As far as I know, the Comodo, Spybot and Spyware Blaster programs are all in real-time, but I'm unsure. While it wouldn't matter if I turned some programs off that are not real time, it's determining which ones Are in real time that's the difficulty, as I don't know where to start.

Off the top of my head, I can't think of any other programs that would conflict with ComboFix, but if there's a quicker way for me to turn off these and any other running processes simultaneously, so that I can guarantee I've disabled/temporarily uninstalled the relevant programs, I will have peace of mind, as my computer is fully intact, and as I'm a novice and have never used ComboFix before, I am very anxious that nothing goes wrong. If there is such a facility, I could then reactivate everything in one go after completing my usage of ComboFix.

When all tests have concluded with ComboFix or beyond, depending on how many steps remain to confirm whether my computer is infected or not, would you recommend that I keep the extra programs I've installed (and ComboFix, which I'll install tomorrow) on standby for future reference? I want to limit how much I have on my computer (as LogMeIn was a resource-heavy program) but will happily keep them if you think they'd come in handy in the future.
 
New Update:

Although I'm very keen to complete the process of checking and finalizing that, or when, my computer is malware-free, depending on whether further tests find any junk on my computer, would the tests be complicated if I downloaded anything (known to be safe) from reputable sites and/or installed programs from disks, etc.?

I've just found that it's unsafe for me to delete the new folder that incorporates the contents of LogMeIn under my own name. When I tried to do this, my Desktop removed all but three icons, so I had to quickly restore them from the Recycle Bin. Among them, all my Documents would have been gone forever. LogMeIn is a very stubborn program to remove, which I will be glad to see the back of asap, having thought it was finally gone until I restarted my computer which puzzlingly replaced it with a folder in my name housing all my programs under it.

For some reason when I try to delete the new folder, I get the error message "Are you sure you want to delete the icon from your desktop? The contents of this folder will not be deleted. You can restore this icon to the desktop by right-clicking on its icon in the start menu".

Upon seeing this, I tried deleting just the files in one sweep then planned to delete what would have been an empty folder afterwards.

Please advise me of an alternative way to be shut of LogMeIn altogether once for all, without any of my existing folders and files being compromised. This program is very persistent.
 
Assuming that you mean disable Comodo AV only out of the Comodo products but to disable anti-spyware and anti-malware programs, I'll do this, as I've never used any aggressive but rewarding programs like ComboFix before, which is why I don't want anything to become irreversible, as I have several Documents on my computer which I don't want to lose.

OK, I'll re-read the above and previous instructions relating to ComboFix and safeguards to ensure it runs properly. As soon as I feel sure I've covered everything, hoping nothing goes drastically wrong, I'll proceed sometime later today and let you know the outcome.

As ensuring my computer is free from malware takes priority, I'll come back to you on the LogMeIn issue after the final test takes place. At present, my original Desktop folder is in the Recycle Bin, while the other is active in the usual place. When I tried to Restore, it offered to merge the two, but when I tried to do this, it said "Are you sure you want to move the system file system.ini?". I cancelled to play safe. Anyway, I'll come back to you on that and will postpone downloading/installing anything other than the test programs until after they're complete, as otherwise it would mean more programs to disable, and I want to keep everything as simple as possible so that as much time is taken as needed but the outcome is finalized as soon as possible. :)

OK, I'll come back to you later on.
 