System Security help


teachband0512

Greetings!

I am fighting the System Security malware right now. A quick list of things I've done, based on previous knowledge and about 2 hours of research:

1) msconfig - disabled a file with a random number, 15435934.exe
2) regedit - deleted a folder named HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\systemsecurity2009
3) rebooted in safe mode, downloaded SpyHunter 3 (which through use and research I promptly uninstalled as it didn't seem as stable or helpful as I thought)
4) in safe mode, installed Malwarebytes' Anti-Malware and have run it, finding 27 instances of malware. I haven't removed anything yet, as I wanted to post this first.

I've read a lot about Combofix and a host of other programs, but I've read that I should be asking first before running a program such as that. Am I on the right track?
 
It also seems to have disabled my Windows Firewall, which I just re-enabled... unless that was the reason it got me in the first place!

Edit: Currently doing the 8-step process.
 
We'll review the three logs after you run the scans.

If you can't run Malwarebytes or Superantispyware in Normal Mode, okay to run in Safe Mode. We can repeat when Normal Mode is available.

Malwarebytes' Anti-Malware and have run it, finding 27 instances of malware. I haven't removed anything yet, as I wanted to post this first.
Okay to check the lines in Mbam and SAS to remove malware it finds. It will quarantine and/or delete on reboot. But don't delete - as in right click> delete - any of the files before I see the log.
Please be sure to check the lines in these two programs to remove the malware they find. They will then either quarantine or remove when rebooted. Do not delete any of the quarantined files yet.

Don't remove anything in HijackThis. We will instruct you on this.

Do NOT run Combofix unless your helper instructs you to. Follow the steps HERE.
 
8-Step Process done - Update

I ran the entire process... it seems to have cleared up a lot of the issues. I am no longer getting the ugly shield in my system tray, nor am I getting the random pop-ups via internet explorer. Of course, I want to make sure everything is cleaned so that I can properly use my computer again. Here are the log files from MABM, SAS, and HJT. Thanks for the help, let me know what I can do next!
 
You have entries for both Symantec/Norton and Avast. One of them needs to be uninstalled. Check each process for removal, take it off Startup, disable the Service, uninstall.

You now need to have Malwarebytes remove what it found. UPDATE the program and CHECK the line that says: "* Make sure that everything is checked, and click Remove Selected." Rescan.

Mbam has only found the malware- it shows "No Action Taken"

There is a similar line in SAS: " * Make sure everything found has a checkmark next to it,then press 'Next'"
Please update and check that line.

Looks like you don't do cleanup on the system. There are a gazillion Tracking Cookies! Remove them in SAS, then:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK 'accept Cookies from Sites'> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

Please reopen HijackThis to 'do system scan only'.
Check each of the processes below. Note: don't click on 'Fix Checked' until you complete the list:
Note 2: I have Avast processes listed for removal. If you decide to keep Avast, do NOT check them for removal.
J:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
J:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
J:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MSConfig] J:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] J:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Acrobat Assistant.lnk = J:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = J:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

If you put the following restriction in place, leave it. If you did not or are not aware of it, check for removal:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab


Close all Windows except HijackThis and click on 'Fix Checked.'

The following Services are for the 2 AV programs you have. Do this for the Service of the AV that you are NOT going to keep:
Boot into Safe Mode:
Start> Run> type in msconfig> Selective Startup> Startup tab> UNCHECK all processes for the AV you are NOT going to keep.

Disable each Service for the AV you are NOT going to keep. Stop the Service
Start> Run> type in services.msc> right click on the Service> change Startup type to Disabled> Stop the Service.
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - J:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - J:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - J:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - J:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe


Reboot into Normal Mode. NOTE: ignore the nag message and close after checking 'don't show this message again.' Stay in Selective Startup.

You will need to run the Norton Removal Tool if you decide NOT to keep the program:

When you have finished the above:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis. Please include log for Mbam, new log for HJT and Combofix report in next reply.

You will need to update Adobe when we're through. It's way out of date and presents a vulnerability.
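The HijackThis entries quoted in this post are all in the same "Oxx - ..." line format. As an added example (not from this thread, from HijackThis, or from its author), here is a small parser that turns those lines into structured records so the startup items and services belonging to each AV vendor can be grouped for review before anything is checked for removal. The sample log is constructed from the lines quoted above; the field names are my own.

```python
import re

# Sample input, constructed from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MSConfig] J:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] J:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Acrobat Assistant.lnk = J:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: avast! Antivirus - ALWIL Software - J:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
"""

# One pattern per HijackThis section type seen above. 'id' is a CLSID for O2/O16 and the
# service short name for O23; for O4 the 'vendor' slot holds the autostart location instead.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<vendor>.+?): (?:\[(?P<name>[^\]]+)\] |(?P<lnk>.+?\.lnk) = )(?P<target>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<id>\{[0-9A-Fa-f-]+\}) \((?P<name>.+?)\) - (?P<target>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<id>[^)]+)\))? - (?P<vendor>.+?) - (?P<target>.+)$"),
}

def parse_line(line):
    """Parse one HijackThis entry into a dict; None for section types not modelled here."""
    line = line.strip()
    kind = line.split(" ", 1)[0]
    m = PATTERNS[kind].match(line) if kind in PATTERNS else None
    if not m:
        return None
    d = m.groupdict()
    return {"kind": kind, "name": d.get("name") or d.get("lnk") or "", "id": d.get("id"),
            "vendor": d.get("vendor") or "", "target": d["target"]}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def entries_mentioning(entries, keyword):
    """Entries whose name, vendor/location or target mention keyword, case-insensitively."""
    k = keyword.lower()
    return [e for e in entries if k in " ".join((e["name"], e["vendor"], e["target"])).lower()]

def services_by_vendor(entries):
    """Group O23 services by vendor: the view needed to pick which AV's services to disable."""
    grouped = {}
    for e in entries:
        if e["kind"] == "O23":
            grouped.setdefault(e["vendor"], []).append(e["id"] or e["name"])
    return grouped
```

Running `entries_mentioning(parse_log(SAMPLE_LOG), "avast")` lists the Run entry and the service for that vendor together, which is the set the post asks to be unchecked in msconfig and disabled in services.msc if Avast is the one not kept.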
 
Thanks for the help so far, Bobbye!

I deleted the Quarantines for both MBAM and SAS. Can you suggest something to clean out my tracking cookies, or can I do this manually via Firefox or something?

I also ran all programs like you asked - hopefully I'm closer to having a healthy, functioning computer! Here are the files you asked for:
 
Cleaning out the Tracking Cookies:
Post #5:
There is a similar line in SAS: " * Make sure everything found has a checkmark next to it,then press 'Next'" Please update and check that line.

Follow my directions for resetting the Cookies and seriously consider the 2 add-ons I recommended for Firefox- all in Post #5.

I see you have Viewpoint. Viewpoint is considered foistware. If you want to remove Viewpoint, you can download Viewpoint Killer:

Download Viewpoint Killer.zip HERE:
Use this mirror: Softpedia Mirror (RO) [ZIP]
  • Save it to your Desktop
  • Create a new folder in your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
  • Unzip the contents of the zip file to the newly created folder.
  • Open the Viewpoint Killer folder then run ViewpointKiller, and select File > Do All Killings.
  • Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
  • Reboot.
Viewpoint Killer does exactly what its name says: Kills Viewpoint Media Player. Viewpoint Media Player is an adware that displays bandwidth eating pop up ads in IE and on your desktop. It comes silently with an install of AIM and will be reinstalled by AIM if uninstalled. Viewpoint Killer fixes all of that. It takes off Viewpoint Media Player once and for all.

NOTE: If you have problems downloading ViewpointKiller, please try to stop using your download manager and avoid right clicking on files. Also, check your firewall settings, because some mirrors may require that you do not block the HTTP referers.

I'd like to see a log from a full system scan with the AV. Can you do that?

Regarding the accumulating of the Cookies - Tracking or otherwise: they can be included when you do a disc cleanup or use CCleaner. But with the setting I gave you, you will find far fewer Cookies - they should be for the site itself, which you can keep if it includes registering and password.

Give me an AV log and one more HJ log. If clean, we'll remove the cleaning tools.
 
Last full scan I did is included. I did actually download and install those two addons. Hopefully I've done everything I needed. Thanks again!
 
Looks good. Did you decide to keep Viewpoint? I redid the tags for it.

If you missed it and want to remove it:

Reopen HJT to 'do system scan only'. Check these entries:
J:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
J:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - J:\Program Files\Viewpoint\Common\ViewpointService.exe


Close all but HJT. Click 'Fix Checked'.
Follow the Viewpoint Killer.

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if you need more help.
 
You're welcome. Glad to help.

I forgot to tell you to empty the Recycle Bin, so please do that.
 