Adware? 1st System Check then Internet Security


At this point there's no automated way of restoring the "population" in your list of programs from the Start button.

Yes, indeed you should know Windows Explorer. From the Start button (or press the Windows key + R on the keyboard), type in

Explorer.exe

and press Enter.

No, don't uninstall/re-install.

Yes, I believe your system is now rid of the malware & bootkit-malware.

Delete the copy you have of RogueKiller.exe

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Click on Report and copy/paste the content of the notepad into your next reply.


Hi,

Ran the scan. Here's the log. Thanks. CAE

RogueKiller V7.2.1 [02/29/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Ekenbarger's [Admin rights]

Mode: Scan -- Date: 03/05/2012 19:46:58

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1297805904] ("C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4D5AF24F\bomgar-scc.exe" -nomulti) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-1946173170-350803515-410004273-1006[...]\Run : Bomgar Support Reconnect [1297805904] ("C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4D5AF24F\bomgar-scc.exe" -nomulti) -> FOUND

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y160M0 +++++

--- User ---

[MBR] e8c4ef311439380bf8161fe3e04c23d1

[bSP] b72667633f4c7c2babf1970635a88ab8 : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 149071 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 305411715 | Size: 3459 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AADS-00S9B0 +++++

--- User ---

[MBR] 9ff5de6a7f5bd44494e6713738cfaa5e

[bSP] 766475e27f711b63811094046f843551 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

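The RogueKiller report posted above follows a fixed text layout. As an added example (not code from this thread or from RogueKiller itself), the Python below parses that layout into structured findings, using a sample constructed from the posted log, so that repeated reports can be compared mechanically instead of by eye. The tag names and the "MBR Code unknown" wording are taken from the report; the triage rules are the example's own assumptions.

```python
"""Parse a RogueKiller scan report into structured findings (added example)."""
import re
from collections import Counter

# Constructed sample, copied from the report format posted in this thread.
# Tag case is as the forum rendered it ("[sUSP PATH]", "[bSP]"); matching is case-insensitive.
REPORT = r"""
RogueKiller V7.2.1 [02/29/2012] by Tigzy
¤¤¤ Registry Entries: 3 ¤¤¤
[sUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1297805904] ("C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4D5AF24F\bomgar-scc.exe" -nomulti) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y160M0 +++++
[bSP] b72667633f4c7c2babf1970635a88ab8 : MBR Code unknown
+++++ PhysicalDrive1: WDC WD5000AADS-00S9B0 +++++
[bSP] 766475e27f711b63811094046f843551 : Windows Vista MBR Code
"""

# "[TAG] <registry key> : <value name> (<data>) -> FOUND"
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?)\s+:\s+(?P<name>.+?)\s+\((?P<data>.*)\)\s+->\s+(?P<status>\w+)$")
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
BSP_RE = re.compile(r"^\[bsp\]\s+(?P<md5>[0-9a-f]{32})\s+:\s+(?P<desc>.+)$", re.IGNORECASE)


def parse_report(text):
    """Return (registry findings, drives) extracted from the report text."""
    findings, drives, current = [], [], None
    for line in text.splitlines():
        if m := DRIVE_RE.match(line):
            current = {"drive": m["drive"], "model": m["model"], "bsp_md5": None, "mbr_code": None}
            drives.append(current)
        elif (m := BSP_RE.match(line)) and current is not None:
            current["bsp_md5"], current["mbr_code"] = m["md5"].lower(), m["desc"]
        elif m := ENTRY_RE.match(line):
            f = m.groupdict()
            f["tag"] = f["tag"].upper()  # undo the forum's lowercased first letter
            findings.append(f)
    return findings, drives


def triage(findings, drives):
    """What a helper reads first (assumed rules): autostart entries flagged as suspicious
    paths, and drives whose boot code RogueKiller could not identify. Unknown boot code
    deserves a manual look but is not by itself proof of infection (OEM code can show this way)."""
    autostart = [f["data"] for f in findings
                 if f["tag"] == "SUSP PATH" and f["key"].endswith(r"\Run")]
    unknown_mbr = [d["drive"] for d in drives
                   if d["mbr_code"] and "unknown" in d["mbr_code"].lower()]
    return {"by_tag": dict(Counter(f["tag"] for f in findings)),
            "autostart": autostart, "unknown_mbr": unknown_mbr}


if __name__ == "__main__":
    print(triage(*parse_report(REPORT)))
```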

Ok.

Tell me, How do things look now?


Let's have you delete the RogueKiller & get a new download & then run as per guide below.

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Click on Report and copy/paste the content of the notepad into your next reply.


Ok. Deleted it and ran the scan. Here's the report. Should I leave the program open? Thanks. CAE

RogueKiller V7.2.1 [02/29/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Ekenbarger's [Admin rights]

Mode: Scan -- Date: 03/05/2012 19:46:58

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Bomgar Support Reconnect [1297805904] ("C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4D5AF24F\bomgar-scc.exe" -nomulti) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-1946173170-350803515-410004273-1006[...]\Run : Bomgar Support Reconnect [1297805904] ("C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4D5AF24F\bomgar-scc.exe" -nomulti) -> FOUND

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y160M0 +++++

--- User ---

[MBR] e8c4ef311439380bf8161fe3e04c23d1

[bSP] b72667633f4c7c2babf1970635a88ab8 : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 149071 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 305411715 | Size: 3459 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AADS-00S9B0 +++++

--- User ---

[MBR] 9ff5de6a7f5bd44494e6713738cfaa5e

[bSP] 766475e27f711b63811094046f843551 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


The next chance you have, do a Full scan with an Updated MBAM. It may take an hour or so. And then we'll have a current log to review.

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Post that log and also advise me as to the general situation on your system.


Hi,

I ran the scan. Nothing detected. Here is the log. Thanks. CAE

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.08.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Ekenbarger's :: JAM1 [administrator]

3/8/2012 7:06:03 PM

mbam-log-2012-03-08 (19-06-03).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 312608

Time elapsed: 45 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I haven't used the pc to do anything. Can I surf a bit and see what (if anything) happens? Also how should I go about reinstalling or creating access to the missing programs? Can I install the Avira anti-virus now? Can I delete the logs and .exe files I downloaded?

Please know that I am very appreciative of your time and guidance. CAE


First, install the Avira a-v. Make sure to do an Update run for current definitions. Once all that is done, you may use internet.

I'll help you (a bit later, after your antivirus is in place & once I hear from you on your internet experience) to remove the tools we used.

Don't try to do it now or by yourself. (The tools aren't active & not in the way).

On "reinstalling or creating access to the missing programs" :

I would think that, if and only if you can't see an application listed under the Program Files folder, then you can attempt a re-install of the program.

Just simply do only 1 at a time and check the result. Be careful that you reinstall to the same location as before.


Hi,

I installed Avira and updated. Then did a bit of surfing and everything seemed fine. I wasn't redirected and the speed was fine. I know my family is champing at the bit to get on Facebook but I think that Facebook is probably how this all started. I told them not to click on any links but is there a better way to protect the computer? Thanks. CAE


To better protect your system, I'd suggest you follow some additional protection measures (listed below) and also educate the others in your family about safer practices. Be much more judicious and a bit more careful 'before' clicking internet links & in the videos (if any) that you click to view.

If you do not have the MBAM PRO, I'd suggest you get it to give you an added filter and real-time protection. The license is a one-time purchase only (1 license per system), the license is good forever, and there's NO yearly renewal fee. And if you upgrade to a new computer, the license is moveable to that, as long as it is removed from the old system.

I do not know when you got Spybot Search and Destroy; you may keep it as an on-demand scanner (just be sure to keep Spybot updated). Do not activate the Spybot Tea Timer if you are not familiar with it, and also not if you have MBAM real-time protection.

You have updated Java runtime before this point. Now, we need to cover Adobe Flash Player, Adobe Reader, and Firefox browser.

Older versions of Adobe Reader & Flash Player pose a potential security risk (due to vulnerabilities).

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

Also un-install Adobe Flash Player.

Exit Control Panel.

Get latest Adobe Reader version. Download and Save first. Then run.

http://get.adobe.com/reader/

Be sure to un-check the box for McAfee Security Scan Plus or any "toolbar"

Get the latest Adobe Flash Player: download & Save first. Then run.

http://get.adobe.com/flashplayer/

Be sure to un-check the box for McAfee Security Scan Plus or any "toolbar"

Firefox update: Start Firefox. Select from main menu: Help & then About. When it indicates a newer version, select Apply (allow update).

Out-of-date & insecure applications (like those 3) are a frequent avenue that allows malware an easier way to infect your system. So keep those always updated & use Secunia PSI to check for updates (see below).

Cleanup of tools used

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the text box that opens, type or copy/paste Combo-Fix /uninstall and then click OK.

If the Combofix un-install has an issue, skip that step.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete these tools if still present:

  • aswMBR.exe
  • TDSSKILLER.exe
  • GMER.exe
  • Stinger.exe
  • RogueKiller.exe

To free up space, you may use Control Panel's Add-or-Remove Programs to un-install:

  • BitDefender online scan
  • ESET Online scan

ERUNT you should keep, and use on a regular basis to do backup of the Windows registry.

Security and malware prevention


Hi,

I uninstalled Spybot yesterday. Finding this list a bit daunting but will tackle it this week. Will let you know if I run into trouble. Thanks. CAE

Hi again,

I also have Adobe Air and Adobe Download Manager. Should I uninstall these as well?

Edited by caewe12