diddlydudette Posted January 28, 2013

Hi,

First off, thanks for any help. I'm at a loss of what to do as I'm not a techy... but more so than my sister, but that's not saying much. :-)

My sister has a Trojan.Win32.Generic!BT on her computer. She has Vipre anti-virus on her computer which was installed from her realtor office. I ran a scan using that and the virus was put in quarantine. I removed infections from the computer. The thing is, no matter how many times I remove it, it pops back up the next day or whenever and she calls me back. I then ran Malwarebytes and several threats popped up and again I removed them. Spybot caught 1 low risk threat but I removed that also. Right when I think she is good to go and all threats removed via the anti-virus software, she calls me back up that the virus has popped up again. I again go through the whole process and remove again.

How can I permanently remove these threats? I am by no means a computer geek or guru. I did save her logs thinking it might help and I took screenshots of her scanned results. Maybe those might help. Any suggestions would be greatly appreciated.
I've been working on her computer remotely as she lives in a different city than I do.

Logs from Spybot and Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.27.08

Windows XP Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Anne-Main :: MANAL01131001AB [administrator]

Protection: Disabled

1/27/2013 4:57:10 PM
mbam-log-2013-01-27 (16-57-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 322437
Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Detected: 1
C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> 4736 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\ANNE-M~1\LOCALS~1\Temp\mswoloxpz.pif -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield.ET) -> Data: C:\windows\Temp\temp42.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\Anne-Main\AppData\Local\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.
C:\Documents and Settings\Anne-Main\AppData\Local\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.
C:\Documents and Settings\Anne-Main\Local Settings\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.
C:\Users\Anne-Main\Local Settings\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.
C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> Delete on reboot.

(end)

Spybot log:

Search results from Spybot - Search & Destroy
1/27/2013 6:03:27 PM
Scan took 00:31:38.
80 items found.

Macromedia.FlashPlayer.Cookies: [sBI $6AA61750] Text file (File, nothing done) C:\Users\Anne-Main\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\UKK5783B\cfiles.5min.com\Storage5minCookie.sol Properties.size=0 Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Macromedia.FlashPlayer.Cookies: [sBI $6AA61750] Text file (File, nothing done) C:\Users\Anne-Main\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\UKK5783B\s.ytimg.com\videostats.sol Properties.size=0 Properties.md5=D41D8CD98F00B204E9800998ECF8427E
CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
Right Media: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
FastClick: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
BurstMedia: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
DoubleClick: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
Zedo: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)
DoubleClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
FastClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Statcounter: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
WebTrends live: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
BurstMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
DoubleClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)
Log: [sBI $8E73A7FB] Install: Directx.log (File, nothing done) C:\Windows\Directx.log Properties.size=0 Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Log: [sBI $8E73A7FB] Install: setupact.log (File, nothing done) C:\Windows\setupact.log Properties.size=0 Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Log: [sBI $8E73A7FB] Install: DtcInstall.log (File, nothing done) C:\Windows\DtcInstall.log Properties.size=0 Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Internet Explorer: [sBI $FF589D0C] Download directory (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Internet Explorer\Download Directory
Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
MS Management Console: [sBI $ECD50EAD] Recent command list (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: [sBI $5C51E349] Client ID (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done) HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done) HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [sBI $EB49D5AF] Most recent application (Registry Change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectDraw: [sBI $EB49D5AF] Most recent application (Registry Change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [sBI $9A063C91] Most recent application (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [sBI $7B184199] Most recent application ID (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Office 11.0: [sBI $53EEAC4B] Last opened-from-web file (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation
MS Office 11.0 (Access): [sBI $7F916EA4] Recent database #1 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU1
MS Office 11.0 (Access): [sBI $806BF7B4] Recent database #2 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU2
MS Office 11.0 (Access): [sBI $63ED7D7B] Recent database #3 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU3
MS Office 11.0 (Access): [sBI $A4EFC3D5] Recent database #4 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU4
MS Office 11.0 (Access): [sBI $4769491A] Recent database #5 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU5
MS Office 11.0 (Access): [sBI $B893D00A] Recent database #6 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU6
MS Office 11.0 (Access): [sBI $5B155AC5] Recent database #7 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU7
MS Office 11.0 (Access): [sBI $EDE7AB17] Recent database #8 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU8
MS Office 11.0 (Access): [sBI $0E6121D8] Recent database #9 (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU9
MS Office 11.0 (Cliparts): [sBI $D2A56AFD] Last search made (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Clip Organizer\Search\Last Query
MS Office 11.0 (Excel): [sBI $8DAB8D88] Recent file list (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Excel\Recent Files
MS Office 11.0 (Outlook): [sBI $51367364] Typed search term history (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Outlook\Office Finder
MS Office 11.0 (Picture Manager): [sBI $2379928F] Last selected folder (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection
MS Office 11.0 (PowerPoint): [sBI $C10CED61] Recent file list (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\PowerPoint\Recent File List
MS Office 11.0 (Publisher): [sBI $52D0C0B4] Recent file list (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Publisher\Recent File List
MS Office 11.0 (Word): [sBI $15AC27CE] Recent file list (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Word\Data\Settings
MS Paint: [sBI $07867C39] Recent file list (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
MS Regedit: [sBI $C3B62FC1] Recent open key (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
Windows.OpenWith: [sBI $48691F6C] Open with list - .ASD extension (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASD\OpenWithList
Windows.OpenWith: [sBI $F7204896] Open with list - .AVI extension (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [sBI $A1C94E79] Open with list - .BMP extension (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [sBI $F1129B32] Open with list - .CPL extension (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPL\OpenWithList
Windows.OpenWith: [sBI $ECC28BDF] Open with list - .CSV extension (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList
Windows Explorer: [sBI $7308A845] Run history (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [sBI $AA0766B5] Stream history (Registry Key, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Media SDK: [sBI $37AAEDE6] Computer name (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [sBI $CAA58B6E] Unique ID (Registry Change, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [sBI $BACCD0DA] Volume serial number (Registry Value, nothing done) HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Cookie: [sBI $49804B54] Browser: Cookie (255) (Browser: Cookie, nothing done)
Cache: [sBI $49804B54] Browser: Cache (237) (Browser: Cache, nothing done)
History: [sBI $49804B54] Browser: History (3) (Browser: History, nothing done)
Cookie: [sBI $49804B54] Browser: Cookie (769) (Browser: Cookie, nothing done)

--- Spybot - Search & Destroy version: 2.0.12.131 DLL (build: 20121113) ---

2012-11-13 blindman.exe (2.0.12.151)
2012-11-13 explorer.exe (2.0.12.173)
2012-11-13 SDBootCD.exe (2.0.12.109)
2012-11-13 SDCleaner.exe (2.0.12.110)
2012-11-13 SDDelFile.exe (2.0.12.94)
2012-11-13 SDFiles.exe (2.0.12.135)
2012-11-13 SDFileScanHelper.exe (2.0.12.1)
2012-11-13 SDFSSvc.exe (2.0.12.205)
2012-11-13 SDImmunize.exe (2.0.12.130)
2012-11-13 SDLogReport.exe (2.0.12.107)
2012-11-13 SDPESetup.exe (2.0.12.3)
2012-11-13 SDPEStart.exe (2.0.12.86)
2012-11-13 SDPhoneScan.exe (2.0.12.27)
2012-11-13 SDPRE.exe (2.0.12.13)
2012-11-13 SDPrepPos.exe (2.0.12.10)
2012-11-13 SDQuarantine.exe (2.0.12.103)
2012-11-13 SDRootAlyzer.exe (2.0.12.116)
2012-11-13 SDSBIEdit.exe (2.0.12.39)
2012-11-13 SDScan.exe (2.0.12.173)
2012-11-13 SDScript.exe (2.0.12.53)
2012-11-13 SDSettings.exe (2.0.12.130)
2012-11-13 SDShred.exe (2.0.12.105)
2012-11-13 SDSysRepair.exe (2.0.12.101)
2012-11-13 SDTools.exe (2.0.12.150)
2012-11-13 SDTray.exe (2.0.12.127)
2012-11-13 SDUpdate.exe (2.0.12.89)
2012-11-13 SDUpdSvc.exe (2.0.12.76)
2012-11-13 SDWelcome.exe (2.0.12.126)
2012-11-13 SDWSCSvc.exe (2.0.12.2)
2013-01-27 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2012-11-13 SDAdvancedCheckLibrary.dll (2.0.12.98)
2012-11-13 SDECon32.dll (2.0.12.113)
2012-11-13 SDECon64.dll (2.0.12.113)
2012-11-13 SDEvents.dll (2.0.12.2)
2012-11-13 SDFileScanLibrary.dll (2.0.12.9)
2012-11-13 SDHelper.dll (2.0.12.88)
2012-11-13 SDImmunizeLibrary.dll (2.0.12.2)
2012-11-13 SDLists.dll (2.0.12.4)
2012-11-13 SDResources.dll (2.0.12.7)
2012-11-13 SDScanLibrary.dll (2.0.12.131)
2012-11-13 SDTasks.dll (2.0.12.15)
2012-11-13 SDWinLogon.dll (2.0.12.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2012-11-13 Tools.dll (2.0.12.36)
2012-11-13 UninsSrv.dll (2.0.12.52)
2012-11-14 Includes\Adware.sbi (*)
2012-11-14 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2012-11-14 Includes\DialerC.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2012-11-14 Includes\HijackersC.sbi (*)
2012-11-14 Includes\iPhone.sbi (*)
2012-11-14 Includes\Keyloggers.sbi (*)
2012-11-14 Includes\KeyloggersC.sbi (*)
2012-11-14 Includes\Malware.sbi (*)
2012-11-14 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2012-11-14 Includes\PUPSC.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2012-11-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-11-14 Includes\Spyware.sbi (*)
2012-11-14 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2012-11-14 Includes\Trojans.sbi (*)
2012-11-14 Includes\TrojansC-02.sbi (*)
2012-11-14 Includes\TrojansC-03.sbi (*)
2012-11-14 Includes\TrojansC-04.sbi (*)
2012-11-14 Includes\TrojansC-05.sbi (*)
2012-11-14 Includes\TrojansC.sbi (*)

I also went in and deleted all temp files.
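A check worth running on a log like the one above, added here as an example that is not part of the original post and not Malwarebytes' own tooling: a small Python parser for the Malwarebytes 1.70 log format that lists the autostart entries the scan found and flags any autostart target that was not itself among the detected files. In the quoted log the Run value SonyAgent points at temp42.exe, which was also detected as a file, but the Load value under Windows NT\CurrentVersion\Windows (a legacy win.ini autostart location) points at mswoloxpz.pif, which does not appear in the Files list; a launcher that is left in place is the usual reason the same detections come back after every cleanup. The sample log is constructed from the post's log, and the section and item regexes are assumptions read off that log, not a published format specification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the shape of the Malwarebytes Anti-Malware 1.70 log
# quoted in the post above (threat names and paths copied from that log).
SAMPLE_LOG = """\
Memory Processes Detected: 1
C:\\Windows\\Temp\\temp42.exe (Trojan.Lameshield.ET) -> 4736 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows|Load (PUM.UserWLoad) -> Data: C:\\Users\\ANNE-M~1\\LOCALS~1\\Temp\\mswoloxpz.pif -> Delete on reboot.
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|SonyAgent (Trojan.Lameshield.ET) -> Data: C:\\windows\\Temp\\temp42.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\\Users\\Anne-Main\\AppData\\Local\\Temp\\tmp6594a7b5\\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.
C:\\Windows\\Temp\\temp42.exe (Trojan.Lameshield.ET) -> Delete on reboot.

(end)
"""

# Assumed shape of the log (read off the post's log, not a published spec):
# a section header "<Section> Detected: <n>" followed by one line per item.
SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations Malwarebytes reports as "Key|ValueName" items.
AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
WIN_INI_MAPPED_KEY = "\\windows nt\\currentversion\\windows"  # legacy win.ini Load/Run


@dataclass
class Detection:
    section: str            # e.g. "Registry Values", "Files"
    item: str               # file path, or "HKEY...\\Key|ValueName"
    threat: str             # detection name, e.g. "PUM.UserWLoad"
    action: str             # last "->" segment, e.g. "Delete on reboot."
    target: Optional[str]   # "Data:" path a registry value points at, if any


def parse_mbam_log(text: str) -> List[Detection]:
    """Turn the detection sections of a Malwarebytes 1.70 log into records."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not m or not section:
            continue   # blank lines, "(No malicious items detected)", "(end)"
        parts = [p.strip() for p in m.group("rest").split("->")]
        target = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        found.append(Detection(section, m.group("item"), m.group("threat"), parts[-1], target))
    return found


def persistence_entries(dets: List[Detection]) -> List[Detection]:
    """Registry-value detections that sit in an autostart location."""
    out = []
    for d in dets:
        if d.section != "Registry Values":
            continue
        key, _, name = d.item.rpartition("|")
        key = key.lower()
        if key.endswith(AUTORUN_KEY_SUFFIXES) or (
            key.endswith(WIN_INI_MAPPED_KEY) and name.lower() in ("load", "run")
        ):
            out.append(d)
    return out


def _basename(path: str) -> str:
    # Compare file names only: registry data often uses 8.3 short directory
    # names (ANNE-M~1, LOCALS~1) that cannot be expanded offline.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unresolved_targets(dets: List[Detection]) -> List[str]:
    """Autostart targets not themselves detected in the same scan.

    A launcher that stays in place is the usual reason the same items
    come back after each cleanup, so these deserve a manual look."""
    removed = {_basename(d.item) for d in dets if d.section in ("Files", "Memory Processes")}
    return [d.target for d in persistence_entries(dets)
            if d.target and _basename(d.target) not in removed]


def pending_reboot(dets: List[Detection]) -> List[str]:
    """Items only scheduled for removal; rescan after a restart, not before."""
    return [d.item for d in dets if d.action.startswith("Delete on reboot")]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections parsed")
    for d in persistence_entries(dets):
        print(f"autostart: {d.item} -> {d.target} [{d.threat}] ({d.action})")
    for t in unresolved_targets(dets):
        print(f"NOT removed in this scan, check manually: {t}")
    print("pending reboot:", ", ".join(pending_reboot(dets)))
```

Two things the output makes visible that reading the raw log does not: which entries are autostart hooks rather than dropped files, and which hooked file survived the scan. The "Delete on reboot." items are only scheduled, so a rescan that is run before the machine restarts (as happened twice in this thread) will report them again regardless.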
TheDarkKnight Posted January 28, 2013

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.
diddlydudette (Author) Posted January 28, 2013

Thanks so much for the response. I appreciate it.

I will have to wait until tonight when my sister gets home from work to do this by remotely logging into her computer.

One thing that concerns me though is the Recovery Console. She doesn't have any recovery CDs and what if there isn't recovery preinstalled on her computer? Plus since I can't log in unless she is booted up, she can't do this type of thing herself. She is really very 'not-techy' AT ALL.

I don't want to mess up her computer as this is her laptop and her desktop just died not too long ago and she really relies on this laptop. Do you feel she'll be ok by running this program? If so, I'll go ahead with it and hope for the best.

Thanks again.
TheDarkKnight Posted January 28, 2013

Good morning diddlydudette,

ComboFix won't try to remove the more serious infections without the console installed, so everything should be fine.
diddlydudette (Author) Posted January 29, 2013

Hi Dark Knight!

I just logged onto her computer and scanned with Vipre and Malwarebytes. Vipre, her anti-virus software, resulted in a low risk cookie and I deleted that. Malwarebytes resulted in PUM.UserWLoad, category Registry Value.

So looks like we'll need to do as you say. We are both tired tonight but she gets off work tomorrow (Tuesday) at 6:30pm, so we'll work on it then. We'll be running the combofix. It's just hard doing it remotely but thanks so much for your help and patience.

The Trojan.Win32.Generic!BT trojan didn't show back up in Malwarebytes. Could that mean it's gone and now she just has the other?
diddlydudette (Author) Posted January 29, 2013

One more thing.... should she stay off her computer until this gets fixed?
TheDarkKnight Posted January 29, 2013

Hey diddlydudette,

If you can use another computer in the meantime that would be best.
diddlydudette (Author) Posted January 30, 2013

Hi Dark Knight. I am on my sister's computer and was going to run the combofix. The link I went to for the download says it is not available. Is there somewhere else to download it? Thanks.
diddlydudette (Author) Posted January 30, 2013

I don't see any way to edit a post or else I'd just edit the one above.

Anyway, since I didn't get a chance to run the scan tonight, hopefully the combofix download will be back up on the bleepingcomputer.com site tomorrow and I'll try again. I was going to download it from another site..... perhaps CNet or softpedia but I saw somewhere that it was recommended to only trust the bleepingcomputer site so I didn't. Should I?

Since I was on her computer anyway, I went ahead and ran scans again with Malwarebytes and Vipre. Malwarebytes again showed Backdoor.Bot and PUM.UserWLoad trojans. I then ran Vipre and it came back clean but only after I deleted the files from Malwarebytes. I'm sure they'll pop back on when logging back into the computer.

I told her to stay off of it until we clean up these trojans.

Thanks for your continued help. Let me know how to proceed now.
TheDarkKnight Posted January 30, 2013

Hey diddlydudette,

ComboFix has been compromised so please do not download any copies for the interim.

Please read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Please go to a clean computer.
Download the .iso image file.
Create a CD (or flash drive if you prefer).
On the infected computer: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?

Then, please print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode. Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever).
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update.
Back to other tab and click Start Object Scan.

When scan has completed save a report:
On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \ Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.
diddlydudette (Author) Posted February 1, 2013

Hi Dark Knight.

Sorry I had to go away a couple of days and didn't respond.

I see where Combofix is back up. Can I use that instead of the above? Combofix just sounds easier. The other sounds awfully complicated.... remember I'm helping my sister remotely and neither of us are techy so the easier steps the better. Thanks again!!
diddlydudette (Author) Posted February 1, 2013

I may just chance that running combofix will be ok since it's back up. I'll either run later tonight or in the a.m. I sure hope it's ok that I do that.
TheDarkKnight Posted February 1, 2013

Hello diddlydudette,

You may use ComboFix. It has been restored.
diddlydudette (Author) Posted February 2, 2013

Great! I'll run it in the morning.
TheDarkKnight Posted February 2, 2013

OK sounds like a plan.
TheDarkKnight Posted February 9, 2013

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
diddlydudette (Author) Posted February 9, 2013

Thanks so much for your help Dark Knight! My sister decided to get help elsewhere. Go ahead and close the topic.
TheDarkKnight Posted February 9, 2013

Hello diddlydudette,

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):
SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them. Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
LDTate Posted February 15, 2013

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!