I can't enable Malicious Website Blocking

[Shingles]

Recently, my wife and I had our email hacked into and emails were sent from our accounts as a result of our infected laptop. I purchased Maleware Bytes (because we use the software at our office and love it) and was able to remove 13 threats!!!! After threat removal I rescanned the computer and got clean results, however, I can't enable malicious website blocking.

I searched the forums it looks like I may still have an issue. I'm smart enough to know that I need some assistance, so I have followed the instructions in the "pinned" thread heading this section of the forum and have attached the two dds text files.

DDS

dds.txt

Attach

attach.txt

Thanks in advance for all of your help.

~Jim

[MrCharlie]

Welcome to the forum.

Please uninstall Wajam from your add/remove programs.

http://www.systemlookup.com/CLSID/74615-wajam_dll_priam_bho_dll.html

----------------------------

Next......................

Please download and run RogueKiller to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop. (please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

<+>

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>

Please stick with me until I give you the "all clear".

<+>The removal of malware isn't instantaneous, please be patient.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[Shingles]

Mr. Charlie,

Thanks for responding so quickly.

As requested I have uninstalled Wajam (whatever that is) and run RougeKiller.

RougeKiller Report

RKreport1_S_02262013_02d2251.txt

~Jim

[MrCharlie]

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
  
• Open the folder where the contents were unzipped and run mbar.exe
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
  

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

[Shingles]

Mr. C,

I ran the antir-rootkit program and it didn't find any maleware.

Attached are the two logs that you requested.

System Log

system-log.txt

Mbar-Log

mbar-log-2013-02-27 (07-18-34).txt

~Jim

[MrCharlie]

I ran the antir-rootkit program and it didn't find any maleware.

Yes it did:

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...

Done!

Performing system, memory and registry scan...

Infected: c:\$RECYCLE.BIN\S-1-5-18\$679f163104bc87f612e2e903a5b90c5b\@ --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-21-396264333-428887367-617391505-1003\$679f163104bc87f612e2e903a5b90c5b\@ --> [Trojan.Siredef.C]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-18\$679f163104bc87f612e2e903a5b90c5b\U --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-21-396264333-428887367-617391505-1003\$679f163104bc87f612e2e903a5b90c5b\U --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-18\$679f163104bc87f612e2e903a5b90c5b\L --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-21-396264333-428887367-617391505-1003\$679f163104bc87f612e2e903a5b90c5b\L --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-18\$679f163104bc87f612e2e903a5b90c5b --> [Trojan.Siredef.C]

Infected: c:\$RECYCLE.BIN\S-1-5-21-396264333-428887367-617391505-1003\$679f163104bc87f612e2e903a5b90c5b --> [Trojan.Siredef.C]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Trojan.0Access]

Infected: HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| --> [Trojan.0Access]

Infected: HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| --> [Hijack.Trojan.Siredef.C]

Done!

--------------------------------------------------

You should read this about the infection you have:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

--------------------------------------------------------

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Shingles]

Mr. Charlie,

Sorry it took me so long to get back to you.

I decided to install and run Combofix. I don't have operating system recovery discs for this computer and if need be I'll look into getting one somehow.

Anyways, here is the combofix log file.

log.txt

Thanks again for your continuing help.

[MrCharlie]

No we don't need any disks right now.

------------------

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
  
• Open the folder where the contents were unzipped and run mbar.exe
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
  

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

[Shingles]

Mr. Charlie

I finished running the anti-rootkit program. Similar to the last time I ran the program it cleamed that no malicious software was found. However, I couldn't resist taking a peak at the attached system log (just trying to learn what to look at, I hope you don't mind) and it again identified infected files (12 by my count, but only 8 of them had a file path).

Just below that section it says that several files were removed (8 by my count). A quick compairrisson of one of the removed file names and one of the infected file names and they look the same to my untrained eye.

Mbar Log

mbar-log-2013-02-27 (21-11-49).txt

System Log

system-log.txt

Thanks again for such quick assisstance and I hope you don't mind my curiosity in peaking at the log files.

~Jim

[MrCharlie]

That's strange.......

Delete your copy of RogueKiller and download and run a fresh copy, post the new log. MrC

[Shingles]

Mr. Charlie,

As you requested I deleted rogue killer and downloaded anew. This time when I closed the program it gave me a prompt that I had not fixed the two problems it found. I did not let rogue killer fix it.

Attached is the new log file.

RKreport1_S_02272013_02d2231.txt

[MrCharlie]

Those are OK

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[Shingles]

According to the quick scan pop-up box no malicious items were detected.

Attached it the log file.

mbam-log-2013-02-27 (22-46-42).txt

~Jim

[Shingles]

Mr. Charlie,

I forgot to update the computer's operation in my last post.

The computer seems to be running fine, though I still cannot enable malicious website blocking.

~Jim

[Shingles]

Mr. Charlie,

I am so sorry. I just went over to the MalewareBytes program and the malicious website blocking was enabled.

I swear it wasn't just two minutes ago.

~Jim

[MrCharlie]

Tomorrow, I'll be back in the AM...MrC

[MrCharlie]

OK, it doesn't come on instantaneously, it does take a couple of seconds to enable.

Is it still on now??

---------------------------------------------

Please do this:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  If in doubt about an entry....please ask or choose Skip
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.
  

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC

[Shingles]

Mr. Charlie,

The malicious website blocking is still enabled.

As directed I ran TDSSKiller and it found two threats. Since "Cure" was not an available option on either of the files I let the program skip them. Attached are the two logs that the program created.

TDSSKiller.2.8.16.0_28.02.2013_21.52.06_log.txt

TDSSKiller.2.8.16.0_28.02.2013_21.54.44_log.txt

~Jim

[MrCharlie]

Those files are OK.

So everything is OK now??

---------------------------

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode.

1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
   
2. Now click on the Search tab.
   
3. Please post the contents of the log-file created in your next post.
   

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC (Be back in the AM)

[Shingles]

Everything seems to be running fine.

Attached is the ADWcleaner log.

AdwCleanerR1.txt

Do I need to run anything to make sure you were able to remove that trajan you found the other day? Or did you already verify that it was removed? This is a little over my head so I apologize if that is a silly question.

~Jim

[MrCharlie]

No, you're good.

Please create a new system restore point before continuing.

Lots of adware found....lets clear it out.....

1. Please re-run AdwCleaner
   
2. Click on Delete button.
   
3. Confirm each time with OK if asked.
   
4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
   

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please Post the contents of that document.
  
• Do Not Attach It!!!
  

MrC

[Shingles]

Sorry that it took me so long to reply. I had a busy day today.

Attached is the adwcleaner text file.

AdwCleanerS1.txt

Results of screen317's Security Check version 0.99.60

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

AVG Internet Security 2013

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

JavaFX 2.1.1

Java 7 Update 7

Java version out of Date!

Adobe Flash Player 11.6.602.171

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (19.0)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

AVG avgwdsvc.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

TOSHIBA Toshiba Online Backup Activation TobuActivation.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

~Jim

[MrCharlie]

Java 7 Update 7 <----please update, should be Update 15

Java version out of Date! <-----Go to control panel > Java > Update Tab > Update Now

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe.

----------------------------------------

You have out dated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Shingles]

Mr. Charlie,

I followed all of the instructions in your last post. In addition I've increased the frequency of up my automatically scheduled antivirus scans and my maleware bytes scans.

With all due respect, I hope to never need your services again.

Thank you for all of your help.

[MrCharlie]

OK Take Care MrC