The FBI says I been bad, but that I can be good again for $$$

[One_iota]

Mbar log file

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Malwarebytes Anti-Rootkit BETA 1.06.0.1004

www.malwarebytes.org

Database version: v2013.06.26.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Owner :: OWNER-PC [administrator]

6/26/2013 12:54:48 AM

mbar-log-2013-06-26 (00-54-48).txt

Scan type: Quick scan

Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System |

Heuristics/Extra | Heuristics/Shuriken | PUM | P2P

Scan options disabled: PUP

Objects scanned: 316817

Time elapsed: 44 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

c:\Users\Spike.Owner-PC\AppData\Local\Temp\kp0ibmkkpthwl5b3oggfg.exe (Trojan.Winlock) -> Delete on reboot.

Physical Sectors Detected: 0

(No malicious items detected)

(end)

[One_iota]

OK attaching

[One_iota]

Not sure if the attachment stuck. I can't see anything identifying any attachment. My computer at work formats things in this forum way different than what I see on my ipad.

[D-FRED-BROWN]

See if you can just upload them to sendspace.com. I recommend just putting them all in a .zip file and uploading that.

[One_iota]

Scan logs.zipOK, all five logs in one zipped file.

[D-FRED-BROWN]

We're making progress.

----------Step 1----------------
Please download AdwCleaner by Xplode onto your desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on Search.
• A logfile will automatically open after the scan has finished.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------
Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

----------Step 3----------------
We need to create a New FULL OTL Report

• Please download OTL from here if you have not done so already:
  • Main Mirror
• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Click the "Scan All Users" checkbox.
• Change the "Extra Registry" option to "SafeList"
• Push the Run Scan button.
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

----------Step 4 (note: this scan may take a little time)----------------I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


----------Step 5----------------
Please post the AdwCleaner logfile, the JRT.txt, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.

[One_iota]

Oh I screwed up. I ran the adwCleaner and copied the log file. then I clicked 'delete'. I thought it might give me a list of things to delete. Nope, it just started deleting stuff. Lots of stuff. Hopefully it was all adware. One thing that quit working was internet explorer, but I can still use Chrome.

Should I continue with your previous prescription or do I need to take a different avenue now?

[D-FRED-BROWN]

It shouldn't be too hard to fix- try resetting IE using these instructions: http://support.microsoft.com/kb/923737

 

Let me know how it goes

[D-FRED-BROWN]

Still with me?

[One_iota]

Yes, thank you for checking. Over the weekend I was helping a friend move to LA, then on monday, the neighbors kid shot out my sliding glass door, with a bb pistol. Jeese

[D-FRED-BROWN]

No worries. Take all the time you need. Sounds like you have quite a handful to deal with!

[One_iota]

Cool. It took me better than three hours to clean up the glass and two hours to find someone to fix it. (Home Depot SUCKS - they still haven't called me back.) It took the glassman fifteen minutes to put in new glass. And it took the kid with the bb gun maybe three minutes to kill it. Slightly unbalanced I think. AND the glassman got paid and the kid got to blow something up. All I got was heatstroke - its been 109 degrees here the last four days. Today was forecast 111 and thunder showers. ???

[D-FRED-BROWN]

Yeesh. I'm in the middle of a cold front- can't begin to imagine what 111 feels like

[One_iota]

Scan logs - round 2.zipCold Front? In the summer? What / Where is MHK?

 

Here's another batch of log files. The extra AdwCleaner file was made when I deleted instead of chose close.

 

IE is working fine now. Thanks.

[D-FRED-BROWN]

Still have a little more to do, but we're nearly there.

----------Step 1----------------
We need to run an OTL Fix

• Please reopen on your desktop.
• Copy and Paste the following code into the textbox.
  
  
  

  :OTL
  [3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
  
  [2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini
   
  [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
   
  [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
   
  [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
   
  [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
  "" = C:\Windows\SysNative\shell32.dll -- [2013/02/26 22:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Apartment
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
  "" = %SystemRoot%\system32\shell32.dll -- [2013/02/26 21:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Apartment
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
  "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Free
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
  "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 05:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Free
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
  "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Both
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
  
  @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CB0AACC9
  
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Push
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open. Copy and Paste that report in your next reply.

----------Step 2----------------
Instructions for DELETE:

• Close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• You will be prompted to restart your computer. A text file will open after the restart.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.

----------Step 3----------------
Please post the OTL and AdwCleaner reports in your next reply. How are things running now?

[AdvancedSetup]

Are you still with us?

[One_iota]

Yes, I am. Thank you for checking. Last few weekends have been crazy here. What with all that Global Warming going on. I'm currently on step two of the last set of instructions. I should be able to post the log files this afternoon.

[D-FRED-BROWN]

No worries. Take all the time you need.

[One_iota]

aih, something weird. I double clicked on the AdwCleaner to Delete and it says I dont have the recent version, so yes to download it. Then some page in French comes up. not understanding French very well, I just closed the window. and was gonna reopen the program, but looks like it was removed from my computer.

Gonna see if I can re get it.

[One_iota]

Scan logs 3.zipOk Heres the latest set. when i ran the delete option in AdwCleaner, as with the first time when i ran it, there were no prompts before deleting.

 

 

[D-FRED-BROWN]

Do you have the OTL log as well? Please post it if possible.

 

Also

 

What / Where is MHK?

Kansas . It warmed back up here now. Hit 103 today

[One_iota]

Wow. 103! and how cold was it there last week?

The file that OTL made is the one that was named all numbers, in the zip file I sent. Should I rename it and send it again?

[D-FRED-BROWN]

Nevermind, I missed that. It looks fine, no need to do it again.

It was around 80-85 here last week, probably around 70 during the nights.

-----------------
 

Things look good. Judging by your last few logs, I'd say your system is clean.

Before we move on, please take the time to install the following updates. Program updates are a critical part of your computer's safety net, as outdated applications leave you vulnerable to malware.

 

---------

Upgrade Java : (64 bits)

• Download the latest version of Java SE Runtime Environment (JRE) JRE 7 Update 3 .
• Under the JAVA Platform Standard Edition, click the "Download JRE" button to the right.
• Check the box that says: "Accept License Agreement.".
• Click on the link to download Windows Offline Installation 64 bit ( jre-7u3-windows-x64.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista or Win 7 users, right click on the jre-7u3-windows-x64.exe and select "Run as an Administrator.")

---------

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

• Download the latest version of Adobe Reader and save it to your desktop.
• Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
• Click the download button at the bottom.
• If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
• Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
  If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
• Then from your desktop double-click on Adobe Reader to install the newest version.
  If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
• When the "Adobe Setup - Welcome" window opens, click the Install > button.
• If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

---------

 

Your Flash Player is out of date!
To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, visit this link: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

 

---------

Please let me know how the updates went, as failed updates may be due to malware.

 

[One_iota]

The vulnerabilities you speak of, being caused by outdated programs - is it just the free programs or would include purchased software too? What about quicktime?

What about having multiple versions of Acrobat Pro? Here at work I have all the Acrobats installed going back to version 5. Except for 6. 6 sucked. If I wasn't behind a gov firewall, would I be asking for trouble?

[D-FRED-BROWN]

 

The vulnerabilities you speak of, being caused by outdated programs - is it just the free programs or would include purchased software too?

Technically, ANY program is vulnerable... however, the ones we see most exploited by cybercriminals are Java, Adobe Reader, Adobe Flash Player, Shockwave. Microsoft Office is also exploited pretty often. You should keep all of your programs updated to minimize this risk as much as possible.

 

 

What about having multiple versions of Acrobat Pro? Here at work I have all the Acrobats installed going back to version 5. Except for 6. 6 sucked.

I would uninstall all old versions and stick with only the newest one. Having older versions of outdated programs installed leaves you just as vulnerable- if it's on your system, the bad guys can use it to their advantage.

 

 

If I wasn't behind a gov firewall, would I be asking for trouble?

Firewalls are a good means of protection- there are some great software firewalls out there available for free. I will provide some suggestions for security software below .

 

------------

 

Unless there are any other issues, I will now provide you with some steps to better protect your computer.

First, we need to remove ComboFix.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------------

Let's remove OTL and the other tools we used as well:

• Reopen on your desktop.
  
• Click on
  
• You will be prompted to reboot your system. Please do so.
  

-------------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

-------------------

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Microsoft Security Essentials

-------------------

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

-------------------

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

• Outpost Firewall Free
  Online Armor Firewall
  

A tutorial on understanding and using firewalls may be found here.

-------------------

Please keep your security programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time.

-------------------

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

-------------------

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

-------------------

For more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

-------------------

I would grateful if you could reply to this post so that I know you have read it and, if you have no other questions, the thread can then be closed.

I will leave the thread open for a few more days. If you need anything, just come back here and let me know. After that time you will have to send me a PM.

---------------------------------------------------------

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here:

Every little bit helps.

-DFB