
Help with Trojan.FakeMS (& gen'l philosophy of removals)



I want to start out by saying that I appreciate that MalwareBytes is available as a free program (at least, that’s how I am using it.) Any criticisms I might make about it here are, therefore, not intended to be ungrateful! Just wondering about the limitations of the product, and trying to suggest how it might be improved.

 

(1) The Trojan in question is Trojan.FakeMS (no “tail” apparently.) A Google search led me to _this_ page on MalwareBytes: http://forums.malwarebytes.org/index.php?showtopic=119437

 

I note here that a search run from the Search window on the MWB Forum page for “trojan.fakems” does _NOT_ find this posting, but _does_ find another one:

http://forums.malwarebytes.org/index.php?showtopic=86224&hl=%2Btrojanfakems

 

I would suggest that maybe MWB needs to tune-up their search engine a bit.

 

 

(2) This Trojan hit my wife’s computer, while she was away on an important business trip (of course!) I haven’t really determined yet whether it was present before she left; she’s getting home tonight. Her computer uses Win XP SP3, and Microsoft Security Essentials (MSE), kept updated and run every night. I also have not yet determined if she did anything which might have let this nasty little Trojan through (past MSE.)

 

She reported to me that she was getting the bogus warning screens that her “MSE database was out of date, and that she had thirty days to update it.” When she connected to the hotel’s wireless network and tried to go to a site (CNN.com), she got all these popups about how her computer needed service urgently, and to call an 800-number (the dick who wrote this Trojan included this number: 1-888-730-2055. I am reporting it to both the FCC and the FTC, in case there is still a person connected to it.)

 

Naturally, my first response was to have her run MalwareBytes. It updated itself quickly, and we ran a “quick” scan. MWB quickly found the Trojan, and upon confirmation to proceed, reported that it had successfully removed it.

 

MSE was still not running, so I had her open a Windows Explorer window (I was going to try to start MSE brute-force.) However, she noticed that all of the WE windows had titles like “C:\Program Files  - Windows _Internet_ Explorer” (emphasis added.) I knew that the Trojan had probably corrupted a bunch of things like that, and she did not have time to work any further with me on it; so we just shut it down.

 

I later Googled the name of the Trojan, and found a number of links (including the MWB link mentioned above.) The thing that was interesting to me was that many of these links (including MWB’s) suggested what appeared to be a very generic approach to the problem, which included running SIX or more separate programs! (ComboFix, VirusCount, etc.) This link:

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/trojanfakems-detected-by-malwarebytes-anti-malware/5a13bb84-de7c-4fd2-9f9f-a5c2e1bb5a4a

...provided some insight as to why people feel that multi-tool overkill is necessary. The poster is a Microsoft MVP; but is his (generic) list and procedure any better (or any worse) than those provided here at MalwareBytes?

 

My question here is this: if MWB was able to detect and remove the Trojan, why aren’t they able to do a more comprehensive scan for damages known to be caused by this Trojan, and repair those as well? I realize that this is no simple task; but why should it be necessary to run a handful of OTHER programs (some of which may not even be relevant)? Surely it is possible for someone to maintain a database of damages known to be caused by a given Trojan, and the means to repair those damages? (And if MONEY was the issue: I would have been HAPPY to pay between $10 and $100 bucks (for one shot) for MWB to access some database kept at its central site and safely FIX all this crap! MWB: Business model?) Or am I just naive to think that anyone could attempt to maintain such a comprehensive database?

 

(3) So at this point, I have the PC on which MWB has _said_ it has removed the Trojan; but some damages (and possibly remnants of the Trojan) remain. IS IT REALLY THE RIGHT THING TO DO TO JUST BOOT UP NORMALLY, and then attempt some of these various fixes? Or are there things which might be done from a Safe Boot, or some kind of CD-boot arrangement like BartPE, which would prevent the Trojan from wreaking any further havoc? (By some miracle, I _have_ a Bart PE disk for this computer.) I would also appreciate advice on when it is and is NOT appropriate to let the computer be connected to the internet. Obviously, it would be necessary to have a connection when downloading “fix” programs, unless there was a way I could download them to _my_ computer, and transfer them via CD.

 

(4) If the right thing to do is to proceed through a normal boot, the first thing that would occur to me would be to do a System Restore to a date several days prior to the attack. It’s my understanding that this would restore an undamaged copy of the Registry. Does this sound like a good (and adequate) idea, or does Trojan.FakeMS either inhibit the System Restore process, or (worse) corrupt all previous Restore points?

 

Clearly, if the Trojan has created or physically altered a number of _files_, then restoring a good Registry would not constitute an adequate solution.

 

(5) I _have_ read a couple posts about how to proceed with getting help from MalwareBytes:

http://forums.malwarebytes.org/index.php?showtopic=86224&hl=%2Btrojanfakems

and:

http://forums.malwarebytes.org//index.php?showtopic=9573

 

In the latter, the author recommends downloading “dds.com” from bleepingcomputer.com. I clicked on the link provided in the article, hoping only to learn more about what dds.com was supposed to do. When Windows displayed the “download or run” screen, I clicked “cancel.” Immediately “under” that screen was a red screen from McAfee Site Advisor, stating that the file I had attempted to download contained viruses, spyware, etc, and that I should not download it. (I clicked on “cancel download” on that screen to dismiss it.) Does anyone know if that is a NORMAL response to attempts to download dds.com? I can appreciate that if some dirtbag wanted to deliver a payload to already-vulnerable computers, hijacking and infecting “dds.com” would be a great way to do it!

 

Thanks,

George


  • Root Admin

Hello George,

You have a lot of questions, but most of them fall, at least a little bit, into the category of being inexperienced in the complexity and difficulty of any single tool being able to single-handedly detect, prevent, and cure ALL ails of a computer. Even on a non-infected computer, the underlying operation of how Windows runs is heavily controlled by what are called EVENTS. There can be a million events going on in a very short period of time even on a clean computer, let alone on one that is infected. There are estimates of over 5,000 different infections (most are very slight variations of the same basic infection) that come out every day. That slight variation is what helps them elude detection. It is possible to prevent ALL infections, but then the computer is so locked down, slow, and unusable that the "cure" is much worse than the infection.

For the sake of argument let's say an infection did get past security and is now on the computer. The Registry can easily have over a million keys, values, and data entries, the vast majority of which are not documented, and often those that are documented are not documented well. So now you have an infection that comes along and modifies keys, values, and data in the Registry, all of which are unknown because this infection is "new". Then you have the file system of the computer, where there are hundreds of thousands of different files and folders, and again many are not documented as to what they are or what they do; yet you want a single security product to know every single file on a computer (there are well over 1 billion computers connected to the Internet nowadays) when there are probably over a million different software applications and programs that can be downloaded and installed. Some are very proprietary and have no public documentation about them.

My point is that it is very complex, and the potential damage and how to correct the damage (when we don't have your specific infection in a test lab to analyze) is Herculean at best. I've been doing Computer and Network Support now for over 20 years and no product is perfect, bar none. I think that Malwarebytes has come a long way and is well ahead of some competitors, but we too miss things and/or cannot fix all issues. There are about a dozen malware training schools out on the Internet that are well known and respected and that provide free training for helpers to help others with cleaning computers, which is why you often see so many posts using different tools. Most of these helpers spend a year or more studying computers in order to be able to assist users such as yourself or your wife to scan and clean up from an infection. However, in many cases you are also partly to blame for the infection. Many times the culprit is outdated software such as Flash or Java, or missing Windows updates. Most users simply don't know enough about computers and how to take care of them properly and prevent themselves from being infected.

So long story short... if you do want help cleaning your wife's computer then we'll be more than happy to assist you in doing so. All the tools we will have you use are well known and respected but can, and often are, flagged by antivirus programs because some of the components can be dangerous in the wrong hands. There is always a possibility that the computer can break and become non-bootable, which is why we do try to take the best precautions we can to prevent such an issue, but there is no guarantee. One should always have their data backed up to an external source.

If you'd like help cleaning the computer please let me know.

Thank you


Hi Ron,

 

Thank you very much for your in-depth explanation regarding my questions about the philosophy of virus detection and repair. Perhaps I shouldn’t have intermingled my questions about philosophy with my questions about how to repair (in a forum which is clearly labeled “Malware Removal Help”!) Yet, to me the questions were intertwined.

 

Although I would love to discuss some of your points further, I acknowledge that this is not the place to do it! (Maybe in the new MalwareBytes Blog feature; I haven’t checked it out yet...)

 

So yes, please: I would appreciate it very much if you (or some other Helper) would give me some instructions on how to proceed with cleaning up my wife’s computer. (Just so that there is no misunderstanding: I _do_ have pretty good knowledge of computers, and I would say that I am an “intrepid” Registry Editor - not to say that I know EVERYTHING about it!)

 

So, in hopes of avoiding the reposting of my entire request:

 - Question #1 can be ignored.

 

 - The description part of Question #2 should still be helpful; but the “philosophy” question can be ignored.

 

 - Question #3 is no longer relevant, since I had to proceed with a boot-up. However, I would appreciate it if, in your answers, you could still address this part:

“I would also appreciate advice on when it is and is NOT appropriate to let the computer be connected to the internet. Obviously, it would be necessary to have a connection when downloading “fix” programs, unless there was a way I could download them to _my_ computer, and transfer them via CD.”

 

 - Question #4 is also no longer relevant. I did perform a System Restore to a point long before the Trojan became evident (June 15); but it does not appear to have changed anything with regard to the computer’s behavior (maybe this _did_ wipe out some of the bad Registry entries which would otherwise be there.)

 

 - I assume that Question #5 has also been answered, with your description of how some repair programs can appear to be malware when being downloaded. (I would appreciate it if the responder could also make note if a program they ask me to download and run is likely to similarly be mis-identified as malware.)

 

 

Thanks in advance,

George


  • Root Admin

No problem George. The most likely culprit is the ZeroAccess rootkit which is very prevalent right now.

The steps below are designed to take care of most of the issue but depending on what else is there or might be there we will more than likely have to run other tools to ensure the computer is cleaned up as best we can.

All of the links below are safe to download (just be careful as some sites have advertising)

MBAR which is our rootkit scanner can in most cases find and remove most rootkits. If it does find a rootkit then you should run the scanner again after the reboot and don't forget to check for updates.

When replying with the logs some of the helpers like you to copy/paste but myself I would rather that you attach the files by clicking on the More Reply Options button.

Here is a Standard reply that some helpers will give you if they do find a rootkit on your system.

 

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 

Message borrowed from quietman7 with minor wording and link changes

If you do want to try to clean up the computer then please run the following and post back all the logs as ATTACHMENTS by clicking on the More Reply Options button.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

STEP 03

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 04

Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.

STEP 05

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Hi Ron,

Wow! You guys don’t pull any punches, do you?? :-)

I’m kidding. Thanks for a really great response. Between what you said, and the boilerplate from Quietman, I think this is the best explanation I’ve seen for why “Your Father’s [Anti-Virus]” doesn’t cut it anymore! Admittedly (and fortunately), I have not been forced to review NUMEROUS examples of such explanations.

I will follow the instructions that you gave. However, I’d like to add a few comments & questions which might help things go more easily:

(1) I do have ERUNT (ERUNTgui, actually) installed on the infected computer, and I will certainly do a backup of what’s there.

(a) I do have some previous ERUNT backups present on that machine, probably some within the last six months or so (which would be fine with me to restore; they would be pre-virus, but they wouldn’t unwind any big installation changes.) Please let me know at what point in this process it might be appropriate to attempt to restore an earlier Registry within ERUNT.

(b) I also have a complete backup of the whole disk (Windows Backup) which was made in January of this year (this will be my go-to resource in case we have to go to the Nuclear Reformatting Option.) As you know, I can restore any subset of that backup; I could restore just the Hive files (if the system will let me), or I could restore the entire Windows directory. Please let me know if and when that might be appropriate.

(2) As I stated in my original question, I am very wary about connecting this poor machine to the internet (or more accurately, to my router. I would certainly disconnect any OTHER machines from the router before plugging this one in.) I realize that it may come down to having no other choice; but if there are still parts of the virus active which are sending out data when they have the chance (or downloading more virus payloads), I would like to avoid giving them any more opportunities.

(a) The virus has very efficiently destroyed the copy of MSE that was being used on this computer. I would feel better about connecting to the internet if I had SOME kind of anti-virus/real-time data filtering in place. Can you advise me as to where in this process it might be appropriate to reinstall MSE? (And any tips or advice you might have about doing that from a CD.)

(b) To avoid the connection to the internet, I would like to

1. Try to run programs FROM the CD wherever possible; or

2. At least provide the installation files on a CD, and let them install themselves to the infected drive.

(c) For each of the tools you’ve recommended (except ERUNT), would you please provide me with any tips or advice you might have with regard to running/installing these tools from a CD?

Unless and until I hear back from you, I will move forward on my own with trying to prepare a Killer CD. Thanks again for your very expert help! (And message received about ATTACHING the log files! That would be MY preference as well.)

George

P.S. For some reason, I am not able to access HTML formatting on the Forum today (I usually compose in Word, and just paste over here; it's always worked fine.) However, TODAY, all the HTML formatting icons are grayed out; and when I paste from Word, it strips out all of the formatting. Any suggestions?

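The "Killer CD" plan in the post above (download everything on a clean computer, carry it over on a disc, copy it to the infected drive) has one check a responder would add, and the earlier worry about a hijacked dds.com is the reason for it: record the SHA-256 of every file on the clean machine, and compare again on the infected machine after the files have been copied off the CD, so a file that was altered in transit or swapped by something already resident on the box is caught before it is run. The following is an added example, not part of this thread and not code from Malwarebytes, ESET or any of the other tools named here. The file names and bytes in demo() are constructed stand-ins, not the real installers, and the manifest format is the same "<hex>  <path>" text that sha256sum reads.

```python
"""Integrity manifest for cleanup tools that were downloaded on a clean
computer and carried to the infected one on a CD.  Added example, not part
of the thread and not code from any of the tools it names.  The manifest is
built on the clean machine and checked again on the infected one after the
files have been copied off the disc."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> str:
    """sha256sum-compatible text: one '<hex>  <relative path>' line per file under root."""
    lines = [
        f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]
    return "\n".join(lines) + "\n"


def verify_manifest(root: Path, manifest: str) -> dict[str, str]:
    """Map every file to OK, MODIFIED, MISSING, or EXTRA (present but not in the manifest)."""
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            expected[rel] = digest
    status = {}
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            status[rel] = "MISSING"
        else:
            status[rel] = "OK" if sha256_file(path) == digest else "MODIFIED"
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            status[rel] = "EXTRA"
    return status


def demo() -> dict[str, str]:
    """Build a manifest over constructed stand-in files, then disturb the copy
    the way a bad transfer or a resident infection might, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mbar").mkdir()
        # Constructed bytes standing in for the real installers; not the real binaries.
        (root / "mbar" / "mbar.exe").write_bytes(b"MZ constructed mbar stand-in")
        (root / "JRT.exe").write_bytes(b"MZ constructed jrt stand-in")
        (root / "dds.com").write_bytes(b"MZ constructed dds stand-in")
        manifest = build_manifest(root)                        # done on the clean machine
        (root / "dds.com").write_bytes(b"MZ something else")   # file replaced after hashing
        (root / "JRT.exe").unlink()                            # file never made it across
        (root / "extra.exe").write_bytes(b"MZ not on the list")  # file nobody put there
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:9} {rel}")
```

Keep the manifest text somewhere other than the folder it describes (or it will report itself as EXTRA), and copy it to the infected machine by a separate route from the tools if you can, or write the hashes down. Two caveats: the check only proves the files are the ones you downloaded, not that the download itself was genuine, which only the publisher's own hash can do and none is given in this thread; and a tool that is genuinely what it claims to be can still be flagged by an antivirus on the infected side for the reasons Ron gave above, so a clean hash and an AV warning are not contradictory.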

Hah! Followup question already!

I have downloaded files for all the tools you mentioned above, EXCEPT ESET (which, as you noted, is an ONLINE scanner.) Poking a little further on ESET's site, I found this page:

http://www.eset.com/us/download/utilities/

...which not only has a link to the Online scanner, but also a button to navigate to "Stand-Alone Malware Removal Tools". In the description of the Online Scanner, they say:

"ESET Online Scanner uses the same ThreatSense® technology and signatures as ESET Smart Security/ESET NOD32 Antivirus, and is always up-to-date."

On THIS page:

http://www.eset.com/us/download/home/

...they offer the opportunity to download free trial versions of both ESET Smart Security and ESET NOD32 Antivirus. Would either of these programs work for me, in place of the Online scanner (given that I am still trying to avoid an unprotected connection to the internet.)

Finally, on THIS page:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2372

...they offer a number of Stand-Alone Malware Removal Tools. ESET Rogue Applications Remover seems to be a more generalized application; they also offer a number of specific solutions for specific infections, none of which would seem to apply to me. Do you think anything here might be helpful for me to use?

Thanks,

George


  • Root Admin

Since you have no antivirus then please go ahead and download and install this one for now.

http://www.filehippo.com/download_avast_antivirus/

 

You will need to connect to the Internet to allow it to update though, then you can disconnect.

 

Typically most antivirus cannot deal with this on their own though so go ahead and run the requested scans and I'll check back on you later tonight or tomorrow.

 

We'll wait and see if needed but good to know you have the ERUNT backups and Windows if needed.

 

Thanks


Hi Ron,

Thanks for getting back to me so quickly (on a Saturday!)

Just so I'm clear: you are recommending

(1) Go ahead and run ERUNT (before anything else happens!)

(2) Install AVAST (which I can probably do from my CD, except for the very-latest updates.)

(3) Connect to the internet to get said updates.

(4) Proceed with running the other programs you recommended, dropping AVAST where indicated in your instructions.

I did manage to download an .msi file for installing ESET NOD32, which I understand to be a similar (to AVAST) comprehensive antivirus and real-time data stream filter. Would you still recommend that I use AVAST for my (at least temporary) antivirus? Or would ESET be just as good? (I understand that I must not run BOTH of them.)

(This is a longer-term question, which you could answer later: I would be interested in hearing your recommendations for our main antivirus program. My wife and I were both (grumbling) McAfee users for many years, until they made a change to their code in ~2011 which completely HOSED single-processor computers (like mine) and placed an unreasonable load even on two-processor computers (like my wife's.) I thought that action was way too arrogant for something that we were PAYING for; so we both switched to MSE, which ran better on both computers and seemed to be working well. We would run MalwareBytes "occasionally" as a double-check (although, in her case, apparently not often enough.) Both my wife and I are pretty well schooled in Safe Computing practices; we know better than to open files from strange websites, or allow just any process to run. So I'm of the belief that her current infection was something that slipped under MSE's radar. We could be convinced to use something better.)

Thanks,

George


Hi Ron,

OK, I have finished running the tools you listed. The available log files are attached. A few comments on my procedure:

(1) As I had discussed, I made up a CD with all the apps on it. After running ERUNT, I ran MBAR off the CD. I’m happy to report that it runs FINE from a CD; the only problem (which didn’t hit me until after I was running it) is that MBAR does not know how to save the log files to a CD! (Nor is it smart enough, in this Beta version, to realize that it can’t write log files to the source, and ask the user WHERE they want the log files to be written. MWB: next version, maybe?) So the first set of log files were lost into the BitVoid.

Right after starting MBAR, a regular Windows comment window popped up, and said something about “Rootkit activity detected”, referred to an “item” called “AppInit_DLLs”, said that I shouldn’t delete it if I wasn’t sure about it, and gave me “Yes” and “No” buttons to proceed. I clicked “Yes.” The database version was 2013.06.01.01, which I figured was recent enough for my purposes (since I didn’t want to connect to the web just yet.) This first scan found 17 problems: one was C:\Windows\System32\drivers\ipsec.sys. The others were all in the form “$Ntuninstallkb _ _ _ _ _”, which I recognize as Windows Update files. Each of those was labeled with “BackDoor.0access”.

(2) I then copied all of the application files from the CD onto the hard disk, and ran everything from there. I ran MBAM again, and it started out with the same message about “AppInit_DLLs”. The second run did not find any other problems. The log files from the second run are attached. (I note here that MBAR marks the “mbar-log” files with the date and time in the filename, but does NOT do that for the “system-log.txt”. I appended the date/time myself. It looks like MBAR overwrites the system-log file every time it runs. Is this a bug, or does the system-log file always come up with the same info every time MBAR is run?)

(3) I then ran Junkware Removal. The only interesting thing here is that JRT automatically created an ERUNT Registry backup (without even asking!) Oh, well; you can’t have too many Reg backups, right?

(4) I then ran “Adware Cleaner”.

(5) At this point, I was curious about the error message generated by MBAR, and decided to run it again (at least, far enough to get the error message.) Happily, on this third run the “AppInit_DLLs” message did NOT appear!

(6) Throughout all of this, I had not installed the AVAST antivirus, because no connection to the web had been necessary.

(7) Now it was time to run ESET. I installed their package, hoping to run it as a free trial. However, they required a connection to the web in order to validate their license! Since I was going to have to connect to the web one way or the other (and since I was going to have to drop any antivirus in order to run ESET from the web), I just did the Temporary Disable thing on the installed version of ESET, connected to the web, and ran the online version of the scanner. I can either uninstall ESET (and install AVAST), or just proceed to get a license for my 30-day trial; what is your recommendation?

As requested, I had UNchecked the "Remove found threats" option; so I assume those things are still there.

****************************

I haven’t proceeded with testing any more of the computer’s functionality; I did notice, however, that Windows Explorer windows are still labeled with “Microsoft Internet Explorer” (e.g. “C:\Logs - Microsoft Internet Explorer”.) This is a new behavior, which I attribute to the virus.

I’ll be waiting to hear from you regarding the next step(s).

Thanks,

George

system-log-2013-07-13 (16-35-00).txt

AdwCleanerS1.txt

ESET scan 07-13-2013.txt

JRT.txt

mbar-log-2013-07-13 (16-35-00).txt

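Two of the things the post above reports from the MBAR run deserve a closer look than a Yes/No prompt allows: the "AppInit_DLLs" warning, and the "$NtUninstallKB..." entries tagged BackDoor.0access. The following is an added example, not Malwarebytes code and not how MBAR itself decides anything; it shows the manual triage a responder would do on those two indicators given a read of one registry value and a listing of the Windows folder. The DLL name, the folder names and the file lists are constructed stand-ins, and the two $NtUninstall heuristics (a genuine hotfix backup folder is named $NtUninstallKB<digits>[-vN]$ and carries spuninst\spuninst.exe) are stated assumptions for the example.

```python
"""Triage of the two indicators MBAR raised in the post above: a populated
AppInit_DLLs value and $NtUninstallKB...$ folders under the Windows directory.
Added example, not Malwarebytes code.  The inputs are constructed stand-ins
for a registry read and a directory listing, and the two heuristics are
stated assumptions, not MBAR's actual detection logic."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    indicator: str   # which check fired
    location: str    # registry entry or folder it fired on
    reason: str


# Value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs.
# Every DLL named here is loaded into every process that loads user32.dll, which
# is why a non-empty value is treated as a persistence indicator.  Constructed
# sample; the DLL name is made up.
CONSTRUCTED_APPINIT = r"C:\WINDOWS\system32\kbd_3f7a.dll"

# Constructed listing of the Windows folder: folder name -> files inside it.
# The first two imitate genuine hotfix uninstall folders (spuninst\ uninstaller
# plus the backed-up system files); the next two only borrow the naming scheme.
CONSTRUCTED_WINDIR = {
    "$NtUninstallKB2479943$": ["spuninst\\spuninst.exe", "spuninst\\spuninst.inf", "win32k.sys"],
    "$NtUninstallKB951376-v2$": ["spuninst\\spuninst.exe", "spuninst\\spuninst.inf", "bthport.sys"],
    "$NtUninstallKB7394017$": ["@", "L\\00000001.@", "U\\80000032.@", "n"],
    "$NtUninstallKB19$": ["x.dll"],
    "system32": ["drivers\\ipsec.sys"],
}

# Assumption: genuine folders are named $NtUninstallKB<6-7 digits>[-vN]$ and
# always carry the hotfix uninstaller at spuninst\spuninst.exe.
GENUINE_NAME = re.compile(r"^\$NtUninstallKB\d{6,7}(-v\d+)?\$$")
UNINSTALLER = "spuninst\\spuninst.exe"


def check_appinit(value: str) -> list[Finding]:
    """AppInit_DLLs is space- or comma-delimited; report every entry, since an
    empty value is the expected state on a stock XP box."""
    entries = [e for e in re.split(r"[,\s;]+", value.strip()) if e]
    return [Finding("AppInit_DLLs", e, "DLL injected into every process that loads user32.dll")
            for e in entries]


def check_ntuninstall(listing: dict[str, list[str]]) -> list[Finding]:
    """Flag $NtUninstall folders that do not look like hotfix backups."""
    findings = []
    for folder, files in listing.items():
        if not folder.startswith("$NtUninstall"):
            continue
        if not GENUINE_NAME.match(folder):
            findings.append(Finding("$NtUninstall", folder, "name does not match hotfix naming scheme"))
        elif UNINSTALLER.lower() not in (f.lower() for f in files):
            findings.append(Finding("$NtUninstall", folder, "no spuninst\\spuninst.exe inside"))
    return findings


def triage(appinit: str, listing: dict[str, list[str]]) -> list[Finding]:
    return check_appinit(appinit) + check_ntuninstall(listing)


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_APPINIT, CONSTRUCTED_WINDIR):
        print(f"{f.indicator:13} {f.location:34} {f.reason}")
```

On the real machine the registry input comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs` and the folder input from a plain directory listing; anything the script flags is a place to look, not a verdict, and a genuine hotfix folder that happens to be incomplete would be flagged too. The ipsec.sys hit from the same scan is a different kind of indicator altogether: a system driver modified in place looks normal by name and location, and only a hash or signature comparison against a known-good copy reveals it, which no listing-based check like this one can do.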

Hi again,

Since my wife's machine has been sorta-running, I was able to grab the MalwareBytes log from the run she did on 7/7 (the day that she discovered the virus problem.) I have attached it here, for whatever good it might do. I note that in the log, it seems that MWB found only ONE file that was infected, and removed it.

I also wondered about the identification of the virus involved. Until now, I only knew it by the description my wife read off the MalwareBytes screen, saying that it had found a "Trojan.FakeMS" infection. I see that the deleted file is labeled with the same tag. Is this a full and accurate description of the virus involved? You had referred to it earlier as being a ZeroAccess rootkit; I understand that may refer to a family of Trojans with various names.

Thanks,

George

mbam-log-2013-07-07 (09-08-05).txt


  • Root Admin

Hello George

I did not say you had ZeroAccess - I said that it is a most likely infection as it is currently very common. What your wife's computer had appears to simply be junk more related to PUP than anything else.

ESET and avast are both good antivirus products. Myself I'm not a huge fan of the interface on ESET but it is a good product. I'm in agreement with you on McAfee and it's had a lot of ups and downs over the years.

If paying - my choice is Norton Internet Security or Kaspersky. I believe that Kaspersky has some of the better tools at cleaning if you do get infected than any others but I don't like the slow updates they have.

I run NIS on my wife's computer along with the PRO version of Malwarebytes Anti-Malware and it's kept her clean now for a couple years. If you're on older hardware then yes it is best to "demo", "Trial" all these different packages as some of them including ours can put a heavy load on older systems.

If you use Firefox then I'd highly recommend NoScript and Ad-Block Plus; those can be annoying and take time to train but amazing how well they can protect you too.

I don't think there is anything to worry about on this computer but let's run some more scans to see what is what.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file

Then please run the following

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Thanks


Hi Ron,

Attached are the files you requested. And (surprise!) I need to add a couple comments:

(1) As you will notice in the logs, I ran a removal tool (from Microsoft) to clear out the remainders of MSE. ESET had been periodically complaining about another antivirus (MSE) being present. MSE had been the specific target of this virus, and it had disabled it pretty thoroughly (or so I thought.) MSE typically loads two processes (MsMpEng and another one), and they were not loading; so I didn’t know how MSE was getting detected. I tried to uninstall it through Control Panel | Add or Remove Programs. However, when I tried to uninstall, Windows gave me an error message to the effect that the program had already been uninstalled, and asked if I wanted to remove that entry from the list. With a little searching, I found the appropriate MS tool to remove MSE (an MS FixIt), and ran that. Everybody seems to be happy.

(2) I wanted to make sure that we were not miscommunicating with regard to the identity of the virus. In retrospect, the virus might have been around for a few weeks; we had noticed that her machine was occasionally running slow. At one point, I had noted that several iexplore.exe processes were hogging way more CPU time than they should. I should have run MalwareBytes at that time, but we were in the middle of a very stressful moving process, etc.

When the virus finally made itself obvious, it did so in two ways:

(a) It popped up a window stating that the MSE database was outdated, and that it needed to be updated within 30 days. This window mentioned the 888-730-2055 number, which one was supposed to call for “help” with the “upgrade”.

(b) When my wife attempted to connect to CNN.com, either her browser was redirected or else a window popped up saying “your computer is in need of service, call 888-730-2055.”

I therefore assume that both of these things were manifestations of the same virus, which also crippled MSE, destroyed the MalwareBytes database (fortunately AFTER my wife ran it and clobbered SOMEthing), and even deleted some other antivirus files I had kept in a directory (which had been used by McAfee’s AV team on a virus on MY machine a year ago.)

Since all this happened, I have been learning a TON about the current state of viruses. I read through the links that Quietman7 had suggested, and I learned that MalwareBytes' moniker of “Trojan.FakeMS” was not necessarily an industry-standard description of the virus. Lacking some better description, I have to depend on the various tools that have been recommended in order to be sure that NO other viruses are (or were) present.

I don’t doubt that there are a number of other things on my wife’s machine that qualify as “junkware” or “adware”; some of it may even have been installed by “Trojan.FakeMS” (as I understand it is common for Trojans to do that.) However, I don’t know that it’s accurate to characterize the attack and infection that took place as “What your wife's computer had appears to simply be junk more related to PUP than anything else.” Am I being clear here?

I have also read the links referring to “when to reformat and restore”. Obviously, this is a very difficult decision to make! We would, of course, prefer not to do that. Her computer does not contain confidential client files (health or financial); but she does use it to pay bills and access our bank accounts (the passwords are NOT kept on the computer!) We are more concerned about whether the computer can be trusted in the future to be resistant to other virus attacks.

So it seems to me that the decision (either that “the computer is safe to use” and hand it back over to her, or to face the time and effort involved in reformatting and restoring) hinges on whether the primary attacking virus has been properly identified, and the damages known to be caused by that virus have been properly addressed and repaired. I would appreciate it if you would weigh in on this issue.

Thanks,

George

dds.txt

attach.txt

checkup.txt


  • Root Admin

Before we continue any further let's clarify the term virus a bit more.

Malware | Rootkits | Trojans | Worm

MALWARE

Malware, short for malicious (or malevolent) software, is software used or created often to gain access to various forms of private information from computer systems. Signs of such an infection can sometimes be seen as unexpected browser behavior, popups, fake alerts, and similar undesirable operations. The infection can be coded as scripts, executables, code exploits, and other software. Much of the current code seen is more sophisticated than what has previously been around which some believe points to a more organized and well trained cadre of programmers creating multiple various malware threats nowadays.

Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs and other malicious programs; the majority of active malware threats are usually rootkits, worms or Trojans rather than actual viruses.

Destructive malware can utilize popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems making their entry quiet and easy.

The symptoms you describe in item (1) fit one of the exact observations due to the ZeroAccess rootkit.
However all logs show no direct obvious signs of the ZeroAccess rootkit and in fact the manual removal of Microsoft Security Essentials is thwarted and not removable unless specific clean up is done to allow the removal. I see no signs of such a removal having been done in the logs which would indicate that something else probably broke or attacked MSE that is unknown at this time as again the logs do not show anything that I'm aware of that could cause that.

Here are some observations I see based on the provided current logs.

Logs indicate that both antivirus programs are installed. Though you can shut down certain features of an antivirus program often that has little or no effect on the underlying kernel level drivers used. You should fully uninstall one of these antivirus programs as it will sooner or later cause you an issue.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}


The logs also show that you appear to have this driver for antivirus also running which again can cause conflicts.
GFI Boot Time Operations Driver from VIPRE Antivirus
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-15 13560]


This just indicates that the Microsoft Security Essentials driver is loading
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 195296]


This shows that SUPERAntispyware is running as a service - (nothing wrong with running it as long as there are no conflicts but based on the age of the program the viability of protection it provides vs resources used is debatable)
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]


This is yet another antivirus driver running on the system which again can potentially cause conflicts.
Related to SBREDrv.sys Anti-Rootkit Engine from Sunbelt Software.
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]



Here is a list of software that appears to be installed on the computer that should at least be reviewed and you decide for yourself if you want or need it.

Ad-Aware Browsing Protection: Again nothing wrong with additional security as long as it does not conflict and is using new rules or databases
Coupon Printer for Windows: Though not directly malware some feel that this type of program helps to eventually lead you to results that may pose a threat to your system that without it you'd never have gone to that resource.
HiJackThis: Appears to possibly be an older version. If you want to use the tool for easy reference that's fine but one should be careful about what you remove using this tool as it is very outdated with today's computing environment.
Java Auto Updater
Java™ 6 Update 26
These are outdated versions of Java that use code that has been exploited and very easily leads to an infected computer even potentially running up to date antivirus. You should uninstall ALL versions of Java and if possible do without it. If you must use Java then make sure you are ALWAYS only running the very latest version.
Malwarebytes Anti-Malware version 1.70.0.1100: This is an old version of our product and you should download the latest version and update it or do a clean removal and reinstall so that you have the latest version. MBAM Clean Removal Process
PerfectRegistry: This is just plain Snake Oil and can cause your computer more harm than any good it may advertise. Do I need a Windows Registry Cleaner?
Shockwave: This appears to be an old version of Shockwave and should be uninstalled and if deemed necessary install only the latest version from Adobe.
Spybot - Search & Destroy: Appears to possibly be an older version and if deemed necessary should be removed and the latest version installed.
SUPERAntiSpyware: Appears to possibly be an older version and if deemed necessary should be removed and the latest version installed.


The Event Logs also show the following.
Pml Driver HPZ12 service terminated unexpectedly

Here are some possible solutions or workarounds for this error.
PML Driver HPZ12
HP "Net Driver HPZ12" Service Causing Explorer Hang

Here are the listed events from the Event Logs recently on this system. You should generally strive to prevent all errors if at all possible but that is beyond the scope of malware detection and removal.

==== Event Viewer Messages From Past Week ========.
7/13/2013 5:56:58 PM, error: Service Control Manager [7034]  - The Pml Driver HPZ12 service terminated unexpectedly.  It has done this 1 time(s).
7/13/2013 4:23:48 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.
7/13/2013 4:23:36 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  PCIIde SBRE
7/11/2013 12:46:28 PM, error: Service Control Manager [7023]  - The Network Location Awareness (NLA) service terminated with the following error:  The specified procedure could not be found.
7/11/2013 12:41:23 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SBRE
7/11/2013 12:41:22 PM, error: Service Control Manager [7000]  - The Microsoft Antimalware Service service failed to start due to the following error:  The file can not be accessed by the system.
7/11/2013 11:55:53 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
==== End Of File ===========================

My suggestion would be to run some further scans and tests to ensure the system is not infected and follow-up with removal or renewal of the above listed items.

If you would like to continue to scan the system then please do the following.

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file.  Please attach that log file to your next reply.
If needed the file can be located here:  C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


Thanks

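As an added illustration of the log reading in the post above (this is example code, not from the thread or from the DDS tool), the following Python script parses DDS-style "AV:" and driver/service lines, reports when more than one antivirus product is present, splits the run-together Event Viewer block into separate events, and cross-references stopped drivers against the 7026 "failed to load" events. The sample input is constructed from the excerpts quoted in the post, and the driver-to-product table holds only the names the post identifies.

```python
import re
# DDS service/driver line: "<R|S><start> <name>;<display name>;<image path> [<date size>]".
# R = running, S = stopped; the digit is the Windows start type (0 boot, 1 system, 2 auto).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
                        r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
# DDS "AV:" line: what Windows Security Center reports as an installed antivirus.
AV_RE = re.compile(r"^AV:\s+(?P<product>.+?)\s+\*(?P<status>[^*]+)\*\s+\{(?P<guid>[0-9A-Fa-f-]+)\}$")
# One entry in the run-together "Event Viewer Messages" block; the next timestamp ends it.
TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
EVENT_RE = re.compile(rf"(?P<ts>{TS}), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+"
                      rf"(?P<msg>.*?)(?={TS}, |\.?==== End Of File|$)", re.S)

# Driver/service name -> (product, kind), as identified in the post above.
PRODUCTS = {
    "gfibto": ("VIPRE Antivirus", "antivirus"),
    "sbre": ("VIPRE / Sunbelt anti-rootkit engine", "antivirus"),
    "mpfilter": ("Microsoft Security Essentials", "antivirus"),
    "saskutil": ("SUPERAntiSpyware", "antispyware"),
    "!sascore": ("SUPERAntiSpyware", "antispyware"),
}

def parse_dds(text):
    """Return (services, av_entries) from DDS-style lines; anything else is ignored."""
    services, avs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            d = m.groupdict()
            d["running"] = d["state"] == "R"
            d["product"], d["kind"] = PRODUCTS.get(d["name"].lower(), ("unknown", "other"))
            services.append(d)
        elif m := AV_RE.match(line):
            avs.append(m.groupdict())
    return services, avs

def antivirus_conflicts(services, avs):
    """Antivirus products present per Security Center or per a running kernel driver.
    More than one is the conflict described above: pausing an AV's UI does not unload its driver."""
    found = {a["product"] for a in avs}
    found |= {s["product"] for s in services if s["running"] and s["kind"] == "antivirus"}
    return sorted(found)

def parse_events(block):
    """Split DDS's one-line event dump into one dict per event."""
    return [dict(m.groupdict(), msg=m.group("msg").strip()) for m in EVENT_RE.finditer(block)]

def failed_to_load(events):
    """Driver names from Service Control Manager 7026 ('failed to load') events."""
    names = set()
    for e in events:
        if e["id"] == "7026" and "failed to load:" in e["msg"]:
            names.update(e["msg"].split("failed to load:", 1)[1].replace(".", " ").split())
    return names

def stopped_and_failed(services, events):
    """Drivers DDS lists as stopped that the event log also reports as failing to load."""
    failed = {n.lower() for n in failed_to_load(events)}
    return sorted(s["name"] for s in services if not s["running"] and s["name"].lower() in failed)

def security_service_failures(events):
    """SCM start/termination failures (7000, 7023, 7034) that concern a security service."""
    words = ("antimalware", "antivirus", "security")
    return [e for e in events if e["source"] == "Service Control Manager"
            and e["id"] in {"7000", "7023", "7034"} and any(w in e["msg"].lower() for w in words)]

# Constructed sample input: the AV, driver and event lines quoted in the post above.
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-15 13560]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 195296]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""
SAMPLE_EVENTS = (
    "==== Event Viewer Messages From Past Week ========."
    "7/13/2013 5:56:58 PM, error: Service Control Manager [7034]  - The Pml Driver HPZ12 service "
    "terminated unexpectedly.  It has done this 1 time(s)."
    "7/13/2013 4:23:48 PM, error: sr [1]  - The System Restore filter encountered the unexpected error "
    "'0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume."
    "7/13/2013 4:23:36 PM, error: Service Control Manager [7026]  - The following boot-start or "
    "system-start driver(s) failed to load:  PCIIde SBRE"
    "7/11/2013 12:46:28 PM, error: Service Control Manager [7023]  - The Network Location Awareness (NLA) "
    "service terminated with the following error:  The specified procedure could not be found."
    "7/11/2013 12:41:23 PM, error: Service Control Manager [7026]  - The following boot-start or "
    "system-start driver(s) failed to load:  SBRE"
    "7/11/2013 12:41:22 PM, error: Service Control Manager [7000]  - The Microsoft Antimalware Service "
    "service failed to start due to the following error:  The file can not be accessed by the system."
    "7/11/2013 11:55:53 AM, error: Service Control Manager [7023]  - The Computer Browser service "
    "terminated with the following error:  The specified service does not exist as an installed service."
    ".==== End Of File ==========================="
)

if __name__ == "__main__":
    services, avs = parse_dds(SAMPLE_DDS)
    events = parse_events(SAMPLE_EVENTS)
    print("antivirus products present:", antivirus_conflicts(services, avs))
    print("stopped drivers that also failed to load:", stopped_and_failed(services, events))
    print("security service failures:", [(e["id"], e["msg"]) for e in security_service_failures(events)])
```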

Hi Ron,

 

Yes, I do indeed want to continue (now more than ever, I’m afraid!) I apologize for not being able to get back to you yesterday: in the morning, I had to deal with another computer crisis (my wife is applying for jobs, and a website would not let her file her forms. Turns out that IE 6 wouldn't work; Firefox wouldn't work; but Google Chrome DID!) Then, our internet service went down in the evening, and didn't come back up till this morning. Yeesh...

 

I did read through your advice, and had been working through getting rid of some of the garbage as you suggested (I thought I would try to do as much of this as possible before running ComboFix.) At the same time, I was puzzling over your statement that “all logs show no direct obvious signs of the ZeroAccess rootkit...” I knew that there had been things in the logs I had posted which to _me_ seemed to make a positive ID. I thought about my original complaint, which mentioned “Trojan.FakeMS”; and also the things that cropped up when I ran MBAR, which were labeled with “Backdoor.0access” (see post #9, from July 13.) I knew that the original file (from July 7) had not made it into MBAM’s quarantine (or if it did, the malware destroyed it soon after, deleting the MBAM database as well.)

 

Several days ago (before running MBAR), I had updated MBAM to the newest version (1.75.xxx). Last night, it occurred to me to try running MBAM just to see what was in the Quarantine. To my surprise, all of the files that MBAR had identified were there in the Quarantine! I took a screen shot, which is attached here. My thought was that maybe these could be submitted to someone (like VirusTotal), and a positive ID made of the malware.

 

So today, I proceeded with trying to clean things up, thinking that I would be able to run ComboFix and post the logs, letting you know at the same time that I wanted to keep going. I confess that I was somewhat distracted, and maybe not thinking things through as clearly as I should. I was in Windows “Add or Remove Programs”, and noticed that the entry there for MBAM still reflected the _old_ version number (1.70.0.1100 .) I had thought that installing the new version of MBAM would have updated this Uninstall entry; and maybe on a healthy machine, it would have. There was no second entry for the new version I had installed. At any rate, I thought to myself that I needed to at least get rid of this old entry, and clicked “uninstall”. To my surprise, it uninstalled the _new_ version, right down to the directory -- INCLUDING the Quarantine!!! Aack!

 

So I haven’t done anything else to that machine, in hopes of maybe being able to recover the Quarantined files. I left Windows running, because I thought that closing it would probably just overwrite _more_ files. Before I go any further with any fixes, I felt that I needed to see if there was any way to recover the “evidence.”

 

I know that this issue is substantially outside of the topic of “Malware Removal”, and I don’t know if it’s something that you can help with. I submitted an “email” (web form) to MalwareBytes’ support, explaining what had happened (this was three hours ago.) I asked them to _call_ me back if they could; but I have not received either a phone call or an email in response. As far as I can see, I am kinda stalled until I figure out whether the Quarantined files can be recovered (unless you think that the issue of identifying the malware is not that important.) I will wait until I hear back from either you or MWB; and I will keep you posted here if I hear anything from them.

 

Drat!

 

Thanks,

George



  • Root Admin

Hi George,

Yes that in fact is certainly the ZeroAccess rootkit. No we do not need the Quarantined files. Please go ahead and complete the reboot.

Then install the latest version of MBAM and update it and do a Quick Scan. Why it did not list ZA in the MBAR log you attached I'm not sure.

At this point though it really is sort of water under the bridge. We just need to continue to scan and cleanup any residual damage if possible and get the system back to a clean working state.

Please proceed with the other cleanup and then run Combofix and post back its log along with any specific observations of anything malware related.

Thanks


Whew! THANK YOU, RON!! I don't know if you could tell, but I was feeling REALLY frustrated with everything today. I had almost reached a similar decision myself: "heck with it, I need to move forward!"

Since MBAM is apparently gone, I think I will run the MBAM removal tool just to be sure; and then reinstall. I will run ComboFix tonight, and will post the logs here in a little bit.

Thanks for your patience,

George


OK, I updated MBAM and ran it. It didn’t find anything; but during the middle of the run, ESET came back on (I had shut it off for 10 minutes, which I thought would be sufficient. Nice feature (seriously.)) ESET found two items that were being accessed by MBAM, and decided they were associated with a virus. I let it quarantine the items; the log is attached here.

 

However, when I ran ComboFix (according to instructions), it detected that MSE was still installed! It offered to run anyway (with warnings), but I just bailed out of it.

 

I want to quote some things from a previous post of yours, to see if you can help me get rid of whatever part of MSE it is that DDS and ComboFix are detecting.

 

...in fact the manual removal of Microsoft Security Essentials is thwarted and not removable unless specific clean up is done to allow the removal. I see no signs of such a removal having been done in the logs...

 

See entry in Attach.txt:

“RP2488: 7/14/2013 7:52:13 PM - Installed Microsoft Fix it 50535”

(I guess I thought this would jump out more! It’s the Microsoft MSE removal tool.)

 

... which would indicate that something else probably broke or attacked MSE that is unknown at this time as again the logs do not show anything that I'm aware of that could cause that.

 

The initial attack took place on July 7. Any logs were probably blown out by the malware. MSE seemed to be working fine before that time (Sys Tray icon appeared, scans ran at night, etc.) The bogus “warnings” from the malware all had to do with MSE; and as soon as the problems arose, my wife noticed that MSE was no longer running (no icon in the System Tray), and it hasn’t run since. I’m pretty sure that whatever killed MSE was the ZeroAccess malware, on July 7.

 

Here are some observations I see based on the provided current logs.

 

Logs indicate that both antivirus programs are installed. Though you can shut down certain features of an antivirus program often that has little or no affect on the underlying kernel level drivers used. You should fully uninstall one of these antivirus programs as it will sooner or later cause you an issue.

 

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

 

<snip>

 

This just indicates that the Microsoft Security Essentials driver is loading

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 195296]

 

As noted above, I _did_ run the MS MSE Removal tool. It would be ironic and funny (if it weren’t so sad) that Microsoft’s OWN TOOL neither (a) removed this driver, nor (b) removed their entries from the Registry (see your comments in your first reply about software applications that don’t follow the rules for the Registry!)

 

After your post shown here, I deleted “MpFilter.sys” manually and rebooted. DDS _still_ showed MSE as being loaded (and, as noted, ComboFix detects it as well.)

 

What _IS_ still installed on the system is Microsoft Security _Client_! It’s in a directory of the same name. This was untouched by the MSE Removal tool; and of course, Microsoft makes sure that you can’t simply delete the directory, or any of the contents. The removal tool was downloaded directly from Microsoft; is it possible that it just didn't WORK?

 

This entry, cited by DDS:

{EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

I don’t know what that is referring to. At first, it looked to me like a Registry key; but no, two different searches of the Registry revealed no such key.

 

There are still entries for MSE and MSC in the Registry; but of course, I am prevented from deleting them. I have access to some heavy-duty tools which SHOULD be able to blow these entries out; but that seems a little drastic. I'll hold that discussion for the moment.

 

 

Hopefully you have some other ideas that will allow me to get rid of MSE once and for all. I didn’t think I should proceed with running ComboFix as long as it was complaining about MSE. Please advise.

 

Thanks,

George

ESET log re MBAM.txt


  • Root Admin

It means you don't have file exclusions setup correctly for ESET to allow MBAM to run with it properly.

 

I don't have a walk through for ESET NOD32 version 6 but basically in the Interface for exclusions you need to tell ESET that it's okay to allow our program access.

 

Please exclude these files from detection

 

mbam.exe
mbamgui.exe
mbampt.exe
mbamscheduler.exe
mbamservice.exe

 

Please go ahead and run combofix and post the log and we'll use combofix to help us remove any left over MSE


Hi Ron,

I made some further attempts (last night and this morning) to see if I could get rid of that pesky MSE/MSC install. I found my way to this site:

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/uninstalling-mse/a63b8c4b-58ed-437e-8086-fa08d80725a4

…where there was a good discussion about this very issue:

“Update 9 June, 2013 (0x80073b01 ):

If you are attempting to remove MSE after encountering 0x80073b01 and attempts to remove MSE are met with an error regarding permissions and contacting your administrator, your PC is infected and it has modified the file structure of MSE.”

I think we knew that! I had tried several of the methods described on that page, and they had either failed (because I could not get access to the \Microsoft Security Client\Backups directory) or gave a specific error message about the permissions being incorrect. Finally, I created the MSEREMOVE.BAT file described on that page and ran it. That got rid of a lot of things (including all the files in the MSC directory, although not the sub-folders.) Alas, DDS (and ComboFix) still identified MSE as being installed.

Also on this page (near the top, and therefore more recent) was a recommendation to run HitmanPro, since it could allegedly repair the things that many malwares do to directory and file permissions, etc. (and thus allow AV software to sometimes be recovered, or at the least, removed.) From my recent research, I have heard that HitmanPro is an often-recommended product; however, I decided to not run it until I had heard from you. (Please let me know if you think it would help.)

So I went ahead and ran ComboFix; the log files are attached. At one point, ComboFix announced loudly that it had discovered Rootkit.ZeroAccess, and was going to take some additional steps to remove it (so I think we finally have the identity of the malware nailed down!) There was an extra reboot in there. It also mentioned that the malware had insinuated itself into the TCP/IP stack.

Ron, we (my wife and I) have known since your second post that in some circumstances, the computer’s file system is so altered that it can no longer be trusted. We knew that would lead us down one of two paths:

(1) Reformat this drive, reinstall Windows (XP), restore from the most recent backup (January), and try to copy over the contents of the most recent Documents and Setting folder.

(2) Upgrade to a new computer, with Windows 8, new Office apps, and a lot more horsepower.

We had also come to realize that the rapid increase in nastiness of the malware out there was essentially going to drive people (sooner or later) to newer and more powerful machines, which could take on the role of running more comprehensive anti-spyware programs (per your second post: “It is possible to prevent ALL infections, but then the computer is so locked down, slow, and unusable that the "cure" is much worse than the infection.” We don’t want to go quite to THAT extreme; but it stands to reason that the more powerful a computer is, the better chance it will have of being able to run more powerful AV software (without slowing to a crawl.))

If we followed the direction of (1) above, we would have a file system which was at least MORE “normal” than what we have now; however, it would be on a 2005 computer (Intel Core Duo T7200), running an OS which will be sunsetted in 2014 (XP).

For that amount of effort, it seemed like it made sense to take this opportunity to upgrade to a new machine, with an i7 and Windows 8. It’s not really a great time for us to be springing for a new computer; but there is also a price to consider for continuing to struggle with a computer whose OS has been Swiss-cheesed and which cannot really be trusted.

So from here forward, my efforts are going to be mostly focused on making the transfer to a new machine. However, I don’t think the time and effort we’ve put into cleaning this thing was in any way wasted (and I hope YOU don’t feel that way); I am considering that effort (and any subsequent efforts) to be in the interest of getting this machine as stable as possible, so that my wife’s settings and data can be transferred to the new machine.

I realize that the next questions here fall even further beyond the scope of “malware removal.” However, you have been very generous with sharing your opinions (as a Computer and Network support person for 20+ years), and I would very much appreciate hearing your opinions on these questions. Links to other sites and postings would also be very much appreciated.

(1) We understand that we will have to get a new version of Office that will run under Windows 8 (probably a good idea to update these anyway.) Therefore, the “migration” will mostly consist of application settings, and data files.

(2) Windows offers their “Easy Transfer” application for migration purposes. Any time any software manufacturer puts the name “Easy” into the title of their software, I am immediately skeptical! After working with me for a while now, you probably have some idea of my technical understanding and abilities (somewhere between “you” and “total dummy”!) Are you familiar with this tool, and with using it to migrate from XP to 8? Do you think this is something that I might be able to undertake by myself? (Or should I just surrender, and turn the job over to the professionals? Of the professional “geeks”, I tend to have the best feeling about BestBuy’s Geek Squad; but maybe you have a different recommendation.)

(3) Are there any forums you could recommend which provide help to users who are attempting a migration? (in similar fashion to how MalwareBytes, MajorGeeks, etc. offer consultation with “helpers”.)

(4) Will having AV software running on both old and new machines (during the migration) be effective at subduing any malware that might try to creep across? Or is that even an ISSUE?

(5) Lastly (for tonight): we would like to become better computer users, and keep our machines cleaner and better maintained. I _thought_ that I had always made sure that we got upgrades and updates (evidence on my wife’s computer notwithstanding); we both defrag, and occasionally use things like CCleaner to try to keep the crap to a minimum. I don’t expect you to write a whole article on your recommended procedures; however, any recommendations you might have to trustable websites and links would be appreciated.

I have removed most (but not all) of the “garbage” you identified on my wife’s computer. I will continue on with that as time permits, until we have the new computer (I am going to get one, too! Yay!) In the meantime, I would certainly like to know if there are any other scans or tools that you think might be helpful to further clean up this computer.

Many thanks,

George

log.txt

Add-Remove Programs.txt

ComboFix.txt

ComboFix-quarantined-files.txt


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

