Root Admin AdvancedSetup Posted July 30, 2013 Root Admin ID:708766 Share Posted July 30, 2013 Are you still with us? Link to post Share on other sites More sharing options...
slabadoo Posted July 30, 2013 Author ID:708862 Share Posted July 30, 2013 Hi Gringo, So i disabled all the add-ons, it seemed to work a little better but still gets hung up and I have to force quit it. Another thing I noticed is I use dreamweaver for my job and if I download a file locally (via FTP) that already exist, it asks me if i want to overwrite it which is normal but when I do, then make edits to it and try to save it it tells me I don't have permission. Not sure if these two go together but it's not how it used to work. I have to first delete the file locally before downloading the remote file then all seems to work as usual. Link to post Share on other sites More sharing options...
Staff gringo_pr Posted July 30, 2013 Staff ID:708991 Share Posted July 30, 2013 Hello These logs are looking allot better. But we still have some work to do. Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.. uninstall some programs NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list. You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)Programs to removeAdobe Reader X (10.0.1) Java™ 6 Update 24 Please download and install Revo Uninstaller FreeDouble click Revo Uninstaller to run it.From the list of programs double click on The Program to removeWhen prompted if you want to uninstall click Yes.Be sure the Moderate option is selected then click Next.The program will run, If prompted again click Yeswhen the built-in uninstaller is finished click on Next.Once the program has searched for leftovers click Next.Check/tick the bolded items only on the list then click Deletewhen prompted click on Yes and then on next.put a check on any folders that are found and select deletewhen prompted select yes then on nextOnce done click Finish.. Update Adobe readerRecently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. You can download it from http://www.adobe.com/products/acrobat/readstep2.html After installing the latest Adobe Reader, uninstall all previous versions. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader. Note: When installing FoxitReader, be careful not to install anything to do with AskBar.Install Java: Please go here to install Javaclick on the Free Java Download Buttonclick on Agree and start Free downloadclick on Runclick on run againclick on installwhen install is complete click on closeClean Out Temp FilesThis small application you may want to keep and use once a week to keep the computer clean. Download CCleaner from here CCleanerRun the installer to install the application.When it gives you the option to install Yahoo toolbar uncheck the box next to it.Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).Click Run Cleaner.Close CCleaner.: Malwarebytes' Anti-Malware : I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me nowDouble-click mbam icongo to the update tab at the topclick on check for updatesIf an update is found, it will download and install the latest version.Once the program has loaded, select Perform quick scan, then click Scan.When the scan is complete, click OK, then Show Results to view the results.Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.When completed, a log will open in Notepad. please copy and paste the log into your next replyIf you accidentally close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtNote: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Download HijackThisGo Here to download HijackThis programSave HijackThis to your desktop.Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)copy and paste hijackthis report into the topic"information and logs"In your next post I need the followingLog From MBAMreport from Hijackthislet me know of any problems you may have hadHow is the computer doing now?Gringo Link to post Share on other sites More sharing options...
slabadoo Posted August 1, 2013 Author ID:709670 Share Posted August 1, 2013 Hi Gringo, I was out for a couple days but now back. I will be performing the above today and will let you know what I come up with. FYI - thanks so far for all your help, it has been amazing!!!Thanks,Rick Link to post Share on other sites More sharing options...
slabadoo Posted August 1, 2013 Author ID:709677 Share Posted August 1, 2013 Also - do I do this as admin or as the user?Thanks,Rick Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 1, 2013 Staff ID:709759 Share Posted August 1, 2013 do as admin Link to post Share on other sites More sharing options...
slabadoo Posted August 1, 2013 Author ID:709810 Share Posted August 1, 2013 ok got as far as trying to install Java and it says the file is corrupt. What now?Thanks.Rick Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 2, 2013 Staff ID:709949 Share Posted August 2, 2013 Hello slabadoo run this to remove Java - http://singularlabs.com/software/javara/ then try again Gringo Link to post Share on other sites More sharing options...
slabadoo Posted August 2, 2013 Author ID:710172 Share Posted August 2, 2013 ok ran the java removal tool from above then tried to install java from the same link you gave me in a couple of earlier post it was this one: Install Java:Please go here to install Java That failed again with the same error corrupt so I tried to do the install using the JavaRa as it has an option to download the letest vesion of java. When I didi this it gave me a diffeent error "Installer : Wrapper.CreateFile failed with error 3: The System cannot find the path specified. What now?Thanks,Rick Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 5, 2013 Staff ID:711069 Share Posted August 5, 2013 OK send me the hijacjthis report and the MBAM report Gringo Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 7, 2013 Root Admin ID:711905 Share Posted August 7, 2013 Are you still with us? Link to post Share on other sites More sharing options...
slabadoo Posted August 7, 2013 Author ID:711997 Share Posted August 7, 2013 Yep - will send these reports today - Thanks! Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 7, 2013 Staff ID:712068 Share Posted August 7, 2013 I will be looking for them gringo Link to post Share on other sites More sharing options...
slabadoo Posted August 7, 2013 Author ID:712075 Share Posted August 7, 2013 OK Gringo here are the results: MB Log: Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.07.05Windows 7 Service Pack 1 x86 NTFSInternet Explorer 8.0.7601.17514Administrator :: AMD64-3 [administrator]8/7/2013 7:29:07 AMmbam-log-2013-08-07 (07-29-07).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 288900Time elapsed: 7 minute(s), 57 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Here is the hijackthis log: Logfile of Trend Micro HijackThis v2.0.4Scan saved at 10:47:35 AM, on 8/7/2013Platform: Windows 7 SP1 (WinNT 6.00.3505)MSIE: Internet Explorer v8.00 (8.00.7601.17514)Boot mode: NormalRunning processes:C:\Windows\system32\taskhost.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskhost.exeC:\Windows\SOUNDMAN.EXEC:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exeC:\Program Files\Microsoft Security Client\msseces.exeC:\Program Files\NVIDIA Corporation\Display\nvtray.exeC:\Windows\system32\notepad.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\notepad.exeC:\Windows\system32\wuauclt.exeC:\Users\Administrator\Desktop\HijackThis.exeC:\Windows\system32\SearchFilterHost.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = PreserveR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dllO4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkeyO4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activexO4 - HKUS\S-1-5-21-3721947400-3051713904-3596865697-1002\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')O4 - HKUS\S-1-5-21-3721947400-3051713904-3596865697-1002\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dllO9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dllO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=1007O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dllO23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeO23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exeO23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exeO23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exeO23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exeO23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe--End of file - 6645 bytes Most seems to be running better. I am still having permission issues. I am attaching an example error screenshot. This is from dreamweaver and it seems that when I download a remote file that is already in my local folder, it gives me the gray error in the background and when I try to save the file it gives me the white error: Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 7, 2013 Staff ID:712102 Share Posted August 7, 2013 Greetings I have no idea about dreamweaver :Remove unneeded start-up entries: This part of the fix is purely optional These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.Run HijackThis (rightclick and run as admin)Click on the Scan buttonPut a check beside all of the items listed below (if present):O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activex O4 - HKUS\S-1-5-21-3721947400-3051713904-3596865697-1002\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser') O4 - HKUS\S-1-5-21-3721947400-3051713904-3596865697-1002\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Close all open windows and browsers/email, etc...Click on the "Fix Checked" buttonWhen completed, close the application. NOTE**You can research each of those lines >here< and see if you want to keep them or not just copy the name between the brackets and paste into the search space O4 - HKLM\..\Run: [IntelliPoint] Eset Online Scanner **Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin Go Eset web page to run an online scanner from ESET.Turn off the real time scanner of any existing antivirus program while performing the online scanclick on the Run ESET Online Scanner buttonTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the add/on to be installedClick StartMake sure that the option Remove found threats is untickedClick on Advanced Settings, ensure the optionsScan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.Click Scanwait for the virus definitions to be downloadedWait for the scan to finishWhen the scan is completeIf no threats were foundput a checkmark in "Uninstall application on close"close programreport to me that nothing was foundIf threats were foundclick on "list of threats found"click on "export to text file" and save it as ESET SCAN and save to the desktopClick on backput a checkmark in "Uninstall application on close"click on finishclose programcopy and paste the report hereGringo Link to post Share on other sites More sharing options...
slabadoo Posted August 7, 2013 Author ID:712121 Share Posted August 7, 2013 do I do this as the admin user as well? Also, the Dreamweaver question was simply an example of the access denied error I get. I am assuming that there may also be a permission setting that might have been changed at some point. If we could look at that once this is taken care of that would be helpful as I never used to have the error before I got infected. I can say that the windows firewall may be playing a role in it but hopefully we can look at that after. So - Admin or user for this next step?Thanks.Rick Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 7, 2013 Staff ID:712144 Share Posted August 7, 2013 Hello as admin Link to post Share on other sites More sharing options...
slabadoo Posted August 8, 2013 Author ID:712508 Share Posted August 8, 2013 ok Gringo - Here is the report. It found a bunch: C:\Documents and Settings\rmorse\Downloads\AIM_Install.exe Win32/OpenCandy applicationC:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.WQ trojanC:\Users\rmorse\Downloads\AIM_Install.exe Win32/OpenCandy applicationC:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys a variant of Win32/Rootkit.Kryptik.WQ trojanF:\MSI\fitbody.tv\OLDSITE\wp-content\uploads\20111017-09aspx ASP/Agent.NAA.Gen trojanF:\MSI\fitbody.tv\OLDSITE\wp-content\uploads\20111017-44.php PHP/Obfuscated.F applicationF:\MSI\medicus\Medicus_Physician\medicusphysicians.com\icons\index.php HTML/ScrInject.B.Gen virusF:\My D Drive\Rick\Queen Creek Olive Mill\Dreamweaver\queencreekolivemill.com\public_html\wp-content\themes\olivemill\cache\images\external_7a0cf2f7d7e34c7ff3d7c198ab29fd23.php PHP/Small.NAK trojanF:\My D Drive\Rick\Queen Creek Olive Mill\Dreamweaver\queencreekolivemill.myfreedev.net\public_html\wp-content\themes\olivemill_OLD\cache\images\external_7a0cf2f7d7e34c7ff3d7c198ab29fd23.php PHP/Small.NAK trojanF:\My D Drive\Rick\tadellonline.com\index.php HTML/ScrInject.B.Gen virusF:\My D Drive\Rick\tadellonline.com\admin\ak74shell.php PHP/WebShell.NAY trojanF:\My D Drive\Rick\tadellonline.com\admin\home.php HTML/ScrInject.B.Gen virusF:\My D Drive\Rick\tadellonline.com\admin\index.php HTML/ScrInject.B.Gen virusF:\My D Drive\Rick\tadellonline.com\admin\test_quest.php PHP/WebShell.NAY trojanF:\My D Drive\Rick\tadellonline.com\fckeditor\editor\dialog\fck_sedit.php PHP/WebShell.NAY trojanF:\Nero\Nero_Move_it-1[1].5.9.0e.exe Win32/Toolbar.AskSBar application Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 8, 2013 Staff ID:712643 Share Posted August 8, 2013 Hello slabadoo There are some minor things in your online scan that should be removed.delete filesCopy all text in the code box (below)...to Notepad.@echo offdel /f /s /q "C:\Documents and Settings\rmorse\Downloads\AIM_Install.exe"del /f /s /q "C:\Users\rmorse\Downloads\AIM_Install.exe"del /f /s /q "C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys"del /f /s /q "F:\MSI\fitbody.tv\OLDSITE\wp-content\uploads\20111017-09aspx"del /f /s /q "F:\MSI\fitbody.tv\OLDSITE\wp-content\uploads\20111017-44.php"del /f /s /q "F:\MSI\medicus\Medicus_Physician\medicusphysicians.com\icons\index.php"del /f /s /q "F:\My D Drive\Rick\Queen Creek Olive Mill\Dreamweaver\queencreekolivemill.com\public_html\wp-content\themes\olivemill\cache\images\external_7a0cf2f7d7e34c7ff3d7c198ab29fd23.php"del /f /s /q "F:\My D Drive\Rick\Queen Creek Olive Mill\Dreamweaver\queencreekolivemill.myfreedev.net\public_html\wp-content\themes\olivemill_OLD\cache\images\external_7a0cf2f7d7e34c7ff3d7c198ab29fd23.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\index.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\admin\ak74shell.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\admin\home.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\admin\index.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\admin\test_quest.php"del /f /s /q "F:\My D Drive\Rick\tadellonline.com\fckeditor\editor\dialog\fck_sedit.php"del /f /s /q "F:\Nero\Nero_Move_it-1[1].5.9.0e.exe"del %0Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"It should look like this: <--XP<--vistaDouble click on delfile.bat to execute it.A black CMD window will flash, then disappear...this is normal.The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.:Why we need to remove some of our tools:Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.:DeFogger:Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.To re-enable your Emulation drivers, double click DeFogger to run the tool.The application window will appearClick the Re-enable button to re-enable your CD Emulation driversClick Yes to continueA 'Finished!' message will appearClick OKDeFogger will now ask to reboot the machine - click OK.Your Emulation drivers are now re-enabled.:Uninstall ComboFix:turn off all active protection softwarepush the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)please copy and past the following into the box ComboFix /Uninstall and click OK.Note the space between the X and the /Uninstall, it needs to be there.:Remove the rest of our tools:Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.Double-click OTCleanIt.exe.Click the CleanUp! button.Select Yes when the "Begin cleanup Process?" prompt appears.If you are prompted to Reboot during the cleanup, select Yes.The tool will delete itself once it finishes, if not delete it by yourself.If asked to restart the computer, please do soNote: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.:The programs you can keep:Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstallsCCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleanerMalwarebytes' Anti-Malware The Gold standerd today in antimalware scanners:Security programs:One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It istotally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)Note** If you decide to install MSE you will need to uninstall your present Antivirus:Security awareness:It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft articleStrong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.As Java seems to get exploited on a daily basis I advise to disable java in your web browsers - How to disable java in your web browsers - Disable JavaThe other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.Here are some articles that are must reads and should be read by everybody in your household that uses the internetinternetsafetyInternet Safety for KidsHere is some more reading for you from some of my collegesPC Safety and Security - What Do I Need? from my friends at Tech Support ForumCOMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removalquoted from Tech Support ForumConclusionThere is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PMMy help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.Gringo Link to post Share on other sites More sharing options...
slabadoo Posted August 8, 2013 Author ID:712663 Share Posted August 8, 2013 Hi Gringo, That's great to hear. One question I have is I have used True Image by Acronis in the past. It's this softwate http://www.acronis.com/homecomputing/products/trueimage/ Once I do the steps above would it be a good time to make an image of my machine so that I have the ability to restore that way in the event this happens again? You mentioned something about files and restore. Please let me know what you recommend. I wil report back one I do the above steps.Thanks,Rick Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 9, 2013 Staff ID:712741 Share Posted August 9, 2013 Hello Yes that is a very good setup to have as that would remove all traces of any virus Gringo Link to post Share on other sites More sharing options...
Staff gringo_pr Posted August 12, 2013 Staff ID:713791 Share Posted August 12, 2013 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts