Infected and in trouble

[unluckychick]

I'm not seeing a link on my laptop or on my phone but a link appears when I look at the post on my e-mail but when I click that it gives me a 404....

[kevinf80]

yep very strange, the links were in the reply initially, try again....

 

 

 

http://jpshortstuff.247fixes.com/SystemLook_x64.exe      <<-   64 bit….

 

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe  <<-  32 bit

[unluckychick]

This is the text from the notepad:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 23:32 on 30/12/2013 by Mari

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "IObit"

No files found.

 

Searching for "IObit*"

C:\AdwCleaner\Quarantine\C\Program Files (x86)\IObit Apps Toolbar\IE\7.6\iobitappsToolbarIE.dll.vir --a---- 1357120 bytes [10:03 02/09/2013] [10:03 02/09/2013] 0E221E6B84EC39BC13C31CB9082155F1

C:\AdwCleaner\Quarantine\C\Program Files (x86)\IObit Apps Toolbar\Res\iobit-toolbar-logo-hover.gif.vir --a---- 2241 bytes [22:08 26/11/2012] [22:08 26/11/2012] 08CC20882E3EE6A96FF7DEDD8F944F34

C:\AdwCleaner\Quarantine\C\Program Files (x86)\IObit Apps Toolbar\Res\iobit-toolbar-logo.gif.vir --a---- 1189 bytes [22:08 26/11/2012] [22:08 26/11/2012] 28DB159A89746255D374474BD12625C1

 

========== folderfind ==========

 

Searching for "IObit"

No folders found.

 

Searching for "IObit*"

C:\AdwCleaner\Quarantine\C\Program Files (x86)\IObit Apps Toolbar d------ [22:40 29/12/2013]

 

========== Regfind ==========

 

Searching for "IObit"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\IObit Apps]

[HKEY_CURRENT_USER\Software\IObit Apps]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]

"C:\Program Files (x86)\IObit Apps Toolbar\"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]

"C:\Program Files (x86)\IObit Apps Toolbar\Res\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]

"C:\Program Files (x86)\IObit Apps Toolbar\Res\Lang\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]

"C:\Program Files (x86)\IObit Apps Toolbar\IE\7.6\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]

"C:\Program Files (x86)\IObit Apps Toolbar\IE\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\179893296AD828D4A9C17CC7DC633064]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\WidgiHelper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23B4B261A2ECC1943BE70631F436E48A]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\Res\Lang\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B16C90A2AD4A204D900BDFAB2391210]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\735A81D2803AE1C42B77E58FA3BBD3FF]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\Res\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\862E44DE850238E468F4745D6F4D3F04]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\IE\7.6\iobitappsToolbarIE.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD187B83EEECC4240BAAE3B5B6B2DF8A]

"191089AC088C2B64788B2A7C6165DAF3"="C:\Program Files (x86)\IObit Apps Toolbar\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\IObit Malware Fighter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit Apps]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit Apps]

"serverURL"="http://iobitapps.mybrowserbar.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit Apps]

"partnerName"="IObit Apps"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit Apps]

"partnerNameSafe"="iobitapps"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit Apps]

"installDir"="C:\Program Files (x86)\IObit Apps Toolbar\"

[HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\AppDataLow\Software\IObit Apps]

[HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\IObit Apps]

 

Searching for "IObit*"

No data found.

 

-= EOF =-

[kevinf80]

Ok run the following:

 

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accepy UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion.... If your security alerts to OTM either, accept the alert or turn off security until OTM completes...

• Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Reg :Reg
  
  

  :Reg[-HKEY_CURRENT_USER\Software\AppDataLow\Software\IObit Apps][-HKEY_CURRENT_USER\Software\IObit Apps][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]"C:\Program Files (x86)\IObit Apps Toolbar\"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]"C:\Program Files (x86)\IObit Apps Toolbar\Res\"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]"C:\Program Files (x86)\IObit Apps Toolbar\Res\Lang\"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]"C:\Program Files (x86)\IObit Apps Toolbar\IE\7.6\"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]"C:\Program Files (x86)\IObit Apps Toolbar\IE\"=-[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\179893296AD828D4A9C17CC7DC633064][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23B4B261A2ECC1943BE70631F436E48A][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B16C90A2AD4A204D900BDFAB2391210][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\735A81D2803AE1C42B77E58FA3BBD3FF][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\862E44DE850238E468F4745D6F4D3F04][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD187B83EEECC4240BAAE3B5B6B2DF8A][-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit][-HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\AppDataLow\Software\IObit Apps][-HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\IObit Apps]:FilesC:\Program Files (x86)\IObit Apps Toolbar:Commands[EmptyTemp]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
• Click the red button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Kevin....

[unluckychick]

Not sure if I did that correctly, but here's the log:

 

All processes killed

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\IObit Apps\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\IObit Apps\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\179893296AD828D4A9C17CC7DC633064\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23B4B261A2ECC1943BE70631F436E48A\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B16C90A2AD4A204D900BDFAB2391210\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\735A81D2803AE1C42B77E58FA3BBD3FF\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD187B83EEECC4240BAAE3B5B6B2DF8A\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\ deleted successfully.

Registry key HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\AppDataLow\Software\IObit Apps\ not found.

Registry key HKEY_USERS\S-1-5-21-1389066822-2107305290-2761972221-1001\Software\IObit Apps\ not found.

========== FILES ==========

File/Folder C:\Program Files (x86)\IObit Apps Toolbar not found.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 57472 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Default.migrated

 

User: EasySurvey

 

User: Mari

->Temp folder emptied: 138386 bytes

->Temporary Internet Files folder emptied: 243275122 bytes

->FireFox cache emptied: 17144398 bytes

->Google Chrome cache emptied: 346059066 bytes

->Flash cache emptied: 57820 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 11214459 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 589,00 mb

 

 

OTM by OldTimer - Version 3.1.21.0 log created on 12302013_235108

 

Files moved on Reboot...

C:\Users\Mari\AppData\Local\Temp\winstore.log moved successfully.

C:\Users\Mari\AppData\Local\Microsoft\Windows\INetCache\counters.dat moved successfully.

File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

C:\WINDOWS\temp\FireFly(201312301406344C0).log moved successfully.

C:\WINDOWS\temp\integratedoffice.exe_c2ruidll(201312301406344C0).log moved successfully.

C:\WINDOWS\temp\integratedoffice.exe_streamserver(201312301406354C0).log moved successfully.

File move failed. C:\WINDOWS\temp\ood_stream.x86.fi-fi.dat scheduled to be moved on reboot.

File move failed. C:\WINDOWS\temp\ood_stream.x86.x-none.dat scheduled to be moved on reboot.

 

Registry entries deleted on Reboot...

[kevinf80]

What is the status of your system now, any remaining issues or concerns..

[unluckychick]

Everything seems to be working just fine as far as I can tell!

 

Just wondering though about all the programs we added during the process, which ones is it ok for me to delete and do I need to take any special steps to do so?

 

Also, could you give any sort of opinion on how badly I was infected? And since I've most likely used my online banking while this thing was on my laptop should I worry about it and other password stuff?

 

Thank you for being so incredibly patient with me with all of this!

[kevinf80]

I would change all passwords as a precaution, I only see unwanted adware and PUP`s nothing outright malicious....

 

We need to remove FRST,  first it is very important to deal with its own Quarantine folder by using FRST itself..

 

OK, we continue:

 

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

 

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful.

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Allso whilst C:\ is expanded delete any files/folders related to AdwCleaner and Zoek.....

 

Next,

 

 

•  

   

• Double-click OTM.exe to run it. Windows 7/8 or Vista accept UAC alert..

   

   

• Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.

   

   

• It should ask if you want to clean up, select Yes. You maybe asked to reboot, allow that to happen.

   

   

 

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 

•  

     

• Activate UAC

   

     

• Remove disinfection tools

   

     

• Create registry backup

   

     

• Purge System Restore

   

     

• Reset system settings

   

   

 

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any tools left on your desktop such as System Look can be deleted...

 

Let me know if the above completes, also if any remaining issues or concerns.....

 

Kevin

 

***EDIT***

 

Also Uninstall adwcleaner.exe (unless you want to keep it)

•   Please close all open programs and internet browsers.
  
•   Double click on adwcleaner.exe to run the tool.
  
•   Click on Uninstall
  
• Click Yes at Would you like to Uninstall Adwcleaner
  

fixlist.txt

[unluckychick]

Everything went fine and I believe I was able to delete everything we used with your instructions!

 

Everything seems to be running smooth now and I'm not seeing any obvious signs of the virus left on my laptop.

 

Anything else I need to do?

[kevinf80]

Nothing left to do, if no remaining issues/concerns you should be good to go.. Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we can close out...

 

Take care,

 

Kevin...

[unluckychick]

I think we should be fine to close!

 

I'll be sure to read that right away, I don't wanna have to go through this again anytime soon hahahha

 

Thank you so much for your help Kevin, you've been amazing!

[kevinf80]

Happy to help....

[unluckychick]

One last quick question! I have used usb sticks on the laptop while the virus was on it. I newd to use the usbs and my external harddrive again, do you tuink they are infected from the virus? What should I do when I connect them?

[kevinf80]

I use "No Autorun" for that very reason, it will protect your system from possible infection via USB memory stick or external hard drive, you can d/l from the following link:

 

http://sourceforge.net/projects/noautorun/

 

That link also has tabs to discussions, reviews, support etc etc. Read up from the link and learn how to use the features. When you are confident install the program and run it, then you can insert the USB sticks and scan them with your AV program and Malwarebytes...

 

Kevin...

[unluckychick]

How likely do you think it is that they have transferred to the USBs? I've used the same sticks at school on the computers and never noticed anything/got av warnings.

[kevinf80]

I believe the chances that your USB sticks were infected is very slim, there is still no reason not to check them out. Also is a very good reason to have No Auto run on your system if you use USB sticks that have been in contact with other PC`s....

[unluckychick]

Ok, thanks man! I'll read up on the program after new years and not plug in my usb's before that. The programs seems a bit tricky to understand a first glance at least but I'll try my best! Cheers!

[kevinf80]

Its quite easy to follow and is more or less on auto mode once installed, it runs when Windows is started, sits in the tray next to your clock. It will open if you put any USB devices in and respond.

 

When installed (with no usb in) right click on the icon next to clock and the menu opens, you can easily follow any needed instructions from that menu....

[unluckychick]

Can you make an exception for a device or something? My internet is one that works with a USB stick

[kevinf80]

I`ve also got one of those when i`m on the road, don`t have any issues with it.... Do you have a problem with yours...

 

If you right click the icon and select "Config" that opens a new window. Make sure the box under security is unticked, like the image..

[unluckychick]

Sorry I haven't even tried it yet, I'm currently traveling and uskng my phone. I'll give the program a proper look tomorrow though! I was just wondering if it would cause problems with the internet but I guess I'll see tomorrow hahahah

[kevinf80]

Okey dokey, have fun......

[AdvancedSetup]

Are we done here?  Is this topic okay to close now or do you still need help?

[unluckychick]

Hey I just noticed an issue on my laptop that appeared now after thr things we did.

 

On the metro view, I can't access e-mail, weather, the calendar or the windows shop!

 

I believe the issue is with other apps as well!

[kevinf80]

In that situation probably the best option is to Refresh the system, go to the following link:

 

http://windows.microsoft.com/en-gb/windows-8/restore-refresh-reset-pc

 

Please read and fully understand the instructions before you progress, also scroll to and expand "Refresh your PC without affecting your files"

 

Kevin...