
Win7 Antivirus 2012-- I suspect remnants


#46 RKinner (Malware Expert)
Looks like we caught it before it got too bad this time. I think we can fix this one fairly quickly. First see if Windows Firewall is present in the services window:

Right click on Computer and select Manage then Services and Applications then Services.

Find Windows Firewall. IF you find it, right click on it and select Properties. Verify that it has Startup Type: Automatic. Apply. Try and START the firewall if it is not already Started. Do you get an error message?

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

Right click on (My) Computer and select Manage (Continue) then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.

2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

Ron


Download and Save the free Avast installer.
http://www.avast.com...ivirus-download

Uninstall Microsoft Security Essentials

Reboot

Install Avast. (Register when it asks you - they will try to talk you into buying the full product but the free version is what we want.)
Once you have it installed and it has updated:
Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours so this is a good thing to let run while you sleep.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
See if you can find C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt or maybe C:\ProgramData\Avast Software\Avast5\report\aswboot.txt and copy and paste it into a reply.
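The Services check and the VEW "Error + Warning, last 20 events" query in the post above can also be done from an elevated PowerShell prompt. This is an added example, not a tool from the thread; it assumes the Windows 7 service name MpsSvc behind the "Windows Firewall" display name and mirrors the shape of the VEW output posted later in this thread.

```powershell
# Added example (not from the thread): verify the Windows Firewall service and list the
# newest 20 Critical/Error/Warning events from the System and Application logs.
# Run from an elevated PowerShell prompt on Windows 7.

# MpsSvc is the service name behind the "Windows Firewall" display name (assumption noted above).
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Windows Firewall service (MpsSvc) is not present - a missing service is what the thread checks for."
} else {
    Write-Output ("Windows Firewall: status={0}" -f $svc.Status)
    # Same as the Properties dialog: Startup Type Automatic, then Start if it is not running.
    Set-Service -Name MpsSvc -StartupType Automatic
    if ($svc.Status -ne 'Running') {
        try   { Start-Service -Name MpsSvc; Write-Output "Windows Firewall started." }
        catch { Write-Output ("Start failed: {0}" -f $_.Exception.Message) }   # report the error text, as the post asks
    }
}

# Equivalent of VEW's query: Level 1 = Critical, 2 = Error, 3 = Warning; newest 20 per log.
foreach ($log in 'System', 'Application') {
    Write-Output "~~~~ '$log' Log - Critical/Error/Warning, newest 20 ~~~~"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One block per event, in the same layout as the VEW log in this thread.
            "Log: '{0}' Date/Time: {1}" -f $log, $_.TimeCreated
            "Type: {0}  Event: {1}  Source: {2}" -f $_.LevelDisplayName, $_.Id, $_.ProviderName
            ($_.Message -split "`r?`n")[0]   # first line of the description only
            ""
        }
}
```

Clearing the logs beforehand (as the post does through Event Viewer) makes the output show only events from after the reboot; Clear-EventLog -LogName System, Application does the same from an elevated prompt.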
#47 JeremyK (Topic Starter)
Ron,

Thanks for seeing this through. Since you suggested we caught this early and there is hope-- I'll hold off on reformatting. I went ahead and wiped my external HD that I think was the culprit. As for your last post:

Firewall was up and running. No errors- it was set to automatic and started when I opened the management screen. Cleared Java. Ran VEW. Here is log:

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 30/12/2011 2:38:51 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/12/2011 8:38:03 PM
Type: Error Category: 0
Event: 3002 Source: Microsoft Antimalware
Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

Log: 'System' Date/Time: 30/12/2011 8:36:14 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} did not register with DCOM within the required timeout.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



I'm preparing to follow your antivirus advice. Doing so after this post. I'll post scan log.

Edited by JeremyK, 30 December 2011 - 02:42 PM.


#48 JeremyK (Topic Starter)
After seeing how long the avast scan will take, I think I need to wait until I sleep. That said, do you suspect I'm still at great risk? If so, I'll just give up the PC for the day and scan.

Thanks,
J

#49 RKinner (Malware Expert)
I think it would be best considering your history to wait until after Avast does the full boot-time scan.

I would uninstall Vuze and Vuze Toolbar. P2P programs like Vuze are a good source for malware. Even if the program was clean to start with it might have been stored on an infected computer. If you must use p2p you should always submit the files you get to http://virustotal.com

Some people object to the voice notification of Avast updates. (Namely me - I leave the PC on all of the time and I hate to wake up in the middle of the night because Avast wants to tell me that it got another update.) To turn it off, click on the Avast ball then on Settings. Then on Sounds and uncheck Automatic Updates. OK. (It will still update, it just won't tell you about it.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Popups and change the first two to 1 second.

The registration is good for 12-14 months then you will need to register again. They will, of course, try to talk you into buying the product but you can always register again for another year free.

#50 JeremyK (Topic Starter)
Hey Ron,

Scan complete. Avast caught nothing. Here is the log:

12/30/2011 14:55
Scan of all local drives

File C:\Program Files\Heroes of Newerth\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}

Scanning aborted
Number of searched folders: 13323
Number of tested files: 1055095
Number of infected files: 0

----------------------------------------
12/30/2011 18:12
Scan of all local drives

File C:\Program Files\Heroes of Newerth\editor\textures.s2z|>00000000\ui\images\logo.dds Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 36195
Number of tested files: 1854223
Number of infected files: 0



I went ahead and removed vuze. This whole virus experience has really humbled me. I think I'll be avoiding anything I know is risky. I once thought I had a good enough hold on safe browsing to avoid infection... clearly I was wrong.

#51 RKinner (Malware Expert)
I think we are about done then. Did I ask you if the Security Center was running?

If it is then it's cleanup time:


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#52 JeremyK (Topic Starter)
Hey Ron,

I followed your cleanup steps. I checked the security center (I think). See attachment. Is there further verification needed to know if the center is running?

Any other final things that ought to be done to ensure the PC is clean and healthy?

Thanks for everything.

Jeremy

Attached Thumbnails

  • Capture.JPG


#53 RKinner (Malware Expert)
That's good enough.

#54 JeremyK (Topic Starter)
After so many steps it is hard to imagine that it's finally clean. I want you to know that I am really thankful for all your time and effort. I appreciate your willingness to help folks for the sake of it. I hope you have a good new year. Unless there is anything else that I ought to do, then I suppose we're through it! Thanks again.

Best,
Jeremy

#55 RKinner (Malware Expert)
bye
#56 JeremyK (Topic Starter)
bye