Email being hacked in IE [Solved]



#16
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Sorry, I needed to go to bed and I wasn't sure how long the ESET scan was going to take.

When I went to delete the Swagbucks toolbar, it was apparently deleted by something already, because it was not under the programs list to delete.

Why do you want me to delete the Swagbucks Toolbar? It is a business I work for and I use it on a daily basis. I was going to delete it, because you asked me to, but I would like to know why. :confused:

Again, thank you for your great attention to my computer.
  • 0



#17
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi,

Sorry, I needed to go to bed and I wasn't sure how long the ESET scan was going to take.

Fair enough. The scan can take a long time to complete depending on the system.
Just post it ASAP so we can continue. :thumbsup:

When I went to delete the Swagbucks toolbar, it was apparently deleted by something already, because it was not under the programs list to delete.

Why do you want me to delete the Swagbucks Toolbar? It is a business I work for and I use it on a daily basis. I was going to delete it, because you asked me to, but I would like to know why.

SwagBucks is one of those programs/toolbars that is all over the map. Lots of folks think it's great. Lots of folks have had problems and think it's a scam.

Most people that we ask about the SwagBucks toolbar say they didn't install it. I've seen reports of tracking and sometimes the way it got installed on the system is dubious.
As an example....you say it is not in your list of installed programs. And we haven't done anything to remove the program other than my instruction to remove it. We did include removing the Chrome homepage and default search engine in the OTL fix, but it is still in the OTL log after the fix. And it still shows up on your system and in the OTL list of programs installed.

From the OTL log after the last scan:

OTL logfile created on: 8/30/2012 12:26:34 PM - Run 2
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\GreenDell\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

========== Chrome ==========
CHR - homepage: http://www.swagbucks.com/
CHR - default_search_provider: swagbucks.com (Enabled)
CHR - default_search_provider: search_url = http://www.swagbucks...q={searchTerms}
CHR - homepage: http://www.swagbucks.com/


========== HKEY_LOCAL_MACHINE Uninstall List ==========
...
"Swag_Bucks Toolbar" = Swag Bucks Toolbar

It is odd when the OTL scan shows a program/toolbar yet it can't be found in the programs installed list in the control panel. And most of these things we see are toolbars that for some reason won't show themselves. And when OTL is used to remove an entry, but doesn't, that usually means that the program or toolbar has put something in a location that the scan doesn't look at so it can keep itself on the system. I'm not saying it's malware....just dubious.

The bottom line is we tend to err on the side of caution and remove it. If you want to keep it do so by all means. At the end of the day the computer is yours and it is your choice. :yes:

Again, thank you for your great attention to my computer.

You're welcome again ;)
  • 0

#18
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
I'm not sure if you saw that I posted the ESET log early this morning.



As far as Swagbucks is concerned, the Chrome entries are not a toolbar, but just settings to make Swagbucks my default search engine. Also I have my homepage set to swagbucks.com. Since you feel the toolbar is a liability and it is not mandatory for me to have it, then I won't have it. As far as it being a scam, well it is what you make it. I will receive a 1099 this year to claim on my taxes because I have made that much money. This month alone I have made $125. It makes a nice side income. That is another issue entirely and I am not trying to change your mind, but as with any business, you get out of it what you put in it. However, I do trust your judgement and will not download the toolbar.

For the next sections, I apologize cause I'm not sure how to quote by section like you do, so I just copied and pasted. I hope this is ok.


This section:


========== HKEY_LOCAL_MACHINE Uninstall List ==========
...
"Swag_Bucks Toolbar" = Swag Bucks Toolbar



I only see this in OTL scan 1. I'm not sure if I am missing something.




I am curious about this (are these active on my computer?):

O1 HOSTS File: ([2012/08/28 17:54:15 | 000,444,042 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 15254 more lines...

  • 0

#19
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Jules,

I'm not sure if you saw that I posted the ESET log early this morning.

:blush: I did not. I missed it. Thanks for bringing that to my attention. It looks good.

As far as Swagbucks is concerned, the Chrome entries are not a toolbar, but just settings to make Swagbucks my default search engine...However, I do trust your judgement and will not download the toolbar.

I understand that the Chrome entries aren't the toolbar. And if you put them back in after the OTL fix, fair enough. If you feel comfortable with SwagBucks you should keep it. In this instance my judgement doesn't matter....I don't think SwagBucks is malware, so your judgement prevails here. I'm not being flippant here and I can't overstress this point...If you are comfortable with SwagBucks and you haven't experienced any problems with it, please re-download it. Unless it is something that is harmful to your computer it isn't our job to tell you what you should have on your computer. :)

You didn't miss anything....I did. I went back and checked the AdwCleaner scan that we ran. It flagged SwagBucks and removed it. So that solved that riddle. The toolbar was not trying to keep itself on the computer, I just missed it in the AdwCleaner. Again, if you use it and are not having any problems, you should reinstall it. If you ever find that it is causing problems you can come back here and we'll look at it again. :thumbsup:

For the next sections, I apologize cause I'm not sure how to quote by section like you do, so I just copied and pasted. I hope this is ok.

Of course it's OK. You are doing great. :D

The Hosts File entries you asked about are malicious web sites that have been added to your hosts file. They are not active in the sense that they are sites your computer has visited. This was done by the SpyBot S&D program. Because each entry begins with 127.0.0.1, if you are ever directed to one of the sites, or click on a link that redirects you to one of these sites, your computer will check its hosts file first and display a blank page or an about:blank page etc. This keeps you from accidentally being redirected to one of these malicious sites. I know it looks bad when you see some of the sites that are listed but it's actually a good thing. Every time you update the SpyBot program it adds any new sites that the program developers have found since the last update. I hope that made sense.

The last thing we are gonna do before cleanup is see what programs need updating. I saw in your log that you have Java 7 Update 5 installed. This was the most recent Java but there are a couple of huge exploits in that version that have just recently been discovered. Java has issued a new update to deal with those.


Step-1.

Run Security Check

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step-2.

Things For Your Next Post:
1. The Checkup.txt log
  • 0
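
The difference between a blocking entry and a hijacking entry in a hosts file, as an added example that is not part of the original thread: the script sorts hosts-file lines (raw, or in OTL's `O1 - Hosts:` form) into names pinned to a loopback address and names pointed at a real address, which are the ones worth reviewing. Every host name and address in the sample is constructed.

```python
import ipaddress

# Constructed sample in the two formats seen in the thread: raw hosts-file
# lines and OTL "O1 - Hosts:" log lines. None of it comes from the user's PC.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
O1 - Hosts: 127.0.0.1 www.blocked-example.test
O1 - Hosts: 127.0.0.1 blocked-example.test
0.0.0.0         ads.example.test   # trailing comment
O1 - Hosts: 203.0.113.7 www.mybank.example
203.0.113.7     update.vendor.example login.vendor.example
O1 - Hosts: 15254 more lines...
not-an-ip       garbage.example
"""

OTL_PREFIX = "O1 - Hosts:"
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def parse_line(line):
    """Return (ip, [hostnames]) for a mapping line, or None for anything else."""
    line = line.strip()
    if line.startswith(OTL_PREFIX):
        line = line[len(OTL_PREFIX):]
    line = line.split("#", 1)[0]          # drop comments
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None                       # e.g. OTL's "15254 more lines..."
    return ip, [name.lower() for name in fields[1:]]


def classify(text):
    """Split hosts entries into localhost, blocked (sinkholed) and redirected."""
    result = {"localhost": [], "blocked": [], "redirected": []}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, names = parsed
        # 127.0.0.1, ::1 and 0.0.0.0 never leave the machine: the name is blocked.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if sinkhole and name in LOCAL_NAMES:
                result["localhost"].append(name)
            elif sinkhole:
                result["blocked"].append(name)
            else:
                # The name resolves to an address chosen by whoever wrote the
                # entry, bypassing DNS. This is what a hosts hijack looks like.
                result["redirected"].append((name, str(ip)))
    return result


if __name__ == "__main__":
    report = classify(SAMPLE)
    print(f"{len(report['blocked'])} names blocked via loopback")
    for name, ip in report["redirected"]:
        print(f"REVIEW: {name} -> {ip}")
```

A blocklist like the one in the log lands entirely in `blocked`; anything in `redirected` deserves a closer look.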

#20
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Results of screen317's Security Check version 0.99.49
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.1
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader X (10.1.4)
Mozilla Firefox (15.0)
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSASCui.exe
Spybot Teatimer.exe is disabled!
Windows Defender MSASCui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````
  • 0

#21
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Going to update Java now. Thanks for heads up.
  • 0

#22
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Oh and by the way, you are totally awesome!! :wub:
  • 0

#23
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Going to update Java now. Thanks for heads up.

Since that's the only security program that needs updating we are down to cleanup. I'll be back with instructions for that. It is important that we clean up the tools we used so that if you're ever infected again you'll download fresh tools.
I will also post some suggestions that will hopefully be helpful in preventing future infections.

Oh and by the way, you are totally awesome!!

And you are very welcome ;)
  • 0

#24
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
My kids used this computer for several months as their "game" computer. After I took it back over, I deleted a bunch of malware. Online game sites are unfortunately loaded with it. I will happily accept any suggestions for future prevention, but I am hoping since I am the sole user now, infection will be less likely.

I will need to disinfect another computer that became the game computer after our work with this one is finished. I am happy you make it so easy to work through all these programs. I wish I had your knowledge so I wouldn't have to bother you with our other computers, but I am so thankful you are here to help.
  • 0

#25
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

My kids used this computer for several months as their "game" computer. After I took it back over, I deleted a bunch of malware. Online game sites are unfortunately loaded with it. I will happily accept any suggestions for future prevention, but I am hoping since I am the sole user now, infection will be less likely.

:rofl: I'm glad mine are grown!

I will need to disinfect another computer that became the game computer after our work with this one is finished. I am happy you make it so easy to work through all these programs. I wish I had your knowledge so I wouldn't have to bother you with our other computers, but I am so thankful you are here to help.

OK. Just start a new topic and one of us will be happy to help. If you want me to give it a shot, just put ATTN: godawgs in the topic along with the topic title. And you aren't bothering us....you're in it with us. You do just as much as we do. :D


OK! Well done. :thumbsup: Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please proceed with the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

Step-1.

Click the Start Orb and click Control Panel. In the list of programs installed find ESET online Scanner and uninstall it.

Step-2.

OTL Cleanup
1. Please copy all of the text in the code box below. To do this, highlight everything inside the code box, right click and click Copy.
  • :COMMANDS
    [CLEARALLRESTOREPOINTS]
    [REBOOT]
    
  • Please re-open Posted Image on your desktop.
  • Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
  • Click the Posted Image button.
  • Let the program run unhindered. When finished click the OK button and close the log that appears.
  • NOTE: I do not need to review the log produced.
  • OTL may ask to reboot the machine. Please do so if asked.
2. Please re-open Posted Image on your desktop.
  • Be sure all other programs are closed as this step will require a reboot.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.
The above process will flush all old System Restore points and create a new clean one. It will also remove the OTL logs created during the cleanup process. After it is finished, OTL will remove itself. This is so that if you are ever infected again you will download the most current copy of the tool.


Go to the folder you downloaded these files to and delete them. If it was the desktop, delete them there. If it was the Downloads folder, delete them there.

aswMBR.exe
MBR.dat
aswMBR.txt
RougeKiller.exe
All REReport.txt files
AdwCleaner.exe

All AdwCleaner[R1].txt files and all AdwCleaner[S1].txt files
SecurityCheck.exe
Checkup.txt


Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop or in the folder you downloaded them to. Empty the Recycle Bin.


Step-3

Re-Start TeaTimer

  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode and then on "Advanced Mode".
    Posted Image
  • You may be presented with a warning dialog. If so, press Yes.
  • Click on Posted Image
  • Click on Posted Image
  • Check these checkboxes:
    Posted Image
  • Close/Exit Spybot Search and Destroy.


Step-4.

Reset Hidden Files and Folders

1. Click the Start Orb.
2. Click Computer.
4. In the Menu bar at the top of the page, click the Tools menu and click Folder Options.
5. Select the View tab.
6. Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
7. Click the box beside Hide protected operating system files (recommended) . Click Yes to confirm. Click OK.



Preventing Re-Infection

Below, I have included a number of recommendations for how to protect your computer against future malware infections.

:Keep Windows Updated:-Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Vista and Windows 7 Users:
1. Click Start> All Programs, from the list find Windows Update and click it.


:Turn On Automatic Updates:

Vista and Windows 7
1. Click Start> Control Panel. Click Security. Under Windows Update, Click Turn automatic on or off.
2. On the next page, under Important Updates, Click the Drop down arrow on the right side of the box and Click Install Updates Automatically(recommended).
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your task bar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

: Keep Java Updated :
  • Click the Start button
  • Click Control Panel
  • Double Click Java - Looks like a coffee cup. You may have to switch to Classical View on the upper left of the Control Panel to see it.
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed
: Keep Adobe Reader Updated :
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed
NOTE: Whether you use Adobe Reader, Acrobat or Foxit Reader to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Click Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. Click OK Close program. It's the same for Foxit Reader except Preferences is under the Tools menu, and you uncheck Enable Javascript Actions.

:Web Browsers:

:Make your Internet Explorer more secure:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to "Prompt"
6. Change the Download unsigned ActiveX controls to "Disable"
7. Change the Initialise and script ActiveX controls not marked as safe to "Disable"
8. Change the Installation of desktop items to "Prompt"
9. Change the Launching programs and files in an IFRAME to "Prompt"
10. When all these settings have been made, click on the OK button.
11. If it prompts you as to whether or not you want to save the settings, click the Yes button.
12. Next press the Apply button and then the OK to exit the Internet Properties page.


Preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running a full scan at least once a month. Run Quick Scans at least once a week. Download the Free versions. And update the definitions before running scans.

========Anti Spyware========
  • Malwarebytes-Free Version- a powerful tool to search for and eliminate malware found on your computer.
  • SUPERAntiSpyware Free Edition-another scanning tool to find and eliminate malware.
  • SpywareBlaster-to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard-to catch and block spyware before it can execute. A tutorial can be found here.
  • WinPatrol - will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. Help file and tutorial can be found here.


It's a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

========TEMP File Cleaners========
  • TFC by OldTimer-A very powerful cleaning program for 32 and 64 bit OS. Note: You may have this already as part of the fixes you have run.
  • CleanUP-Click the Download CleanUP! link. There is also a Learn how to use CleanUP! link on this page.
:BACKUPS:
  • Keep a backup of your important files.-Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT-(Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

:Keep Installed Programs Up to Date:

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
A couple of programs that will do this are listed below. Only download and install one of the programs and run it monthly:
Secunia Software Inspector
Filehippo Update Checker

Finally, please read How did I Get Infected in the First Place(by Mr. Tony Klein and dvk01)


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For 24 hours or so. If Anything Comes Up - Just Come Back And Let Me Know

Stay safe :wave:
godawgs
  • 0
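
A way to check the Internet Explorer settings listed in the post above without clicking through the dialog, as an added example that is not part of the original thread: it reads a registry export of the Internet zone and reports any of the five settings that is looser than the post recommends. The key path (`...\Internet Settings\Zones\3`), the numeric URL action IDs and the 0/1/3 value meanings are the standard Windows ones and do not appear in the post; the sample export is constructed.

```python
import re

# Zone 3 is the Internet zone. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# URL action ID -> (label in the Security Settings dialog, value recommended in the post)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
}

# Constructed sample of a .reg export (regedit writes UTF-16; decode it first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000003
'''

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone3(reg_text):
    """Return {action_id: value} for DWORD values under ...\\Zones\\3 only."""
    values, in_zone3 = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()
            in_zone3 = key.endswith(r"\internet settings\zones\3")
            continue
        dword = DWORD.match(line)
        if in_zone3 and dword:
            values[dword.group(1).upper()] = int(dword.group(2), 16)
    return values


def audit(values):
    """List settings that are missing or looser than recommended."""
    findings = []
    for action_id, (label, wanted) in RECOMMENDED.items():
        actual = values.get(action_id)
        if actual is None:
            # Absent from the export: the effective value comes from elsewhere.
            findings.append((action_id, label, "not set", ACTION[wanted]))
        elif actual < wanted:
            # 0 < 1 < 3 orders the actions from loosest to strictest.
            shown = ACTION.get(actual, hex(actual))
            findings.append((action_id, label, shown, ACTION[wanted]))
    return findings


if __name__ == "__main__":
    for action_id, label, actual, wanted in audit(parse_zone3(SAMPLE_REG)):
        print(f"{action_id} {label}: is {actual}, recommended {wanted}")
```

A setting stricter than the recommendation (here `1800` set to Disable where Prompt is asked for) is not reported.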



#26
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Yikes! We might have a problem. I was doing the OTL scan where I copied in those commands and the program asked to reboot. As it was coming back up, it is just stuck on the Welcome screen. The blue circle is just circling beside the "Welcome." This has been going on for 5 minutes now.
  • 0

#27
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
There may be a lot of restore points OTL is clearing. Let it run for a while. Is this a laptop or a desktop?
  • 0

#28
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
This is a laptop and it is still doing the same thing.
  • 0

#29
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Give it another 5-10 minutes. If it still hasn't booted up, you will need to force the system to turn off. This is usually done by holding the power button down until the computer turns off. Then give it a minute or so and turn it back on. It should boot up.
  • 0

#30
Jules4me

Jules4me

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
Ok I'll do that in another 10 minutes or so, if needed. Thanks.
  • 0
