[Buddierdl]

Do you have a Window 7 CD?

[Advertisements]

No, but I can probably find one somehow. What did you have in mind?

[PoorestFish]

No, but I can probably find one somehow. What did you have in mind?

[Buddierdl]

Try to see if you can get one. We have kind of tried everything and run out of ideas. A repair install with the disc can preserve your data while fixing windows components. I will get some instructions for you. Let me know if you can get the CD.

[PoorestFish]

I will try to get my hands on one as soon as I can.

[PoorestFish]

Realized I had a copy of the ISO since I downloaded Windows 7 the first time. Burned another copy of the disc.

So should I go ahead and just do a repair install? Is it going to kill my file type or program associations? I remember doing a repair a long while ago and it said it preserved my programs, but just ended up leaving a whole bunch of broken shortcuts and other problems that forced me to just clean install rather than deal with the issues and I have too much data this time to want to resort to that.

[Buddierdl]

Hi PoorestFish,

So should I go ahead and just do a repair install? Is it going to kill my file type or program associations? I remember doing a repair a long while ago and it said it preserved my programs, but just ended up leaving a whole bunch of broken shortcuts and other problems that forced me to just clean install rather than deal with the issues and I have too much data this time to want to resort to that.

This is the tutorial for doing a repair install. It should preserve your data and programs. Make sure that you follow it carefully. It wouldn't hurt to have a backup of your data just in case. I think we have pretty much done all we can to resolve the update issue and this is the best course now.

[PoorestFish]

Doing a quick backup now and hope to have a full repair done by tomorrow. I will report back.

[Buddierdl]

Ok. Let me know how it goes and if there are any remaining problems. Then we can cleanup the tools and be done.

[PoorestFish]

Okay.

Everything installed and I am currently looking at around 100+ Windows Updates and it looks like everything else is able to connect also. Is there anything I should do before I run updates or other normal functions?

[Buddierdl]

Hi PoorestFish,

I'm glad we finally got it working. Please let the updates install as soon as possible in order to secure you computer. Be sure to update MSE too. Also, let's run a few last scans to catch any remanats.

Step 1: Run SecurityCheck

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2: Run MBAM.

• Open MBAM and update the definitions.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3: Run online scan.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Things I need in your next reply:

• SecurityCheck log
• MBAM log
• ESET log
• Any outstanding problems?

[PoorestFish]

Step 1 and 2 are done and I am currently running the Online Scanner now on ESET.

Taking a while so I thought I would partially update you, but no immediate problems noticed so far. I don't want to jinx it, but it looks like things are running well.

Attached Files

•  checkup.txt   1.07KB   127 downloads
•  mbam-log-2013-02-26 (21-29-36).txt   1.83KB   102 downloads

[PoorestFish]

Also, copy and pasted is the log. Not sure if it is supposed to be this short.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Also, listed below are the copied scan results.

C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1\DNSFlushcws1.zip Win32/Bagle.gen.zip worm
C:\Program Files (x86)\CustoPackTools\utils\ask\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\CustoPackTools\utils\ask\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.W trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] Win64/Conedex.C trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] Win64/Sirefef.AW trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] a variant of Win64/Sirefef.AN trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0003.dta Win64/Conedex.C trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0006.dta Win64/Sirefef.AW trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0008.dta a variant of Win64/Sirefef.AN trojan
C:\_OTL\MovedFiles\01012013_092933\C_Windows\system32\config\systemprofile\AppData\Local\{87644C2E-F242-4688-9686-725779AEB5C6}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan

Otherwise, everything looks good.

[Buddierdl]

Hi PoorestFish,

One last little thing to take care of. Most of the threats were already in quarantine. If all goes okay, then we can do our cleanup.

Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.

Start OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

  :Commands
  [createrestorepoint]
  
  :Files
  C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1
  
  :Commands
  [emptytemp]

• Then click the Run Fix button at the top
• Let the program run unhindered.
• Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

[PoorestFish]

Posted is the log.

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 57616 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Robert Chau
->Temp folder emptied: 192202492 bytes
->Temporary Internet Files folder emptied: 85939191 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 272156747 bytes
->Flash cache emptied: 62245 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1279796 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81704723 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 9551315863 bytes

Total Files Cleaned = 9,713.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02282013_172554

Files\Folders moved on Reboot...
C:\Users\Robert Chau\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll moved successfully.
C:\Users\Robert Chau\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Users\Robert Chau\AppData\Local\Temp\lmgrd9.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[Buddierdl]

Congratulations, PoorestFish . Your computer now appears to be clean. Please complete the followings steps to finalize the cleaning process.
It would be a good idea also to reset your firewall in case the malware opened any ports.

Please update these programs, as old versions pose a security risk.

• Java
  
  WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
  See this article and this article.
  I would recommend that you completely uninstall Java unless you need it to run an important software.
  In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)
  
  If you do need java, then you should definitely update to the latest version:
  
  Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, then click Remove JRE.
  • Run the built-in uninstallers for all copies of java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
  • Run the installer
  • Close JavaRa
• Adobe Flash -> You can get the latest version here.
• Adobe Reader -> You already have the latest version, but I would recommend securing Adobe Reader against the latest exploits as follows:
  • Launch Adobe Reader.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button.

Uninstall Combofix:

• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
• In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK.
• Follow the prompts on the screen.
• A message should appear confirming that ComboFix was uninstalled.

Clean up OTL:

• Open OTL and select the "CleanUp" button.
• Allow the computer to reboot.
• Any logs or removal tools left over can be deleted now. If ESET is still installed, you can uninstall it from the "Programs and Features" menu in the control panel.

Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.

First set up a new, clean restore point:

• Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
• In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
• Click the System Protection tab, and then click Create.
• In the System Protection dialog box, type a description, and then click Create.

Then delete the old, infected ones:

• Go Start > All Programs > Accessories > System Tools
• Right click Disc Cleanup and select run as administrator
• Then select the more options tab
• Select system restore and shadow copies "Clean up"
• Follow the prompts

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:

• First, click on Start and click onAll Programs, then Windows Update.
• Click on Change Settings in the left pane and then check the option for Automatic Updates.

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.