[Satchfan]

All looking good. If there are no remaining problems and the final scan shows up clear we should be able to tidy up.

====================

The OTL fix log can be found at C:\_OTL\MovedFiles. It will have a file name consisting of numbers that reflect the date and time the fix was run. It will be something similar to 13032013_*****.log .

====================

Run ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan


1. Click the Eset online Scanner button.
2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
• Double click on the Eset installer icon on your desktop.

3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Accept any security warnings from your browser.
6. Check Scan archives
7. Push the Start button.
8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
9. When the scan completes, push List of found threats
10. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
11. Push the back button.
12. Push Finish
If a log has been produced post it in your next reply.

Please let me know if there are any remaining problems

Thanks

Satchfan

[Advertisements]

ESET Online Scan only reported one file as infected. It was the System32.exe(.vir) that ComboFixer quarantined.

Attached Files

•  03132013_144358.log   10.27KB   84 downloads

[ChaseAllen]

ESET Online Scan only reported one file as infected. It was the System32.exe(.vir) that ComboFixer quarantined.

Attached Files

•  03132013_144358.log   10.27KB   84 downloads

[Satchfan]

Looks like we are about ready to tidy up but there is one last thing first.

Windows Firewall

You should not have Windows Firewall on when you have another firewall enabled.


1. Open Windows Firewall by clicking Start, Control Panel, and then click Windows Firewall.
2. On the left, click Turn Windows Firewall on or off. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click Off (not recommended) , and then OK.
When you’ve done that, please run SecurityCheck again and send the new log.

Thanks

Satchfan

[Satchfan]

Hi

It has been several days since I asked you to follow some instructions prior to our tidying up.

Please let me know if you are having problems.

Thanks

Satchfan

[ChaseAllen]

Hello Satchfan,

I'm sorry for the late reply, I have been caught up in my competition. Thank you for keeping the topic open as I am going to run security check again tonight and post the results in the afternoon. I can't express how thankful I am for your help in removing the malware from my computer!

Edited by ChaseAllen, 19 March 2013 - 09:30 PM.

[Satchfan]

You're welcome.

I'll wait for your reply.

[ChaseAllen]

My Windows Firewall was automatically turned off by Norton Anti-Virus. Even with Norton off, I am unable to change Windows Firewall settings.

I've tried running SecurityCheck with and without Norton on. Both resulted in the same log.

Attached Files

•  checkup2.txt   992bytes   52 downloads

Edited by ChaseAllen, 20 March 2013 - 01:35 PM.

[Satchfan]

You are right: even though it appears to be enabled, Norton disables the Windows firewall.

Good work, your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up you computer and decrease the likelihood of getting infected again:

Uninstall Combofix

Follow these steps to uninstall Combofix

• click START then RUN
• now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.

• please follow the prompts to uninstall Combofix.
• once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Uninstall OTL

• double-click OTL.exe
• click the CleanUp! button.
• select Yes when the Begin cleanup Process? prompt appears.
• if you are prompted to reboot during the cleanup, select Yes.
• the tool will delete itself once it finishes, if not delete it by yourself.

NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.

===================================================

Uninstall AdwCleaner

• double click on adwcleaner.exe to run the tool
• click on Uninstall
• confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Update installed programs

Your version of Flash Player is out-of-date.

Go here and download the latest version.

NEXT

Visit ADOBE and download the latest version of Acrobat Reader.

Having the latest updates ensures there are no security vulnerabilities in your system.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

===================================================

Install Spybot - Search and Destroy - Download and install Spybot Search and Destroy which provides real time spyware and hijacker protection .

You should scan your computer with the program on a regular basis as you would with your anti-virus software.

A tutorial on installing and using SS&D can be found here

===================================================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes


If I hear nothing for 24 hours I shall assume all is well and close the topic.

Safe computing

Satchfan

[ChaseAllen]

Thank you for the recommendations!

I still have a question, however. I'm not sure of which step, but somewhere along the line something changed my folder settings. And now I see a bunch of folders and files I never recall being there that appear to be some kind of system files? (Ex: C:\boot and C:\Perflogs, lots of log files under C:\Users\Chase.). Which setting in folder options under control panel will turn this off?

[Satchfan]

• open Windows Explorer, (Windows key+E)
• at the top, click on Organise, >Folder and search options
• click on the “View” tab
• under “Files and Folders”, remove the check in Show hidden files, folders and drives

Satchfan

[ChaseAllen]

That didn't fix it. These arn't hiddden files/folders. And I never recall them being there before.

Edited by ChaseAllen, 21 March 2013 - 07:37 PM.

[Satchfan]

Apologies for the rash reply - it was very late here

You can safely delete those.

The “perflogs” folder is only a record of a test of your operating systems performance rating.

"boot.bak" is part of the Recovery Console or Erunt and is also no longer needed.

[ChaseAllen]

So I should delete the C:\Boot folder?

Also what about C:\Users\Mcx1-CHASE-LAPTOP ?

It says (along with C:\Perflogs, C:\Boot, C:\Utility, C:\Intel, C:\Temp\SCX-4x21_Print, C:\Users\Chase\RouterCfm.cfg, C:\Users\Chase\.gitconfig, C:\Users\Chase\random.dat, C:\Users\Chase\.vladmin(file), C:\Users\Chase\xobglu16.dll, C:\Users\Chase\Tracing, C:\{CE516BC0-219A-44FA-ADA2-0163E34DBE69}(file), C:\Users\Default, C:\Users\Public) that they were modified/created 4 years ago (Long before I got this computer). And I know for a fact that these were not here until recently.

That is, all except C:\Users\Public and C:\Users\Default. It says that those were modified on 3/11/2013. (I actually take that back. I'm not 100% sure on the C:\Users\Default directory, it might have been there before)

These files/directories were not once hidden. I've always kept show hidden files and folders on. It just seems so weird that these old directories/files all of the sudden make their presence aware on my computer. I just feel that one of the programs that you had me run may have "flipped a switch" somewhere? Or, maybe running in safe mode revealed/used these directories/files? I've never ran in safe mode on this machine up until this point. That seems to be a logical explanation for the creation of the 3(or 2) new user directories and logs?

I suppose it's not too big a of a deal. But I just want to make sure everything looks ok.

Thanks

[Satchfan]

C:\Users\Mcx1-CHASE-LAPTOP – Xbox-related

C:\Temp\SCX-4x21_Print – this appears to be Samsung printer driver

C:\Users\Chase\xobglu16.dll – do you have Macromedia Director installed?

C:\Users\Chase\.gitconfig - http://en.wikipedia.org/wiki/GitHub


Users/Default and Users/Public are normal Windows folders.

I’m not sure what exactly all those are but I would say that none of them are worth troubling yourself about as they are not “bad”.

[ChaseAllen]

That makes sense. I do not recall installing macromedia director, may be Internet browser flash related. Weird that I could never see these up until now though. But defiantly not worth worrying about.

Thanks again for your help in keeping my computer clean!