
datamngr and win|load reoccurring IE is highjacked ! [Solved]


#31 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello,

I'm also in and out. Just to review, the only issue left is the Internet Explorer 10 redirect?

Thanks
Joe :)

#32 MMHarding (Topic Starter, Member, 31 posts)
Yes. As far as I can tell, that is it.

#33 MMHarding (Topic Starter, Member, 31 posts)
That, and recurring detected files on Malwarebytes and Security Essentials (which I haven't rerun since we first connected).

#34 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello MMHarding,

Let's "reset" Internet Explorer.
I have provided instructions below, and you may refer to this site Here if needed.

1. Close all Internet Explorer and Explorer windows that are currently open.

2. Start Internet Explorer.

3. On the Tools menu, click Internet options. If you don't see the Tools menu, press Alt on the keyboard.

4. In the Internet Options window, click the Advanced tab.

5. In the Reset Internet Explorer Settings dialog box, click Reset.

Note: Select the Delete personal settings check box if you also want to remove browsing history, search providers, Accelerators, home pages, Tracking Protection, and ActiveX Filtering data.

I would "Delete personal settings" and then reset your home page. See how to do that Here, if needed.

When Internet Explorer finishes applying the default settings, click Close, and then click OK.
Exit and then start Internet Explorer.

Let's run a scan with RogueKiller too; for you that will be the 64-bit download.

To do that:

  • Download and save to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Start RogueKiller.exe
  • Wait until Prescan has finished
  • Click on Scan.
  • Wait until the Status box shows "Scan Finished"
  • Click on Delete
  • Wait until the Status box shows Deleting Finished
  • Click on Report and copy/paste the content of the Notepad
  • The log should be found in RKreport[1].txt on your Desktop
  • Close RogueKiller

In your next reply please post the

  • RKreport[1].txt from RogueKiller.
  • Let me know if resetting Internet Explorer fixed the redirect

Thanks
Joe :)

#35 MMHarding (Topic Starter, Member, 31 posts)
Seems great. The IE is working fine.

Here is the log.

RogueKiller V8.8.4 _x64_ [Jan 27 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mmharding [Admin rights]
Mode : Scan -- Date : 02/02/2014 15:17:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{FDC187F3-9230-486C-91AD-261256035FF4} : NameServer (8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - PHILIPPINES (PH) - UNITED STATES (US)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{FDC187F3-9230-486C-91AD-261256035FF4} : NameServer (8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - PHILIPPINES (PH) - UNITED STATES (US)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{FDC187F3-9230-486C-91AD-261256035FF4} : NameServer (8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - UNITED STATES (US) - PHILIPPINES (PH) - UNITED STATES (US)]) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200BEKT-75PVMT1 +++++
--- User ---
[MBR] 29b2f2d492e4743b27944a834314a289
[BSP] 4d03355c020bb5548da4497cefc94412 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 13568 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27869184 | Size: 291636 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02022014_151723.txt >>
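The [DNS][PUM] NameServer entries in the RogueKiller log above are flagged simply because explicit resolvers are set in the registry; what a defender actually wants to know is whether every configured address is a well-known public resolver (here Google, Level 3, OpenDNS, Comodo and Neustar) or something unexpected. The following is an added example, not RogueKiller's or the helper's code: it parses lines of that shape and reports any resolver outside a known set. The second sample line is constructed (placeholder GUID, RFC 5737 documentation address 203.0.113.5 standing in for an unrecognised resolver).

```python
import re

# Well-known public resolvers; this set covers exactly the ten addresses in the
# log above (Google, Level 3, OpenDNS, Comodo Secure DNS, Neustar).
KNOWN_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "4.2.2.1", "4.2.2.2",                # Level 3
    "208.67.222.222", "208.67.220.220",  # OpenDNS
    "8.26.56.26", "8.20.247.20",         # Comodo Secure DNS
    "156.154.70.1", "156.154.71.1",      # Neustar DNS Advantage
}

# RogueKiller line shape: [DNS][PUM] <key> : NameServer (<ip,ip,...> [country tags]) -> FOUND
NS_LINE = re.compile(
    r"^\[DNS\]\[PUM\]\s+(?P<key>\S+)\s+:\s+NameServer\s+\((?P<servers>[^\s\[\]()]+)"
)

def parse_nameserver_lines(log_text):
    """Yield (registry_key, [resolver, ...]) for each [DNS][PUM] NameServer line."""
    for line in log_text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            yield m.group("key"), m.group("servers").split(",")

def triage_nameservers(log_text, known=KNOWN_RESOLVERS):
    """Map each flagged registry key to the resolvers that are not in the known set.

    An empty list means every configured resolver is a well-known public one,
    which is what the log above shows; anything else deserves a closer look.
    """
    return {key: [ip for ip in servers if ip not in known]
            for key, servers in parse_nameserver_lines(log_text)}

# Constructed sample: the first line is the log's CCSet entry with its country
# tags abridged; the second is invented (placeholder GUID, documentation address).
SAMPLE_LOG = r"""
[DNS][PUM] HKLM\[...]\CCSet\[...]\{FDC187F3-9230-486C-91AD-261256035FF4} : NameServer (8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US) - PHILIPPINES (PH)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{00000000-0000-0000-0000-000000000000} : NameServer (8.8.8.8,203.0.113.5 [UNITED STATES (US) - UNKNOWN]) -> FOUND
"""

if __name__ == "__main__":
    for key, unknown in triage_nameservers(SAMPLE_LOG).items():
        status = "all known resolvers" if not unknown else f"unrecognised: {unknown}"
        print(key, "->", status)
```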

#36 MMHarding (Topic Starter, Member, 31 posts)
Hi There - Please let me know what is next! Thanks - Marsha

#37 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello MMHarding,

Next

Let's run an online scanner to double-check for any malware.

ESET Online Scanner. Remember, as with all the tool scans, right-click and "Run as Administrator."

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go >>HERE<< then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on the Posted Image icon to install.

    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, make sure you first copy the logfile located at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Posted Image
    (Selecting Uninstall application on close if you so wish)

Next

Please run a Malwarebytes scan 1 more time,

In your next reply to me post:

  • ESET online scan log report.
  • Fresh Malwarebytes log.


Thanks
Joe :)

#38 MMHarding (Topic Starter, Member, 31 posts)
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5a0d0659c9506048a654541cd56d1efe
# engine=16850
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-01-29 05:12:59
# local_time=2014-01-29 12:12:59 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 16288847 142559029 0 0
# scanned=208993
# found=5
# cleaned=5
# scan_time=11117
sh=737D70C09B888A11F687A8CDB020FD5394D4ED96 ft=1 fh=2bd1acaa4e01c158 vn="a variant of Win32/Toolbar.Visicom.B application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\xfin_portal\comcastdx.dll.vir"
sh=EFACF95B980D73274F817953E5D2029A30EF649D ft=1 fh=f999fd34447eddfa vn="a variant of Win32/Toolbar.Visicom.A application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\xfin_portal\comcasttb.dll.vir"
sh=DA03B4A5B82EDF67AE6067663595D78C5D75B2C6 ft=1 fh=c71c00114d73177a vn="a variant of Win32/Toolbar.Visicom.C application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\xfin_portal\dtuser.exe.vir"
sh=1EE556EE7B4C97157B91DC7B913131FFA02BBC95 ft=0 fh=0000000000000000 vn="Win32/TrojanProxy.Agent.NKK trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Microsoft_SDK\cc1xx.cmd"
sh=9EAFC55ED26F39E65588A80E23024FB1E2AF6E59 ft=0 fh=0000000000000000 vn="Win32/TrojanProxy.Agent.NKK trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Microsoft_SDK\cc1xx.js"

#39 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Marsha,

Looking good :), need the fresh Malwarebytes log when you get a chance.

Thanks
Joe

#40 MMHarding (Topic Starter, Member, 31 posts)
Here you go. I ran it last night. It didn't take anywhere near as long as before to run. Did I do it right?


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.04.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
mmharding :: PNALT34 [administrator]

2/3/2014 11:21:54 PM
mbam-log-2014-02-03 (23-21-54).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 428025
Time elapsed: 52 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#41 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hi Marsha,

You did it right again, very well done for someone who claims to be a computer novice :)

I also wanted to let you know that the items the ESET Scanner found are all in the Quarantine folder that AdwCleaner created. We will be getting rid of that when we clean up all the tools we used; that will be the very last exercise we perform.

Tell me how the computer is, and if any issues remain.

Joe
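Joe's point that ESET's hits were all inside the quarantine folder AdwCleaner created is worth automating when reading an ESET Online Scanner log: a detection under another tool's quarantine (the .vir files) is already neutralised, while one at a live path such as C:\Microsoft_SDK is not. This added example is not ESET's or the helper's code; it parses the key=value detection lines and separates the two cases, using two lines from the log above as a constructed offline input.

```python
import re

# ESET detection lines are space-separated key=value fields; quoted values can
# contain spaces and parentheses (see vn="..." and fn="..." in the log above).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_eset_line(line):
    """Return the key=value fields of one 'sh=...' detection line as a dict."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD.findall(line)}

def is_already_quarantined(path):
    """True when the path sits in a quarantine folder and carries the .vir
    extension AdwCleaner gives to files it has already moved aside."""
    p = path.lower()
    return "\\quarantine\\" in p and p.endswith(".vir")

def triage_eset_log(log_text):
    """Split detections into live paths and ones another tool already quarantined."""
    live, quarantined = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("sh="):      # skip the '# key=value' header lines
            continue
        fields = parse_eset_line(line)
        target = quarantined if is_already_quarantined(fields["fn"]) else live
        target.append((fields["vn"], fields["fn"]))
    return {"live": live, "already_quarantined": quarantined}

# Constructed sample: one header line and two detection lines taken from the ESET log above.
SAMPLE_LOG = r"""
# found=2
sh=737D70C09B888A11F687A8CDB020FD5394D4ED96 ft=1 fh=2bd1acaa4e01c158 vn="a variant of Win32/Toolbar.Visicom.B application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\xfin_portal\comcastdx.dll.vir"
sh=1EE556EE7B4C97157B91DC7B913131FFA02BBC95 ft=0 fh=0000000000000000 vn="Win32/TrojanProxy.Agent.NKK trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Microsoft_SDK\cc1xx.cmd"
"""

if __name__ == "__main__":
    report = triage_eset_log(SAMPLE_LOG)
    for kind, items in report.items():
        print(f"{kind}: {len(items)}")
        for name, path in items:
            print(f"  {path}  [{name}]")
```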

#42 MMHarding (Topic Starter, Member, 31 posts)
Thank you. I think everything is running well. The IE is fine. It seems like Google Chrome is slower now than before the IE was working, but that may be my imagination. The only other thing I notice - and this may just be another issue with my computer - is that the mouse and keyboard are really sensitive. I will be typing and the prompt will jump back. Again, I think it may just be a keyboard issue. I can't exactly remember when it started, but it was fairly recently.

#43 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello MMHarding,

Chrome may just need a Delete your cache and other browser data, and maybe the mouse/keyboard settings require adjusting, or, if they are wireless ones, the batteries replacing, for example.

Next

Since your log reports are clean and free of malware, let's clean up after ourselves.

OTL Clean-Up

Right click on the Posted Image icon on your desktop and choose Run as administrator to open the main window.

Next click on the Posted Image button.

Once clean up is complete you will be prompted to reboot your computer. Please do so.

This will remove most of the programs we have used including itself.

Next

Double-click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.

Right click on the JRT Icon and select delete.
If there are any left over tools or logs on your computer please delete them now.

Next

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right-click Disk Cleanup and select Run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button
Posted Image

Last

I post this for everyone. These are prevention steps.

Turn On Automatic Updates:

To do that:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.

2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them. If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for "any" time of day. Remember, your computer must be on at the scheduled time for updates to be installed.

After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are then downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that "you" can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Antispyware programs:

I would recommend the download and installation of the following program and the updating of it regularly:

WinPatrol: As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Please read this great article by miekiemoes How to prevent Malware
and this great article by Tony Klein So How Did I Get Infected In First Place

Thanks
Joe :)

Also read the latest!

CryptoPrevent Tool:

How to prevent your computer from becoming infected by CryptoLocker

Best wishes!

Joe :)

#44 MMHarding (Topic Starter, Member, 31 posts)
Thanks, Joe. I really appreciate your help. You were great!

#45 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
You're welcome :)

Joe