ZeroAccess issue

I found some good info earlier and have been using the tools but have come to a halt. The process is considered hidden; it is STOPPED and has been for a while.

I have the adwcleaner info

AdwCleaner v3.007 - Report created 12/10/2013 at 23:00:45

Updated 09/10/2013 by Xplode

Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

Username : Mar - MAR-PLAYTOY

Running from : C:\Documents and Settings\Mar\Desktop\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\t80yzm1x.default\searchplugins\WebSearch.xml
File Found : C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\t80yzm1x.default\user.js
Folder Found C:\Documents and Settings\All Users\Application Data\AlawarWrapper
Folder Found C:\Documents and Settings\All Users\Application Data\savEnshare!
Folder Found C:\Documents and Settings\All Users\Application Data\SearchNewTab
Folder Found C:\Documents and Settings\All Users\Application Data\SearchNewTab
Folder Found C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\t80yzm1x.default\jetpack
Folder Found C:\Documents and Settings\Mar\Application Data\yourfiledownloader

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\sshelp~1\sprote~1.dll
Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\websea~1\sprote~1.dll
Key Found : HKCU\Software\Alexa Internet
Key Found : HKCU\Software\AppDataLow\SProtector
Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\distromatic
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\YourFileDownloader
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO.1
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Found : HKLM\Software\SP Global
Key Found : HKLM\Software\SProtector
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [ Browsers ] *****

-\ Internet Explorer v6.0.2900.5512

-\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\t80yzm1x.default\prefs.js ]

Line Found : user_pref("aol_toolbar.default.homepage.check", false);
Line Found : user_pref("aol_toolbar.default.search.check", false);
Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");
Line Found : user_pref("browser.search.defaulturl", "hxxp://websearch.the-searcheng.info/?pid=1182&r=2013/09/13&hid=7141243511682829539&lg=EN&cc=US&unqvl=35&l=1&q=");
Line Found : user_pref("browser.search.order.1,S", "WebSearch");
Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");
Line Found : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Found : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Found : user_pref("extensions.crossrider.bic", "13b5a14025c960840bf2a7eeb1b2359e");
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Found : user_pref("sweetim.toolbar.searchguard.enable", "");


AdwCleaner[R0].txt - [4847 octets] - [12/10/2013 23:00:45]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4907 octets] ##########


I ran and deleted 21 PUPs using Malwarebytes Anti-Malware


I have the aswMBR info
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-12 23:53:30

23:53:30.234 OS Version: Windows 5.1.2600 Service Pack 3
23:53:30.234 Number of processors: 2 586 0x170A
23:53:30.234 ComputerName: MAR-PLAYTOY UserName: Mar
23:53:32.171 Initialize success
23:53:32.531 AVAST engine defs: 13101200
23:53:44.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
23:53:44.609 Disk 0 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 3
23:53:44.609 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-e
23:53:44.609 Disk 1 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 3
23:53:44.609 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-1a
23:53:44.609 Disk 2 Vendor: ST3500413AS JC45 Size: 476940MB BusType: 3
23:53:44.703 Disk 0 MBR read successfully
23:53:44.703 Disk 0 MBR scan
23:53:44.703 Disk 0 Windows XP default MBR code
23:53:44.718 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
23:53:44.718 Disk 0 scanning sectors +976752000
23:53:44.812 Disk 0 scanning C:\WINDOWS\system32\drivers
23:54:01.562 Service scanning
23:54:09.187 Service ?etadpug HIDDEN
23:54:09.703 Modules scanning
23:54:26.312 Disk 0 trace - called modules:
23:54:26.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:54:26.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b085ab8]
23:54:26.359 3 CLASSPNP.SYS[f74d7fd7] -> nt!IofCallDriver -> \Device\00000074[0x8b0e6290]
23:54:26.375 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x8b0dad98]
23:54:27.468 AVAST engine scan C:\WINDOWS
23:55:03.796 AVAST engine scan C:\WINDOWS\system32
23:59:48.734 AVAST engine scan C:\WINDOWS\system32\drivers
00:00:48.093 AVAST engine scan C:\Documents and Settings\Mar
00:14:08.906 AVAST engine scan C:\Documents and Settings\All Users
00:28:09.250 Scan finished successfully
00:31:34.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mar\Desktop\MBR.dat"
00:31:34.156 The log file has been saved successfully to "C:\Documents and Settings\Mar\Desktop\aswMBR finished scan.txt"


Continued


I have the RogueKiller info… when I tried deleting the service it was blocked and the two keys disappeared but are still acknowledging the ZeroAccess infection

RogueKiller V8.7.2 [Oct 3 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Mar [Admin rights]
Mode : Scan -- Date : 10/13/2013 00:45:13
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- C:\WINDOWS\system32\drivers\???etadpug.sys -> STOPPED

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????ﯹ๛\{b23bb259-fd64-bce3-5842-880b61818bfd}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-436374069-115176313-682003330-1003\[...]\Run : Google Update ("C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????ﯹ๛\{b23bb259-fd64-bce3-5842-880b61818bfd}\GoogleUpdate.exe" >) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install [-] -> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F70CD4)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
-> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST500DM002-1BD142 +++++
--- User ---
[MBR] d515d12d2b30dd4ff4bdc4a414281bbc
[BSP] 51f7dd4c212744477716b285387f54c0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) (Standard disk drives) - ST500DM002-1BD142 +++++
--- User ---
[MBR] 16337ea40251197727effb961f377dc5
[BSP] 46435fdb9d7facbc7e5bfb602ac9b1d9 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) (Standard disk drives) - ST3500413AS +++++
--- User ---
[MBR] dc596c48c336b881ff0c88b9f4c6efe9
[BSP] 2f58e70d5b06faf049d689ded4c68138 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) (Standard disk drives) - USB 2.0 USB Flash Drive USB Device +++++
--- User ---
[MBR] db6e11fffd035e0d9fbfd1af8749f7af
[BSP] a83a24340e59ea8cbbf2d8eaa19e98b0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1927 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10132013_004513.txt >>


I tried booting in safe mode to run scans and delete etc before I got these new tools… I am thinking about trying it again…

Thank you for your time
Mar
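Triage logic for the indicators in the three reports above, as an added example that is not part of this thread and is not code from AdwCleaner, aswMBR or RogueKiller: a Python script that scans log lines for the four things a responder would flag here, an AppInit_DLLs entry (a DLL loaded into every GUI process), a service hidden from the Windows API, a service or driver whose name is made of unprintable characters, and a Run-key target sitting under a directory with an unprintable name. The sample lines are constructed from the posted reports; the rule patterns are my own heuristics rather than the tools' formats, and the folder name "ﯹ๛" is an illustrative stand-in for the characters the forum shows as "?".

```python
import re
from collections import Counter

# Constructed sample: indicator lines modelled on the AdwCleaner, aswMBR and
# RogueKiller reports in this thread. The folder name "ﯹ๛" stands in for the
# characters the forum rendered as "?"; GUIDs and paths are those from the post.
SAMPLE_LOG = r"""
Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\sshelp~1\sprote~1.dll
Key Found : HKCU\Software\Crossrider
23:54:09.187 Service ?etadpug HIDDEN
[ZeroAccess][SERVICE] ???etadpug -- C:\WINDOWS\system32\drivers\???etadpug.sys -> STOPPED
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ﯹ๛\{b23bb259-fd64-bce3-5842-880b61818bfd}\GoogleUpdate.exe" >) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# Heuristic patterns (assumptions of this example, not the tools' own parsers).
APPINIT = re.compile(r"\[AppInit_DLLs\]\s*-\s*(?P<dll>\S+)", re.IGNORECASE)
HIDDEN_SVC = re.compile(r"\bService\s+\S+\s+HIDDEN\b|\[Hidden from API\]")
SERVICE_LINE = re.compile(r"\[SERVICE\]\s+(?P<name>\S+)\s+--\s+")
RUN_LINE = re.compile(r'\[RUN\].*?\("(?P<path>[^"]+)"')


def odd_name(name):
    """True when a name carries '?' placeholders or non-printable/non-ASCII characters.
    Legitimate service and folder names on an XP box are almost always printable ASCII."""
    return any(ch == "?" or not (0x20 <= ord(ch) < 0x7F) for ch in name)


def triage(log_text):
    """Return one finding per suspicious line: rule name, the detail that fired, the line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT.search(line)
        if m:  # a DLL injected into every GUI process through AppInit_DLLs
            findings.append({"rule": "appinit_dll", "detail": m.group("dll"), "line": line})
            continue
        if HIDDEN_SVC.search(line):  # present on disk/registry but hidden from the service API
            findings.append({"rule": "hidden_service", "detail": line, "line": line})
            continue
        m = SERVICE_LINE.search(line)
        if m and odd_name(m.group("name")):  # service name built from unprintable characters
            findings.append({"rule": "unprintable_service_name", "detail": m.group("name"), "line": line})
            continue
        m = RUN_LINE.search(line)
        if m:  # Run-key target living under a directory with an unprintable name
            odd = [p for p in m.group("path").split("\\") if odd_name(p)]
            if odd:
                findings.append({"rule": "run_key_unprintable_path", "detail": "|".join(odd), "line": line})
    return findings


def summary(findings):
    """Count findings per rule, e.g. {'hidden_service': 2, ...}."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:28} {f['detail']}")
    print(dict(summary(triage(SAMPLE_LOG))))
```

Run against the constructed sample it reports five findings: the AppInit_DLLs entry, the hidden service twice (once from the aswMBR line, once from the RogueKiller "Hidden from API" line), the unprintable driver name, and the Run-key path whose directory name is non-ASCII. The benign "Key Found" and desktop-policy lines produce nothing, which is the point: the adware keys are noise next to the rootkit's persistence.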

I found a RK_Quarantine folder on my desktop too… does this mean these items were quarantined?

I see two registry keys in the folder, looks like the ones that disappeared that I mentioned above… below is the report:


[ZeroAccess] Time : 13/10/2013 00:54:49

ERROR [Install.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install

[ZeroAccess] Time : 13/10/2013 00:54:49

ERROR [Install.vir] -> C:\Program Files\Google\Desktop\Install

[ZeroAccess] Time : 13/10/2013 00:54:49

[@.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????\{b23bb259-fd64-bce3-5842-880b61818bfd}\@

[ZeroAccess] Time : 13/10/2013 00:54:49

[L.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????\{b23bb259-fd64-bce3-5842-880b61818bfd}\L

[ZeroAccess] Time : 13/10/2013 00:54:49

[U.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????\{b23bb259-fd64-bce3-5842-880b61818bfd}\U

[ZeroAccess] Time : 13/10/2013 00:54:49

[{b23bb259-fd64-bce3-5842-880b61818bfd}.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????\{b23bb259-fd64-bce3-5842-880b61818bfd}

[ZeroAccess] Time : 13/10/2013 00:54:49

[???.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\?????????

[ZeroAccess] Time : 13/10/2013 00:54:49

[???.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\??????

[ZeroAccess] Time : 13/10/2013 00:54:49

[???.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\???

[ZeroAccess] Time : 13/10/2013 00:54:49

[{b23bb259-fd64-bce3-5842-880b61818bfd}.vir] -> C:\Documents and Settings\Mar\Local Settings\Application Data\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}

[ZeroAccess] Time : 13/10/2013 00:54:49

[@.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\@

[ZeroAccess] Time : 13/10/2013 00:54:49

[GoogleUpdate.exe.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\GoogleUpdate.exe

[ZeroAccess] Time : 13/10/2013 00:54:49

[00000004.@.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\L\00000004.@

[ZeroAccess] Time : 13/10/2013 00:54:49

[L.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\L

[ZeroAccess] Time : 13/10/2013 00:54:49

[00000008.@.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\U\00000008.@

[ZeroAccess] Time : 13/10/2013 00:54:49

[U.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}\U

[ZeroAccess] Time : 13/10/2013 00:54:49

[{b23bb259-fd64-bce3-5842-880b61818bfd}.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???\{b23bb259-fd64-bce3-5842-880b61818bfd}

[ZeroAccess] Time : 13/10/2013 00:54:49

[???.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \ \???

[ZeroAccess] Time : 13/10/2013 00:54:49

[ .vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\ \

[ZeroAccess] Time : 13/10/2013 00:54:49

[ .vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}\

[ZeroAccess] Time : 13/10/2013 00:54:49

[{b23bb259-fd64-bce3-5842-880b61818bfd}.vir] -> C:\Program Files\Google\Desktop\Install\{b23bb259-fd64-bce3-5842-880b61818bfd}


Thank you

Sorry - but these posts may be incorrectly posted now… all the paths listed in the above report no longer exist… RogueKiller did its job and I was able to delete the folders that initially denied me access to them… thank you, I will keep scanning though…

Hey, and welcome to the forum. Thanks for sharing the needed logs.

Please also post an OTL log from this guide

http://forum.avast.com/index.php?topic=53253.0

PS: you can attach the logs (instructions are in the guide); it gets easier for the malware expert to see :wink:

Good morning mikeaelrask… Thank you: the link you directed me to is where I got all my information but overlooked the attachment part. I now see the “attachments and other options” to choose from below this box.

I apparently still have an issue and will upload the info - I still have a hidden service… I am at this time virus clean… Avast boot scan clean - pc came up clean, cleaned all registry files… now what

New scans done and attached

That is the zero access service and needs to be removed

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thank you essexboy…

Attached is my ComboFix report… ComboFix did delete a few items and folders. I also re-ran the aswMBR; I am waiting for it to finish scanning. I do not see the RED hidden service now… I do not see the hidden service in my msconfig.exe either ;D

Totally Awesome… Awesome support too !! Thank you !!

OK I will use Combofix to remove the disabled service (no need for this log) and then I will use OTL to check for remnants and any adware. Looking at the Combofix log it appears that Avast disabled the service as combofix did not remove it

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"?etadpug"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will not require.

THEN

[*]Run OTL.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]There will only be one log this time

Thank you again… I opened the log that ComboFix produced and manually deleted “?etadpug” from this key… I clean my registry fairly often… I am scanning for remnants though

Thank you again !!!

Any further problems ?

It has been a few days and I just ran a scan… it came up clean and so far so good, no other issues to report…

Thank you again for all your assistance !!! :smiley:

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF



:Commands
[CLEARALLRESTOREPOINTS] 
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:

OK this was done… I still have Malwarebytes on the computer / my Avast Internet Security / ProcessGuard… I already know how I got infected… it was dumb because I never take chances but was trying to help my daughter… told her it won’t happen now or again… other than this I usually don’t have issues with these…

Thank you again !!!

My pleasure :slight_smile: