Win32:Sirefef-PL [Rtk] and possibly others

My laptop won’t finish booting on my account so I am working from my wife’s old account to do these scans. I can boot to safe mode, but neither avast nor malwarebytes protection runs in safe mode, making me hesitant to let the computer access a connection. I did start to run scans and cleanup in my account before the boot problem arose. I think I may have allowed either avast or malwarebytes to delete something I shouldn’t have. Below is the malwarebytes quick scan that didn’t find anything, nor did it when run on my account. However, the full scan did find infections on my account and it was after that the boot problem arose. I can access the scan logs in my account if they would be helpful.

Thank you for being here and doing the things you do.

Database version: v2012.07.20.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Carolea :: KEVEN [limited]

Protection: Enabled

8/5/2012 1:59:10 PM
mbam-log-2012-08-05 (13-59-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 165614
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Click the reply button (at top or bottom) and attach the other logs here…not in a new topic :slight_smile:

Sorry, I realized that after I posted, but there doesn’t seem to be an option to delete your own post.

I will do that :wink:

Hi there, when you ran the OTL scan you did not select all users… Therefore I am unable to see into your logon… When you run the fresh OTL scan, could you ensure that all users is selected

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\ProgramData\Installations\{DB7AE42C-695D-4D36-A8FA-31A1C6454436}
C:\Windows\Installer\{05919438-749f-84f0-1361-19d593641c66}
C:\Users\user\AppData\Local\{05919438-749f-84f0-1361-19d593641c66}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again, select all users and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

OTL doesn’t seem to be able to complete the scan it is stuck on “Scanning Firefox settings” (not responding).

Okay, now I’m posting from a different computer. OTL finally finished. I disabled avast, but combofix still reported it running. I tried stopping it through task manager and got an access denied. Combofix ran anyway, but after rebooting it just flutters from the corner of the screen to the center, opening and closing very rapidly. I don’t seem to be able to click anything because of this. I was able to open task manager with ctrl+alt+delete, but can’t click anything in it to get combofix to stop. I did a long push on the power button to re-reboot, but it’s doing the same thing again.

Okay, it’s been a long strange process, but everything is done.

That was combofix fighting to replace the infected services file … Repair time now

Download the following registry fixes to your desktop by right clicking and selecting “Save Target As…”
https://dl.dropbox.com/u/73555776/nsi7.reg
https://dl.dropbox.com/u/73555776/bits.reg
Right click each file in turn and select merge
Accept the warnings
Reboot

This OTL fix will take a while as it resets some elements on your system

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Post the log that pops up on completion.

Sorry, I’m not getting the merge thing. Nothing that says merge or anything similar comes up when I right click on the files.

Even though those files had the .reg extension, looking at properties there was a .txt added on, so I ended up forcing reg editor to open them. (Don’t ask how because I couldn’t tell you. It was sort of an accident.) However, Reg editor is now the default program for .txt files and the computer won’t let me change it back. When I first booted up this afternoon it was fairly quick and smooth. After putting in those two files and running the OTL fix it’s really slow again.
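A read-only PowerShell check, added here and not one of the thread's tools, that reports the state of the two services the nsi7.reg and bits.reg fixes target (assumed from the file names to be nsi and BITS), which program currently owns .reg and .txt, and any Desktop file carrying a hidden second extension such as the .reg.txt the poster hit:

```powershell
# Added example, not part of the thread. Read-only: reports, fixes nothing.
# Assumption: nsi7.reg / bits.reg repair the 'nsi' and 'BITS' service keys;
# the expected ServiceDll names are the stock Windows 7 ones.
$expected = @{ 'nsi' = 'nsisvc.dll'; 'BITS' = 'qmgr.dll' }

# 1. Does each service key exist, and does it still point at the expected DLL?
foreach ($name in $expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        "$name : registry key missing - the service cannot start until it is re-imported"
        continue
    }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $flag = ''
    if (-not $dll -or $dll -notmatch [regex]::Escape($expected[$name])) { $flag = '  <-- unexpected ServiceDll' }
    "{0,-5} status={1,-8} ServiceDll={2}{3}" -f $name, $svc.Status, $dll, $flag
}

# 2. Which program opens .reg and .txt? (a per-user choice overrides the machine default)
foreach ($ext in '.reg', '.txt') {
    $machine = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $user    = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue).ProgId
    $progId  = if ($user) { $user } else { $machine }
    $open    = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    "$ext -> $progId -> $open"
}

# 3. Files whose real type hides behind '.reg' (Explorer hides known extensions by default).
Get-ChildItem "$env:USERPROFILE\Desktop" -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.reg\.[a-z0-9]+$' } |
    ForEach-Object { "double extension: $($_.Name) (actual type: $($_.Extension))" }
```

A .txt entry whose ProgId is regfile reproduces the poster's symptom; the linked sevenforums fix is the way to restore it.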

To reset the .reg and .txt associations to what they should be, follow the steps on this page: http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html

Could you reboot the computer and let me know how it is behaving

When I first turned it on the computer came out of hibernation fairly quickly, however right after I clicked on the link for the forum with the default program fixes it locked up. I did a hard restart and it took several minutes to boot.

The files I downloaded to fix the default programs show up as registry files and right clicking does get the merge function. The nsi7 and bits files still show as text files even though I deleted the .txt extension.

I’m not getting any more pop ups from avast, and other than booting slow and occasionally freezing it seems to be running well.

Thank you for the help and the patience you have shown considering I probably didn’t do everything the way I should have.

What I will do now is remove my tools and then we will look at the speed problem… Once the tool removal is complete could you defragment the drive

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go Start > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly. It will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Okay, Sorry it has taken so long to get back.
I have run your cleanups, Updated Java, created a new restore point, purged the infected files,
installed FileHippo and updated everything it found (except the ones that were Beta only).

I have checked windows update and installed the optional updates it indicated (except the Bing bar).

I have read through the guide you linked to (although it didn’t really say anything about how I got
infected in the first place) and have installed some of the suggested programs (erunt and keylogger Pro).

I have also signed up for an account with OpenDNS, but apparently my ISP is not compatible with third party DNS servers.

I have deleted several programs that I knew I didn’t need or want. There are a lot
of programs on here that I don’t have a clue about so I don’t mess with them.

I also found that windows firewall was turned back on and think it was conflicting with Avast, as since I turned it off
I have had less program freezes. I have been able to log on to my own account, but it boots really slow.

Some of the things I’m having trouble with:

  1. I felt with FileHippo I didn’t need Secunia PSI and it has been sort of a PITA anyway, but the uninstaller gets about 20 seconds in and freezes.

  2. Something is really messed up in my personal folder. Depending on where I access it from, different folders have a little arrow in the corner and when I try to open them I get an access denied error. There are at different times duplicates of the folders that will open.

  3. I have lost some settings in Eudora including the registration. This isn’t a big deal as eventually I will figure out how to get those settings and redo them, except the registration as there is no more support for the version I have. So I will just have to Manually sort the junk.

  4. I get popups from Firefox asking for the password for the software security device. I haven’t a clue.

  5. I left the computer running for a while and came back to find a window open with a large log. I was unable to copy the text of the log, but it started with: “System.Reflection.TargetInvocationException”. I think this had something to do with the HP wireless assistant.

Apparently ERUNT isn’t Windows 7 compatible:

Unable to creat file:
C:\Windows\ERDNT\AutoBackup\8-11-2012\ERDNT.INF

Registry Backup will continue, but no restore information
for the ERNDT program will be saved. this means that later
restoration of the registry can only be done manually, by
using another OS to copy back the files.

Error saving file
C:\Windows\ERDNT\AutoBackup\8-11-2012\BCD!

Continue with the next file?

[RegCreatKeyEx:5-Access is denied]

This continues on for several more files.

This morning I shut down before going to work and as soon as I saw the shutting down screen I closed the screen. When I opened it back up 12.5 hours later it was still at the same screen. I had to hold the power button to get it to shut down.

It then took approximately 8 minutes to boot up. I haven’t had any pop ups from Avast! so I think all these problems are due to corrupted or missing files from my feeble attempts to get rid of the virus myself.

Sorry this is so long, but I figured it would be best to get it all up front.

Thanks so much for getting rid of the virus, I hope to be running smooth and fast again sometime.

What you could do is check the system file veracity

Go Start >All Programs > Accessories
Right click command prompt and select run as Administrator
In the black box type the following :

sfc /scannow

Let windows do its thing and reboot if asked

Then, to repair any other damage, download and run the following programme, but only select the applicable elements, e.g. Permissions

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the necessary items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Finally follow this up with a disc defrag
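An added PowerShell follow-up (not from the thread) for the sfc /scannow step above: it pulls the System File Checker's own lines out of CBS.log so the result can be posted as a short text log rather than the full multi-megabyte file. The [SR] tag and the log path are the standard ones; the words matched for repaired and unrepaired files are an assumption about the message wording and should be checked against your own log:

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell after "sfc /scannow".
# SFC logs into the component-servicing log and tags each of its own lines with [SR].
$log = Join-Path $env:windir 'Logs\CBS\CBS.log'
if (-not (Test-Path $log)) { throw "CBS.log not found at $log (has sfc /scannow been run?)" }

# Keep only the [SR] lines; the rest of CBS.log is unrelated servicing activity.
$sr = @(Select-String -Path $log -Pattern '\[SR\]' | ForEach-Object { $_.Line })

# Assumed wording: "Repairing ..." marks a file SFC restored from the component store,
# "Cannot repair ..." marks one it could not restore (those are the ones worth posting).
$repaired   = @($sr | Where-Object { $_ -match 'Repairing' })
$unrepaired = @($sr | Where-Object { $_ -match 'Cannot repair' })

"[SR] lines: {0}   repaired: {1}   could not repair: {2}" -f $sr.Count, $repaired.Count, $unrepaired.Count
$unrepaired | Select-Object -Last 10

# Save the filtered lines to the Desktop so they can be attached to a reply as plain text.
$out = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'
$sr | Set-Content -Path $out
"Saved $($sr.Count) lines to $out"
```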