Win 7 Security 2011 $59.95 - Urgent Help Please
+1
Can I also suggest you run malwarebytes in Safe Mode (push f8 as the PC boots) when you do, some of the malware will remain if you run it in a normal boot.
They advise in the MBAM forums to only run it in safe mode if you can't get it going in normal mode, as it's designed to run in normal mode. Then again, I don't think the developers appreciate how often it gets blocked from running by a lot of these rogue antivirus programs.
Deleted_User wrote:
Hello GrandMaster -
I followed the instructions and this came on screen. Does this mean that it was unsuccessful?
"This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 08/05/2011 at 16:17:42.
Operating System: Windows 7 Home Premium
Processes terminated by Rkill or while it was running:
C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe
Rkill completed on 08/05/2011 at 16:17:51. " - or is it all right?
I am just about to download Hitman Pro 3.5 - I am trying and I appreciate all the help, thank you.
I believe that rkill has been run properly (not 100% sure but the process terminated suggests to me it's worked). You haven't restarted your computer I hope... If you have, please rerun rkill and then move onto the following:
Can you now try and download malwarebytes please? (I've never tried hitmanpro so I can't really help concerning that) Download Malwarebytes Anti-Malware 1.50 - FileHippo.com and Install. Go to UPDATE tab, click CHECK FOR UPDATES and run a QUICK SCAN. Remove everything it finds and post log here.
Then Go to UPDATE tab, click CHECK FOR UPDATES and run a FULL SCAN. Remove everything it finds and post log here.
P.S. Please don't reinstall Microsoft Security Essentials just yet - you want to install it when your computer is clean.
Hello. We can't tell if you have followed the instructions or not, because we haven't seen any of the Logs.
No problem, just go through each and complete each step one by one. It'll be a bit long and a bit back and forth (depending on what you have done), but I'm guessing you might appreciate more detail. If you don't understand something, please just ask.
1. Did you already run a Malwarebytes scan? and clean what it found? If so, please go into Malwarebytes again, click on the 'Logs' tab, then open the log that shows what you found. It'll open in notepad - all you need to do is copy all the text, then paste it in this thread. Please do this before anything else.
2. Did you run the System Restore, and load a restore point from a date before all this happened? If you haven't, then you really need to do that to fix any settings the malware might have changed. Just make sure that the date of the Restore Point is a date before you got the infection.
Here is a guide if you are using Windows XP:
http://support.microsoft.com/kb/306084
Here is a guide if you are using Vista or Windows 7:
http://www.howtogeek.com/howto/windows-vista/using-windows-vista-system-restore/
3. If you do system restore, you may find you may need to reinstall Malwarebytes to be able to run it properly again. If so, you can get the most up to date version here:
http://data-cdn.mbamupdates.com/tools/mbam-rules.exe
Once again, run the Malwarebytes update, then do a full scan this time and clean anything it finds, and please post the log here even if it doesn't find anything.
4. Save this file to your desktop:
http://www.trendmicro.com/ftp/products/hijackthis/HijackThis.exe
Then hold down the LEFT SHIFT button while you RIGHT MOUSE CLICK on the file on your desktop, and select 'Run As Administrator' and hijackthis should load.
5. When HijackThis loads, press 'Run system scan and save log', and it'll do a scan of your system settings. Don't 'fix' anything though.
6. When the log file opens in Notepad, just copy the contents and paste them into this thread and we'll take a look at it.
7. Run HitManPro, and remove anything it finds.
http://www.surfright.nl/en/hitmanpro
8. You'll have to reinstall Microsoft Security Essentials (or another antivirus). I don't want to confuse you with options, so just download it and reinstall it:
http://download.cnet.com/Microsoft-Security-Essentials/3000-2239_4-10969260.html
That should be enough for now. Let us know how you go with each step.
This is a copy of the 'log':
Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6531
Windows 6.1.7600 (Safe Mode)
Internet Explorer 9.0.8112.16421
08/05/2011 16:08:26
mbam-log-2011-05-08 (16-08-26).txt
Scan type: Quick scan
Objects scanned: 157758
Time elapsed: 3 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I have to go out but when I come home I'll make it a priority to go through all the steps vigilantly. I tried the HiJackThis but it would not work - although it seems to be in my programmes. It asked me to 'Start, run, type notepadC:\Windows\System32\drivers\etc\hosts and enter. I did this and it would not accept it.
I was also unsuccessful in trying to install Hitman Pro but, as with the other things, I'll come back to it when I get home later.
You have all been first class in helping me and I appreciate it VERY much, thank you.
Crimson
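The posts above hinge on reading a Malwarebytes 1.x text log correctly: the summary block gives one count per category, the detail sections below list each item, and the "Windows ... (Safe Mode)" line records whether the scan ran in Safe Mode (which the earlier replies discussed). The following parser is an added example written for this thread, not code from Malwarebytes or from anyone posting here. The clean sample is a trimmed copy of the quick-scan log posted above; the second sample is constructed, and its detail-line layout ("target (family) -> action") is an assumption about the 1.x format used only to exercise the item parser.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and judge it (added example)."""
import re

# Trimmed copy of the clean quick-scan log posted in this thread.
SAMPLE_CLEAN = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6531

Windows 6.1.7600 (Safe Mode)

Scan type: Quick scan
Objects scanned: 157758
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed sample with detections; paths and names are placeholders.
SAMPLE_DETECTIONS = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6531

Windows 6.1.7600

Scan type: Quick scan

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\users\example\appdata\local\placeholder.exe (Rogue.SecurityTool) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\placeholder (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Files Infected:
c:\users\example\appdata\local\placeholder.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""

META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "Files Infected: 0"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")             # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")  # assumed 1.x layout
WINDOWS_RE = re.compile(r"^Windows [\d.]+(?P<safe> \(Safe Mode\))?$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return metadata, per-category summary counts and per-section item lists."""
    report = {"meta": {}, "safe_mode": False, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):          # summary block: name + number
            report["counts"][m.group("name")] = int(m.group("n"))
            section = None
        elif (m := SECTION_RE.match(line)):        # detail block: name only
            section = m.group("name")
            report["items"].setdefault(section, [])
        elif (m := META_RE.match(line)):
            report["meta"][m.group("key")] = m.group("val")
        elif (m := WINDOWS_RE.match(line)):
            report["safe_mode"] = m.group("safe") is not None
        elif section and line != NO_ITEMS:         # one detected item
            m = ITEM_RE.match(line)
            report["items"][section].append(m.groupdict() if m else {"target": line, "family": None, "action": None})
    return report


def assess(report):
    """Clean only if every count is zero and no detail section lists an item;
    also flag sections whose count disagrees with the items actually listed."""
    counts = report["counts"]
    total = sum(counts.values())
    inconsistent = [name for name, n in counts.items() if n != len(report["items"].get(name, []))]
    verdict = "clean" if total == 0 and not any(report["items"].values()) else "detections"
    return {"verdict": verdict, "total_detections": total,
            "safe_mode": report["safe_mode"], "inconsistent_sections": inconsistent}


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_DETECTIONS):
        print(assess(parse_mbam_log(sample)))
```

The consistency check matters when a log is pasted by hand: a summary that says "Files Infected: 0" above a detail section that still lists a file is a sign the paste was edited or truncated, and the verdict should not be trusted until the full log is seen.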
I followed the instructions and after telling me that I could not access it - this happened. I'm afraid it is beyond me but at least something is happening and I am grateful. Thank you again. Crimson
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:45:26, on 08/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Consumer Input\dca-ua.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\Christine\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Consumer Input\dca-bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Consumer Input Update] C:\Program Files (x86)\Consumer Input\dca-ua.exe
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe (User 'Default user')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files (x86)\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} (TNSClickerc.Clicker) - http://www.shopandscan.com/TNSClickrc.CAB
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 9845 bytes
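The reply below calls this HijackThis log "fine" despite its many "(file missing)" service entries. For a reader learning to read these logs, the following parser is an added example written for this thread, not HijackThis code or anything posted by a participant. It splits entries into their section codes, pulls the executable path out of O4 autoruns, O2 BHOs and O23 services, flags paths outside the Windows and Program Files trees, and separates out "(file missing)" entries for System32 services on a 64-bit host, which the 32-bit HijackThis 2.0.4 reports because of WOW64 file-system redirection rather than because the file is gone. The sample is a trimmed copy of the log above plus one constructed O4 entry ("ConstructedExample", a made-up path in a Temp folder) so the location check has something to flag; the "Program Files (x86)" test for a 64-bit host is a heuristic.

```python
"""Parse and triage HijackThis v2.0.4 log entries (added example; not HJT code)."""
import re

# Trimmed copy of the log posted in this thread plus one constructed O4 line.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:45:26, on 08/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Christine\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Consumer Input\dca-bho.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ConstructedExample] C:\Users\Christine\AppData\Local\Temp\updater.exe
O23 - Service: @%SystemRoot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

--
End of file - 9845 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\.+?\.(?:exe|dll|lnk)", re.I)  # drive or %VAR% rooted
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")
MISSING = "(file missing)"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "%programfiles%\\", "%systemroot%\\")


def first_path(text):
    """First executable/library path in a command line, without quotes or arguments."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def parse_hjt(text):
    """Turn 'Oxx - ...' lines into dicts; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body, "name": None, "path": None, "file_missing": False}
        if code == "O4":
            m4 = O4_RE.match(body)
            if m4:  # startup-folder style O4 lines stay unparsed
                entry["name"] = m4.group("name")
                entry["path"] = first_path(m4.group("cmd"))
        elif code == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)  # display - owner - path
            if len(parts) == 3:
                display, owner, path = parts
                short = SHORT_NAME_RE.search(display)
                entry["name"] = short.group(1) if short else display
                entry["owner"] = owner
                entry["file_missing"] = path.endswith(MISSING)
                entry["path"] = path[:-len(MISSING)].strip() if entry["file_missing"] else path
        elif code == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].rsplit(" - ", 2)  # name - {CLSID} - dll
            if len(parts) == 3:
                entry["name"], entry["clsid"], entry["path"] = parts
        entries.append(entry)
    return entries


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(entries):
    """Count entries per section and sort paths into review buckets."""
    x64 = any("program files (x86)" in e["body"].lower() for e in entries)  # heuristic
    report = {"x64_host": x64, "counts": {}, "untrusted_paths": [],
              "probable_wow64_artifacts": [], "missing_files": []}
    for e in entries:
        report["counts"][e["code"]] = report["counts"].get(e["code"], 0) + 1
        path = e["path"]
        if not path:
            continue
        if e["file_missing"]:
            # 32-bit HJT cannot see the 64-bit System32, so these are expected on x64
            if x64 and path.lower().startswith("c:\\windows\\system32\\"):
                report["probable_wow64_artifacts"].append(e["name"])
            else:
                report["missing_files"].append(e["name"])
            continue
        if not is_trusted_location(path):
            report["untrusted_paths"].append((e["code"], e["name"], path))
    return report


if __name__ == "__main__":
    for key, value in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

An entry landing in "untrusted_paths" is a prompt to look, not a verdict: legitimate updaters do live under AppData. The useful signal is the combination of an autorun key, a user-writable location and a name that matches nothing installed on purpose, which is exactly what the helpers in this thread check by eye.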
scan and fix with this
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
and
http://www.malwarebytes.org/StartUpLite.exe!!
Deleted_User wrote:
This is a copy of the 'log':
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6531
08/05/2011 16:08:26
I have to go out but when I come home I'll make it a priority to go through all the steps vigilantly. I tried the HiJackThis but it would not work - although it seems to be in my programmes. It asked me to 'Start, run, type notepadC:\Windows\System32\drivers\etc\hosts and enter. I did this and it would not accept it.
I was also unsuccessful in trying to install Hitman Pro but, as with the other things, I'll come back to it when I get home later.
Crimson
The Malwarebytes log you posted was from one you've done this afternoon - looks clear which is good, just make sure you post the log from whichever scan you originally did that removed the malware as well.
The HijackThis log is fine, plenty of startup bloat you could remove but can deal with that later. If you still get the error message trying to run HJT after following Step 4, then let me know and I'll suggest an alternative.
Hitmanpro doesn't need to be installed - you just run it once and let it do its thing, then can safely delete it.
This is the first Malwarebyte I ran:
"Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6528
Windows 6.1.7600
Internet Explorer 9.0.8112.16421
07/05/2011 23:57:03
mbam-log-2011-05-07 (23-57-03).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 254492
Time elapsed: 37 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)"
I'll now go on to work on the other things you have suggested. I am sorry I am quite slow. As before all the help is greatly appreciated.
Crimson
To be quite honest I am quite confused - all your malwarebytes log (both quick and full scan) show nothing...
Have you run a scan such as superantispyware with anything (malware etc.) detected? If yes, can you post that log here.
Your hijackthis log seems fine although things can be removed to speed up computer which I shall leave for someone else to do who can advise better than me.
Hello again -
This is the most recent 'report' from Rkill:
"This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 08/05/2011 at 20:36:55.
Operating System: Windows 7 Home Premium
Processes terminated by Rkill or while it was running:
C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe
Rkill completed on 08/05/2011 at 20:38:35."
I know I am going in slow motion but I hope this is all right. I performed a System Restore very early this morning after speaking to the Credit Card company. Now that Microsoft Security Essentials has been reinstalled (and I have a new on line banking password) is it safe for me to log on to my bank account again? I'd prefer to wait if there is still any risk.
Thank you, again.
Crimson.
Hello again - This time I was successful in downloading Hitman Pro. It identified a number of 'threats' in iexplore and explorer.exe - a total of 7 traces. I quarantined them and once completed I closed.
I think I have followed all of the advice now but if there is anything else, anything at all, please let me know. I would definitely NEVER have managed without all the great help from you all. Thank you so much.
Crimson