Multiple virus attacking computer speed, smitfraud and trojans.

It is an extremely bad idea to allow all users to have Admin. privileges!! Once malware enters your system on an account with Admin. privileges, it has free reign for the whole system. I strongly suggest you only have one Admin. account and all others be changed to limited.

Fortunately, the scans took care of the malware, at least on this user account. You need to run SAS and MBAM on each user account.

Attach any logs that show malware for each user account and make sure to identify the account.

 

I see that each account had virtually the exact same infections.

If you are now back in the one Admin account, please re-run ComboFix and then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

I am confused. You want to remove Kodak EasyShare software? Does nothing happen when you try to uninstall it from the add/remove programs list? And why do you have a user account with that name and with Admin. privileges?

We can try to remove the Kodak files:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Driver::
KodakDigitalDisplayService

File::
c:\Program Files\Kodak\Digital Display\KodakDigitalDisplaySoftware.exe
c:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
c:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll

Folder::
C:\Program Files\Kodak

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=-
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=-
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Otherwise, your logs are clean. I suggest that you post in the software forum for your remaining issues.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!
    
    

 

You need to attach the SAS and MBAM scan logs.

What I meant about users is this:

Code:

Users on this computer:
Is Admin? | Username
------------------
   Yes    | Administrator
          | Andrew
   Yes    | Dad
          | Guest
          | HelpAssistant (Disabled)
          | Justin & Andrew
   Yes    | kodak[COLOR=DarkRed] <----- this account[/COLOR]
   Yes    | LogMeInRemoteUser
          | Mike

What has happened in the last day or so? It would appear as though you picked up a very nasty bit of malware.

Do you have your OS disc?

Please go back to the Read and Run First instructions and download a new copy of Combofix and run it and get me the above logs as well as the new Combo log and a new MGLogs.zip

 

Combo is still detecting many of your system files to be infected. We could try replacing them, but the danger is that we will not get them all and it will just continue to spread again. At this point, your best bet is to backup all your personal data and files ( do not back up exe. files ) and do a complete reformat and clean install.

Do you have a recovery partition? If not, you will need to find ./ borrow a copy of your OS. You should have your install code somewhere on the back of the computer.

 

NO. Doing a repair install will not remove the malware. You need to backup your personal files and then once that is done ( either to a cd or thumb drive ) you need to reformat your hard drive and do a clean installation.

I suggest that you post in the software forum if you are unsure about how to proceed.

 

No, that doesn't work with applications. You would need to reinstall your apps. You would also need to add user accounts and do all the updates again. It is a large amount of effort, but sadly, about your only choice.

 

Yes, that would be a good choice for you to be able to backup pictures and data files to a cd. But you can not use this to backup apps!!

 

Again, no. There are too many corrupt files to be able to "debug". You need to do a reformat and a clean install.