Not sure what happened or whether I'm infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Digibirder, Nov 19, 2011.

  1. Digibirder

    Digibirder Private First Class

    I have a Windows 7 Home Premium 64bit machine with Comodo Internet Security running (as recommended here on a previous problem).

    I was recently looking at what appeared to be an innocent website, looked away out of my window for a few seconds, and when I looked back there were numerous small windows open saying that some part of my system had a serious error. I managed to close down all the windows, and close the browser window, but then a box came up asking me to scan the system, which then threw up several errors.

    The 'results' of the scan showed that I needed this program to help with the problems. It was then that I realised this was not right.

    I am running in restricted mode, so I have to approve any changes to the system, so I declined the option to allow reinstall.exe to make any changes to my system. This kept popping up and I kept declining.

    Eventually I had to shut the computer down at the button, but on restarting there is now a shortcut on my desktop to System Fix. Also, in Comodo Summary tab, under Defense+ it says there are 12 unrecognised files blocked and treated as partially limited. These include some that I recognise and trust, but there are eight which are dated today. Five are in c:\users\username\appdata\local\temp and have different filenames following that, one being reinstall.exe. Two files are in c:\programdata and have random letters and numbers followed by .exe as the file names. The last file is in c:\users\username\appdata\roaming and again has random letters and numbers. Under the Company header, two of the entries have iF[copyright symbol]SYSEM listed.

    I've checked in Program Files and nothing appears to have been installed, assuming as I didn't allow it access, so what are my next steps? Is it safe to assume that I can just get rid of the desktop shortcut and allow Comodo to deal with the files in Defense+? Should I run anything else?

    I haven't gone through all the procedures you recommend yet, as I wasn't sure that this thing has actually taken hold, but will do that if necessary. Have done it all before when my husband got infected.
     
  2. Digibirder

    Digibirder Private First Class

    Just realised after closing the Comodo window that most of my desktop icons have disappeared.

    And when I click the Start button, the list of icons has gone, apart from Solitaire, and when I click All Programs there are no icons of installed programs, only folders of certain installed programs.
     
  3. Digibirder

    Digibirder Private First Class

    OK, Something is certainly wrong, so I'm running the scans and will post the logs shortly, but I have read on another site that running Combofix deletes items from the Temp folder, and that site also says that this is where certain of the hidden menu and desktop items are moved to by this malware.

    Should I still run Combofix? Will I get back my Start Menu programs and other hidden items/icons?
     
  4. Digibirder

    Digibirder Private First Class

    Righto, I've run four of the scans (left out RootRepeal as I'm on 64bit, as stated on the RR page) and the logs are attached.

    Things certainly seem to be back to normal now, but I'm not sure what else might crop up later.

    I have my desktop shortcuts back, and seem to have everything back in the Programs list from the Start menu. Quick Launch items still not back, but I can sort that.

    I'm getting no warning messages, but I really don't think this thing installed fully anyway, having denied it access in UAC to make changes to the system, so hopefully it's all OK. I had reconnected to the network and Internet some time ago, although I'm on a laptop at the moment to be sure, and haven't done any surfing on that computer.

    Many thanks.
    Diane
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 26 <--- Uninstall outdated Java.

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\users\DH59\AppData\Roaming\0391B56F
    C:\Users\DH59\AppData\Local\{00543EE5-7A26-40A7-894F-CADA848A9839}
    C:\Users\DH59\AppData\Local\{009A1AF2-0CB1-4673-BBE8-EB481402677A}
    C:\Users\DH59\AppData\Local\{00EFB309-53BC-4C72-BBD2-BC5487F8B938}
    C:\Users\DH59\AppData\Local\{02959E74-32CA-4C03-8784-A594981CD4FC}
    C:\Users\DH59\AppData\Local\{04311736-B3BA-4EF7-895D-5A0870AEA287}
    C:\Users\DH59\AppData\Local\{04C30CA5-97E4-4F7B-8542-0BB56B94017F}
    C:\Users\DH59\AppData\Local\{081D6D62-10E9-4C66-B031-65B24CC3B474}
    C:\Users\DH59\AppData\Local\{08FAC172-915B-4D46-8ACF-14BDB2A8DC65}
    C:\Users\DH59\AppData\Local\{0906DB16-5E2C-4940-818A-1EC439B7C137}
    C:\Users\DH59\AppData\Local\{09152F16-E230-45A5-B916-D6B93FD933A7}
    C:\Users\DH59\AppData\Local\{095BDD97-78FC-44A0-A5C7-60BEAD573BA1}
    C:\Users\DH59\AppData\Local\{0A0C2A98-DA00-4EAB-B3F3-5E2BAF92C859}
    C:\Users\DH59\AppData\Local\{0A5BA5ED-958F-42DF-82C4-AA2696BBA337}
    C:\Users\DH59\AppData\Local\{0AFAC927-0138-470D-BB61-004EDAA5D0FF}
    C:\Users\DH59\AppData\Local\{0B4E54E0-0EC1-483F-BF09-4C07E4A31D2C}
    C:\Users\DH59\AppData\Local\{0BABDCC9-1EB5-482E-95E7-CC5769B69032}
    C:\Users\DH59\AppData\Local\{0E48F159-AA2E-4B1F-9A52-7268FF00957D}
    C:\Users\DH59\AppData\Local\{0F9A4C93-9B52-4D99-BA02-4C2A4FEF6202}
    C:\Users\DH59\AppData\Local\{11364A6D-74DF-48BF-B337-9DF2F682A5A6}
    C:\Users\DH59\AppData\Local\{12417334-D0DF-4C49-9D3E-675B1F00EC9E}
    C:\Users\DH59\AppData\Local\{1272EFA5-A6B5-47DE-A22B-74AF7F9BF80F}
    C:\Users\DH59\AppData\Local\{136B0406-47DA-4F7C-8E92-9DBB0B8E9FF7}
    C:\Users\DH59\AppData\Local\{14774ECC-06DB-4593-922E-2B5D68F2C0D6}
    C:\Users\DH59\AppData\Local\{15A2A583-8671-451A-AB69-F5ABF5063832}
    C:\Users\DH59\AppData\Local\{1696EF72-E829-4C27-9EE8-D234D9CCB3A4}
    C:\Users\DH59\AppData\Local\{16A22FEF-5CD3-4D29-86B0-FBE52AF1846A}
    C:\Users\DH59\AppData\Local\{18388F67-3CAB-4297-A349-B33A699805E9}
    C:\Users\DH59\AppData\Local\{193C6946-2099-4FE0-BD22-713E415AC790}
    C:\Users\DH59\AppData\Local\{1BF9AEF3-9120-411A-9D07-C74386901525}
    C:\Users\DH59\AppData\Local\{1E8FA899-AC1A-4CCC-B488-C62708567958}
    C:\Users\DH59\AppData\Local\{2060F573-412F-4185-AA3B-8376B9CBB5FB}
    C:\Users\DH59\AppData\Local\{20F3E75E-FF92-4750-B703-0562F5A95566}
    C:\Users\DH59\AppData\Local\{2402159E-3E0A-480C-BB51-A4E7257D479D}
    C:\Users\DH59\AppData\Local\{274FAEAA-6B3F-4A63-809F-10BA800FCA28}
    C:\Users\DH59\AppData\Local\{27ECEAE3-5AFB-4049-BA21-9CBD802B46FC}
    C:\Users\DH59\AppData\Local\{27EDB8F4-46B1-44F6-AE6A-311FD411DA9F}
    C:\Users\DH59\AppData\Local\{28D03E38-B32D-42A7-82B4-5F6EA7F8FA31}
    C:\Users\DH59\AppData\Local\{2ADC3B7A-3AD2-45A6-8501-70A99CB21FB7}
    C:\Users\DH59\AppData\Local\{2DCE0188-C929-43C9-B08F-442518ABEFCD}
    C:\Users\DH59\AppData\Local\{2DD82B39-5343-4066-8722-F457EDDCCE31}
    C:\Users\DH59\AppData\Local\{2DD9A855-BCF1-4998-8D19-2F0FDCF2E8B5}
    C:\Users\DH59\AppData\Local\{2E50226A-17CE-451E-B460-60A67B420C65}
    C:\Users\DH59\AppData\Local\{2E784BF8-3BFD-4A0B-937E-78F44724C9B5}
    C:\Users\DH59\AppData\Local\{316770AD-4A71-4EC6-8E10-0BAD207A97C4}
    C:\Users\DH59\AppData\Local\{31D67856-81E2-43E2-BD97-876EFB4F5E7D}
    C:\Users\DH59\AppData\Local\{331B072D-7CD9-4F5D-9439-F47BCE38BA18}
    C:\Users\DH59\AppData\Local\{3456CEE1-3A9F-4950-A84B-099A7358B9D7}
    C:\Users\DH59\AppData\Local\{3508947F-9EAA-4A82-BEFF-D0725ABB2F21}
    C:\Users\DH59\AppData\Local\{35B9F018-2973-4BA5-929E-0489227056B4}
    C:\Users\DH59\AppData\Local\{368BB98E-F2B1-4E53-9F2D-CEA5E1EAC779}
    C:\Users\DH59\AppData\Local\{371B1546-642A-4F2F-9493-86D28C0CD99E}
    C:\Users\DH59\AppData\Local\{3763CF2D-09BC-40D7-BFE2-2F2CA5B3E133}
    C:\Users\DH59\AppData\Local\{3821A77D-CB75-4B91-90B1-7FDD7B725767}
    C:\Users\DH59\AppData\Local\{3900E809-5B41-4AAD-AC7F-C361EFD5C1A9}
    C:\Users\DH59\AppData\Local\{3B2D6310-2BB2-4B23-991F-6ACAF2B5E19E}
    C:\Users\DH59\AppData\Local\{3D293E5E-39A1-4EF4-9AEF-C514AB2B41ED}
    C:\Users\DH59\AppData\Local\{3D532E64-EA43-4388-87A0-A920D1577471}
    C:\Users\DH59\AppData\Local\{3DDD4AA3-DD4C-4C0E-BAC9-995ADCAB563B}
    C:\Users\DH59\AppData\Local\{3DF6767A-3005-4007-BEB2-E37354D28365}
    C:\Users\DH59\AppData\Local\{3EDBBEFF-276D-4297-BC51-999542DD06BA}
    C:\Users\DH59\AppData\Local\{4200245B-6ECC-4C6D-AF4F-1E720D54BBD9}
    C:\Users\DH59\AppData\Local\{424B85B6-D659-44CF-9315-172056F9A948}
    C:\Users\DH59\AppData\Local\{4260CE9D-A42F-4A4F-AE48-E82AD99DF7AE}
    C:\Users\DH59\AppData\Local\{44B32EE2-8FE8-438D-8903-210CA913017E}
    C:\Users\DH59\AppData\Local\{45206838-1DC8-454E-9F1E-10C8B2A8D3E1}
    C:\Users\DH59\AppData\Local\{458B271E-4548-4CBD-9CE3-D1DE4A0B14DD}
    C:\Users\DH59\AppData\Local\{46348C05-BFFB-47B8-BDE3-BCB7699133E8}
    C:\Users\DH59\AppData\Local\{469541F1-6A3B-4C31-B322-06E08B9A39C6}
    C:\Users\DH59\AppData\Local\{46CC3178-5C8E-4C27-9FDC-FE618EEEE7CD}
    C:\Users\DH59\AppData\Local\{47101685-17B9-4967-B89A-9BF30B243727}
    C:\Users\DH59\AppData\Local\{4729211B-6A20-4411-8A9B-9A9233FA0173}
    C:\Users\DH59\AppData\Local\{490C84A7-26AC-46ED-9FDD-2B3EC425B6FE}
    C:\Users\DH59\AppData\Local\{49354548-AA22-4DAE-9EFD-A2996CA14E53}
    C:\Users\DH59\AppData\Local\{49490511-BB3E-47D2-9A6B-DC5BF2591FC9}
    C:\Users\DH59\AppData\Local\{4BA493F7-3D3F-4981-B7E7-4BBFB858023E}
    C:\Users\DH59\AppData\Local\{4D29E7DD-1EE5-4482-BB00-B9B1A6304CFF}
    C:\Users\DH59\AppData\Local\{4DA9998D-849A-41FC-A881-B5D6F9EE4CFF}
    C:\Users\DH59\AppData\Local\{4DE339DC-1E77-4B7D-B0AE-37F7A5CB905E}
    C:\Users\DH59\AppData\Local\{4E2D4D68-A240-4AB4-A657-46DE4F8AF571}
    C:\Users\DH59\AppData\Local\{4E3CB9DD-325E-40BF-94B1-9332311B4A0C}
    C:\Users\DH59\AppData\Local\{4E733A45-3923-4304-B5A3-87CAFACF1EEB}
    C:\Users\DH59\AppData\Local\{4EA71977-34D7-4616-991A-EDBF317C88CA}
    C:\Users\DH59\AppData\Local\{4F6444FC-CA1E-4D99-A38D-070896C25C57}
    C:\Users\DH59\AppData\Local\{501F002B-3A66-4C30-BE02-58A0DF7E01D9}
    C:\Users\DH59\AppData\Local\{53A74D29-3875-4D38-95CC-5AF4C2BE27C0}
    C:\Users\DH59\AppData\Local\{53B75A9E-6854-47DF-AA27-B322D426B96F}
    C:\Users\DH59\AppData\Local\{56E8F51F-2066-47E6-A0EA-EDA3A4630397}
    C:\Users\DH59\AppData\Local\{57CCECA3-93AF-46B2-8B1B-161806D7B02A}
    C:\Users\DH59\AppData\Local\{5B2DA1EC-BC19-46C9-937D-8319D78CA4D8}
    C:\Users\DH59\AppData\Local\{5B31BD07-C1EB-4528-9A50-BD8F2F3DDE52}
    C:\Users\DH59\AppData\Local\{5F000C98-4976-452E-B8A9-380595AEA679}
    C:\Users\DH59\AppData\Local\{5F472303-10F2-40E4-AF7C-9673CFF15D67}
    C:\Users\DH59\AppData\Local\{5FB3EB13-6B8E-4EFF-9BE1-7432A0B3E09E}
    C:\Users\DH59\AppData\Local\{614B70F1-B6EF-4813-A3B6-74DA2CA19F49}
    C:\Users\DH59\AppData\Local\{619C8D80-9D32-47B2-9096-5EC556ECD7E2}
    C:\Users\DH59\AppData\Local\{62A8026E-A559-4B26-8B50-1FF3C4C9B4FC}
    C:\Users\DH59\AppData\Local\{639F1E1B-1D6A-469C-AA79-98731EC0A460}
    C:\Users\DH59\AppData\Local\{63FA3F95-9BCB-49E9-8743-E39A3A3699C4}
    C:\Users\DH59\AppData\Local\{64744EBD-FEB9-4870-AC45-B6E067C09090}
    C:\Users\DH59\AppData\Local\{65216D3E-40D1-4E10-85E5-D0B053E8BCA4}
    C:\Users\DH59\AppData\Local\{690C7422-371D-48CC-837F-A3EEF496805D}
    C:\Users\DH59\AppData\Local\{69D4B947-508A-43C6-9CC5-814D9F88993D}
    C:\Users\DH59\AppData\Local\{6A3BDD4A-D265-4F96-9708-724457C2039B}
    C:\Users\DH59\AppData\Local\{6B615800-BADA-4CD3-9037-7636A42E2021}
    C:\Users\DH59\AppData\Local\{72A2D785-4481-4348-A598-DFB71BFBF260}
    C:\Users\DH59\AppData\Local\{72AE5058-DE05-49B6-97C7-8B058C22C1B9}
    C:\Users\DH59\AppData\Local\{755AA260-8AA4-410C-8D2D-97FE357FEBDE}
    C:\Users\DH59\AppData\Local\{77F94A68-106F-4E75-9D84-B09465EDC665}
    C:\Users\DH59\AppData\Local\{7FB29C64-E0CB-4826-B00D-E654E639B84A}
    C:\Users\DH59\AppData\Local\{82DD5C70-ED38-40AE-A984-8E958D946D46}
    C:\Users\DH59\AppData\Local\{830580EA-0C13-48A4-BB20-2CCF64BB22AF}
    C:\Users\DH59\AppData\Local\{84654ABC-83AC-4207-A490-C4AE9FC433EB}
    C:\Users\DH59\AppData\Local\{855966A1-27D0-4613-BD12-B6F485F3B958}
    C:\Users\DH59\AppData\Local\{8565323D-6E21-4F99-91B0-F00AA8EFBEB9}
    C:\Users\DH59\AppData\Local\{894DD858-D443-42DA-97A9-6A924AC75540}
    C:\Users\DH59\AppData\Local\{898E5919-6375-49CC-9A91-03B0785C33B9}
    C:\Users\DH59\AppData\Local\{8A2F83FD-507A-44A2-AE49-C07DDEACBA6F}
    C:\Users\DH59\AppData\Local\{8AE07C42-273D-473B-87DB-E69A23819FEB}
    C:\Users\DH59\AppData\Local\{8C426ED3-226F-413C-888E-C906322629EA}
    C:\Users\DH59\AppData\Local\{8C57BFCA-AC6E-4478-9578-337C0176D29D}
    C:\Users\DH59\AppData\Local\{8CE8DB12-96C8-437C-9ACD-CB42DC06EC1A}
    C:\Users\DH59\AppData\Local\{8DCAB75E-8AD9-473F-A744-893DF761B292}
    C:\Users\DH59\AppData\Local\{8F299B74-6324-47C6-929B-38A644594918}
    C:\Users\DH59\AppData\Local\{8F8492B7-A527-4E3F-B6F8-C9F9D05265F9}
    C:\Users\DH59\AppData\Local\{8FAB76D6-6E57-4110-83D0-8A9F7D193C01}
    C:\Users\DH59\AppData\Local\{8FC0D13E-962E-4858-BAE6-0188368BCD9B}
    C:\Users\DH59\AppData\Local\{90B73D36-4B3F-4002-8160-B706F1D927DA}
    C:\Users\DH59\AppData\Local\{915953CE-882E-4233-AAB8-60A95032A16D}
    C:\Users\DH59\AppData\Local\{92EF1C20-D4C2-4DEC-883C-E151AC204AE5}
    C:\Users\DH59\AppData\Local\{933ED5F9-29AA-4F39-85E8-15DA3BBF53A6}
    C:\Users\DH59\AppData\Local\{944C17B6-E869-4A15-ABF3-0E81E09AE005}
    C:\Users\DH59\AppData\Local\{95769B2E-A1A6-4A9A-8499-BB539AF2315C}
    C:\Users\DH59\AppData\Local\{9B86829D-B4C0-4CF0-9982-02F6F03B1CFB}
    C:\Users\DH59\AppData\Local\{A0E099A7-0E9E-4CB1-8104-0B1B8F5630C7}
    C:\Users\DH59\AppData\Local\{A17FE89E-1FC3-408A-A8F3-AD8E64DF9881}
    C:\Users\DH59\AppData\Local\{A1ADBD9A-C705-4658-A6E4-6692503D10C9}
    C:\Users\DH59\AppData\Local\{A2560AE6-2040-4549-A1BB-FA83AC5A47D0}
    C:\Users\DH59\AppData\Local\{A3097EE2-C50C-4DFC-A297-90A0BF375FD2}
    C:\Users\DH59\AppData\Local\{AADCC5E6-E2B7-41AB-AF9C-19968F6AA637}
    C:\Users\DH59\AppData\Local\{AD4249BD-6D82-4F99-9DAC-8E05EE7F08A8}
    C:\Users\DH59\AppData\Local\{ADF112BD-7B55-4586-BC43-8B6A64C6C3B0}
    C:\Users\DH59\AppData\Local\{B12645A5-DE2C-4B35-A49F-599211D11A28}
    C:\Users\DH59\AppData\Local\{B1FF4C84-54EA-4D41-8503-54483D15C7B2}
    C:\Users\DH59\AppData\Local\{B3E61BF0-CC65-4A39-8F47-F14BF00FE18C}
    C:\Users\DH59\AppData\Local\{B412F3D0-9BA8-4AAA-9A00-F1579267F6EC}
    C:\Users\DH59\AppData\Local\{B481C38A-030F-4D12-8624-00BEDDB0EDB8}
    C:\Users\DH59\AppData\Local\{B4A2F1DB-D7C8-44C2-AA5C-6FCB106702A2}
    C:\Users\DH59\AppData\Local\{B520E6E4-71A1-4A91-BD2D-774A785E8982}
    C:\Users\DH59\AppData\Local\{B5BC318A-F911-4CD9-83DE-96D4DC5F1E88}
    C:\Users\DH59\AppData\Local\{B6110837-46DA-409D-86AD-5B5161BEC6AC}
    C:\Users\DH59\AppData\Local\{B6210DD3-A7FA-4CC8-A688-95E2A47107C8}
    C:\Users\DH59\AppData\Local\{B8A67AFC-DE19-411F-9160-D9232E04DF63}
    C:\Users\DH59\AppData\Local\{BD3ED079-D2BE-42E2-B9B2-EABD0D327370}
    C:\Users\DH59\AppData\Local\{BDDB70E8-68CE-45CB-A012-0587C46884C2}
    C:\Users\DH59\AppData\Local\{BE481DF5-2B59-4FBB-A92A-2DF35368D5C1}
    C:\Users\DH59\AppData\Local\{BE9CA9FF-3131-4694-9114-1417FDDC2399}
    C:\Users\DH59\AppData\Local\{BF6D45D0-86F3-4A86-9409-6C2F2EEAD01B}
    C:\Users\DH59\AppData\Local\{C055DF66-BDF2-4B3F-A07C-D992FB93DB09}
    C:\Users\DH59\AppData\Local\{C36C5076-8C3E-410F-B980-74D940F72655}
    C:\Users\DH59\AppData\Local\{C3857465-3DBE-48F0-B140-B61446DF2C98}
    C:\Users\DH59\AppData\Local\{C685B8CF-D0AD-4B14-A95C-36DA82FCDFD7}
    C:\Users\DH59\AppData\Local\{C72208E1-0740-4559-A5F3-4F0BA692A23A}
    C:\Users\DH59\AppData\Local\{C72AB9B5-F23A-4E73-9DE7-F79CBCB8A42E}
    C:\Users\DH59\AppData\Local\{C762A0A2-8974-49CB-AC7C-DE647F518B7C}
    C:\Users\DH59\AppData\Local\{C8100D7B-9BF2-4990-A72E-BC462D3AB912}
    C:\Users\DH59\AppData\Local\{C9566483-AB6D-4B12-9A85-C11641DE41F2}
    C:\Users\DH59\AppData\Local\{C975FDD5-3816-4B84-8BB6-3ACB75237A06}
    C:\Users\DH59\AppData\Local\{C988EA22-5ACC-48D8-8F46-3E50F6CC4987}
    C:\Users\DH59\AppData\Local\{CC3F0DD8-7ECE-428F-9F57-A813CB3FA8BE}
    C:\Users\DH59\AppData\Local\{CC79EDA2-1F6E-4413-8C0E-43E562305556}
    C:\Users\DH59\AppData\Local\{CDE6BB7E-ED45-4903-8E48-4B79A350D19C}
    C:\Users\DH59\AppData\Local\{CDE780E0-9147-4158-9B88-B3A8D00612BE}
    C:\Users\DH59\AppData\Local\{CF4AB0F2-9F7D-4E78-B8A9-61677AA3F1A3}
    C:\Users\DH59\AppData\Local\{CF62F818-7F85-48FA-AFE3-205E95AC8313}
    C:\Users\DH59\AppData\Local\{D0E35E41-6455-4E13-8602-471B6647C08A}
    C:\Users\DH59\AppData\Local\{D3079FB2-3FCB-4716-9720-CFFDE8EE3E27}
    C:\Users\DH59\AppData\Local\{D3959200-1E06-4377-919B-37DDD8075BC4}
    C:\Users\DH59\AppData\Local\{D84C50E8-C023-4ACA-B6FD-EFF5334FAB9B}
    C:\Users\DH59\AppData\Local\{DB257E52-465D-4D2A-A57E-BC4572E80A8F}
    C:\Users\DH59\AppData\Local\{DD159ECE-D4CB-491E-983E-3C87BC516D5B}
    C:\Users\DH59\AppData\Local\{DE430351-FB2A-4A93-9D96-157312E38D03}
    C:\Users\DH59\AppData\Local\{DED61BC1-C19F-414B-9518-C3240841ED62}
    C:\Users\DH59\AppData\Local\{E00CE970-CF6F-4F6B-870C-0F5B73A38C33}
    C:\Users\DH59\AppData\Local\{E0A47F39-CBE6-4B44-B058-B8872B9D56CD}
    C:\Users\DH59\AppData\Local\{E1387CD7-66C0-43A6-AEB6-A898B9D74829}
    C:\Users\DH59\AppData\Local\{E3D27EF8-2183-4025-9FB6-3681EC63FB15}
    C:\Users\DH59\AppData\Local\{E3E09E61-F58D-4F4A-8B8A-744AA2136C31}
    C:\Users\DH59\AppData\Local\{E4A9BC30-02B1-426F-8B92-5880AC294294}
    C:\Users\DH59\AppData\Local\{E52848E0-3856-431E-8D9F-1A4C7B1B6D22}
    C:\Users\DH59\AppData\Local\{E5FF9F9A-7006-4BF4-994F-F616FD2EC983}
    C:\Users\DH59\AppData\Local\{E6E36544-A3BB-4F8F-8173-B59ADFEFED4A}
    C:\Users\DH59\AppData\Local\{E8E3284D-E8E4-4EEC-8248-623CB8DA6C98}
    C:\Users\DH59\AppData\Local\{E936BF4A-6737-45A8-8161-F6688E4274C3}
    C:\Users\DH59\AppData\Local\{E9673173-1567-40D8-BEF7-9EE51937F7B2}
    C:\Users\DH59\AppData\Local\{E9E83325-D6F1-4CC3-9DE6-842D45E761B1}
    C:\Users\DH59\AppData\Local\{EA84C98E-FEE5-4031-A1E5-656D950DA3ED}
    C:\Users\DH59\AppData\Local\{ED00B62A-A826-4ED5-B01C-C0B1517BF226}
    C:\Users\DH59\AppData\Local\{EE7EF67A-734B-4B1C-BF05-55EF78E799DA}
    C:\Users\DH59\AppData\Local\{EEE3291C-83F1-4336-8A1C-EC6381A9D140}
    C:\Users\DH59\AppData\Local\{F00F589F-3713-4CA9-BAFD-13AF13E124D7}
    C:\Users\DH59\AppData\Local\{F101BCF6-772E-401D-8716-1A31D38ADCF9}
    C:\Users\DH59\AppData\Local\{F293BBC4-ECAF-4F5B-87BA-B3C0C9714C53}
    C:\Users\DH59\AppData\Local\{F32966CD-4B01-4293-8223-FC3354FAE0D0}
    C:\Users\DH59\AppData\Local\{F399CD85-30AD-49E2-B57A-100230AA3F33}
    C:\Users\DH59\AppData\Local\{F4C9C95C-43DE-4172-B467-482871120F6F}
    C:\Users\DH59\AppData\Local\{F52FB878-73D6-45FC-9519-8DBFC7640584}
    C:\Users\DH59\AppData\Local\{F5445622-0365-438D-A0CF-4052D950763E}
    C:\Users\DH59\AppData\Local\{F618AF7E-DF77-4722-AA9E-A7DB0DEAA4B0}
    C:\Users\DH59\AppData\Local\{F6DBAE28-6EBB-48D6-888C-01C7D10688B5}
    C:\Users\DH59\AppData\Local\{F874704D-8D34-49DC-B729-B75EA142EA1D}
    C:\Users\DH59\AppData\Local\{F882B9AC-26DC-4CF4-845E-65ADF7B1B167}
    C:\Users\DH59\AppData\Local\{F9CD6147-4778-41E0-A254-E4E9B03C3FE7}
    C:\Users\DH59\AppData\Local\{F9E2712E-D21F-41C1-82BB-C26E19433A49}
    C:\Users\DH59\AppData\Local\{FA7DD277-B7FB-449E-9BAA-1849648A3D03}
    C:\Users\DH59\AppData\Local\{FC1BB05D-A612-4AC1-A523-58E58ADEB11D}
    C:\Users\DH59\AppData\Local\{FF9C1178-3132-448E-8A28-1D7F77C22E1F}
    C:\Users\DH59\AppData\Local\{FFB2B528-5FF8-4AA0-A7BE-890398A783DD}
    
    File::
    C:\ProgramData\NFEfaQHjF2nSdk
    C:\ProgramData\~NFEfaQHjF2nSdk
    C:\ProgramData\~NFEfaQHjF2nSdkr
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
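The opening post and the CFScript above point at the same small set of indicators: files dated the day of the incident under the user's Temp, Roaming and ProgramData folders, names made of random letters and numbers (NFEfaQHjF2nSdk, 0391B56F), a crop of GUID-named folders under AppData\Local, and shortcuts that vanished from the desktop and Start Menu. The script below is an added example, not part of this thread and not ComboFix's own logic: it scores those indicators over a profile tree so the same question can be asked of a live profile or a mounted image. It builds a constructed fixture that mirrors the paths quoted in the thread, plus hypothetical benign controls (Google, tmp1234.tmp, Microsoft\settings.dat, a staged Calculator.lnk) that are not from the page; the name-length and entropy thresholds are assumptions, not values the thread gives.

```python
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta
from pathlib import Path

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; st_file_attributes exists only on Windows

def is_guid_name(name: str) -> bool:
    """True for folder names such as {00543EE5-7A26-40A7-894F-CADA848A9839}."""
    return GUID_RE.match(name) is not None

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds) for names like NFEfaQHjF2nSdk or 0391B56F:
    alphanumeric, at least 8 chars, letters and digits mixed, entropy >= 3 bits."""
    if len(stem) < 8 or not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    has_letter = any(c.isalpha() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    return has_letter and has_digit and shannon_entropy(stem) >= 3.0

def is_hidden(p: Path) -> bool:
    """Hidden-attribute check; always False on non-Windows hosts."""
    return bool(getattr(p.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def triage(user_profile: Path, program_data: Path, since: datetime):
    """Return [(path, reasons)]: every GUID-named folder directly under AppData\\Local,
    plus any entry under Temp, Roaming or ProgramData matching at least two indicators."""
    local = user_profile / "AppData" / "Local"
    findings = []
    if local.is_dir():
        for p in local.iterdir():
            if p.is_dir() and is_guid_name(p.name):
                findings.append((p, ["GUID-named folder under AppData\\Local"]))
    for base in (local / "Temp", user_profile / "AppData" / "Roaming", program_data):
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            reasons = []
            if datetime.fromtimestamp(p.stat().st_mtime) >= since:
                reasons.append("modified on or after %s" % since.date())
            if looks_random(p.stem.lstrip("~")):   # the ~NFEfaQHjF2nSdk variant too
                reasons.append("random-looking name")
            if p.suffix.lower() in EXEC_SUFFIXES:
                reasons.append("executable")
            if p.suffix.lower() == ".lnk" and base.name == "Temp":
                reasons.append("shortcut staged under Temp")
            if is_hidden(p):
                reasons.append("hidden attribute set")
            if len(reasons) >= 2:
                findings.append((p, reasons))
    return findings

def build_sample_profile(root: Path, since: datetime):
    """Constructed fixture mirroring the paths quoted in the thread, plus benign
    controls (Google, tmp1234.tmp, Microsoft\\settings.dat) that must not fire."""
    user = root / "Users" / "username"
    local, roaming, pd = user / "AppData" / "Local", user / "AppData" / "Roaming", root / "ProgramData"
    recent = (since + timedelta(hours=2)).timestamp()
    old = (since - timedelta(days=30)).timestamp()
    entries = {  # path: (is_dir, mtime)
        local / "Temp" / "reinstall.exe": (False, recent),
        local / "Temp" / "tmp1234.tmp": (False, recent),
        local / "Temp" / "moved" / "Calculator.lnk": (False, recent),
        local / "{00543EE5-7A26-40A7-894F-CADA848A9839}": (True, recent),
        local / "Google": (True, old),
        roaming / "0391B56F": (True, recent),
        pd / "NFEfaQHjF2nSdk": (False, recent),
        pd / "~NFEfaQHjF2nSdk": (False, recent),
        pd / "Microsoft" / "settings.dat": (False, old),
    }
    for p, (is_dir, mtime) in entries.items():
        if is_dir:
            p.mkdir(parents=True, exist_ok=True)
        else:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample")
        os.utime(p, (mtime, mtime))
    # creating children bumped the container directories' mtimes; pin them old so
    # only the entries listed above carry the incident-day timestamp
    for d in (local / "Temp", local / "Temp" / "moved", roaming, pd, pd / "Microsoft"):
        os.utime(d, (old, old))
    return user, pd

def demo():
    """Build the fixture in a scratch directory, triage it, return sorted (name, reasons)."""
    since = datetime(2011, 11, 19)  # incident date from the thread
    with tempfile.TemporaryDirectory() as scratch:
        user, pd = build_sample_profile(Path(scratch), since)
        return sorted((p.name, reasons) for p, reasons in triage(user, pd, since))

if __name__ == "__main__":
    for name, reasons in demo():
        print("%-42s %s" % (name, "; ".join(reasons)))
```

Against a real machine, call `triage(Path(os.environ["USERPROFILE"]), Path(os.environ["ProgramData"]), since)` with `since` set to the incident date; entries with a single reason (an ordinary temp file modified today, say) are deliberately not reported, so the output is a shortlist to look at, not a verdict.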
     
  6. Digibirder

    Digibirder Private First Class

    Thanks Kestrel,

    I've done all you asked, except that I forgot to uninstall the old Java before running the ComboFix script bit. I did that immediately afterwards, then installed the new version before running the remainder of the scans. Hope that it doesn't affect the results. If I need to do it again let me know.

    Anyway, after running all the scans, I've opened a couple of programs, which seems fine. I've also opened an Explorer window and when I'm in my User folder, there are several added folder icons with shortcut arrows, which when clicked say: c:\users\name\foldername is not accessible. Access is denied. The icons are dimmed in colour, as if they are system or hidden files or something. For example, there is an Application Data folder, further down is a Cookies folder, also a Local Settings folder, an extra My Documents folder, Nethood, Printhood, Recent, SendTo, Start Menu, Templates. Are these connected with Windows XP? I am on Win 7 64bit.

    The other thing that happened between me posting my original logs and getting your reply is that I had been using the computer fairly normally, although not extensively, and have logged into a couple of sites I belong to. This morning I found an email from Facebook that someone has logged into my account using an unrecognised device. I had to log in (on a different computer) and change my password. The account was logged into from east coast USA on a mobile device, which I do not use, and I am in the UK! I've now been onto the other sites I've used and changed passwords there as well. So if you can see anything that looks like a keylogger or whether it has been zapped now, let me know.

    Log files attached.

    Many thanks.
    Diane
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    c:\users\DH59\AppData\Roaming\0391B56F
    C:\Users\DH59\AppData\Local\{00543EE5-7A26-40A7-894F-CADA848A9839}
    C:\Users\DH59\AppData\Local\{009A1AF2-0CB1-4673-BBE8-EB481402677A}
    C:\Users\DH59\AppData\Local\{00EFB309-53BC-4C72-BBD2-BC5487F8B938}
    C:\Users\DH59\AppData\Local\{02959E74-32CA-4C03-8784-A594981CD4FC}
    C:\Users\DH59\AppData\Local\{04311736-B3BA-4EF7-895D-5A0870AEA287}
    C:\Users\DH59\AppData\Local\{04C30CA5-97E4-4F7B-8542-0BB56B94017F}
    C:\Users\DH59\AppData\Local\{081D6D62-10E9-4C66-B031-65B24CC3B474}
    C:\Users\DH59\AppData\Local\{08FAC172-915B-4D46-8ACF-14BDB2A8DC65}
    C:\Users\DH59\AppData\Local\{0906DB16-5E2C-4940-818A-1EC439B7C137}
    C:\Users\DH59\AppData\Local\{09152F16-E230-45A5-B916-D6B93FD933A7}
    C:\Users\DH59\AppData\Local\{095BDD97-78FC-44A0-A5C7-60BEAD573BA1}
    C:\Users\DH59\AppData\Local\{0A0C2A98-DA00-4EAB-B3F3-5E2BAF92C859}
    C:\Users\DH59\AppData\Local\{0A5BA5ED-958F-42DF-82C4-AA2696BBA337}
    C:\Users\DH59\AppData\Local\{0AFAC927-0138-470D-BB61-004EDAA5D0FF}
    C:\Users\DH59\AppData\Local\{0B4E54E0-0EC1-483F-BF09-4C07E4A31D2C}
    C:\Users\DH59\AppData\Local\{0BABDCC9-1EB5-482E-95E7-CC5769B69032}
    C:\Users\DH59\AppData\Local\{0E48F159-AA2E-4B1F-9A52-7268FF00957D}
    C:\Users\DH59\AppData\Local\{0F9A4C93-9B52-4D99-BA02-4C2A4FEF6202}
    C:\Users\DH59\AppData\Local\{11364A6D-74DF-48BF-B337-9DF2F682A5A6}
    C:\Users\DH59\AppData\Local\{12417334-D0DF-4C49-9D3E-675B1F00EC9E}
    C:\Users\DH59\AppData\Local\{1272EFA5-A6B5-47DE-A22B-74AF7F9BF80F}
    C:\Users\DH59\AppData\Local\{136B0406-47DA-4F7C-8E92-9DBB0B8E9FF7}
    C:\Users\DH59\AppData\Local\{14774ECC-06DB-4593-922E-2B5D68F2C0D6}
    C:\Users\DH59\AppData\Local\{15A2A583-8671-451A-AB69-F5ABF5063832}
    C:\Users\DH59\AppData\Local\{1696EF72-E829-4C27-9EE8-D234D9CCB3A4}
    C:\Users\DH59\AppData\Local\{16A22FEF-5CD3-4D29-86B0-FBE52AF1846A}
    C:\Users\DH59\AppData\Local\{18388F67-3CAB-4297-A349-B33A699805E9}
    C:\Users\DH59\AppData\Local\{193C6946-2099-4FE0-BD22-713E415AC790}
    C:\Users\DH59\AppData\Local\{1BF9AEF3-9120-411A-9D07-C74386901525}
    C:\Users\DH59\AppData\Local\{1E8FA899-AC1A-4CCC-B488-C62708567958}
    C:\Users\DH59\AppData\Local\{2060F573-412F-4185-AA3B-8376B9CBB5FB}
    C:\Users\DH59\AppData\Local\{20F3E75E-FF92-4750-B703-0562F5A95566}
    C:\Users\DH59\AppData\Local\{2402159E-3E0A-480C-BB51-A4E7257D479D}
    C:\Users\DH59\AppData\Local\{274FAEAA-6B3F-4A63-809F-10BA800FCA28}
    C:\Users\DH59\AppData\Local\{27ECEAE3-5AFB-4049-BA21-9CBD802B46FC}
    C:\Users\DH59\AppData\Local\{27EDB8F4-46B1-44F6-AE6A-311FD411DA9F}
    C:\Users\DH59\AppData\Local\{28D03E38-B32D-42A7-82B4-5F6EA7F8FA31}
    C:\Users\DH59\AppData\Local\{2ADC3B7A-3AD2-45A6-8501-70A99CB21FB7}
    C:\Users\DH59\AppData\Local\{2DCE0188-C929-43C9-B08F-442518ABEFCD}
    C:\Users\DH59\AppData\Local\{2DD82B39-5343-4066-8722-F457EDDCCE31}
    C:\Users\DH59\AppData\Local\{2DD9A855-BCF1-4998-8D19-2F0FDCF2E8B5}
    C:\Users\DH59\AppData\Local\{2E50226A-17CE-451E-B460-60A67B420C65}
    C:\Users\DH59\AppData\Local\{2E784BF8-3BFD-4A0B-937E-78F44724C9B5}
    C:\Users\DH59\AppData\Local\{316770AD-4A71-4EC6-8E10-0BAD207A97C4}
    C:\Users\DH59\AppData\Local\{31D67856-81E2-43E2-BD97-876EFB4F5E7D}
    C:\Users\DH59\AppData\Local\{331B072D-7CD9-4F5D-9439-F47BCE38BA18}
    C:\Users\DH59\AppData\Local\{3456CEE1-3A9F-4950-A84B-099A7358B9D7}
    C:\Users\DH59\AppData\Local\{3508947F-9EAA-4A82-BEFF-D0725ABB2F21}
    C:\Users\DH59\AppData\Local\{35B9F018-2973-4BA5-929E-0489227056B4}
    C:\Users\DH59\AppData\Local\{368BB98E-F2B1-4E53-9F2D-CEA5E1EAC779}
    C:\Users\DH59\AppData\Local\{371B1546-642A-4F2F-9493-86D28C0CD99E}
    C:\Users\DH59\AppData\Local\{3763CF2D-09BC-40D7-BFE2-2F2CA5B3E133}
    C:\Users\DH59\AppData\Local\{3821A77D-CB75-4B91-90B1-7FDD7B725767}
    C:\Users\DH59\AppData\Local\{3900E809-5B41-4AAD-AC7F-C361EFD5C1A9}
    C:\Users\DH59\AppData\Local\{3B2D6310-2BB2-4B23-991F-6ACAF2B5E19E}
    C:\Users\DH59\AppData\Local\{3D293E5E-39A1-4EF4-9AEF-C514AB2B41ED}
    C:\Users\DH59\AppData\Local\{3D532E64-EA43-4388-87A0-A920D1577471}
    C:\Users\DH59\AppData\Local\{3DDD4AA3-DD4C-4C0E-BAC9-995ADCAB563B}
    C:\Users\DH59\AppData\Local\{3DF6767A-3005-4007-BEB2-E37354D28365}
    C:\Users\DH59\AppData\Local\{3EDBBEFF-276D-4297-BC51-999542DD06BA}
    C:\Users\DH59\AppData\Local\{4200245B-6ECC-4C6D-AF4F-1E720D54BBD9}
    C:\Users\DH59\AppData\Local\{424B85B6-D659-44CF-9315-172056F9A948}
    C:\Users\DH59\AppData\Local\{4260CE9D-A42F-4A4F-AE48-E82AD99DF7AE}
    C:\Users\DH59\AppData\Local\{44B32EE2-8FE8-438D-8903-210CA913017E}
    C:\Users\DH59\AppData\Local\{45206838-1DC8-454E-9F1E-10C8B2A8D3E1}
    C:\Users\DH59\AppData\Local\{458B271E-4548-4CBD-9CE3-D1DE4A0B14DD}
    C:\Users\DH59\AppData\Local\{46348C05-BFFB-47B8-BDE3-BCB7699133E8}
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. Digibirder

    Digibirder Private First Class

    Kestrel,

    Have done the two procedures above, and the two logs are attached.

    After ComboFix I did have to reboot after the 'illegal operation' warning due to the programs not opening.

    Also, while running the GetLogs.bat file, a warning popped up saying that a program called SteelWerXWhoamI had to close. I accepted the OK and it carried on, so I don't know what that was about.

    Thanks again. Hope this thing can be cleared once and for all. I am a little concerned as this machine did not come with the Windows installation CD, should I have to go back to formatting the drive. There is a recovery partition on the hard drive. Not ideal, but I didn't have time to build my own PC.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these folders if they are all empty which I suspect that they are.

    C:\Users\DH59\AppData\Local\{401E6269-9E91-4595-97D6-E67CFA779F9D}
    C:\Users\DH59\AppData\Local\{536AA28E-6C97-4B8C-A97E-C4108C0ACD08}
    C:\Users\DH59\AppData\Local\{6B19C97B-3674-4D16-BEFF-4F2C7EF3BBAE}
    C:\Users\DH59\AppData\Local\{6CE14A58-18A0-49DC-BD14-7FAEB42EEBB9}
    C:\Users\DH59\AppData\Local\{7FD27821-5178-4447-A547-7D0BE6B4134E}
    C:\Users\DH59\AppData\Local\{97CA51DF-17A3-4E1C-8D9B-27B5C8E3F3EF}
    C:\Users\DH59\AppData\Local\{9CC60BE7-2987-4709-898A-AE3810EFA9D8}
    C:\Users\DH59\AppData\Local\{A99F70C2-D4CA-4A71-8D45-07C77B3A9625}
    C:\Users\DH59\AppData\Local\{B13E9A08-B460-41DC-BDF2-36C788058678}
    C:\Users\DH59\AppData\Local\{CBE72D61-F916-4A4E-BB72-6AF00B292986}
    C:\Users\DH59\AppData\Local\{D710E130-8B7C-46F9-B0AA-4488EE0EB536}
    C:\Users\DH59\AppData\Local\{FEF2F578-8402-40AF-B694-BAB8E06522FC}

    Do any actual malware problems remain now?
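Added example, not something from the thread: a PowerShell script that finds GUID-named folders under %LOCALAPPDATA% and removes only those that are truly empty, which is the condition Kestrel13! attached to the deletion. It assumes the profile root used in the thread; without -Delete it only reports.

```powershell
# Added example, not from the thread: report GUID-named folders under
# %LOCALAPPDATA% and remove only those that are truly empty, which is the
# condition Kestrel13! attached to the deletion. Reports only unless -Delete is given.
param(
    [string]$Root = $env:LOCALAPPDATA,   # assumed: the profile root used in the thread
    [switch]$Delete
)

# The whole folder name must be a braced GUID, e.g. {401E6269-9E91-4595-97D6-E67CFA779F9D}
$guidName = '^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'

Get-ChildItem -LiteralPath $Root -Force |
  Where-Object { $_.PSIsContainer -and $_.Name -match $guidName } |
  ForEach-Object {
    # -Force counts hidden and system entries too: a folder holding only a
    # hidden file is not empty and is deliberately left for a closer look.
    $items = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue)
    if ($items.Count -eq 0) {
        if ($Delete) {
            Remove-Item -LiteralPath $_.FullName -Force
            "{0}`tempty, removed" -f $_.FullName
        } else {
            "{0}`tempty, would remove (rerun with -Delete)" -f $_.FullName
        }
    } else {
        "{0}`tNOT empty: {1} item(s), last write {2}; left in place" -f $_.FullName, $items.Count, $_.LastWriteTime
    }
  }
```

Run it once without -Delete and review the report; a non-empty folder is worth a closer look rather than a blind delete.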
     
  10. Digibirder

    Digibirder Private First Class

    Deleted the folders, as instructed. There are a couple more similar empty folders that were modified/created on 11/22/2011. Are they OK to leave?
    {D0D224C8-EBB0-4604-B035-4C15BBA94F14}
    {F0A278E6-818D-4331-96F3-C6236C7FC470}

    I'm not sure if there is anything else happening. I've had no further warnings or errors, but the main thing I'm concerned about now is the rogue login to my Facebook account, as mentioned in post #6. I don't want to visit any sites where I have to enter a password unless I'm sure that there is no keylogger installed. I did visit a few sites while waiting for your first response, so I've changed passwords to all those sites (using a different computer), but I am wary about logging into anywhere on that computer now.

    I'm not sure if that's how my FB login details were obtained, or whether it was a matter of FB being unsecure, but I have had secure browsing turned on for ages, and have the https: in the address bar when logged into FB, so I am at a loss as to how they did it unless there is a keylogger present.

    There's also the matter of the extra shortcut folders that appeared, as I also mentioned in that post.

    Can you also please explain what the 'SteelWerXWhoamI' thing I mentioned in post #8 is? Was this something sinister that has now been removed? Or is it something connected with running the GetLogs.bat procedure?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.
    If they are empty then yes, delete them.
    I am certainly not seeing signs of one being present. I think SAS and MBAM dealt with most crap that was there. The only other things we have removed since are those empty folders.
    It's a win7 thing, I am on win 7 too and as you can see, access is denied for me also. (see attached pic)

    One more thing we can have you do to cover all angles before I give you final steps.


    Run this and attach the results.

    Using ESET's Online Scanner
     


  12. Digibirder

    Digibirder Private First Class

    OK. I'll assume I don't have a keylogger then, although I thought they were a bit clever and could hide from detection.

    Right, thanks. I hadn't noticed those folders before and thought they'd just appeared.

    Just running the scan now, and will post the results as soon as it's done. It's at 28% at the moment, but it's found 3 threats already: the one indicated on the how to use page regarding the Win32/PrcView MGtools file, and two that say a 'variant of Win32/HiddenStart.A application'.

    Be back soon.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    From the average user's detection, yes, but in most cases they are easily spotted by someone with a trained eye. Keep going with the ESET scan and attach the end results. We might even try an anti rootkit scanner to REALLY cover all angles... :)
     
  14. Digibirder

    Digibirder Private First Class

    OK, took some time, but here is the result of the scan.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  16. Digibirder

    Digibirder Private First Class

    OK, running now.

    Nothing untoward with previous scan? Didn't look much, although there were a couple of files associated with the Dell system.
     
  17. Digibirder

    Digibirder Private First Class

    Here's the GMER scan log.
     


  18. Digibirder

    Digibirder Private First Class

    I notice you have now gone offline, but I have just had another issue similar to something that happened a couple of weeks ago.

    I was editing some images in Lightroom and Comodo flashed up a warning that a malicious item had been detected. The file was indicated as Malware@#1vdnb4mdin24. I selected Clean and it went away. It happened about 6 times, and did not happen again once I had closed Lightroom.

    Tonight, I opened LR and a few minutes later this warning came up again. The file has been quarantined. It then came up again a few minutes ago.

    In the quarantine list, the location is stated as AppData\Local\Microsoft\Windows\Temp Internet Files\Content.IE5\lettersandnumbers\photocreative365[1].com, although I use Firefox.

    The first time this happened I only had LR open - nothing else at all, no email, no browser, so how it's appeared to come from this website I don't know. I do subscribe to the site's RSS feed but as I say, I did not have the email open for the feeds to download (I use Windows Live Mail for feeds).
     
  19. Digibirder

    Digibirder Private First Class

    OK, well this warning has just popped up again, and this time I was not in Lightroom.

    I was actually just deleting this website's feed from Live Mail, and then going through the Temp Internet Files looking for any references to this website.

    Actually, I browsed to the file path in my previous post, but in Temporary Internet Files, I do not have a Content.IE5 folder, just the files themselves. I have deleted everything in the Temp Internet Files folder.
     
    Last edited: Nov 23, 2011
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sounds like Comodo is doing a good job.

    Download Cleano 0.61

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    View attachment 148092
    Click clean now and exit the program.


    • Now click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
    • ipconfig /flushdns
    • Hit Enter
    • Exit the command window

    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.

    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the FireFox Cache
    To flush your FireFox Cache


    Now let's flush the Internet Explorer Cache
    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab and click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  21. Digibirder

    Digibirder Private First Class

    Ah you're back! Thanks K.

    I wondered whether initially it was a corrupt image file, as it was only happening in LR, but now it's happened when LR is closed, that's when I had a closer look at the quarantine files and noticed the website reference.

    Anyway, I think I'll tackle this in the morning - it's getting past my bedtime now, and I don't think my brain is up to it!
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. Safe surfing! :)
     
  23. Digibirder

    Digibirder Private First Class

    Right, I've completed most of the steps below. No logs to post this time though.

    Cleano procedure seemed to go OK.
    Flushing Java OK as far as I could tell.
    Flushed Firefox cache, although I surf in private mode, so nothing is saved anyway.
    Don't use IE, but flushed that cache anyway.

    Also somewhere along the way, a desktop.ini file appeared on my desktop which wasn't there before. Can I get rid of this?

    For the final section:
    1) You say to keep SuperAntiSpyware and Malwarebytes, but on the How To Protect page it recommends using only one realtime blocker, so should I keep both or one only? Which one?

    2) Combofix uninstalled successfully.

    3) Disk emulation not applicable.

    4) Not sure how to uninstall the likes of tdsskiller, mbrcheck, GMER, and Cleano, as they are not in programs. Do I just delete the appropriate desktop items or the folders from C: drive, where applicable.

    5) Not applicable.

    6) Running Win7, and I enabled UAC through the User Accounts rather than with the MGTools. But I did this a couple of days ago anyway.

    7) No HijackThis installed.

    8) Ran MGclean.bat file - should I now delete the other folders on the C: drive relating to this tool?

    9) Regarding toggling system restore, it says to wait a few days to make sure things are OK, but should I do this now? It also says that if no malware was found this step can be skipped, so was there any malware or was I OK?

    10) Reading and digesting the information on this page!

    Thank you again. You are brill!

    PS: I contacted the guy whose website appeared to be causing Comodo to flash up a warning, and his website is actually down at the moment and the webhosts are looking into a problem. Strange, as some of his RSS feeds were still coming through into LiveMail, so this was obviously the issue. But I did think it strange that it initially only happened when I had Lightroom open!
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are hidden files and folders still set to show?
    None of them offer real time protection unless you pay for the PRO versions. So nothing to worry about there.
    Yes you can just delete them.
    What remains?
    You can wait a couple days if you like. You asked if there was any malware....yes, malware was removed by SAS and MBAM.
    You are welcome. :)

    Glad you got it sorted. ;)
     
  25. Digibirder

    Digibirder Private First Class

    Yes, I usually have that setting turned on anyway, but the desktop.ini file has never been there before.

    Ah, so you were talking about keeping both free ones! I was considering purchasing one of them in order to have the protection. I was just confused that you said to keep both, but the recommendation page says to only use one of this type of program (if that's what it was referring to). Is there any one of them that you would prefer over the other?

    There's an MGTools folder containing all the .bat and .exe files.

    Thanks again, I feel more confident now to use this computer (I hate typing on laptop keyboards). I've been hesitant to do anything where I have to enter any passwords, but as long as it's clear now, I am happy.

    PS: Those extra shortcut folders I mentioned earlier have disappeared from the username folder!
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I really would not worry about it, I have two of them on my desktop.

    I have not tried either paid for version, so no idea. Toss a coin, they are both as good as each other IMO.
    Just delete it then. :)
     
  27. Digibirder

    Digibirder Private First Class

    OK, just an update:

    Regarding the desktop.ini file - it disappeared on its own. Not sure why, but that's now gone.

    I've now deleted all the malware detection and scanning tools I downloaded, but I did not yet toggle system restore.

    However, today Comodo Internet Security flagged up the malware file again that I mentioned in an earlier post. I was watching an online video on YouTube, which I've had no problem with before.

    As I mentioned before, I have had this message appear when doing various things, including just using Lightroom with no Internet use at all.

    I selected Clean, and when I look at the log, it tells me that this file was detected at: C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\lettersandnumbers\photocreative365[1].com - same as on previous occasions.

    I had been subscribed to this site's RSS feed, but after the first time I reported this on here, I unsubscribed and cleared out the files from the Temp Int Files folder.

    One weird thing, though, is that last time I looked at this path, when I got to Temp Internet Files folder, there was no Content.IE5 folder within it, as indicated in the above path. This time, I've looked for the folder again, and on this occasion I get to the Windows folder and now there is no Temp Internet Files folder in that folder! And in any case, I use Firefox.

    I've Googled this malware warning and I cannot find any information at all about it.
     
  28. Digibirder

    Digibirder Private First Class

    Another update (as I can't edit my previous post):

    Just discovered why I couldn't see Temporary Internet Files folder - my system had somehow been set to hide protected system files. Probably as a result of one of the tools I used last week to rid my system of the malware.

    Having now found access to this folder, I discovered that somehow a file connected with the offending site had been added back into the folder, even though I unsubscribed from the feed and deleted all traces of the site from my Temp Internet Files a few days ago.

    Looking at the files in this folder, it appears they are as a result of the feeds and the fact that I use Windows Live Mail, as I use Firefox, not Internet Explorer, so this malware warning is obviously connected with the feed I had from this site.

    I am quite curious as to how the new file got added though, as I've not even visited his website, even though it's apparently now back online following some 'issues' he was having.
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have no idea I'm afraid. I would just advise you to run a temp file cleaner every now and again like you are. :) Cheers.
     
  30. Digibirder

    Digibirder Private First Class

    Well, it's a bit of an ongoing mystery.

    The malware warning came up again, and checking in Temp Internet Files folder, there is another entry for the Photocreative site's feed, and in the Type column, it is indicated as an MS-DOS Application.

    I cleared the whole Temp Internet Files folder out last night, but this entry has appeared again, even though I unsubscribed from the feed a couple of weeks ago.

    Oh, and as a result of unhiding protected system files, which must have been hidden with one of the previous tools I ran, the desktop.ini file and the shortcut files in the user folder have reappeared, but I am not too concerned about those, just this malware warning that keeps popping up. Unless it's a false error report by Comodo and there's nothing really wrong with the file.
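Added example, not from the thread: a PowerShell script that lists entries in the WinINet cache (shared by Internet Explorer and Windows Live Mail feeds) whose file name is derived from a given host, looking inside the hidden Content.IE5 subfolders that Explorer only shows once "Hide protected operating system files" is off. One observation worth having alongside the posts above: Explorer's "MS-DOS Application" Type is its label for a .com extension, so a cache file named photocreative365[1].com gets that label from its name alone, which is why the script flags such names for review. The host name and the Windows 7 cache paths are assumptions; the script only reports and deletes nothing.

```powershell
# Added example, not from the thread: list WinINet cache entries whose file name
# is derived from a given host. Internet Explorer and Windows Live Mail share this
# cache, and its Content.IE5 subfolders are hidden+system, so -Force is needed
# to see them (as the thread found once protected system files were unhidden).
# Report only; nothing is deleted. Cache roots assumed are the Windows 7 defaults.
param(
    [string]$HostName = 'photocreative365.com',   # assumed: host named in the thread
    [string[]]$CacheRoots = @(
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'),
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low')
    )
)

# WinINet names a cached URL after its last path segment (the host when the path
# is empty) and disambiguates duplicates with [n] before the extension, so
# photocreative365.com is stored as photocreative365[1].com. Build a regex that
# allows an optional [n] before every dot of the host. Entries named after a
# path segment (feed[1].xml and the like) will not match by name.
$hostRe = [regex]::Escape($HostName) -replace '\\\.', '(\[\d+\])?\.'

# Explorer shows these extensions as "MS-DOS Application"/"Application"; a cache
# file that merely ends in .com picks up that label from its name, so flag it
# for inspection rather than leaving it to be double-clicked.
$execExt = @('.exe', '.com', '.bat', '.cmd', '.scr', '.pif')

foreach ($root in $CacheRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer -and $_.Name -match $hostRe } |
      ForEach-Object {
        New-Object PSObject -Property @{
            Path            = $_.FullName
            Bytes           = $_.Length
            LastWrite       = $_.LastWriteTime
            Hidden          = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            LooksExecutable = ($execExt -contains $_.Extension.ToLower())
        }
      }
}
```

Re-running it after clearing the cache shows whether, and when, an entry for the host comes back, which narrows the cause to whatever fetched the URL at that time.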
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Perhaps this is something you could ask about in the software forum, or even in the Comodo forums. ;) Thanks.
     
