Help! Malware has taken my computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by MaryLou, Sep 9, 2006.

  1. MaryLou

    MaryLou Private E-2

    I've invested at least 30 hours over the summer with little to show as far as getting rid of viruses. My daughter's computer goes directly to internet explorer via iesettingsupdate and begins downloading popups. (Also see warnings of Tagasaurus and Adfirstsolutions.)

    I've followed all the steps in Read and Run This First (over the course of a couple of weeks) and have downloaded and unzipped GetRunKey.bat and ShowNew.bat, but have been unable to find the txt files they created.

    My bitdefender file is too large to attach, so I attached part of it here, and
    my Panda Scan and HJT log.

    Please help. I give up.

    Mary Lou
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Mary Lou,

    The two resulting .txt files from GetRunKeys and ShowNew will both be located in the root of your hard drive in this location C:\runkeys.txt and C:\newfiles.txt
     
  3. MaryLou

    MaryLou Private E-2

    I finally got the batch files to run so that the txt files are now actually on my c:\ drive.

    They are both attached here.

    I've been reading about backdoor remote access trojans and rootkits and am wondering if my computer has any. They sound very nasty with the only option being to reformat.

    Should I take this step? Since my computer is refurbished, it does not have separate disks for reformatting. All software came loaded and reformat is launched from the hard drive. Could these trojans even affect the reformatting, so that is compromised and may reinfect my computer after I reformat?

    If I'm going to have to reformat, I'd like to get it over with ASAP, unless this step will be fruitless anyway. What are my options?

    Thanks much for the help.

    Mary Lou
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MaryLou,

    You are not extracting ALL the files from the GetRunKey.zip and ShowNew.zip files into a folder. You must extract all files and you must not try to run the .bat files from inside the ZIP file. That's what it appears like you are doing. Either that or you could be getting the error mentioned in the download links.

    Please download the NEW versions of both tools (they were updated just yesterday) and follow the directions again for running them and attach new logs.

    I really need these logs before we start! You have a load of bad stuff that we need to remove and these logs will help us find all the hidden components.

    Don't worry....we will get your PC all cleaned up! :)
     
    Last edited: Sep 11, 2006
  5. MaryLou

    MaryLou Private E-2

    Here are my new logs. I did not run from inside the zip files.

    I hope they are right.

    Does this mean I won't have to reformat? No backdoor remote access trojans or rootkits?

    Please say "yes."

    MaryLou:eek:
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This PC is loaded with malware! Let's get started with the fixes.

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Then uninstall the below software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.0_01
    Morpheus 5.0 (remove only) <--- this contains bundled malware and is a probable source of many of your problems!
    Mozilla Firefox (1.0.1)
    Search Bar



    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\kybrdff_17.exe
    C:\dfndrff_14.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\ms064201-93354.exe
    C:\PROGRA~1\CROSOF~1.NET\dllhost.exe
    C:\Documents and Settings\Owner\My Documents\??sembly\NPDB~1.EXE


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - {F4ABC2DA-2337-2FBF-1075-59F078CD6AC6} - C:\WINDOWS\system32\nvnew.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O2 - BHO: (no name) - {F4ABC2DA-2337-2FBF-1075-59F078CD6AC6} - C:\WINDOWS\system32\nvnew.dll
    O3 - Toolbar: (no name) - {3D782BB3-F2A5-11D3-BF4C-000000000000} - (no file)
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_17.exe
    O4 - HKLM\..\Run: [iiq83a0d] RUNDLL32.EXE w08473f5.dll,n 00183a0c0000000308473f5
    O4 - HKLM\..\Run: [ecqnbofA] C:\WINDOWS\ecqnbofA.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [ms064201-93354] C:\WINDOWS\ms064201-93354.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\dllhost.exe" -vt yazr
    O4 - HKCU\..\Run: [Xfsb] C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\NPDB~1.EXE
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\My Documents\??sembly\NPDB~1.EXE
    c:\progra~1\crosof~1.net\dllhost.exe
    C:\Program Files\Deskbar\deskbar.dll
    C:\Program Files\System Files\System.exe
    C:\asdf.txt
    C:\deskbar3.exe
    C:\dfndrff_18.exe
    C:\dfndrff_14.exe
    C:\dist13.exe
    C:\kybrdff_17.exe
    C:\kybrdff_18.exe
    C:\kybrdff_14.exe
    C:\siteError.exe
    C:\visfx500.exe
    C:\visfx500new.exe
    C:\WINDOWS\876056.exe
    C:\WINDOWS\chadch.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\ecqnbofA.exe
    C:\WINDOWS\elpp100drop.exe
    C:\WINDOWS\gqqjitje.exe
    C:\WINDOWS\system32\irssyncd.exe
    c:\windows\keyboard1.dat
    c:\windows\sepsd.bin
    C:\WINDOWS\media_motor_bundle.exe
    C:\WINDOWS\ms064201-93354.exe
    C:\WINDOWS\system32bez6n4r21.exe
    C:\WINDOWS\sys01933544201-.exe
    C:\WINDOWS\win3210-933544201.exe
    C:\WINDOWS\YazzleBundle-1119.exe
    c:\windows\system32\adrotate.dll
    C:\WINDOWS\system32\icon_mediamotor.exe
    C:\WINDOWS\system32\ts_mediamotor.exe
    C:\WINDOWS\system32\wapicc.exe
    C:\WINDOWS\system32\wfxqhv.exe
    C:\WINDOWS\system32\zqskw.exe
    C:\WINDOWS\system32\dkptlj.dll
    C:\WINDOWS\system32\nvnew.dll
    C:\WINDOWS\system32\guard.tmp_tobedeleted
    C:\WINDOWS\system32\safe.tlb
    C:\WINDOWS\system32\iiq83a0d.ini
    C:\WINDOWS\system32\w08473f5.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Deskbar
    C:\Program Files\MemoryWatcher
    C:\Program Files\System Files
    C:\Program Files\Common Files\ofik
    C:\Program Files\elticons

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp



    Now attach the below new logs:
    - GetRunKey
    - ShowNew
    - HJT

    Make sure you tell me how things are working now!
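The O4 lines above are autostart entries under the Run registry keys. As an added example (not code from the thread, from HijackThis or from the tool author), this Python script parses such lines and flags the traits a helper looks for in them: executables sitting in the drive root or directly in C:\WINDOWS, rundll32 loading a DLL by bare name, a browser launched with a URL at logon, digit-heavy names of the kind that keep changing later in this thread, and 8.3 short names such as CROSOF~1.NET whose leading characters are missing. The SunJavaUpdateSched entry and its path are assumed, not taken from the log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O4 Run-key lines are copied from the HijackThis log
# quoted above; the final SunJavaUpdateSched entry is an assumed benign line
# added so that the triage has something to let through.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_17.exe
O4 - HKLM\..\Run: [iiq83a0d] RUNDLL32.EXE w08473f5.dll,n 00183a0c0000000308473f5
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms064201-93354] C:\WINDOWS\ms064201-93354.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Xfsb] C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\NPDB~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
"""

# HijackThis prints Run-key entries as:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Vendor names whose 8.3 short form should begin with the same letters; a short
# name such as CROSOF~1.NET means the long name starts with characters Windows
# could not use to build the alias (the "??crosoft.NET" trick from the thread).
VENDORS = ("MICROSOFT", "SYMANTEC", "ASSEMBLY")


def split_command(cmd):
    """Return (executable, arguments) from a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(.+?\.(?:exe|com|bat))(?:\s+(.*))?$', cmd, re.I)
    if m:                                        # unquoted path, may contain spaces
        return m.group(1), m.group(2) or ''
    exe, _, args = cmd.partition(' ')
    return exe, args


def lookalike_short_name(component):
    """True if an 8.3 component looks like a vendor name missing its first letters."""
    m = re.match(r'^([A-Z0-9]{5,6})~\d', component.upper())
    return bool(m) and any(v.find(m.group(1)) > 0 for v in VENDORS)


def reasons_for(cmd):
    """Heuristic reasons why a Run-key command deserves a closer look."""
    exe, args = split_command(cmd)
    path = PureWindowsPath(exe.replace('\\\\', '\\'))   # HJT doubles the root backslash
    base, stem = path.name.lower(), path.stem
    reasons = []
    if base == 'rundll32.exe' and '\\' not in args.split(',')[0]:
        reasons.append('rundll32 loads a DLL by bare name: ' + args.split(',')[0])
    if base == 'iexplore.exe' and 'http' in args.lower():
        reasons.append('browser is launched with a URL at every logon')
    if path.anchor and len(path.parts) == 2:
        reasons.append('executable sits in the drive root')
    if len(path.parts) == 3 and path.parts[1].lower() == 'windows':
        reasons.append('executable sits directly in the Windows folder')
    if stem and sum(c.isdigit() for c in stem) / len(stem) >= 0.5:
        reasons.append('digit-heavy, random-looking file name')
    reasons += ['8.3 path component looks like a truncated vendor name: ' + p
                for p in path.parts if lookalike_short_name(p)]
    return reasons


def triage(log_text):
    """Parse every O4 Run line and return [(value name, command, reasons)]."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            results.append((m['name'], m['cmd'], reasons_for(m['cmd'])))
    return results


def suspicious_names(log_text):
    """Value names of the Run entries that triggered at least one heuristic."""
    return [name for name, _, reasons in triage(log_text) if reasons]


if __name__ == '__main__':
    for name, cmd, reasons in triage(SAMPLE_HJT):
        print(('SUSPECT' if reasons else 'ok     ') + f' [{name}] {cmd}')
        for r in reasons:
            print('          - ' + r)
```

The heuristics only rank entries for a human to check; a clean-looking path still needs the file itself examined before anything is removed.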
     
  7. MaryLou

    MaryLou Private E-2

    OK. I have completed all the steps from your last post. Many thanks for your help.

    In the kill processes, two of my strings were slightly different, but I killed them anyway. The string with keyboard had 18.exe instead of 17.exe at the end and the string with defender had e2.exe at the end instead of 14.exe. I found no files in the temp folders to delete.

    I am still getting popups, but not as fast, so maybe some of them have been blocked. Adfirstsolutions is popping up and so is smashhits.

    Making progress is a good thing. I hope I can reclaim this machine and teach my teenager how to safeguard against future infection.

    Many thanks,

    MaryLou
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because many of the items I asked you to fix in my previous message did not get fixed. And this caused new problems to show up too. This could be due to your missing some or due to something getting in our way. It is possible that Windows Defender was getting in our way. So to make sure this does not happen again, uninstall Windows Defender now before you continue. Then also shutdown ALL (even your antivirus) other applications before starting the below steps. When doing these steps, it is possible that you will notice that C:\kybrdff_18.exe and C:\dfndrff_18.exe have changed to different numbers again. So just look for the new versions.

    You did not reinstall the new Sun Java or FireFox. You need to reinstall them as stated in my previous message. Please don't skip steps!!!

    Start by going to the C:\!Killbox folder and delete all files in it.
    Then empty your Recycle Bin.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\sys0233544201-9.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:



    R3 - URLSearchHook: (no name) - {EA1BEC8B-053D-55B8-1280-73E299737495} - C:\WINDOWS\system32\dkptlj.dll (file missing)
    R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    O2 - BHO: (no name) - {EA1BEC8B-053D-55B8-1280-73E299737495} - C:\WINDOWS\system32\dkptlj.dll (file missing)
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
    O4 - HKLM\..\Run: [iiq83a0d] RUNDLL32.EXE w08473f5.dll,n 00183a0c0000000308473f5
    O4 - HKLM\..\Run: [ecqnbofA] C:\WINDOWS\ecqnbofA.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_18.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [sys0233544201-9] C:\WINDOWS\sys0233544201-9.exe
    O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\dllhost.exe" -vt yazr
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\dkptlj.dll
    C:\WINDOWS\system32\w08473f5.dll
    C:\WINDOWS\ecqnbofA.exe
    C:\kybrdff_18.exe
    C:\dfndrff_18.exe
    C:\dfndrff_e2.exe
    C:\PROGRA~1\CROSOF~1.NET\dllhost.exe" -vt yazr
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\sys0233544201-9.exe
    C:\WINDOWS\win32091-93354420.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp
    Now attach the below new logs:
    - GetRunKey
    - ShowNew
    - HJT

    Make sure you tell me how things are working now!

    Now look for (only LOOK) the below folders and tell me what you find.
    Code:
    C:\Program Files\
    CROSOF~1.NET  Jun 27 2006              "??crosoft.NET"
    MCROSO~1      Jul 22 2006              "M?crosoft"
    MCROSO~1.NET  Aug 20 2006              "M?crosoft.NET"
    YMANTE~1      Sep  7 2006              "?ymantec"
    ASKS~1        Sep 11 2006              "?asks"
    
    The question marks are due to illegal characters being packed into the filename. Malware does this to hide from you and to make the filename look like it is something that it is not. For example ??crosoft.NET may look just like Microsoft.NET but it may not be. Do you see multiple folders with similar names? Look at the date and times in the ones I list above. That is what you are looking for.
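As an added example (not part of the thread or of the ShowNew tool), this Python script reads a ShowNew-style listing and flags long names that hide characters the tool could not print, then matches what is left against a small assumed allowlist of vendor folder names. The first five entries of the sample reproduce the listing above; the last three are constructed, with a soft hyphen and a Cyrillic letter standing in for the kind of character that shows up as "?" in the real log.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed ShowNew-style listing. The first five entries reproduce the folder
# names quoted above (the batch tool prints '?' for any character it cannot
# display); the last three are assumed extras: one genuine folder and two
# lookalikes built with a soft hyphen and a Cyrillic letter.
SAMPLE_LISTING = '''\
"C:\\Program Files\\"
CROSOF~1.NET  Jun 27 2006              "??crosoft.NET"
MCROSO~1      Jul 22 2006              "M?crosoft"
MCROSO~1.NET  Aug 20 2006              "M?crosoft.NET"
YMANTE~1      Sep  7 2006              "?ymantec"
ASKS~1        Sep 11 2006              "?asks"
MICROS~1      Jan 10 2005              "Microsoft.NET"
MICROS~2      Sep 12 2006              "Mi\u00adcrosoft"
SYMANT~1      Sep 12 2006              "S\u0443mantec"
'''

# Folder names that legitimately live under C:\Program Files (assumed allowlist).
KNOWN = ("Microsoft", "Microsoft.NET", "Symantec", "Tasks")

# <8.3 name>  <Mon dd yyyy>  [<size>]  "<long name>"   (size is absent for folders)
LINE_RE = re.compile(r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{4})'
                     r'\s+(?P<size>\d+)?\s*"(?P<long>.*)"$')


def parse_listing(text):
    """Return one dict per entry; the drive header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append({'short': m['short'], 'date': m['date'],
                            'long': m['long'], 'is_dir': m['size'] is None})
    return entries


def odd_chars(name):
    """Characters that no honest vendor folder name contains. A literal '?' is
    illegal in Windows file names, so in a ShowNew log it always stands for
    something the tool could not print."""
    return [c for c in name if c == '?' or not 32 <= ord(c) <= 126]


def describe(chars):
    names = []
    for c in dict.fromkeys(chars):                  # unique, in order of appearance
        names.append("'?' (unprintable)" if c == '?'
                     else unicodedata.name(c, 'U+%04X' % ord(c)))
    return ', '.join(names)


def closest_known(name):
    """Best (known name, similarity) once the odd characters are removed."""
    odd = set(odd_chars(name))
    visible = ''.join(c for c in name if c not in odd).lower()
    scored = [(SequenceMatcher(None, visible, k.lower()).ratio(), k) for k in KNOWN]
    ratio, known = max(scored)
    return known, ratio


def verdict(entry):
    """None for a clean name, otherwise a one-line explanation."""
    odd = odd_chars(entry['long'])
    if not odd:
        return None
    known, ratio = closest_known(entry['long'])
    if ratio >= 0.8:
        return f'impersonates "{known}" using {describe(odd)}'
    return 'contains ' + describe(odd)


def flagged(text):
    """Entries whose long name hides characters, each with its verdict attached."""
    hits = []
    for entry in parse_listing(text):
        v = verdict(entry)
        if v:
            hits.append(dict(entry, verdict=v))
    return hits


if __name__ == '__main__':
    for h in flagged(SAMPLE_LISTING):
        kind = 'folder' if h['is_dir'] else 'file'
        print(f"{h['short']:<14} {h['date']:<12} {kind}: {h['verdict']}")
```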
     
  9. MaryLou

    MaryLou Private E-2

    Sorry about not installing Mozilla Firefox and the new Sun Java. I downloaded the files but did not install them. Not too swift.

    Now they are installed. :)

    The new logs are also attached. I did not see any of the folders you listed at the bottom of your reply. I hope that is good news. I also had nothing in my temp folders except today's log.

    Seems like the popups are not coming as fast and furious.

    A couple that just popped up are winantivirus and ileadtrackit.

    Let me know what to do next, and thank you so much for all your help.

    It is much appreciated. I would not know which lines of code to kill or which software to use without your help.

    Thanks again,

    Mary Lou
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You need to answer my question about those folders with the dates shown. I need to know what you found. You may even find multiple folders with what looks like the same name!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\win32064201-93354.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [win32064201-93354] C:\WINDOWS\win32064201-93354.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\win32064201-93354.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.


    Now I want to search for a file!

    Click Start and select Search
    Now Select "All files and folders"
    Enter userinit.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Tell me exactly where you find matches for this! DO NOT DO ANYTHING other than report to me what you find!



     
  11. MaryLou

    MaryLou Private E-2

    Things are working much better. :)

    I only got an adyieldmanager popup and one from adfirstsolutions that said Registry Cleaner Recommended. Another one just popped up from winantivirus and from try.starware.

    I ran through all the steps you suggested and my HJT log is posted below. I searched for userinit.exe and found 3 in
    C:\Windows\$NHServicePackUninstall$
    C:\Windows\system32
    C:\Windows\ServicePackFiles\i386

    and one called USERINIT.EXE-0743FDA9.pf in
    C:\Windows\Prefetch.

    I also found the following files as dated
    Microsoft July 22, 2006
    Microsoft.NET August 20, 2006
    Tasks September 11, 2006

    This is great progress. Thanks again for your help.

    Good night,

    Mary Lou
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't seem to be getting to the root problems. I'm wondering if, in between your posting your logs and me posting a fix, things are mutating and changing names. You are not giving me any feedback on the fixes. Last time I asked you to kill a process named C:\WINDOWS\win32064201-93354.exe and then to fix the below line in HJT

    O4 - HKLM\..\Run: [win32064201-93354] C:\WINDOWS\win32064201-93354.exe

    Then I said to delete the file.

    Did you actually find this process running?
    Did the O4 line exist in HJT?
    Did you find the file and delete it?

    I would guess the answer is no because in the last log you posted, the problem is still there but it has renamed itself and it added back an old process we previously fixed too:

    Process Names to kill:
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\ms0544201-9335.exe

    HijackThis lines to fix:
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [ms0544201-9335] C:\WINDOWS\ms0544201-9335.exe


    Files to find and delete:
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\ms0544201-9335.exe

    Do what I suggest above but NOTE, the file & process names may have changed. You must locate the new names if they have and substitute.

    After you finish, attach new logs from ShowNew and HJT BUT DO NOT REBOOT AT THIS POINT. This way what you post in your new log should still be there when I give you the next fixes. This kind of problem typically renames itself at reboots and power downs.

    You said you found the below:
    What about the other folders dated June 27 2006 and Sep 7 2006?
     
  13. MaryLou

    MaryLou Private E-2

    I killed the process C:\WINDOWS\win32064201-93354.exe
    as you asked, fixed the line in HJT and then deleted the file.

    I also just killed again Duce6.exe and ms0544201-9335.exe, fixed the lines in HJT and deleted the files. (There were two similar ms lines in HJT and I fixed them both.)

    My logs are attached below.

    I did not find files dated Jun 27, 2006 or Sep 7 2006.

    Hope this helps. Sorry to be so difficult.

    Mary Lou
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your logs are now clean!

    But these folders do exist. They show in your latest ShowNew log. Are you sure that you enabled viewing of hidden and system files and folders as instructed in step 2 of the READ ME? Double check to make sure.

    Below is what is in your ShowNew log:
    Code:
    "C:\Program Files\"
    CROSOF~1.NET  Jun 27 2006              "??crosoft.NET"
    firefo~1.exe  Sep 14 2006     5127800  "firefoxsetup1.5.0.7.exe"
    killbox.exe   Sep 14 2006       92672  "killbox.exe"
    MCROSO~1      Jul 22 2006              "M?crosoft"
    MCROSO~1.NET  Aug 20 2006              "M?crosoft.NET"
    PARTYP~1      Jun 27 2006              "PartyPoker"
    PSHOPE        Jul 18 2006              "PSHope"
    SPYWAR~1      Jul 22 2006              "SpywareTools"
    YMANTE~1      Sep  7 2006              "?ymantec"
    ASKS~1        Sep 11 2006              "?asks"
    
     
  15. MaryLou

    MaryLou Private E-2

    OK, I've found them all. These are all in the Program Files folder:

    MCROSO~1 Jul 22 2006 "M?crosoft"
    MCROSO~1.NET Aug 20 2006 "M?crosoft.NET"
    YMANTE~1 Sep 7 2006 "?ymantec"
    ASKS~1 Sep 11 2006 "?asks"

    This one
    CROSOF~1.NET Jun 27 2006 "??crosoft.NET"
    is one level down in a folder called Microsoft.NET. The Microsoft.NET folder has a date created of June 27 2006 and the CROSOF~1.Net folder has a date created of August 20, 2006.

    What do I need to do with these folders?

    Also in my haste in typing in majorgeeks I brought up a site called majogeeks and another one called majorggeks. I hope these are not the source of more infections. Yikes!

    Please let me know what to do to inoculate my computer against future invasions or direct me to the thread that helps with this. My Norton AntiVirus expired in August. Should I resubscribe or are freeware alternatives just as good?

    Thanks so much for all your help!

    Mary Lou
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached ShowPRF.zip to your PC someplace you can locate it. Then extract all the files from the ZIP into the same folder where you previously extracted ShowNew.zip.

    Use Windows Explorer to locate the ShowPRF.bat file and double click on it to run it. ( Do not attempt to run the program from inside the ZIP file or by using Winzip. It will not work properly. ) It will create a file named prffiles.txt in the root of drive C: (C:\newfiles.txt) . This log will also popup in a notepad window which you can just close.

    Upload the prffiles.txt file here as an attachment.
     

    Attached Files:

  17. MaryLou

    MaryLou Private E-2

    Here's the prffiles.txt attachment. I hope I did this right.

    Mary Lou
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that did not show me everything I wanted to see!

    Can you tell me what you see under each of those folders and if there are more folders in them, tell me what is in each of the subfolders. Tell me what you find based on the below list and use the dates to locate the folders:
    Code:
    "C:\Program Files\"
    CROSOF~1.NET  Jun 27 2006              "??crosoft.NET"
    MCROSO~1      Jul 22 2006              "M?crosoft"
    MCROSO~1.NET  Aug 20 2006              "M?crosoft.NET"
    YMANTE~1      Sep  7 2006              "?ymantec"
    ASKS~1        Sep 11 2006              "?asks"
    
    Note you should delete the two below files from the C:\Program Files folder. They do not belong here:
    firefoxsetup1.5.0.7.exe
    killbox.exe
     
  19. MaryLou

    MaryLou Private E-2

    I deleted the firefoxsetup.exe and killbox.exe.

    Here's what I can find under program files:

    C:\Program Files
    A file named CROSOF~1 dated Aug 20 2006
    inside a file named Microsoft.NET dated June 27, 2006
    another file named Microsoft.NET dated Aug 20 2006
    a file named MICROSOFT dated Jul 22 2006
    a file named Symantec dated Sep 7 2006
    a file named Tasks dated Sep 11 2006

    Except for the CROSOF~1 file inside the Microsoft.NET file, all the other files appear to be empty.

    What to do next?

    My daughter has been back on her computer. Should I keep her off until these hidden files are fixed? Or is it safe for her to surf? (As much as it is ever safe!)

    Mary Lou
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete all the folders (they are folders not files) that appear to be empty!

    Then attach another ShowNew log.
     
  21. MaryLou

    MaryLou Private E-2

    Here is my newfiles.txt. How are we doing?

    It looks pretty good to me. But I am clearly not the expert!

    Please advise what thread I should follow to install an antivirus program and keep my daughter's pc safe in the future.

    Many thanks,

    Mary Lou
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay things look good! Now let's do some final cleanup.

    Run Pocket Killbox and select File, Cleanup, Delete All Backups!

    Also the fixme.reg file from your Desktop.


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link. This link also contains a list of some free antivirus programs that work very well. Since you want to remove Norton, you should download one of these first (but don't install yet). Then you should uninstall all of Norton's stuff and reboot. After reboot, install the new antivirus program and get all updates.

    How to Protect yourself from malware!
     
