Testimonial to Read Me and Run first

Discussion in 'Malware Help (A Specialist Will Reply)' started by MacFeegle, Apr 19, 2008.

  1. MacFeegle

    MacFeegle Private E-2

    ...with just a bit of 'everything *looks* clean, can you check logs when you get a chance?' thrown in at the end.

    My first post here and I hope that it's within operating procedure. I tried to post this earlier and it failed oddly. I will try to add logs to a reply to this...

    This is Saturday afternoon, 4/19/08...on Thursday (4/17) around noon, I was reading archived comics at GUcomics. The archive shows the current picture centered and a smaller version to the left and right having comics for the previous and next days. I clicked on the one to the right (somewhere in August of 2003) and I saw the Java updater icon pop up in my task bar. Odd, I thought...and then I got an alert from AVG saying threat detected...maybe. I've since read that certain spyware pops up fake alerts but this sure looked right. I told it to quarantine/remove...five times. I became concerned at this point and decided to shut down the browser and run Spybot since that seemed a harsh interlude there.

    After the scan, it gave me a Smitfraud indicator with the core.cache.dsk as the file in question. I told it to remove it and then rebooted.

    Opened IE...few seconds later, a new window popped. Uh-oh. I started Firefox...few seconds later a new IE window popped with ads.

    *sigh* Then began The Quest. I looked at a lot of places, did a lot of things...felt pretty hopeless and finally stumbled in the door here.

    I checked it out...felt a little comfy, started looking at the procedures...

    GOOD GOD! I thought...this is going to take forever!

    But, I was *this* close to doing a restore...one that would likely not have solved the problem...so I bit the bullet and started plugging away last night.

    It took a long time, I will not lie...lots of files...lots of scanning...lots of reboots.

    But I followed the Read & Run Me First instructions step by step. SuperAntiSpyware caught a lot of things that AVG and Spybot and Microtrend's website scan had not. It removed scary sounding things from scary sounding places...CHKDSK ran on the reboot from that. CHKDSK's message was "Deleting corrupt attribute record 128," from file record segment 182600 (during verifying files stage).

    I was scared at this point...no one wants to see CHKDSK running on a reboot.

    Next it was onto Spybot, which I removed and reinstalled just in case. When I looked for the current version here...NO POPPING WINDOWS! Huzzah!

    But...let's ride this through, I said.

    Spybot catches nothing. But that's to be expected as it was not seeing the original bits, but it's a darn fine program in general.

    I ran Malwarebytes. It caught MORE stuff!

    I ran ComboFix. I'm not terribly sure what it did, but I was determined now. Oh, and remember this about CF...it can take a REALLY long time (at least it feels like it) after the reboot. Be patient. I also messed up starting this and didn't shut down AVG and such...but it did do it on its own. However, it did NOT reset my clock from 24 hour...don't know if that means anything.

    Then MGTools...it was fast...I have no idea what it did. But that's okay because I think it's well killed by now...the things I had.

    Then I went and installed Online Armor...nice setup on that program.

    Everything appears okay. But just in case, I wanted to attach my logs and ask someone to take a gander when they have the time. You guys are REALLY busy, I am stunned at how much work you do here.

    You guys rock!

    DO THE READ ME AND RUN FIRST! DO IT! It takes a while, but it works.


    (How did I get it, you ask? Might have been some infected picture at the webcomic, but I will grudgingly admit to visiting a certain adult site that has movies on it from time to time...likely the number one suspect (I will avoid it from now on...pr0n is bad for the 'puter, mkay?). Also, used Windows Firewall...something I've now remedied.)
     
  2. MacFeegle

    MacFeegle Private E-2

    Attempting to add my logs...

    It said last time I tried this that I already attached to a different thread. Maybe moderators have to okay a post...sorry, being a newb sucks :)
     

    Attached Files:

  3. MacFeegle

    MacFeegle Private E-2

    ...and the MGTools log. That is, if I followed the directions for finding that one correctly.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like the scans got rid of the malware ...just make sure this is no longer there:
    C\Temps

    Are you having any other issues?

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. To uninstall it:
    * Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note: The space between the cf and the /U, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work through the below link:
    How to Protect yourself from malware!
     
  5. MacFeegle

    MacFeegle Private E-2

    I *did* have a rogue ctfmon.exe show up on trying to reinstall itself into the startup routine. Spybot blocked it, but it worries me.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What did spybot report? What was the exact path to the file? Is this the only thing that is "cropping up"?
     
  7. MacFeegle

    MacFeegle Private E-2

    On reboot, Teatimer pops and says:

    Spybot has detected an important registry entry that has been changed.
    Category: System startup user entry
    Change: Value added
    Entry: ctfmon.exe
    New data: C:\Windows\system32\ctfmon.exe

    I was concerned by this because of this page: http://www.sysinfo.org/startuplist.php?filter=ctfmon.exe

    But, rereading it, it seems that that Raidys trojan looks just like the valid one in registry and I've since re-run SuperAntiSpyware, Spybot and AVG spyware scanners and they're not coming up with anything.

    So, I'm *thinking* that that's the valid ctfmon.exe trying to come back since I can't seem to find the place to disable it in my control panel. I'll just keep telling Spybot to not let it, just to make me feel better.

    Now...if I can figure out how to configure Online Armor to not make WoW and LotRO lag like crazy...I like the firewall so far, except for that. Lag = death.

    Thank you again for your time. Let me know if you think I need to take any more action.
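    The question TimW raises in this exchange (what is the exact path of the ctfmon.exe startup entry, and is it the legitimate system file?) can be answered with a quick check of the Run keys. The following is an added example, not something posted in the thread; it assumes a Windows machine with PowerShell available and uses the expected path quoted in the TeaTimer alert above (%SystemRoot%\system32\ctfmon.exe).

```powershell
# Added example: list Run-key startup entries that launch ctfmon.exe and
# report whether each one points at the expected system file.
# Assumption: the legitimate binary lives at %SystemRoot%\system32\ctfmon.exe,
# as in the TeaTimer alert quoted in the thread.
$expected = Join-Path $env:SystemRoot 'system32\ctfmon.exe'
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CtfmonStartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to the object
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            if ($value -notmatch 'ctfmon\.exe') { continue }

            # Extract the bare file path: a quoted path, or everything up to the first space
            $path = if ($value -match '^"([^"]+)"') { $Matches[1] } else { $value.Split(' ')[0] }
            $exists = Test-Path -LiteralPath $path
            $company = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName } else { $null }

            [pscustomobject]@{
                Key          = $key
                Entry        = $p.Name
                Data         = $value
                ExpectedPath = ($path -ieq $expected)   # $true only for the system32 copy
                FileExists   = $exists
                CompanyName  = $company                 # informational; not a trust decision by itself
            }
        }
    }
}

Get-CtfmonStartupEntries | Format-Table -AutoSize
```

An entry whose ExpectedPath is $false (a copy of ctfmon.exe outside system32, or a different file with the same name) is the case worth submitting to the helpers along with your logs; the system32 copy that Windows re-adds for its own text services is the benign case TimW suggests allowing.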
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would suggest you allow the change ....as to configuring your firewall, that would be best addressed in the software section. :)
     
  9. MacFeegle

    MacFeegle Private E-2

    Okie doke, thank you very much! I have posted at OA's forum asking them for advice first. If they can't help over there, I'll trundle to the software forum here. I greatly appreciate the help!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem...safe surfing. :)
     
