cdavfrew


Posts posted by cdavfrew

  1. Here are a few other things you must do once you are completely clean:

    1. Time for some housekeeping

    • Click START then RUN

    • Now type (or Copy/Paste) Combofix /u in the runbox and click OK


    2. Now Set a New Restore Point to prevent possible re-infection from an old one.

    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can re-infect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".

    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr

    • Click "OK"

    Select the drive you want to clean, usually C:

    Click OK

    When it completes the scan:

    • Click the "More Options" Tab.

    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    3. Defragment your Hard Drive

    1. Open My Computer.

    2. Right-click the local disk volume that you want to defragment, and then click Properties.

    3. On the Tools tab, click Defragment Now.

    4. Click Defragment.

    And here are some tips to reduce the potential for spyware infection in the future:

    Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:

    To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections.

    In order to prevent the installation of Trojans and Malware on your machine:

    Download and install: Comodo BOClean

    Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected Trojan application. Comodo BOClean currently supports more than 60,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.

    See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

    And also see Tony Klein's good advice

    So how did I get infected in the first place?

    Enjoy your clean computer. Any more questions?

    Best Regards :D

  2. Hey sarahw

    You can uninstall VirtuaGirl HD from your Add/Remove Programs in the Control Panel. This will make the dancing girls go away, unless you installed this program and wish to keep it.

    I'll post back soon with more information for the future security of your computer.

    *so...have i passed?

    Best Regards :D

    Also uninstall these programs unless you want them on your PC:

    Al Roker Vs. Star Jones Boxing by Outerinfo

    pointgo

  3. Please follow all my instructions accordingly. Read through all of it.

    1.

    • Start HijackThis.

    • Click on Misc Tools.

    • Then click Open Uninstall Manager.

    • Click Save list...

    • Notepad will open with the list.

    • Post the list here.

    2.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    Also disable your internet connection.

    Open Notepad and copy/paste the text in the code box below into it:

    Folder::
    C:\WINDOWS\system32\iDlo07

    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComboFix window, as it may cause it to stall.

    Post a new HijackThis log.

    Also turn on the computer and tell me what problems are left.

    Best Regards :D

  4. Great. Also post a new HijackThis log. What do you mean by not being able to access Virustotal on the computer?

    What problems do you have left? The girls are probably still dancing on your desktop, aren't they? Don't worry; they'll be fixed in the next step, after you've posted the VirusTotal results.

    Best Regards :D

  5. Hey sarahw

    First, I want you to enable the viewing of hidden files.

    • Click Start.

    • Open My Computer.

    • Select the Tools menu and click Folder Options.

    • Select the View Tab.

    • Under the Hidden files and folders heading select Show hidden files and folders.

    • Uncheck the Hide protected operating system files (recommended) option.

    • Click Yes to confirm.

    • Click OK.

    Next, please disable all security programs, such as antiviruses, antispywares, and firewalls.

    Also disable your internet connection.

    Open Notepad and copy/paste the text in the code box below into it:

    File::
    C:\WINDOWS\system32\tupdfim.dll
    C:\WINDOWS\system32\papdfim.dll
    C:\Documents and Settings\Family Computer\Desktop\New Folder\winstrse.exe
    C:\WINDOWS\system32\teytgohg.tmp
    C:\WINDOWS\Installer\{d2ad16e3-fa3a-4c0b-9b24-22018764cc8b}\zip.dll

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SMSERIALWORKERSTARTER"=-

    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComboFix window, as it may cause it to stall.

    After that, please locate the following files:

    C:\WINDOWS\system32\dllcache\beep.sys
    C:\WINDOWS\system32\drivers\b7a36ed3.sys
    C:\WINDOWS\system32\iDlo07\iDlo071084.exe
    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

    Upload each of these files to VirusTotal.com, and post the results here.

    Also post a fresh HijackThis log.

    Any more problems with your computer?

    Best Regards :D

  6. Wonderful. I have all the information I need. There are still a few malware files remaining on your computer, and Malwarebytes will fix them. I will answer all your questions later.

    It seems that you used to have Malwarebytes. If you have already uninstalled it, please follow the instructions regarding downloading and installing it.

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.

    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    • If an update is found, it will download and install the latest version.

    • Once the program has loaded, select Perform full scan, then click Scan.

    • When the scan is complete, click OK, then Show Results to view the results.

    • Be sure that everything is checked, and click Remove Selected. << Do Not Forget This!!

    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    • Please post contents of that file in your next reply.

    Best Regards :D

    PS: Sorry if I'm dragging this too long... I just wanted to be sure of the malware's behavior. As for installing the recovery console, I didn't think that was necessary.

  7. Hey sarahw

    Please note that running programs is what will fix this problem. To fix it manually will take a long time.

    Just do this one more step: run SuperAntispyware in safe mode again, and then post the log here. It seems that some of the malware still remains stuck on your computer, and I need to know which. This will allow for the most thorough cleanup of your computer, instead of directly fixing using online scanners and such.

    Best Regards :D

  8. Hey sarahw

    Please boot into safe mode and run Combo-Fix.exe from there once more. Post the ComboFix log here.

    After that, try doing a scan with SuperAntispyware in safe mode again. If it still doesn't work, do it in normal mode. Post the log here.

    Best Regards :D

  9. Hey sarahw

    Delete your previous version of SDFix

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer into Safe Mode by doing the following:

    • Restart your computer

    • After pressing the power button, repeatedly tap the F8 key.

    • Instead of Windows loading as normal, the Advanced Options Menu should appear;

    • Select the first option, to run Windows in Safe Mode, then press Enter.

    • Choose the administrator's account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.

    • Type Y to begin the cleanup process.

    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

    • Press any Key and it will restart the PC.

    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    • Once the desktop icons load, the SDFix report will open on screen and will also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum)

    • Finally paste the contents of the Report.txt here.

    Best Regards :D

  10. Hey sarahw

    Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

    Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or by right-clicking on the SuperAntispyware icon in your task bar (it looks like a bug) and clicking on Scan for Spyware, Adware, Malware...

    Configuring SuperAntispyware

    • Click on Preferences.

    • In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.

    • Navigate to the tab Scanning Control.

    • Make sure only these boxes are checked:

    Close browsers before scanning
    Scan for tracking cookies
    Terminate memory threats before quarantining
    Scan Alternate Data Streams
    Use Kernel Direct File Access (recommended)
    Use Kernel Direct Registry Access (recommended)
    Use Direct Disk Access (recommended)

    • Click on Close.

    Updating SuperAntispyware

    • At the main window, click on Check for Updates....

    • Wait for SuperAntispyware to be fully updated.

    Scanning Time

    • Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.

    • Launch SuperAntispyware.

    • At the main window, click on Scan your Computer....

    • Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.

    • Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.

    • Reboot your computer.

    Post A Log

    • Launch SuperAntispyware

    • Click on Preferences

    • Navigate to the tab Statistics/Logs.

    • Choose the latest scan log, and then click on View Log....

    • Copy and paste the contents of the log here in your next post.

    Looking good. The malware's retreating. After that, post a new HijackThis log as well.

    Best Regards :D

    Edit: You didn't completely follow my previous instructions. :(

  11. Hey sarahw

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.

    • Type Y to begin the cleanup process.

    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

    • Press any Key and it will restart the PC.

    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    • Once the desktop icons load, the SDFix report will open on screen and will also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum)

    • Finally paste the contents of the Report.txt here.

    Best Regards :D

  12. Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.

    • Please wait for the scan to be completed.

    • After the scan has completed, check the following entries only if they are still there. If they are not there, ignore them.

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
    O2 - BHO: (no name) - {C1414B47-C261-4695-B157-3867F6649E93} - C:\WINDOWS\system32\geBtTMec.dll
    O3 - Toolbar: The retnsrp - {941FB260-9D22-480E-84D6-10DB7849180E} - C:\WINDOWS\retnsrp.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Family Computer\Desktop\New Folder\install_sbd_en.exe
    O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\wind32.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00F20E0.dat
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    O21 - SSODL: nopzet - {60DCAB51-486C-43FB-B9B8-01C482802676} - C:\WINDOWS\nopzet.dll
    O21 - SSODL: leorop - {A90E3E41-6AF8-4951-AE47-F14237589566} - C:\WINDOWS\leorop.dll
    O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL

    Click on the button Fix checked

    NOTE:: Close all browsers before fixing anything.

    Next, open Notepad. Type in the following:

    @echo off
    sc stop Schedule
    sc delete Schedule
    exit

    Click on File > Save As....

    In the File Name box, type in fix.bat

    In the Save as type box, select All Files from the drop-down list.

    Click Save and save it to your Desktop.

    Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.

    After that, reboot.

    What problems do you have left?

    Best Regards :D
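    Added example, not code from this thread or from HijackThis itself: a small Python triage pass over lines in the format of the HijackThis log quoted above, which parses each entry and flags the patterns that made those entries worth fixing (a second program riding on the Shell= line, AppInit_DLLs and SSODL autostarts, a DisableRegedit policy, and Run entries that borrow or nearly borrow a system process name). The section notes, the system-process name list and the 0.9 similarity threshold are assumptions made for this example; the sample lines are copied from the log in the post.

```python
import difflib
import re

# Constructed for this example: section types the post treats as policy tampering or
# injection points, and real Windows process names that its O4 entries imitate.
SECTION_NOTE = {"O7": "system policy restriction (e.g. DisableRegedit=1)",
                "O20": "AppInit_DLLs / Winlogon Notify injection point",
                "O21": "ShellServiceObjectDelayLoad (SSODL) autostart"}
SYSTEM_NAMES = {"csrss.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe", "svchost.exe"}
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|cpl|dat|sys)\b", re.I)

def parse_line(line):
    """Split one HijackThis line into section type, body and any file paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    return {"type": m.group("type"), "body": body, "paths": PATH_RE.findall(body)}

def lookalike(name):
    """Near-match to a real system process name, e.g. cssrss.exe vs csrss.exe."""
    return any(difflib.SequenceMatcher(None, name, s).ratio() >= 0.9 for s in SYSTEM_NAMES)

def triage(log_text):
    """Return (type, finding, detail) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        t, body = e["type"], e["body"]
        if t == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # a second program rides on the shell
                findings.append((t, "shell override", shell))
        elif t in SECTION_NOTE:
            findings.append((t, SECTION_NOTE[t], e["paths"][0] if e["paths"] else body))
        elif t == "O4":
            for p in e["paths"]:
                name = p.rsplit("\\", 1)[-1].lower()
                if name in SYSTEM_NAMES and not p.lower().startswith("c:\\windows\\system32\\"):
                    findings.append((t, "system process name outside system32", p))
                elif lookalike(name):
                    findings.append((t, "lookalike of a system process name", p))
                elif "\\documents and settings\\" in p.lower():
                    findings.append((t, "autorun from a user profile path", p))
    return findings

# Constructed sample: lines copied from the log quoted in the post above.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O21 - SSODL: nopzet - {60DCAB51-486C-43FB-B9B8-01C482802676} - C:\WINDOWS\nopzet.dll"""
```

    The KernelFaultCheck line carries no drive-letter path and produces no finding, which is the behaviour wanted for that stock Windows entry.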

  13. Hey SarahW

    Nice collection of malware there. Let's clean it up.

    First, please download ComboFix.

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

    • Wait for the scan to be completed.

    • If it requires a reboot, please do it.

    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    After that, follow the next set of instructions in the next post.

  14. I'm guessing that you're my test person. Hi :)

    Hi sarahw

    Thanks for running HijackThis. However, before we can proceed, I will need you to run HijackThis again with the following instructions for an updated and renamed HijackThis.

    Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.

    • Please wait for the scan to be completed.

    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE:: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

    Best Regards :D