Well it Is Not a New Topic- Infected Computer

Hi - it was suggested to me that I join here and get some advice.
I am a Granny with little pc expertise.
I have had for 2 days the Macfee ad- then the WindowsPC defender for the last 24 hours.
I would like to remove it- without credit card usage (as anyway The Defender says the Trojan will take my information- and yet they want me to use it ????)
Can anyone help me? (IN ungeek language)

GrannyRob

Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thank You DragonMaster Jay.
Unfortunately page load error occurs every time I hit 'Here' and try the malwarebytes site. I tried to google Malwarebytes and although the sites were there I could not load.

Your Instructions are very clear by the way!

~GrannyRob

Hi

Sorry for the delay. Many server issues here on the site.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:




Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  
• It is important to rename ComboFix before the download.
  
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
  
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
  

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
  
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" in your next reply.
  

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

c:\documents and settings\All Users\Application Data\0b1d852
c:\documents and settings\All Users\Application Data\0b1d852\4652.mof
c:\documents and settings\All Users\Application Data\0b1d852\BackUp\DESKTOP.INI
c:\documents and settings\All Users\Application Data\0b1d852\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\0b1d852\BackUp\McAfee Security Scan.lnk
c:\documents and settings\All Users\Application Data\0b1d852\BackUp\Microsoft Office.lnk
c:\documents and settings\All Users\Application Data\0b1d852\mozcrt19.dll
c:\documents and settings\All Users\Application Data\0b1d852\sqlite3.dll
c:\documents and settings\All Users\Application Data\0b1d852\working.log
c:\documents and settings\All Users\Application Data\0b1d852\WP0b1d.exe
c:\documents and settings\All Users\Application Data\0b1d852\WPCD.ico
c:\documents and settings\All Users\Application Data\0b1d852\WPCDSys\vd952342.bd
c:\documents and settings\All Users\Application Data\SalesMonitor
c:\documents and settings\All Users\Application Data\Starware388
c:\documents and settings\All Users\Application Data\Starware388\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\Highlight.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\HighlightHot.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\highlighthotxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\highlightxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\Reference.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\ReferenceHot.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\referencehotxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\referencexp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\screensaver.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\starware_toolbar_icon.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware388\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware388\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware388\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware388\contexts\Related.xml
c:\documents and settings\All Users\Application Data\Starware388\contexts\Travel.xml
c:\documents and settings\All Users\Application Data\Starware388\images\walertXP.bmp
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\ProductMessagingConfig.xml
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\SimpleUpdateConfig.xml
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\TimerManagerConfig.xml
c:\documents and settings\All Users\Application Data\Starware388\SimpleUpdate\TimerManagerConfig.xml.backup
c:\documents and settings\All Users\Application Data\WPCDSys
c:\documents and settings\All Users\Application Data\WPCDSys\wpcd.cfg
c:\documents and settings\Rosanne\Application Data\DriveCleaner Freeware
c:\documents and settings\Rosanne\Application Data\DriveCleaner Freeware\Logs\update.log
c:\documents and settings\Rosanne\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk
c:\documents and settings\Rosanne\Application Data\Starware388
c:\documents and settings\Rosanne\Application Data\Starware388\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Rosanne\Application Data\Starware388\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Configurator\Configurator.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Configurator\Configurator.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Games\GamesOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Games\GamesOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Games\images\active\Games0.bmp
c:\documents and settings\Rosanne\Application Data\Starware388\Layouts\ToolbarLayout.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Manager\ManagerOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Manager\ManagerOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Movies\images\active\Movies0.bmp
c:\documents and settings\Rosanne\Application Data\Starware388\Movies\MoviesOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Movies\MoviesOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Reference\ReferenceOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Reference\ReferenceOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Screensavers\ScreensaversOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Screensavers\ScreensaversOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
c:\documents and settings\Rosanne\Application Data\Starware388\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Toolbar\TBProductsOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Starware388\Weather\AlertArchive.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Weather\WeatherOptions.xml
c:\documents and settings\Rosanne\Application Data\Starware388\Weather\WeatherOptions.xml.backup
c:\documents and settings\Rosanne\Application Data\Windows PC Defender
c:\documents and settings\Rosanne\Application Data\Windows PC Defender\cookies.sqlite
c:\documents and settings\Rosanne\Application Data\Windows PC Defender\Instructions.ini
c:\documents and settings\Rosanne\Desktop\Windows PC Defender.lnk
c:\documents and settings\Rosanne\err.log
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\program files\Starware388
c:\program files\Starware388\brand.bmp
c:\program files\Starware388\icons\star_16.ico
c:\program files\Starware388\Starware388Config.xml
c:\program files\Starware388\Starware388Uninstall.exe
c:\windows\hosts
c:\windows\system32\Ijl11.dll
c:\windows\system32\ntSVc.ocx

.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-01 21:17 . 2009-10-02 00:42 -------- d-----w- C:\ADWARE_LOG
2009-09-16 19:36 . 2009-09-16 19:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-13 20:31 . 2009-09-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-11 20:20 . 2009-09-11 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 12:21 . 2005-08-07 00:19 -------- d-----w- c:\program files\mIRC
2009-10-03 12:20 . 2007-08-21 22:05 -------- d-----w- c:\program files\EPSON
2009-10-03 12:20 . 2004-10-17 11:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-03 12:16 . 2004-10-17 10:57 -------- d-----w- c:\program files\Java
2009-10-03 11:59 . 2005-09-15 02:20 -------- d-----w- c:\program files\Skype
2009-10-03 11:58 . 2007-08-26 01:13 -------- d-----w- c:\program files\IrfanView
2009-10-02 19:52 . 2007-02-24 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-02 03:00 . 2005-09-18 11:10 -------- d-----w- c:\program files\Google
2009-10-02 02:46 . 2005-09-15 02:20 -------- d-----w- c:\documents and settings\Rosanne\Application Data\Skype
2009-09-29 09:34 . 2009-09-02 03:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-29 09:34 . 2005-09-17 12:55 31 ----a-w- c:\windows\popcinfo.dat
2009-09-02 03:33 . 2009-09-02 03:33 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-09-02 03:33 . 2009-09-02 03:33 -------- d-----w- c:\program files\Oberon Media
2005-09-18 11:11 . 2005-09-18 11:11 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-05-16 23:28 . 2007-05-16 23:28 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/24/2008 7:56 AM 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/24/2008 7:56 AM 20560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-17 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Rosanne\Application Data\Mozilla\Firefox\Profiles\x4dbkrvg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Rosanne\Application Data\Mozilla\Firefox\Profiles\x4dbkrvg.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 02:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
Completion time: 2009-10-03 2:05
ComboFix-quarantined-files.txt 2009-10-03 13:05

Pre-Run: 22,938,537,984 bytes free
Post-Run: 23,187,431,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

190 --- E O F --- 2008-02-08 11:13

It took a while- well longer than the 10 minutes advised. I am very grateful- thank you!
~Granny Rob

Hi

Please download: HijackThis to your Desktop.

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  It will also create a shortcut on your Desktop.
  
• Accept the license agreement.
  
• Click Do a System Scan and Save a Logfile.
  
• Please post the log in your next reply.