
Author Topic: Lost my Post here? Facebook gave me virus.  (Read 9294 times)


ImnoGuru

    Lost my Post here? Facebook gave me virus.
    « on: August 17, 2010, 04:42:03 AM »
    Hello and thank you for taking the time to look at my thread.

    My daughter loves to get on Facebook and did this today from my computer.

    She very quickly came out to me to tell me that "A virus program said I had infections and to click here to remove them"!!!!! (Thinking she was doing a good service for me.)

    Now I have quite a severe infection that keeps coming back.

    I have run my Microsoft essentials program and that didn't cure it so now I am in the middle of running SAS.

    Hmmm some new information... It is called GT7 ..... with the web address of ("www2.pcdefense75.co.cc") and with a box saying "Warning your computer is at risk of malware attacks. We recommend you to check your system immediately. Press OK to start process now."

    Seems to want to run about every 10 to 15 minutes.

    I have some photos of what comes up on the screen when the interference occurs if you are interested. (Photos are somewhat blurred because of the speed that they came up, sorry.)
    Oops, if you leave it for a bit it goes to a page on Internet Explorer that says "Internet Explorer cannot display the page." and a "Diagnose Connection Problems" icon.
    Well that's no good. The file is too large and timed out. (That doesn't sound right)???
    Ok no photos yet then.

    Can someone guide me as to whether I am following the right process for removing this please?

    Thank you
    ImnoGuru.
    It takes 15 years to become an overnight success & Windows 10 will add another 10 years to it.

    Allan


    ImnoGuru

      Re: Lost my Post here? Facebook gave me virus.
      « Reply #2 on: August 17, 2010, 06:04:17 AM »
      Thanks Allan for your reply. I have read it and am currently following the process.

      My post has actually a double meaning;

      1 is that I didn't know if I should post a log for the SAS HJT and Malware Bytes Logs when they come up.

      &

      2 was to let others know about this, if it were a new virus and what it looks like. (There isn't a lot about it when I googled it.)

      Thank you
      ImnoGuru.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      Re: Lost my Post here? Facebook gave me virus.
      « Reply #3 on: August 19, 2010, 06:45:31 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      Don't worry about the second part. Please just run the scans and post the logs.
      Windows 8 and Windows 10 dual boot with two SSD's

      ImnoGuru

        Re: Lost my Post here? Facebook gave me virus.
        « Reply #4 on: August 27, 2010, 09:23:25 AM »
        Hi SuperDave, sorry about not being able to get back to you till now.
        I don't get all that much time to get on the computer right now.
        I'm on my laptop right now. So I don't have the logs available from here.

        I ran Malwarebytes, Superantispyware and HJT. I have since installed the PC Tools Firewall Plus.

        The GT7 virus that I was infected with, went away after running all three of these processes and all seems to be going well.

        I realize that just because there are no symptoms that it doesn't mean I don't have an infection and I also know that you are all very busy helping other people.

        Do you want me to post the logs to confirm my potentially clean status of my home computer?

        Thank you ImnoGuru.

        SuperDave

        Re: Lost my Post here? Facebook gave me virus.
        « Reply #5 on: August 27, 2010, 11:28:21 AM »
        Yes, please post the logs and we may have to run a couple more scans.

        ImnoGuru

          Re: Lost my Post here? Facebook gave me virus.
          « Reply #6 on: September 17, 2010, 04:58:08 PM »
          SuperDave, thank you for your patience. I have had a very busy time and haven't been able to even get near using my computer at home.

          I am back now for a short while and can rerun all the scans and logs if that is ok with you?

          Thank you ImnoGuru.

          SuperDave

          Re: Lost my Post here? Facebook gave me virus.
          « Reply #7 on: September 18, 2010, 01:38:35 PM »
          Whenever you're ready.

          ImnoGuru

            Re: Lost my Post here? Facebook gave me virus.
            « Reply #8 on: September 22, 2010, 09:55:38 PM »
            Thank you SuperDave for your patience.

            I expected a few visitors now that I'm back. So I finally had some time to get into these logs.  :D
            Here are my results for Mbam HJT and SAS.

            Thank you. ImnoGuru.

            [recovering disk space - old attachment deleted by admin]

            SuperDave

            Re: Lost my Post here? Facebook gave me virus.
            « Reply #9 on: September 23, 2010, 01:11:22 PM »
              Please run MBAM and this time make sure every infection has a check mark and click "Remove Selected".

              Open HijackThis and select "Do a system scan only".

              Place a check mark next to the following entries (if there):

              O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

              Important: Close all open windows except for HijackThis and then click "Fix checked".

              Once completed, exit HijackThis.
              **************************************
              Download Security Check by screen317 from one of the following links and save it to your desktop.

              Link 1
              Link 2

              * Unzip SecurityCheck.zip and a folder named Security Check should appear.
              * Open the Security Check folder and double-click Security Check.bat
              * Follow the on-screen instructions inside of the black box.
              * A Notepad document should open automatically called checkup.txt
              * Post the contents of that document in your next reply.

              Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
              **********************************
              Please download ComboFix from BleepingComputer.com

              Alternate link: GeeksToGo.com

              * Rename ComboFix.exe to commy.exe before you save it to your Desktop.
              * Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
              * Click Start>Run then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
              * As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
              * Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

              Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

              Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


              Click on Yes, to continue scanning for malware.
              When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

              If you have problems with ComboFix usage, see How to use ComboFix

              Windows 8 and Windows 10 dual boot with two SSD's
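
Added example (not part of the thread, and not code from HijackThis or the forum): a small Python parser for the O2/O3 lines of a HijackThis log that lists entries marked "(no file)", like the BHO line in Reply #9. The sample log is constructed; only its second O2 line is quoted from that post.

```python
import re
from typing import List, NamedTuple, Optional

# O2 (Browser Helper Object) and O3 (IE toolbar) lines share one layout:
#   O2 - BHO: <name> - {CLSID} - <DLL path, or "(no file)" if it is missing>
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.+)$"
)


class Entry(NamedTuple):
    section: str
    name: Optional[str]   # None when the log shows "(no name)"
    clsid: str            # upper-cased so mixed-case GUIDs compare equal
    path: Optional[str]   # None when the log shows "(no file)"


def parse_entries(log: str) -> List[Entry]:
    """Return every O2/O3 entry in a HijackThis log; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, target = m["name"].strip(), m["target"].strip()
        entries.append(Entry(
            m["section"],
            None if name == "(no name)" else name,
            m["clsid"].upper(),
            None if target == "(no file)" else target,
        ))
    return entries


def orphaned(log: str) -> List[Entry]:
    """Entries still registered with IE whose DLL HijackThis could not find."""
    return [e for e in parse_entries(log) if e.path is None]


# Constructed sample log. Only the second O2 line is quoted from the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - (no file)
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
"""

if __name__ == "__main__":
    for e in orphaned(SAMPLE_LOG):
        print(f"{e.section} {e.clsid}: no file on disk, candidate for 'Fix checked'")
```
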

              ImnoGuru

                Re: Lost my Post here? Facebook gave me virus.
                « Reply #10 on: October 04, 2010, 09:00:22 PM »
                Thanks SuperDave for your help with this process.

                I have done the scans you requested and (hopefully) they have been done correctly.
                Here is the log for HJT Dell ..10052010 after deleting  02 - BHO  file.

                Hmmm just reading through your instructions it seems I might not have done this correctly.  :-\
                ( See what happens when you have no focus on things. I just woke up and decided it was my best chance to get this done)
                I missed out on the copy into instruction, .. (copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel)

                If it is not right Superdave I apologize.  :-[ 
                The process as it was happening did say it was attempting to set up a new restore point, so maybe I already have the recovery console initialized.

                Thank you ImnoGuru.


                [recovering disk space - old attachment deleted by admin]

                SuperDave

                Re: Lost my Post here? Facebook gave me virus.
                « Reply #11 on: October 05, 2010, 04:22:53 PM »
                P2P - I see you have P2P software installed on your machine (uTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                ********************************************
                Please download 7-Zip and install it. If you already have it, no need to reinstall.

                Then, download RootkitUnhooker and save the setup to your Desktop.

                • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
                • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
                • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
                • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
                • Once inside the interface, do not fix anything. Click on the Report tab.
                • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
                • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
                • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

                ImnoGuru

                  Re: Lost my Post here? Facebook gave me virus.
                  « Reply #12 on: October 15, 2010, 04:35:54 AM »
                  SuperDave, I think I followed the procedure correctly and got this report from Rootkit Unhooker.  ???

                  There are 14 pages when I copied it into MS Office as a Word document. Do you want me to post all 14 pages?
                  Actually I tried to upload it but I was told it wasn't the right format as a DocX.. SuperDave how can I change this format to something that is compatible to upload?
                  (Last time I changed a log someone said I did it the wrong way! It worked, but I did it wrong. Anyway....  )

                  Thank You ImnoGuru

                  SuperDave

                  Re: Lost my Post here? Facebook gave me virus.
                  « Reply #13 on: October 15, 2010, 11:30:41 AM »
                  Take your report and put it in NotePad. Then, you can copy and paste it or attach it.

                  ImnoGuru

                    Re: Lost my Post here? Facebook gave me virus.
                    « Reply #14 on: October 26, 2010, 11:43:02 PM »
                    Hi SuperDave, I've been tied up with work lately and haven't had time to even get on my computer for a while.
                    I tried to save the report into Word for later and when I try to open it to copy it for you, Word tells me that it needs to be encoded into something else.
                    Maybe I should just run it all again and try it all again then.