Author Topic: Dealing with Malware (Having Followed the Guide)  (Read 19583 times)

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Dealing with Malware (Having Followed the Guide)
« Reply #30 on: May 12, 2013, 07:13:58 PM »
Quote
Obviously the malicious IPs are still trying to gain access. What do you suggest I do? And is MBAM blocking the IPs the reason for my Comodo Firewall not notifying me?
Yes, MBAM is blocking them first; otherwise, your Firewall would block them.
Could you please try to run ComboFix again? If it won't work, try doing it in Safe Mode.
Windows 8 and Windows 10 dual boot with two SSD's

LiquidTension

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows 7
    Re: Dealing with Malware (Having Followed the Guide)
    « Reply #31 on: May 13, 2013, 07:07:13 AM »
    This is what I got when ComboFix was extracting files. When I clicked on retry the same message came up, and when I clicked on ignore I got another similar message about something else.


    SuperDave

    Re: Dealing with Malware (Having Followed the Guide)
    « Reply #32 on: May 13, 2013, 03:57:32 PM »
    Ok, let's see if we can get rid of those tracking cookies.

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.
      • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining
      Please leave the others unchecked
      • Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes
    * To retrieve the removal information please do the following:
      • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (preferably Notepad).
      • Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    **************************************
    Also please try running the below online scan:

    SuperAntiSpyware on-line scan

    If you can post the log it created then please do so.

    LiquidTension

      Re: Dealing with Malware (Having Followed the Guide)
      « Reply #33 on: May 13, 2013, 04:34:52 PM »
      SUPERAntiSpyware was different to how you described it in your instructions.

      16 tracking cookies were detected. Once the scan was finished, it gave me the option to view the scan log (below) and remove detected threats. Having ensured everything was checked, I removed the threats from my computer. It didn't prompt me to reboot my computer; after the threats were removed, it just went back to the "home" screen.

      Once on the home screen, I checked the "Manage Quarantine" section, where the following were listed. I assume I should just check all 4 and delete?



      Here's the log:
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 05/14/2013 at 00:03 AM

      Application Version : 5.6.1018

      Core Rules Database Version : 10394
      Trace Rules Database Version: 8206

      Scan type       : Quick Scan
      Total Scan Time : 00:07:59

      Operating System Information
      Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
      UAC On - Limited User

      Memory items scanned      : 749
      Memory threats detected   : 0
      Registry items scanned    : 63428
      Registry threats detected : 0
      File items scanned        : 21475
      File threats detected     : 16

      Adware.Tracking Cookie
         accounts.youtube.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         accounts.google.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         accounts.google.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         .imrworldwide.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         .imrworldwide.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         .trackalyzer.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         .s.clickability.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         .s.clickability.com [ C:\USERS\SHIRLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I7FFKC4L.DEFAULT\COOKIES.SQLITE ]
         C:\Users\Shirley\AppData\Roaming\Microsoft\Windows\Cookies\1ST8EC77.txt [ /c.atdmt.com ]
         C:\Users\Shirley\AppData\Roaming\Microsoft\Windows\Cookies\GGV9FZ8O.txt [ /serving-sys.com ]
         C:\USERS\SHIRLEY\Cookies\1ST8EC77.txt [ Cookie:[email protected]/ ]
         C:\USERS\SHIRLEY\Cookies\GGV9FZ8O.txt [ Cookie:[email protected]/ ]
         .invitemedia.com [ C:\USERS\SHIRLEY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .invitemedia.com [ C:\USERS\SHIRLEY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         accounts.google.com [ C:\USERS\SHIRLEY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         accounts.google.com [ C:\USERS\SHIRLEY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
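
Every detection in the log above is a cookie entry inside a browser cookie store. As an added example (not part of the original posts and not SUPERAntiSpyware tooling), this Python script parses a log in that layout, checks the parsed entries against the reported totals, and groups detections by browser store. The sample log, its user name, domains and file names are constructed, and the function names and the category-header rule are assumptions.

```python
import re
from collections import Counter
# Constructed sample in the layout of the log above; user, domains and file names are made up.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Memory threats detected   : 0
File threats detected     : 5

Adware.Tracking Cookie
   .tracker.example [ C:\USERS\ALICE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ABCD1234.DEFAULT\COOKIES.SQLITE ]
   .tracker.example [ C:\USERS\ALICE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
   ads.example [ C:\USERS\ALICE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
   C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Cookies\AAAA1111.txt [ /ads.example ]
   C:\USERS\ALICE\Cookies\AAAA1111.txt [ Cookie:alice@ads.example/ ]
"""

ENTRY = re.compile(r"^\s+(?P<left>.+?) \[ (?P<right>.+?) \]\s*$")
COUNT = re.compile(r"^(?P<kind>Memory|Registry|File) threats detected\s*:\s*(?P<n>\d+)")
# Path fragments (upper-cased) that identify each browser's cookie store.
STORES = (("\\MOZILLA\\FIREFOX\\", "Firefox"), ("\\GOOGLE\\CHROME\\", "Chrome"),
          ("\\COOKIES\\", "Internet Explorer"))

def store_of(path):
    """Name the browser cookie store a detection path belongs to."""
    return next((name for marker, name in STORES if marker in path.upper()), "other")

def parse_log(text):
    """Return (summary counts, [(category, domain, store), ...])."""
    counts, detections, category = {}, [], None
    for line in text.splitlines():
        m = COUNT.match(line)
        if m:
            counts[m["kind"]] = int(m["n"])
            continue
        m = ENTRY.match(line)
        if m and category:
            left, right = m["left"], m["right"]
            # Browser databases log "domain [ path ]"; IE cookie files log "path [ domain ]".
            path, raw = (left, right) if re.match(r"[A-Za-z]:\\", left) else (right, left)
            domain = re.sub(r"^Cookie:(?:[^@]*@)?", "", raw).strip("/.").lower()
            detections.append((category, domain, store_of(path)))
        elif line.strip() and not line[0].isspace() and ":" not in line:
            category = line.strip()  # assumed: last unindented, colon-free line is the category
    return counts, detections

def triage(text):
    """Summarise whether a scan found anything other than browser cookies."""
    counts, detections = parse_log(text)
    return {
        "reported": sum(counts.values()),
        "parsed": len(detections),
        "cookie_only": all(cat == "Adware.Tracking Cookie" for cat, _, _ in detections),
        "by_store": Counter(store for _, _, store in detections),
        "domains": sorted({d for _, d, _ in detections}),
    }
```

A result where `cookie_only` is true and `parsed` equals `reported` means the scan touched only browser cookie stores, which ordinary browsing repopulates between scans.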

      LiquidTension

        Re: Dealing with Malware (Having Followed the Guide)
        « Reply #34 on: May 13, 2013, 04:39:45 PM »
        I tried running the online scan but it didn't work. I downloaded the scanner, clicked 'yes' to the security warning - but nothing happened afterwards. No alert from my antivirus, so I don't think that was blocking it. Do you know of any reason why this is the case?

        SuperDave

        Re: Dealing with Malware (Having Followed the Guide)
        « Reply #35 on: May 13, 2013, 06:49:48 PM »
        Quote
        SUPERAntiSpyware was different to how you described it in your instructions.
        That's possible. It's been some time since I've used it.
        Quote
        Once on the home screen, I checked the "Manage Quarantine" section, where the following were listed. I assume I should just check all 4 and delete?
        Yes, please do that.
        Quote
        Do you know of any reason why this is the case?
        This is the first time I've tried this scanner. I'll have to test it to see what's happening.

        Have you noticed any activity from MBAM?

        LiquidTension

          Re: Dealing with Malware (Having Followed the Guide)
          « Reply #36 on: May 13, 2013, 07:05:12 PM »
          Okay, I deleted the 4 files. I've also run a second scan (this is ~2 hours after the first) and a few more adware tracking cookies were found. I've deleted these as well. Does this mean these files were added to my computer in the 2 hours between doing the two scans? 2 of the newly found files were labelled "imrworldwide.com" - is this particularly malicious? I also haven't visited this site, so I'm guessing it's very common on a lot of other websites?

          Quote
          Have you noticed any activity from MBAM?
          No activity - MBAM scans continue to come back with no threats found, and I haven't received any notifications of malicious IPs trying to gain access. I think this is due to the uninstalling (and then reinstalling) of Google Chrome. Once I did this, I haven't received any further notifications from MBAM. I will continue to monitor this and update you in the next couple of days.

          In the meantime, are there any further checks I should be carrying out?

          I run daily anti-virus and MBAM scans. Out of all the various different scans I've done since first starting this thread, which (if any) do you recommend I do at least once a day?

          LiquidTension

            Re: Dealing with Malware (Having Followed the Guide)
            « Reply #37 on: May 13, 2013, 11:13:34 PM »
            I've just run another scan and 13 new threats have popped up - all similar tracking cookies to the ones I've already deleted.

            Why do they keep coming back, and how can I stop this happening?

            SuperDave

            Re: Dealing with Malware (Having Followed the Guide)
            « Reply #38 on: May 14, 2013, 03:29:19 PM »
            Quote
            Does this mean these files were added to my computer in the 2 hours between doing the two scans? 2 of the newly found files were labelled "imrworldwide.com" - is this particularly malicious? I
            It's possible to acquire those cookies.
            imrworldwide.com

            Quote
            In the meantime, are there any further checks I should be carrying out?
            Not at the moment.
            Quote
            I run daily anti-virus and MBAM scans. Out of all the various different scans I've done since first starting this thread, which (if any) do you recommend I do at least once a day?
            It shouldn't be necessary to do that every day.
            Quote
            Why do they keep coming back, and how can I stop this happening?
            What browser are you using?

            LiquidTension

              Re: Dealing with Malware (Having Followed the Guide)
              « Reply #39 on: May 14, 2013, 03:38:56 PM »
              Quote
              What browser are you using?
              I use Google Chrome and Firefox. I'd use Firefox for everything, but I prefer Chrome's layout + some sites run slowly on Firefox, but fine on Chrome.

              Is the issue using Google Chrome?

              SuperDave

              Re: Dealing with Malware (Having Followed the Guide)
              « Reply #40 on: May 14, 2013, 04:18:52 PM »
              Quote
              I use Google Chrome and Firefox. I'd use Firefox for everything, but I prefer Chrome's layout + some sites run slowly on Firefox, but fine on Chrome.

              Is the issue using Google Chrome?
              Yes, it could be a security issue with Chrome. Check the options to raise the security level.

              LiquidTension

                Re: Dealing with Malware (Having Followed the Guide)
                « Reply #41 on: May 14, 2013, 04:38:40 PM »
                Quote
                Yes, it could be a security issue with Chrome. Check the options to raise the security level.
                I've set it to block any websites from setting data/cookies. Do you think this should stop the tracking cookies from being added?

                Where do you suggest I go from here? You mentioned clean up a couple of days ago?

                SuperDave

                Re: Dealing with Malware (Having Followed the Guide)
                « Reply #42 on: May 14, 2013, 05:24:52 PM »
                Quote
                I've set it to block any websites from setting data/cookies. Do you think this should stop the tracking cookies from being added?
                That should do it. Let's do some cleanup in the meantime.

                Click Start> Computer> right click the C Drive and choose Properties> enter
                Click Disk Cleanup from there.



                Click OK on the Disk Cleanup Screen.
                Click Yes on the Confirmation screen.



                This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
                *********************************************
                Go to Microsoft Windows Update and get all critical updates.

                ----------

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

                LiquidTension

                  Re: Dealing with Malware (Having Followed the Guide)
                  « Reply #43 on: May 15, 2013, 06:04:29 AM »
                  Okay, thanks very much Dave. I've done the clean up as instructed above. I really appreciate all the help you've given me.

                  SuperDave

                  Re: Dealing with Malware (Having Followed the Guide)
                  « Reply #44 on: May 15, 2013, 12:17:49 PM »
                  Quote
                  Okay, thanks very much Dave. I've done the clean up as instructed above. I really appreciate all the help you've given me.
                  You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.