Help with deleting infections

[argorok]

            As requested by carbon I am making a new thread.

            Basically the situation is when I scanned spybot s and d it would scan all the programs and let the horrid ones slide, it wouldn't detect anyone yet I watched the names and was shocked.

             My computer isn't acting up yet I see such programs with casino in the name, weird viruses that I googled, and even items with the word keylogger in its name -.-. Here are the 3 logs, I'm adding a 4th log because I had to end SAS early sadly. If it also helps I have a dell desktop computer, I can give model if needed.

[attachment deleted by admin]

[Briguy]

Did you set your scanners with these settings before you scanned? You'll want to do them like that and do a complete full scan of your drive(s).

<snip>

Do not ask users to run Combofix unless you are trained to use it. EF

Make sure that you aren't running non essential programs while it's running.

[attachment deleted by admin]

[evilfantasy]

This does not appear to be a malware issue. Are you still having problems after running the scans from the guide?

[evilfantasy]

I don't have a problem... yet.

See the other post.

[argorok]

it seems fine and up to date, as long as my computer is clean I'm happy. Btw fantasy there was never a problem, it was just that I personally saw those infections. I'm going to run spybot s and d (need to re-download it, deleted it because of tea timer) and see if any of the names come back up

edit: does it look like there is any infections?

[evilfantasy]

Be sure to get the new version. http://filehippo.com/download_spybot_search_destroy/

When removing malware you need to turn Tea Timer OFF. It will prevent some tools including itself from removing malware. I personally won't use Tea Timer.

[argorok]

wouldn't it be best to download from the home site? And ok on the tea timer, I'll see if I can turn it off. Btw do the logs looks look clean?

[evilfantasy]

I didn't see anything in the logs to worry about. That's not to say your computer is malware free. If it's acting up we can look closer.

Yes you can get Spybot from the site. It can be confusing to find for some people so I link to FileHippo which is a safe download site.

During the install you can choose to NOT activate Tea Timer. It can be heavy on resources and a pain at times so many choose to not use it. Do use the Resident Protection and always Immunize after updating Spybot.

[argorok]

ok, I'll just download from hippo, last question, I'm a "newb" when it comes to computers, what does immunizing do, how do I use it, and when should I? Thank you for all the help so far btw.

[evilfantasy]

Always do the Immunize after checking for updates in Spybot. I check for updates and Immunize about every two weeks or so. Immunize is adding known bad sites to your Hosts file so if you happen onto a bad web site your browser won't be attacked by malware.

Look here to see how to Immunize. The guide is a little dated but you should be able to still figure it out. http://www.it.northwestern.edu/security/spyware/win-spybot-immunize.html

Let me know if Spybot is still finding anything and try to let me know exactly what it finds. It might just be cookies which really aren't a threat.

[argorok]

Ok, thanks, about downloading spybot, it's asking to use internet explorer protection(sdhelper). Should I use it or leave it off like the tea timer below it?

[evilfantasy]

Yes use the sdhelper but not Tea Timer.

[argorok]

Don't think I'm clean, In the first 2 mins I seen alot of weird products and some include Zango, coolWWWsearch,fakealert.mhg, a bunch of things with spy in there name and alot of files involving smitfraud-c. Do't know what to do seeing as spybot did nothing or even detected them 

[evilfantasy]

Are you sure they aren't just Cookies?

Get me a log from Spybot once it's finished.

Go into Spybot > Mode > Advanced mode > Tools > View Reports > View report > Export.

Save it to your desktop as a txt file.

It will be too big for the forums so upload it to FileDropper.

Upload the file to File Dropper

Click Upload
Locate the file and double click it.
Copy the download link and post it back here.

[argorok]

ok, I ended the search so let me restart it and get you a log, I'll see how big the first log is first.

[argorok]

Sorry for double post, if you can delete the previous post, do it. Here is about 30% of a complete scan and involves all the above said names

[attachment deleted by admin]

[evilfantasy]

Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
  
• Please post the contents of both logs in the next reply.

[argorok]

Here ya go.

[attachment deleted by admin]

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[argorok]

I turned off mcafee, what about spybot, I can't find an option to turn it off?

edit: tea timer was never installed btw

[evilfantasy]

You don't need to do anything with Spybot.

[argorok]

Here is the log, btw is it normal that a blue command window came up and did the actions? just seemed weird.

[attachment deleted by admin]

[evilfantasy]

btw is it normal that a blue command window came up and did the actions? just seemed weird.

Yes that's how it runs.

You should change all of your passwords to include those used for banking, email, eBay, forums and so on. once we get the computer clean. You were infected by Trojan-Spy.Gamania!sd5

Trojan-Spy.Gamania!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

• Double-click Lop S&D.exe
  
• Choose the language by typing of the corresponding letter and press Enter
• Click OK at the informative window
  
• Type 1, to choose Option 1 (Search) then press Enter
  
• Wait until the end of the scan
• A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

[argorok]

Did it, here ya go. Btw the last scan, combo fix, the mcafee firewall was on by accident. It was off for this scan though. If that matters I can re scan with combofix

[attachment deleted by admin]

[evilfantasy]

No as long as ComboFix ran it's OK. Some AV's and firewalls will try to block it from running.

I don't know what Spybot is hitting on. I don't see anything in the logs other than what ComboFix removed. I didn't see anything in the Spybot log.

Let's clean up some and then see if Spybot is still finding anything. If it does try to get a screenshot for me to see what is being found,


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

Next: Set a New Restore Point to prevent possible reinfection from an old one.

Please go to: Start -> All Programs -> Accessories -> System Tools -> System Restore -> System Restore Settings
Click to add a check mark beside Turn off System Restore and click Apply
When you are warned that all existing Restore Points will be deleted, click Yes to continue and wait a few moments to let System Restore clear.
Uncheck "Turn off System Restore"
Click "Apply," and then click "OK".
.
----------

Now try Spybot again.

[argorok]

Ok, I'll do that but spybot never found any of those things. When it is scanning the files and giving the numbers I see the names and they just pass on by. Nothing is being detected, I just watch the file names. Does that make sense?

edit: did it, I can attempt spybot and see if anything is found but as said above, the names just keep on rolling without spybot doing anything about them

[evilfantasy]

Yes and I know what you are talking about now.

When Spybot scans it shows what it is looking for in the lower part of the window. Spybot works through a database of known spyware. If it finds something it will mark it for deletion. All your seeing is what it's looking for, not what it's finding.

That's why updates for all software is so important.

[argorok]

Oh! So your saying when I see smitfraud or a casino name then it just looked for that, and seeing as nothing is popping up then that means it isn't there? Btw what about the trojan, did the log show it being removed?

[evilfantasy]

ComboFix removed the trojan. It was this. c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

Here is a screenshot of the lower part of the Spybot window when it's scanning and is OK to see it. If it finds something it will give you the option to remove it when the scan stops.

It looks like the attachment right?

[attachment deleted by admin]

[argorok]

Correct, I'll scan now

[evilfantasy]

It might find some cookies but I'm pretty sure it won't find anything dangerous. I only use Spybot for the Immunize feature, nothing more. MalwareBytes and SUPERAntiSpyware are the best for scanning/removing malware.

[argorok]

It found a double click and right media which are both "1 entries in browsing". Looks clean! Thank you so much, but before this fix section is finished, can you explain immunize a little more. I read the report and don't completely understand it. Basically what does it actually do, and when should I implement it?

[evilfantasy]

It works silently. Once you click the Immunize button it ads known malicious web sites to your Hosts file which protects your browser from malware. It works with Internet Explorer and Firefox.

See here Interesting Facts About Spybot's Immunize Feature. Thi sarticle is a little old but is still relevant. It now works with Firefox also.

Here are a few more suggestions.

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[argorok]

Ok I'll have to check it out, thanks for everything  . Btw for the immunize feature should I keep it on at all times or what? And if I on;y go to safe websites anymore and don't torrent or download games, would I need any of this?

[evilfantasy]

You never know when you might stumble on to a bad web site.

You don't turn on or off the Immunize feature. It just customizes your Hosts file. It doesn't run. Be sure to Immunize whenever you update Spybot.

[argorok]

Ok, thank you for everything. I hope other people are as lucky as me to have you fixing there computer. Once again, thanks.

[evilfantasy]

Your welcome.

Safe surfing...