
Topic: Bugs eating background, background changed to blue with spyware warning ...


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11

The log for Combofix came!!

I need to see it...

ComputerTired

    Topic Starter


    Beginner

    Here it is:

    [recovering space - attachment deleted by admin]

    evilfantasy

    A few more appeared but we are getting there.

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Quote
    KillAll::

    File::
    C:\WINDOWS\System32\cnxocan.exe

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "\\DqoB.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29]

    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
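Before running a removal script like the one in the post above, it helps to list exactly what it asks for. The following is an added example, not part of the original thread and not ComboFix code: `summarize` is a hypothetical helper, and it assumes the `Registry::` section follows .reg-file conventions (`"name"=-` removes a value, `[-key]` removes a whole key) and that `File::` lists files to delete, as the post states.

```python
import re

# The CFScript text from the post above, embedded so the example runs offline.
CFSCRIPT = r'''KillAll::

File::
C:\WINDOWS\System32\cnxocan.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\DqoB.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29]
'''

SECTION = re.compile(r'^([A-Za-z]+)::$')               # e.g. "File::"
VALUE_DELETE = re.compile(r'^"((?:[^"\\]|\\.)*)"=-$')  # e.g. "name"=-


def summarize(script):
    """Return (action, target) pairs for every non-blank line of the script."""
    actions, section, key = [], None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, key = m.group(1), None
            if section not in ("File", "Registry"):  # bare directive such as KillAll
                actions.append(("directive", section))
            continue
        v = VALUE_DELETE.match(line)
        if section == "File":
            actions.append(("delete-file", line))
        elif section == "Registry" and line.startswith("[-") and line.endswith("]"):
            actions.append(("delete-key", line[2:-1]))
            key = None  # a removed key cannot own later value lines
        elif section == "Registry" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # later value lines apply to this key
        elif section == "Registry" and v and key:  # undo .reg backslash escaping
            actions.append(("delete-value", key + " -> " + v.group(1).replace("\\\\", "\\")))
        else:
            actions.append(("unrecognized", line))  # flag for manual review
    return actions


if __name__ == "__main__":
    print(*summarize(CFSCRIPT), sep="\n")
```

Any line reported as `unrecognized` is one to question before the script is run.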

    ComputerTired


       ;D

      Here's the new combofix log:



      [recovering space - attachment deleted by admin]

      evilfantasy

      This next scan will take a while but it is needed to make sure everything is OK.

      You may need to wait until you know for sure you'll be at the PC for at least an hour, maybe longer so you can be sure to get the log it produces.

      Use the Kaspersky Online Scanner
      • Click Accept.
      • Answer Yes, when prompted to install an ActiveX component.
      • The program will then begin downloading the latest definition files.
      • Once the files have been downloaded click on NEXT
      • Locate the Scan Settings button & configure to:
        • Scan using the following Anti-Virus database:
          • Extended
        • Scan Options:
          • Scan Archives
          • Scan Mail Bases
          • Click OK & have it scan My Computer
      When the scan is done, in the Scan is complete window (below), any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.

      To obtain the report:
      • Click on: Save Report As...
      • Next, in the Save as prompt, Save in area, select: Desktop.
      • In the File name area, use KScan, or something similar.
      • In Save as type: click the drop arrow and select: Text file [*.txt]
      • Then, click: Save

      Please copy and paste the Kaspersky Online Scanner Report in your next post.

          ComputerTired


            Hmm, alright. Thanks for all the immediate responses and your help !!

            Is it okay to run the scan through the night and get the logs in the morning when I wake up or should I just do everything all at once?

            Sorry if this may seem like a silly question.

            =\

            evilfantasy

            You can do that and it should be OK. If something happens you can always run it again tomorrow when you have more time to babysit the PC. I mention it because I have had a few people run it overnight and then had to re-run it to get the log.

            It's worth a try to run it overnight, I would say.

            Things are better now?

            ComputerTired


              Okay, I'll do the scan over night and see what happens in the morning.

              And yes ... things have been going VERY smoothly so far. No bugs devouring my screen or that blue/yellow warning anymore.

              You're a GENIUS!!

               :D

              evilfantasy

              Cool, we should be able to finish up fairly quick tomorrow.

              See ya then......

              ComputerTired


                Okie dokie. Here's the Kaspersky log:

                [recovering space - attachment deleted by admin]

                evilfantasy

                OK, let's attack this one at a time. I want to do some clean up first to get rid of any false positives.

                1. Empty the aSquared quarantined files.

                2.
                • Click START then RUN
                • Now type Combofix /u in the runbox
                • Make sure there's a space between Combofix and /u
                • Then hit Enter.
                .

                3.
                • Go to Start > Programs > Accessories > System Tools and click System Restore
                • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                • Next go to Start > Run and type Cleanmgr
                • Click OK
                • Click the More Options Tab.
                • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                .
                4. This mp3 is infected and needs to be deleted. If you play it then the infection will spread again.

                Day 26 - Co Star.mp3

                Its location is C:\Documents and Settings\Brittany Horton\Shared\Day 26 - Co Star.mp3

                5. These files have been patched in order to load one malware. They are not dangerous anymore but are still patched. It is your choice if you would like to uninstall and re-install the corresponding programs.
                Quote
                C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
                C:\Program Files\HP\HP Software Update\hpwuschd.exe
                C:\Program Files\Dell\Media Experience\pcmservice.exe
                C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

                6. Download OTMoveIt2 by OldTimer
                • Save it to your desktop.
                • Double-click OTMoveIt2.exe to run it.
                • Copy the lines in the codebox below.
                Code:
                C:\WINDOWS\addit.exe
                • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
                • Click the red Moveit! button.
                • Copy everything in the Results window (under the green bar) and paste it in your next reply.
                • Close OTMoveIt2

                ComputerTired


                  I've performed all the steps up until number 5.

                  I just want a better understanding of what you mean by patched. Does that mean they're all linked together somehow and they can trigger the spread of malware?

                   ???

                  evilfantasy

                  At some point your antivirus cleaned them from whatever infection they had. They work the same but have been patched (virus removed). So now they show up as infected by Kaspersky because of the modifications made to them.

                  ComputerTired


                    Oh ok. Thanks for that info.

                    Continuing the process ...

                    ComputerTired


                      I'm sorry, I have one more question, lol.

                      Should I go to my C drive and delete the file or uninstall it?

                      Would deleting the file be the same as uninstalling?


                      ...sorry if these sound like silly questions, just trying to better understand things.