Author Topic: HELP! Something just took control of my computer and ITS NOT ME!!  (Read 21487 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #15 on: June 10, 2008, 03:08:05 AM »
Hi, let's deal with this one at a time.

The icon disappearing seems to be quite common after using combofix. Usually a repair of avast fixes it.

Go to add/remove programs, click on avast
Click uninstall/remove
On the next screen, scroll down to repair
Click repair.

You may have to reboot. Let me know if the icon is back.

BTW, avast is running.

I don't know what the small box that appears in the upper left corner is. You will have to try to catch it if it appears again.

Describe your desktop. What is different? Right click on a blank portion of your desktop and click properties. On the screen that appears is Windows XP selected?

Next, click the start button, click run

In the run box that appears, copy and paste the following lines, one at a time, hitting enter after each

sc stop fipss
sc delete fipss


Answer these and we will carry on.


Offline sasysusie

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 371
Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #16 on: June 10, 2008, 08:50:47 AM »
Sorry I was late getting to the computer tonight.  Ok I will try to answer these one at a time and without going around too big a bush.. which is not easy for me!

I did the repair on avast and yes the icon is back :)

As for the small box.. it's more like a window that is opening but it's just a very small rectangular size and it's only like a tiny piece of the top tool bar of it.. It appears for only a portion of a second, so fast that even when I'm looking right there for it I cannot read any portion of it or grab it.  It seems to me that I had that same thing back when I had that granddaddy of all Trojans hiding way away in my computer but I could be mistaken.

Ok thirdly as for my main screen looking different.. well it looks the same as it always used to now... the screen itself had the picture we were using as wallpaper but it was on stretch mode instead of centered like it was before the whole virus hit.  My daughter came along today without really knowing all that had been going on with the computer and changed the picture back to centered so now my screen looks like it did before the virus. So actually when I right click on windows, since my daughter has a picture for our background screen, it does not read windows xp, it reads windows classic modified.

I did this next step... In the run box that appears, copy and paste the following lines, one at a time, hitting enter after each
sc stop fipss
sc delete fipss
So with that step being complete as well I think I am up to where you wanted me to be and I hope I answered all your questions that you had for me.

You are a treasure and ty again for all your time.
Susie




Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #17 on: June 11, 2008, 01:51:33 AM »
Hi
All right. I think the icon issue and the desktop issue are resolved. Windows XP is the default, but if you are using classic, that's fine. Just as long as it has returned to normal.

Let's see if there are any stragglers.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Note: your computer may boot a little slower the first couple of times after using ATF.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Offline sasysusie

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #18 on: June 11, 2008, 03:17:56 AM »
Hi.. ok this next check list is complete.. Ran the ATF Cleaner and did the Malwarebytes and have attached that log.
Let me know how you think things are looking.. The computer seems to be running much happier. I honestly do not know how I could have done this to my computer again. I have my avast and I am using Comodo.  All I know is I am so grateful for your help. You are truly amazing!
Thanks
Susie

Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #19 on: June 11, 2008, 05:33:44 PM »
Hi sasy. The time/date of the files/folders we removed would indicate some of this came from a utorrent download.

Keep malwarebytes and use it as a backup on demand scanner.

1. Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

2. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

3.  Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

4. Go to  http://java.sun.com/javase/downloads/index.jsp

 Scroll down to "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
Click the download button on the right.

 > If Information Bar pops up, right-click on it and say it's OK to display the blocked content.

Select the platform (Windows, in your case), multi language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,
Save the file jre-6u6-windows-i586-p.exe to your desktop;
Do not select Run . Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall the old versions of Sun Java, Java JRE, or similar.
Do not uninstall Java TM 6 Update 6 if found!

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found.
 Delete any subfolders it may contain.

Do NOT delete jre1.6.0_06 if found!
Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.

5. You should also uninstall Adobe Reader 6 and replace it with version 8.1.2 . Instructions can be found here.
http://kb.adobe.com/selfservice/viewContent.do?externalId=327675

Be sure to move any documents you have saved in Program Files\Adobe\Acrobat 6.0\Reader to another folder before you uninstall the program

Download the new version from  http://www.adobe.com/go/getreader

The google tool bar is optional, uncheck it if you don't want it.

6. I think you should add a resident antispyware scanner to your defences. Use either of these

Winpatrol
Windows Defender

7. Maybe even consider this Spyware Blaster to help immunize your computer.

will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.


Take care and keep safe.
« Last Edit: June 13, 2008, 05:19:50 AM by oldman »

Offline sasysusie

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #20 on: June 12, 2008, 07:38:35 PM »
I think I might be in a bit of trouble... I completed all the steps you gave me to this point.... under item #4 Reboot your computer. Double-click on the saved file to install the update.
At that point 2 things happened...
1. When I rebooted I got this error message "Updates from HP is unable to access its data directory.  It is either invalid or unreachable, or there is another program accessing it."
2. When I double click on the java update I saved to my desktop I am getting this message from windows "Windows cannot open this file:
File: 1213290065220 - intregrated jave - 6u6.jnlp
To open this file, Windows needs to know what program created it.  Windows can go online to look it up automatically, or you can manually select from list of programs on your computer. What do I want to do?
I tried to use the "use the web service to find the appropriate program" option to find it but for some reason I have been having trouble with my internet explorer as well.  When I try to use it thru clicking on the option here... or even when I try to click on download sites you have given me, the windows explorer stays a white page with no address in the address bar. If I put the address in manually the internet explorer will work fine.. So for that reason the option of letting the computer find it did not work for me.. so I am kinda at a standstill I think until I hear back from you.. I will not proceed with 5 until you tell me what I need to do to complete all of step 4.
grrrr frustrating!
thank you for your help
Susie and not always so sasy!!

Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #21 on: June 13, 2008, 01:34:26 AM »
I'm not sure where you got this file 6u6.jnlp from. The file name should be jre-6u6-windows-i586-p-s.exe

The link, for some reason doesn't work for me either.

Use this one
http://www.java.com/en/download/manual.jsp

Then start here and do any steps you need to. It looks like you are up to the install. So please download the correct file and see what happens.

Scroll down and click on Windows Offline Installation,
Save the file jre-6u6-windows-i586-p-s.exe to your desktop;
Do not select Run . Do not install it yet.





The HP update error could be several small things, such as it tries to get the updates before an internet connection is established or the firewall blocks it. Is this ongoing, occasional, new?

Offline sasysusie

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #22 on: June 13, 2008, 03:20:12 AM »
Hi Oldman,
1. Ok I did the java updates with the new address you gave me and it worked fine.
2. As to the hp update error I spoke of, that was the first time I have seen it, but when I just now rebooted when I removed the Adobe Reader 6 as you instructed in thread #19 item list #5... I did not get that message again.. so maybe it was an isolated incident.
3. but... a problem I'm having, in thread #19 list of things for me to do #5.. the address you gave me for version 8.1.2 to replace my adobe 6..
http://kb.adobe.com/selfservice/viewConten...ternalId=327675. I get this page cannot be displayed... is there another address i could use for that?
4. I am still having trouble with my microsoft Internet explorer. An example is when I click on the avast ball, about Avast, user forum: http://forum.avast.com, I get a page but it is blank and the address line is blank.. but at the top it says Microsoft Internet Explorer.. there have been several cases when I click on a given address it won't come up.. it's making me go to a new window and paste the address in there and then it will go to the site.. this is a problem I did not have before the new virus hit me.. do you think it is related and is there anything I can do about it.. I hope how I explained it made any sense at all to you.
5. You said in thread #19 that you could tell from the time and date of the files we removed that it looked like my trojans came from a utorrent download.  What is that exactly so I don't do it again!
I'll wait to hear back from you so I can see if I can get an address I can use for the adobe update.. right now I have the old one uninstalled.. I did that before I knew I would not be able to access the address for the new one you gave me.
Ok I'll watch for a post. Take care and ty once again
SasySusie

Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #23 on: June 13, 2008, 04:28:57 AM »
http://www.adobe.com/go/getreader

Hi, the link above is working. I'm going to check the other links I posted for you and see what's going on with them. Work on the adobe, I'll post back later.

edit to add:
Ok, the problem was with my links. They are all working now. This should eliminate that problem with your browser.

Utorrent is a P2P program for downloading things. These are the lines from your combofix log.


2008-06-07 20:07 . 2008-06-07 20:06   30,728   --a------   C:\WINDOWS\444.470
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\xrem
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\vntiho06
2008-06-07 20:06 . 2008-06-08 07:32   <DIR>   d--------   C:\WINDOWS\system32\inet2
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\expo
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\btz
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\105772
2008-06-07 20:06 . 2008-06-07 20:06   369,284   --a------   C:\Temp\ndcdll2.exe

2008-06-07 20:04 . 2008-06-07 20:04   <DIR>   d--------   C:\Program Files\uTorrent
2008-06-07 20:04 . 2008-06-08 13:46   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\uTorrent

The first group were what we removed. The time stamp is 2 minutes after utorrent. This is why I think it may be something you downloaded.

« Last Edit: June 13, 2008, 05:35:40 AM by oldman »
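The timestamp comparison made in the post above, written out as an added example that is not part of the original thread: it parses the quoted ComboFix lines and lists everything stamped shortly after the uTorrent folders appeared. Which of the two timestamp columns to compare (the first is used here), the 10-minute window and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the ComboFix excerpt quoted in the post above.
LOG = r"""
2008-06-07 20:07 . 2008-06-07 20:06   30,728   --a------   C:\WINDOWS\444.470
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\xrem
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\vntiho06
2008-06-07 20:06 . 2008-06-08 07:32   <DIR>   d--------   C:\WINDOWS\system32\inet2
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\expo
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\btz
2008-06-07 20:06 . 2008-06-07 20:06   <DIR>   d--------   C:\WINDOWS\system32\105772
2008-06-07 20:06 . 2008-06-07 20:06   369,284   --a------   C:\Temp\ndcdll2.exe
2008-06-07 20:04 . 2008-06-07 20:04   <DIR>   d--------   C:\Program Files\uTorrent
2008-06-07 20:04 . 2008-06-08 13:46   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\uTorrent
"""

FMT = "%Y-%m-%d %H:%M"
# Two timestamps, then a size or <DIR>, an attribute mask, and the path.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+\.\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)

def parse(log):
    """Turn listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        first, second, size, attrs, path = m.groups()
        entries.append({
            "first": datetime.strptime(first, FMT),    # assumed comparison column
            "second": datetime.strptime(second, FMT),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path.strip(),
        })
    return entries

def correlate(entries, marker, window_minutes=10):
    """Find entries stamped within window_minutes after the earliest entry
    whose path contains marker. Returns (t0, [(minutes_after, path), ...])."""
    def is_anchor(e):
        return marker.lower() in e["path"].lower()
    anchors = [e for e in entries if is_anchor(e)]
    if not anchors:
        return None, []
    t0 = min(e["first"] for e in anchors)
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in entries:
        delta = e["first"] - t0
        if not is_anchor(e) and timedelta(0) <= delta <= window:
            hits.append((int(delta.total_seconds() // 60), e["path"]))
    return t0, sorted(hits)

if __name__ == "__main__":
    t0, hits = correlate(parse(LOG), "uTorrent")
    print("anchor:", t0)
    for minutes, path in hits:
        print(f"+{minutes:>2} min  {path}")
```

Proximity in time is a lead for further checking rather than proof of origin, since file timestamps can be changed by software that runs after the fact.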

Offline sasysusie

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #24 on: June 14, 2008, 01:20:20 AM »
Thank you for your help... most things are back to normal other than I'm still having troubles with Microsoft Internet Explorer.  But I can work around that if there isn't anything else I can do.
I'll try to keep out of trouble but I am not sure what I even did this time ugh! I did download Winpatrol and Spywareblaster.. Hopefully it will help me.
Let me know if there is anything you think I need to do.. otherwise take care and ty for being so kind and helpful.
Hugs
Sasysusie

rdmaloyjr

  • Guest
Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #25 on: June 14, 2008, 02:33:44 AM »
To keep you out of trouble I recommend:

Make Opera your default browser.

Use OpenDNS.  OpenDNS protects millions of people a day across hundreds of thousands of schools, businesses and homes. We block phishing sites, give you the power to filter out adult sites and proxies among more than 50 categories, and provide the precision to block individual domains.

Use Spyware Terminator or SUPERAntiSpyware Pro.

Use ZoneAlarm Free or ZoneAlarm Pro

Use RUBotted

Use SpywareBlaster

Use WinPatrol

Use Windows Defender.  Windows Defender won't conflict with other antispywares because it runs as a service.

Happy Safe Surfing! :)
« Last Edit: June 14, 2008, 04:57:43 PM by rdmaloyjr »

Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #26 on: June 14, 2008, 05:52:35 AM »
Explain a little more of the problem you are having with IE. Do the links I posted now work properly and is it just the avast link from "About Avast" that is not working?

Offline sasysusie

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #27 on: June 26, 2008, 05:53:42 AM »
Hi Oldman,
For the most part all seems to be working fine except I am still having trouble with IE.  The links you gave me the second time did all work.  I still am having trouble with the About Avast.. when I click on that nothing comes up but an empty address.. are others having the same trouble? When I type the actual address in the bar I get here just fine.  My computer is running a bit slower but I am figuring that could be from some of the extra protection you had to add to my computer and if it keeps me safe then I don't mind slow at all.
Was there anything else I needed to do.. I thought we were pretty much all done. Sorry I did not get back to you sooner but life has been crazy busy the last few weeks.
Thanks for your time once again
Susie

Offline oldman

Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #28 on: June 26, 2008, 08:22:59 AM »
Hi, I just tried the link from "About avast!", it works for me, I get the avast homepage.

Which programs did you install? And when did you notice the slow down?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89104
  • No support PMs thanks
Re: HELP! Something just took control of my computer and ITS NOT ME!!
« Reply #29 on: June 26, 2008, 02:25:31 PM »
The link works for me, opens the avast home page in my default browser (firefox 3.0).

However my firewall did chime in asking if it was OK for ashDisp.exe to do this, so perhaps you need to check your firewall and see if it is blocking ashDisp.exe from launching other applications with a URL, etc.