Unauthorised SCAN activated.

[nicla]

OK, David.......the scan is finished.  I imagine I go ahead, close all my other applications and evict the invaders according to the instructions on the report.  I will await your confirmation on this as I am not sure whether viewing the results is  necessary to this clean up process.

Also reading back over your original post I can see that I have one step left to go - the SuperAntiSpyware. 

[DavidR]

Before you do that copy and paste the report so we can have a look at what you have found.

[nicla]

David,  I am sure that there is a better way to copy the results to here but I don't know what it is -- so I saved it to notepad then copied and pasted it here (in its entirety)

Malwarebytes' Anti-Malware 1.24
Database version: 1047
Windows 6.0.6000

13:40:07 13/08/2008
anti malware results  mbam-log-8-13-2008 (13-38-35)

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 197674
Time elapsed: 2 hour(s), 24 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{9869efa6-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9869efb4-18e9-11d3-a837-00104b9e30b5} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll (Trojan.Agent) -> No action taken.

[DavidR]

Wow that took some time, very thorough.

You can run it again, just a Perform quick scan, should cover the areas where infection was found. In the report there are boxes which are checked and you can right click on the entrie and select Quarantine, etc. so let MBAM deal with all three.

However, before you do that, add this file CmdLineExt02.dll to the User Files section of the Chest it can do no harm there. Then we/you can send it to avast for analysis, but lets not worry about sending it just yet, having got a copy into the chest proceed with the MBAM actions.

[nicla]

David, whoa.  The first paragraph I reckon I can manage but the second needs a good second, third and mmmmmmore looking!!!!   

Firstly I accidently closed the application after copying the stuff and I then ran a scan on the C drive only.  The results are exactly the same as those for the full scan.

[nicla]

Before I posted the last post I had a look for the "chest" you were talking about but I drew a blank.   I am sorry I need clearer instuctions on how to add  "CmdLineExt02.dll to the User Files section of the Chest."

Just for your amusement I should say why things are taking a bit of time    in a nutshell it is my kids.   I had to play a game with them just before  and soon it will be bath time tea time and bed time which is going to ensure that this saga continues tomorrow!!!!

[DavidR]

I though it would be closed or that you took no action, both would require you to run it again. Seeing the areas reported as infected I knew those would be found with the quick scan saving you a couple of hours. That is why I suggested it

First Open the avast chest, right click the avast icon, select Start avast antivirus.
Once the memory scan is done the simple user interface is opened, right click in the middle of it.
Select Virus Chest.
Click the User Files section.
At the top of the window you will see File, click that.
From the drop down list select add.
From the Explorer like pop-up navigate to the location of the C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll file.
Highlight (select) the file and click Open (this doesn't actually run or open the file) but will copy the file to the chest.
Ignore the avast pop-up and Close (button) the window.

You should now see the file copied into the user files section of the chest.

MBAM
You should have your report screen in front of you (scanner tab of MBAM), I'm trying to do this in the dark as I have only ever had to do it once before. All of the detected, infected items will be listed (and the box to the left ticked).

When you right click on one of the entries you should get a list of options, Quarantine, etc. that is by far the best option, select that.

That should hopefully get rid of those items.

[nicla]

OK,  just letting you know that I am at my best in the mornings and all that you posted just now will better serve me if I am fresh.  So please bear with me some more and I will be on line again tomorrow.

Good night!!!   

[nicla]

Hello David,  super clear instructions, thanks, but guess what I am snagged again.  I can't locate the Cmd file.  In fact I can't locate the AppData folder.  I even ran an advanced search with the exact name and the tag (which I presume is .dll) NOTHING.  I ran a search on AppData ..  still nothing.  Not that I think it matters but my computer OS is Vista and the harddrive is partititioned (c&e).

[DavidR]

You start of using windows Explorer and navigate step through the path (C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll) from the C:\ Drive/folder, then Users, then Nicola, then AppData, then Local, then Temp, then find the file CmdLineExt02.dll in the Temp folder.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

[nicla]

Apologies for the delay but I got called away.  After I set the folder view it all was easy peasy until I looke for the blessed Cmd....dll file.  I couldn't find it  .  I even started another post with the bad news but I couldn't believe that it wasn't there so back I went and looked again and glory be there it was.

The file is now sitting in the avast! chest.

Just going to perform MBAM action now.

[nicla]

Back again -- right clicking gives the following options with "quarantine" not present

add to ignore list
jump to location
check all items
uncheck all items
check all items from this vendor
uncheck all items from this vendor
vendor information

There is a "remove Selected" button at bottom left and a quarantine tab which is not available whilst the scanner report is up. 

[DavidR]

Yes as I said I was working in the dark as I couldn't recall it from the one time I had any results after a scam

Well I hacked around and created something that would trigger MBAM and there is no Quarantine option, but the entries you wish to take any action on, must be checked (box to the left of entries) I think they are all checked by default.

There are two buttons they are Remove Selected (as you found) or Ignore, in your case we are only going to use the Remove Selected (so ensure they are all selected/checked).

By clicking that button it should I believe actually quarantine it then the Quarantine tab would become active, though I don't know for sure (if it deletes it not problem you have the copy in the chest).

That should be you done for now, we can look at sending the file to avast later today (it is 2:40 a.m. here) as I'm about to call it a night.

[nicla]

For general information the following box popped up once I pressed the "remove selected" button.
-----------------------
Certain items could not be removed! The first few are listed below.  All items that could not be removed have been added to the delete on reboot list.  Please restart your computer now.  A logfile was saved to the logs folder.

C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll

Your computer needs to be restarted to complete the removal process.  Would you like to continue?
-----------------------

[wyrmrider]

the
C:\Users\Nicola\AppData\Local\Temp\CmdLineExt02.dll
is the command to take action on reboot
so reboot
then post up the log
It's only 7:30 here in So Cal
I think that DavidR wanted to try Superantispy next
so either that or an on line anti virus scan (I tend to alternate between Anti spyware and anti-virus)
but if you are up to it you could get at it
good luck
With SAS - it's been awhile but I think update and then select/ configure the depth of scan
hint- go for it

Wyrmrider