Solved

Windows Diagnostic Virus Removal

Posted on 2011-03-22
71
1,382 Views
Last Modified: 2012-05-11
OK...how do I get rid of the "Windows Diagnostic" virus??? Could not run any malware scans, in normal or safe mode. Pulled the drive and Stopzilla got rid of several. Computer is so messed up...don't know if I can't see any programs because of the virus or if they are gone. No desktop either, will not allow access to a flash drive.
SZEventLog.txt
0
Question by:MagsMcKinley14
71 Comments
 
LVL 3

Expert Comment

by:quinks
ID: 35195821
Put the HDD into another computer temporarily, then copy this onto it, or do so using a bootable Linux distro:

ComboFix, then SmitFraudFix, but rename the EXEs before running them. Afterwards, install Malwarebytes' software.

If all this fails, do a repair install, if that fails a clean install.
0
 

Author Comment

by:MagsMcKinley14
ID: 35195840
Can I attach via USB...it is a laptop.
0
 
LVL 3

Expert Comment

by:quinks
ID: 35195856
Nope, you'd have to take the disk out - sorry. It looks like either Safe Mode, or a bootable Windows or Linux CD/DVD are required here.
0
 

Author Comment

by:MagsMcKinley14
ID: 35195861
I have it taken out...I was going to attach it to another computer.
0
 

Author Comment

by:MagsMcKinley14
ID: 35195901
Doing a Malwarebytes scan...need to head to bed and restart in the morning.

Thanks for your assistance...I will check back bright and early.
0
 
LVL 6

Expert Comment

by:camacho_marco
ID: 35195996
Run msconfig and try to restore to an earlier point.... before you noticed the problems.

Cheers
0
 
LVL 23

Accepted Solution

by:
phototropic earned 300 total points
ID: 35196894
Do not bother with SmitfraudFix - it has not been updated for a very long time. The earliest date I can find for the latest version is 27 Jun 2009. If it is this old, it will be useless against contemporary viruses.

Combofix should be downloaded from the following site:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

There are rogue sites offering downloads.  

If Mbam cleans the drive sufficiently to let it boot to Windows, I would recommend running TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

and Hitman Pro:

http://www.surfright.nl/en/hitmanpro

If they still will not run, try running Rogue Killer:

http://www.geekstogo.com/forum/files/file/413-roguekiller/

Good article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

If still no go, try booting to Startup Repair with your Windows DVD:

http://www.bleepingcomputer.com/tutorials/tutorial148.html

Then run TDSSKiller from a flash drive via a command prompt.  You can only get so far slaving the drive...
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35196903
@camacho_marco,

How can you "...restore to an early point.... " via msconfig?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35197191
@thesslstore - Have you used that to correct any malware? It looks to me like just another free to scan, pay to fix scams.
0
 

Author Comment

by:MagsMcKinley14
ID: 35198110
Hitman Pro found plenty when the drive was in her computer but could not delete...I went as far as purchasing (I have used it before on her machine and her subscription expired), since they have gotten me out of so much trouble in the past I don't mind supporting them. However, the activation code, when added, won't stick. Is there a way to run it hooked up to another machine? Looks like it will only scan the primary drive.

phototropic: Which of the programs you mentioned can be run with the drive externally hooked up to another computer? Ran Malwarebytes on her partitions and it found nothing! If they can be run with her drive in her computer (it does boot into Windows), how can I fool the virus to let them run? Will running from a flash drive via a command prompt be an option? I have never done that before.

Hi thesslstore:, we have worked together before!  I ran STOPzilla, paid $9.95 which I will ask for a refund, and it did not get rid of the virus as promised.  As edbedb: asked have you used this program before to actually fix scams?
0
 

Author Comment

by:MagsMcKinley14
ID: 35201229
Can I run Combofix with the hard drive hooked up to another machine or do I need to reinstall and run?
0
 
LVL 6

Expert Comment

by:camacho_marco
ID: 35201251
Hi,

  If you have Vista follow this link

http://pcsupport.about.com/od/fixtheproblem/ht/system-restore-vista.htm

If you Have XP follow this one.

http://www.tech-recipes.com/rx/1729/xp_how_to_restore_point/

Let us know how you do...

Cheers
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 300 total points
ID: 35201660
"...it does boot into Windows, how can I fool the virus to let them run?..."

Try running rKill:

http://www.bleepingcomputer.com/download/anti-virus/rkill

There are 7 separate downloads - each a different name and/or file extension. Download them to a flash drive, then try each one in turn until you get lucky.

Also try Rogue Killer, as I linked to above.  

"...Will running from a flash drive via a command prompt be an option?  I have never done that before..."

Download TDSSKiller to a flash drive, open an elevated command prompt, then navigate to the drive and run the exe file from there.

If rKill will run and terminate the viral process(es), try Hitman Pro again. Or Mbam.

Please post any logs.
0
 

Author Comment

by:MagsMcKinley14
ID: 35201884
phototropic:  I just ran Hitman...may or may not repair but it is showing Rogue Killer that I downloaded from above which is on my Flash Drive ( her computer now will access it) as a Trojan!!  Help!!  What do you think?

I will try rkill now.  Thanks
0
 

Author Comment

by:MagsMcKinley14
ID: 35202369
phototropic: Things are looking better...I can not disable virus protection to run Combofix since I cannot see any programs etc...what am I to do?? Should I run anyway?? I'll run Rogue Killer while I wait...hopefully it is not a trojan!!
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 300 total points
ID: 35202481
That's right. Both rKill and Rogue Killer are legit programs when downloaded from the links I posted.
McAfee will delete rkill routinely, saying it is a trojan...Trust me, both those apps are safe and will hopefully restore permissions on the pc so that you can run some malware scans.

"...Should I run anyway?? ..."  No.  Combofix is a very powerful tool, and you must follow the directions to run it.  
What av software are you running?  Combofix will demand that AVG be uninstalled - most other av products must be shut down.

If you can get a version of rKill to run, then follow up with a scan using TDSSKiller and Hitman Pro.

Post scan results here.
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 50 total points
ID: 35202715
All,
I don't like jumping into strings that are already developed, but there is some really bad advice being posted here.

As mentioned, "SmitFraudFix" hasn't been a valid recommendation for many years - ignore it.
"ComboFix" is a great tool - but there are several things to try before resorting to it.
"bootable Linux distro" will have no effect on this variant, nor will 'slaving' your HDD off another computer.
"rename...EXEs" is another false suggestion - you have to use the "Save As" function and rename the executables before they ever touch the infected system - or save them to a clean computer and then rename them.

The entire post at http:#a35195821 is a cause for great concern.

The post at http:#a35195996 is baffling, because it doesn't mean anything and the post at http:#a35197133 looks like a commercial for some product I have never heard of.

The list of suggestions here (http:#a35196894) makes sense and lists all trusted and current malware tools (just hold off on ComboFix unless/until it is needed).
0
 
LVL 38

Expert Comment

by:younghv
ID: 35202771
phototropic already mentioned every tool in the link below and I am only posting this link to support his suggestion (in other words, no points for this post).

Detailed instructions for this variant can be found here:
http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic
0
 

Author Comment

by:MagsMcKinley14
ID: 35204443
Thanks everyone, younghv: very astute suggestions...thanks for reading the posts. I will continue in the morning...MST as this is not the only infected computer I am dealing with and I am exhausted! Again...I truly appreciate all your help!!
0
 

Author Comment

by:MagsMcKinley14
ID: 35209150
I can not delete or reinstall Malwarebytes...help please!
0
 
LVL 38

Expert Comment

by:younghv
ID: 35209396
MagsMcKinley14,

What actions are you actually trying to take and what are the results?

Keep in mind that you need to use explicit phrases to help us understand what you are seeing on your screen.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35209639
"...I can not delete or reinstall Malwarebytes..."

Why do you need to delete it?

Did you run rkill?  Did you run Rogue Killer?

Have you run TDSSKiller?  How about Hitman Pro?

Mbam should address your problem.  Will it run?

If any of the above have been run, please post the results here.
0
 

Author Comment

by:MagsMcKinley14
ID: 35211684
Just fooled...I hope...the computer to run Malwarebytes.  It would not download so when I was reinstalling it I simply renamed it.  Keeping my fingers crossed...it is running now.

Ran rkill, TDSSKiller, Rogue Killer (which really helped; the desktop and programs reappeared) but I still can't see the programs when I look in the C: drive and open Program Files, except the Malwarebytes file that I loaded under a different name.

Hitman Pro is a different story...it runs, but even when I enter the activation code and it says it is activated, it will not finish running. Got rid of the viruses it was finding with the other programs.

rkill.log
TDSSKiller.2.4.21.0-22.03.2011-1.txt
QuarantineReport.txt
0
 

Author Comment

by:MagsMcKinley14
ID: 35211799
Does anyone know anything about Dial-a-fix?  It did an amazing job repairing a computer that was badly infected with a Bootkit.TDDS virus amongst others.  Should I consider using it on this computer?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35211833
I got to tell you. If the Program Files directory is empty, I wouldn't expect that anything is going to repair this system other than a clean re-installation.
0
 

Author Comment

by:MagsMcKinley14
ID: 35211879
But the program files are there and the programs run...many things looked like they were gone until I started having luck with running programs...especially after I ran Rogue Killer.  When I check "show hidden files" they appear in C:/Program Files as hidden files.  Her desktop and other files which were hidden are not now.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35211910
So the computer is working properly now except that the program folders in the Program Files directory are hidden?
0
 

Author Comment

by:MagsMcKinley14
ID: 35211935
No, hardly...there is still something causing virus scans not to work properly without fooling it...Malwarebytes is running and has found 2 problems so far.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35211962
If Malwarebytes doesn't do it, then I think it's time to give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See if you can use this AVG clean-up tool to remove AVG
http://www.avg.com/us-en/download-tools
0
 

Author Comment

by:MagsMcKinley14
ID: 35212645
I am confused as to why you want AVG cleaned up...it is not her protection. Currently she has MSE, which is not showing up except that Combofix sees it, and Trend Micro Client/Server Security Agent. Yes, I know there should only be 1 virus program securing her system...which would you choose???
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 35212775
MBAM scan or other good scanners should've already taken care of the infection.
The folders and files are still there just unhide them.
 
In my XP:
Start > Control Panel > Tools > Folder Options

Click on the View Tab and check the radio button "show hidden files and folders" and press OK.

Once you're able to see all of the hidden files and folders on your computer, you can right click on the hidden folder > Properties, uncheck the Hidden box and apply the changes.


OR:
At the command prompt, run the following commands.

cd c:\
attrib c:\*.* /d /s -h
0
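As an added example (not from the thread), a PowerShell version of the attrib clean-up above: it clears the Hidden attribute recursively, reports what it changed, supports -WhatIf for a dry run, and leaves Hidden+System items (desktop.ini, boot files) alone, as attrib itself refuses to touch them. Assumes PowerShell 2.0 or later; the function name and default path are my choices.

```powershell
# Added example: equivalent of "attrib -h c:\*.* /s /d" with reporting.
# Not code from the thread; function name and default path are assumptions.
function Clear-RogueHidden {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Root = 'C:\Program Files'
    )

    $cleared = 0
    $skipped = 0
    $hidden  = [int][IO.FileAttributes]::Hidden
    $system  = [int][IO.FileAttributes]::System

    # -Force is required, otherwise Get-ChildItem does not list hidden items at all.
    foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
        $attrs = [int]$item.Attributes
        if (($attrs -band $hidden) -eq 0) { continue }   # not hidden, nothing to do
        if (($attrs -band $system) -ne 0) {
            # Hidden+System is normal for OS metadata; the symptom in this thread
            # is plain Hidden folders, so these are counted and left as they are.
            $skipped++
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            $item.Attributes = [IO.FileAttributes]($attrs -bxor $hidden)
            $cleared++
        }
    }

    # Summary object so the result can be inspected or logged.
    New-Object PSObject -Property @{ Root = $Root; Cleared = $cleared; SkippedSystem = $skipped }
}

# Dry run first, then the real thing:
# Clear-RogueHidden -Root 'C:\Program Files' -WhatIf
# Clear-RogueHidden -Root 'C:\Program Files'
```

Run it from an elevated prompt; the summary tells you how many items were unhidden and how many System-flagged ones were deliberately skipped.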
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35212795
If the infection is still there, make sure you update MBAM before running a quick scan.

"Her desktop and other files which were hidden are not now. "

Sorry I'm behind, so files are not hidden now? then just a good scan needs to be done?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35213522
"I am confused as to why you want AVG Cleaned up"

Sorry, I have been monitoring this question from the beginning and I thought I read that AVG was installed.
0
 

Author Comment

by:MagsMcKinley14
ID: 35219658
Making progress...great help...thanks everyone.
rpggamergirl: Thanks for your assistance...I knew about how to show hidden folders but great tip about unchecking the box...have no idea why they were all hidden.

Error message while scanning with SuperAntiSpyware..."Cannot create file "C:\ProgramData\Skype\Plugins\pxml.xml" Access denied." May just be the virus removal. In removing viruses from another computer an Experts Exchange Expert mentioned that Skype users were prone to a recent deluge of Fake AV. Can I update Skype without her losing any of her information?
0
 
LVL 38

Expert Comment

by:younghv
ID: 35219857
Mags,
SAS is nowhere in the list of tools you need to fix this.
I gave you a specific link to the instructions that will fix this for you.

I had a computer with a "Windows Diagnostic" infection today and it was in and out in less than an hour.

ComboFix is a great tool, but (IMO) not needed for this problem.
0
 

Author Comment

by:MagsMcKinley14
ID: 35219880
Yes, I just got done running it and I found viruses. I am now running Malwarebytes. Thanks younghv: for the reminder post...it was on my list!
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35219922
I have seen all types of fake security malware but I have never seen one to change the file attributes. I think she might have something more serious going on there.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35219934
edbedb,
Please feel free to read the instructions at the link I posted.
That is exactly one of the symptoms of this malware.

"To further make it seem like your computer is not operating correctly, Windows Diagnostic will also make it so that certain folders on your computer display no contents."

http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic

This is really not a very serious malware variant and no need for any kind of exotic tools.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35219984
@younghv - I stand corrected. I have been monitoring this question and I only check links that I suspect might be bad advice like the one earlier by thesslstore. I don't worry about yours so I did not see that.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35220008
"...This is really not a very serious malware variant and no need for any kind of exotic tools..."

That is what is so puzzling. Initially, the problem was that no tools would run. After some initial confusion, Rogue Killer and Rkill fixed that up. But now after running TDSSKiller, Hitman Pro, Mbam, and (apparently) SAS, the infection remains.

MagsMcKinley14,

Please could you post the most recent Mbam scan log.  Thanks.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35220010
np - :)
I find that 'Grinler' is almost as good as our own 'rpg'.
0
 

Author Comment

by:MagsMcKinley14
ID: 35220386
Ran SAS, eliminated viruses (will attach log next post), Mbam found no viruses, ran rkill, running SAS again.
0
 

Author Comment

by:MagsMcKinley14
ID: 35220670
ok...here are some scans...cross your fingers...I think I've slayed the dragon...with your help!!
mbam-log-2011-03-25--18-34-59-.txt
SUPERAntiSpyware-Scan-Log---03-2.log
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 300 total points
ID: 35221461
OK.  Mbam found two instances of MyWebSearch.  This is a venerable piece of adware which turns up on a very large number of pcs.  Mbam or SAS should remove it.  Take a look in Add/Remove Programs.  Uninstall anything with a name like the following:

My Web Search
My Fun Cards
Cursor Mania
Smiley Central
FunWeb Products

But Mbam and/or SAS should get rid of it.

SAS found seven tracking cookies. These are not a threat as such. Think of getting rid of them as being like hoovering up house dust. It also found an instance of MyWebSearch, and Trojan.Agent/Gen-FakeAlert which was found in some camera software. It seems likely that this last one is a false positive, given the amount of scanning you have already done on this pc. However, to be sure, I would upload the file to SAS for a second opinion. Procedure is here:

http://www.superantispyware.com/supportfaqdisplay.html?faq=28

Or you could upload the file to virustotal:

http://www.virustotal.com/

This will confirm whether the file is flagged as malicious or not by many other databases.

Be sure to update SAS and Mbam before you run them ("...running SAS again...").  It looks like the pc is back on track.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 35221661
The hidden folders/files were hidden by these nasties as younghv already pointed out in his link.
Even though the infection was already removed, the user still needs to unhide the folders.


The MyWebSearch entries MBAM found are just registry values; as already suggested, check if it's listed in Add/Remove and uninstall it there, and also look if the corresponding folders are still present; if so, delete them too.

C:\Program Files\MyWebSearch
c:\program files\FunWebProducts


The MYFINEPIX STUDIO folder is legit but it's not uncommon to have a malicious executable hiding in legit folders especially under unknown CLSID and an "update" folder.

As already mentioned good idea to have it scanned.
{CCEF81FD-5BA9-4F0C-8538-B889DBFC141A}\UPDATE\OPD_JP2.EXE


@ younghv:
Sweet... I'm not even good enough to be in the same room as Grinler, :)
0
 

Author Comment

by:MagsMcKinley14
ID: 35229402
OK...I deleted an old Trend product and MSE which do not show up as protecting her computer any longer.  It was so strange that MSE would show up as running but I could never find it.  MSE will also not reload due to an error so I loaded Avast Free in the meantime, ran a scan that came out clean.

What do you think is the best free anti-virus out there right now?

Do I need to activate rkill before each scan??

I unhid all folders that should be showing...thanks for the tip.

I can not set up remote access with GoToAssist...bumps me off. Reinstalled Java, deleting all old versions, and updated IE. Got the error message "Installer: Wrapper.CreateFile failed with error5: Access is denied." Java verified that the correct version is installed. GoToAssist still won't work.

Other than that it seems to be working fine.  What do you think??

0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 300 total points
ID: 35229675
"...so I loaded Avast Free in the meantime, ran a scan that came out clean..."

Good.  I take it that the FinePix trojan detected by SAS was a false positive?

"...Do I need to activate rkill before each scan??..."   No, you shouldn't have to do that if the pc is clean.  If Mbam and SAS and Avast will run normally, there's no further need for rkill.

"...Got the error message "Installer: Wrapper.CreateFile failed with error5: Access is denied." Java verified that the correct version is installed..." So Java is installed correctly? If so, your pc sounds good to go.

"...What do you think is the best free anti-virus out there right now?..."

This question gets asked a lot here at ee.  You will get all sorts of answers to it - but MSE and Avast are usually near the top of the list.

"...I can not set up remote access with GoToAssist...bumps me off..."  I have had very little experience with that software, so I can't really help you with that.  Often after a malware infection, some software apps may need to be uninstalled/reinstalled.

"...Other than that it seems to be working fine.  What do you think??..."

Sounds like the pc is back on track.  If you want to be doubly sure, you could run an online scan with eset:

http://www.eset.com/us/online-scanner/run

If that comes up clean, you're done.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35230667
>>"OK...I deleted an old Trend product and MSE which do not show up as protecting her computer any longer.  It was so strange that MSE would show up as running but I could never find it"<<<

With regards to MSE still showing up as running:
That's because even though it's been uninstalled, the corresponding info is still present in the root\securitycenter WMI namespace, and that's where ComboFix gets its info from. The offending program's entry, in this case Microsoft Security Essentials, needs to be deleted from there, either by using a ComboFix script or with wbemtest.exe.


Click on Start menu > Run > type in:

wbemtest

Click OK

Connect to root\SecurityCenter

You would need to change the root\default to root\securitycenter
Click on "Query" tab
Type in SELECT * FROM AntivirusProduct (If it's an AV entry you're trying to remove)

Click on Apply

In the Query result window, highlight the offending antivirus and click Delete.

Check my article with screenshots how to remove an entry:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2088-Can't-Install-an-Antivirus-Windows-Security-Center-still-detects-previous-AV.html
0
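The same query-and-delete the wbemtest steps above perform, as an added PowerShell example that is not from the thread or the linked article. It lists every AntivirusProduct record, and removes one by display name only when the executable it points at is no longer on disk, so a still-installed product is not deregistered by mistake. Assumes PowerShell 2.0 or later; XP keeps these records in root\SecurityCenter and Vista/7 in root\SecurityCenter2, so both namespaces are checked, and the function names are my choices.

```powershell
# Added example: list and remove stale Security Center AV registrations.
# Not code from the thread; function names are assumptions.
$script:SecurityCenterNamespaces = 'root\SecurityCenter', 'root\SecurityCenter2'

function Get-SecurityCenterAV {
    # Equivalent of "SELECT * FROM AntivirusProduct" in wbemtest, for both namespaces.
    foreach ($ns in $script:SecurityCenterNamespaces) {
        Get-WmiObject -Namespace $ns -Class AntivirusProduct -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Namespace'; Expression = { $ns } },
                          displayName, instanceGuid, pathToSignedProductExe
    }
}

function Remove-StaleSecurityCenterAV {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName
    )
    foreach ($ns in $script:SecurityCenterNamespaces) {
        $entries = Get-WmiObject -Namespace $ns -Class AntivirusProduct -ErrorAction SilentlyContinue |
            Where-Object { $_.displayName -eq $DisplayName }
        foreach ($entry in $entries) {
            # root\SecurityCenter (XP) has no pathToSignedProductExe property, so
            # $exe is empty there and the record is treated as removable.
            $exe = $entry.pathToSignedProductExe
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                Write-Warning "$ns : '$DisplayName' still has $exe on disk; uninstall it normally instead."
                continue
            }
            if ($PSCmdlet.ShouldProcess("$ns AntivirusProduct '$DisplayName'", 'Delete stale record')) {
                # Same action as Delete in wbemtest's Query Result window.
                $entry.Delete()
            }
        }
    }
}

# Inspect first, then dry-run the removal, then remove:
# Get-SecurityCenterAV | Format-Table -AutoSize
# Remove-StaleSecurityCenterAV -DisplayName 'Microsoft Security Essentials' -WhatIf
# Remove-StaleSecurityCenterAV -DisplayName 'Microsoft Security Essentials'
```

Run from an elevated prompt, and re-run Get-SecurityCenterAV afterwards to confirm the stale entry is gone before installing the replacement product.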
 

Author Comment

by:MagsMcKinley14
ID: 35234034
optoma: Hi Vic,
Could you run autoruns (don't make any changes within autoruns)
Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Within Autoruns, select the File tab and select Save (Ctrl+S)
Right click autoruns.arn and rename to autoruns.txt to attach here

Also run process explorer and get a screenshot of the entire processes running
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
0
 

Author Comment

by:MagsMcKinley14
ID: 35234077
rpggamergirl:  Above link was sent prematurely.  I followed the above from your link.  Attached are my results.

I apologize if I was not clear...MSE does not show up on my computer...I ran wbemtest to be sure.

phototropic: I am running the online scanner...so far it has come up with 1 threat "Win32/PrcView application"
0
 
LVL 38

Expert Comment

by:younghv
ID: 35234082
Mags -
Did you post in the wrong question?

For the record, my name is "Vic", but please don't confuse me with that other name you have posted.
0
 

Author Comment

by:MagsMcKinley14
ID: 35234336
Hey Vic...Sorry for the confusion...question posed in ID: 35234034 was sent prematurely.  Included it to let rpggamergirl: know what I had done.  This was a post from her article above in ID: 35230667.

rpggamergirl:  Sorry I forgot to attach the files...Auto run and Process Explorer
AutoRuns.txt
Process-Explorer-page-1.jpg
Process-Explorer-page-2.jpg
Process-Explorer-page-3.jpg
0
 

Author Comment

by:MagsMcKinley14
ID: 35235919
phototropic: Here is the log from the Eset Scan...Looks like it found another program it thought was a virus - MGTools. Looks like she is clean...

If she is now running Avast I assume Windows Defender should not be running...correct?

Still having issues with GoToAssist...may have to forget about it.
Eset-Online-Scanner-Log.txt
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35236872
MGTools is not software that I have any experience with. However, it seems to crop up as a false positive a lot:

http://forum.kaspersky.com/index.php?showtopic=123143
http://forums.majorgeeks.com/showthread.php?t=160902

So, if that is all the eset scan found, then I think we can give your pc a clean bill of health.

How is it running now?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35237049
It's because of the "process.exe" that MGTools uses.... which is a legit file used by many legit tools to stop system processes.

An antivirus can't distinguish between "good" and "malicious" use of such file that's why it flags it as bad.
0
 

Author Comment

by:MagsMcKinley14
ID: 35237138
Thanks everyone...Running well...trying to reload GoToAssist after speaking with the Tech dept...will close session tonight.
0
 

Author Comment

by:MagsMcKinley14
ID: 35241322
HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thought I was good to go...Scans coming clean until...
Avast asked if I wanted to run a boot-time scan so I did.  Woke up this morning with 2 virus detections and some corrupt files.
Java:Agent-DR
Java:Agent-DU
Deleted both...not surprised since it has been Java that has not allowed me to run my remote access software GoToAssist.

Should I delete Java and then go into the registry, search and delete all Java entries?

Then when I logged on I got a message: Window Activation - Activation was successful, saying that Windows Vista is genuine BUT after I closed that window, in the lower right corner it says, "Windows Vista (TM), Build 6002, This copy of Windows is not genuine." What is going on??

Please assist ASAP my client needs her computer back...this has been a nightmare...I really appreciate all your help....wish I could give 5000 points!!!
0
 

Author Comment

by:MagsMcKinley14
ID: 35242331
Googled Window activation...solved.

Still need your advice on Java!!! Please!!!!
0
 
LVL 38

Expert Comment

by:younghv
ID: 35242349
Mags,
If you check, you will probably find that one (or more) Java updates needs to be loaded on that system.
0
 

Author Comment

by:MagsMcKinley14
ID: 35242780
I deleted all old versions and updated to the most recent version of Java, and that was before Avast found the virus.

I backed up the registry and am now deleting anything having to do with Java before I reinstall it.
0
 

Author Comment

by:MagsMcKinley14
ID: 35242921
I'm going to try and run Combofix...I think I can run it now with the Antivirus Programs under control...I will post the log when it is finished.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35243169
Mags,
You say that you love CCleaner, so I suggest that you never manually do any cleaning in your registry.

CCleaner has a 'Registry' function that will remove all of that residue for you.
0
 

Author Comment

by:MagsMcKinley14
ID: 35243548
I do, but it didn't get rid of or correct any faulty Java files or clean up left over GoToAssist files...because of the viruses, is there any reason I can't simply delete anything related to Java??? I'm missing a ski day with my husband so I'm a little frustrated...thanks for letting me vent since I can't vent to my customer.
0
 

Author Comment

by:MagsMcKinley14
ID: 35243588
Here is the ComboFix log.  Thanks for reviewing it.
ComboFix-Log.txt
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 300 total points
ID: 35261762
Combofix appears to have deleted your java install.  Have you replaced it? Download is here:

http://www.java.com/en/download/index.jsp

Looks like you may also need to reinstall Quicktime.

It has also removed your Citrix GoToAssist, so I guess that will need to be reinstalled too.

The Combofix log looks ok to me, and if, once you do the reinstallation of the software Cf removed, the pc is running well, I think that should do it.

Sorry to hear about your missed ski day. Sometimes work can get in the way like that...

But I'm not qualified to read Combofix logs, so we better wait to see if rpggamergirl checks in to review your cf log.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 35270102
The folder/files that have been deleted can be restored from the quarantine folder. Or you can just download java again.

As phototropic had already analyzed, ComboFix log looks okay.
When having more than one anti-malware product installed on the PC, only one should have real-time protection on; the others can just be on-demand scanners.
0
 

Author Closing Comment

by:MagsMcKinley14
ID: 35282315
Appears the virus is gone. Computer is running well. Reinstalled Java, still can not use Citrix GoToAssist but it stopped working before this.
Thank you very much for your time and help!
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35282924
No problem. Glad to hear everything is back on track.

Maybe now would be a good time to go skiing...
0
 

Author Comment

by:MagsMcKinley14
ID: 35283220
phototropic: Thanks...unfortunately the lifts are closed due to high winds. I am however clearing off my desk...thankful for slaying the virus dragons, with your patient help. Then I will be heading up the mountains to a friend's for a weekend away from it all!!!

Enjoy...hope you get some time away from it all too...........somewhere I will find balance with my little computer business and taking care of myself.  Sometimes I find it hard to walk away from a computer in trouble even if it means not getting paid for all my time.  Learning time is on me, thanks for an arsenal of tools for fighting viruses!!

I'm sure I will hear from you again on a future thread, especially since you have helped me before!  Take care.

Warm regards,
Mags
0
