Ran Windows Defender Offline, can't boot up computer. Help please!


  1. Posts : 17
    Windows 7 64 bit
    Thread Starter
       #41

    Thanks again, cottonball. You managing in this seesaw weather we're having? It just seems sadistic to give us 60 degree weather on Sunday and 8 degree weather on Monday. Better than the other way around, I guess.

    Here's the AdwCleaner logfile as requested:

    # AdwCleaner v3.017 - Report created 28/01/2014 at 09:42:09
    # Updated 12/01/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : POSTAL - POSTAL-PC
    # Running from : C:\Users\POSTAL\Downloads\AdwCleaner.exe
    # Option : Clean
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\Program Files (x86)\Ask.com
    Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
    Folder Deleted : C:\Users\POSTAL\AppData\Local\apn
    Folder Deleted : C:\Users\POSTAL\AppData\LocalLow\AskToolbar
    File Deleted : C:\alotserviceruntime.log
    File Deleted : C:\Users\Public\Desktop\eBay.lnk
    File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar
    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKCU\Software\APN
    Key Deleted : HKCU\Software\Ask.com
    Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
    Key Deleted : HKLM\Software\APN
    Key Deleted : HKLM\Software\AskToolbar
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
    Key Deleted : [x64] HKLM\SOFTWARE\Description
    Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    ***** [ Browsers ] *****
    -\\ Internet Explorer v11.0.9600.16428

    -\\ Google Chrome v32.0.1700.76
    [ File : C:\Users\POSTAL\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    *************************
    AdwCleaner[R0].txt - [5353 octets] - [28/01/2014 09:39:10]
    AdwCleaner[S0].txt - [5191 octets] - [28/01/2014 09:42:09]
    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5251 octets] ##########


  2. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #42

    Is the Ask toolbar coming back? I thought I saw it eradicated earlier in the thread. I could be wrong and only think so because I read a few of the scan logs.

    Anyway, I came across this How do I remove the Ask com Toolbar
    There is a good video and Ask offers a cleanup utility if the instructions don't completely remove their toolbar. An interesting question posed at the top of that page is: Are you sure it's the Ask toolbar?

    You don't have to do anything with this information, I just wanted to put it up somewhere and this seemed like a good place.

    Bill


  3. Posts : 2,470
    Windows 7 Home Premium
       #43

    bsever,

    Thanks for the report.

    Have been living in this area since 1979, and this has to be the coldest Winter I remember. We may have more to come in February!

    As far as the Ask Bundle, etc., looks as if AdwCleaner got it.

    If you do any scans, and it comes up again, either post back, or give the link Slartybart provided a try.

    Don't know if having the fox guarding the henhouse is what it brings, however, removing the Ask Bundle is do-able thru other means.

    Need to go thru this thread and see what else needs done. Will be back with you later this PM.


    Last edited by cottonball; 28 Jan 2014 at 17:40. Reason: Type-o!


  4. Posts : 2,470
    Windows 7 Home Premium
       #44

    Before we wrap up, need to have you use the following...

    Please download Security Check:
    http://screen317.spywareinfoforum.org/
    Save to your Desktop.
    Double-click: SecurityCheck.exe
    Follow the onscreen instructions inside the black box.

    When done, a Notepad report opens automatically, called: checkup.txt

    Please post the checkup.txt in your reply.

    (Do not take any corrective actions!)




  5. Posts : 17
    Windows 7 64 bit
    Thread Starter
       #45

    Ugh, more in February? I'm starting to see the appeal of seasonal migration.

    Here's the checkup text report:

    Results of screen317's Security Check version 0.99.79
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Symantec Endpoint Protection
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.75.0.1300
    Java(TM) 6 Update 30
    Java 7 Update 45
    Java version out of Date!
    Adobe Reader 10.1.9 Adobe Reader out of Date!
    Google Chrome 32.0.1700.102
    Google Chrome 32.0.1700.76
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


  6. Posts : 2,470
    Windows 7 Home Premium
       #46

    bsever,

    Ever heard of 'white February'?

    These are vulnerabilities you cannot afford to have:
    >> Java version out of date!

    Please verify the version of Java you have installed:
    Link > Verify Java Version
    If your version of Java is outdated, it needs to be updated:
    When done, please uninstall older versions:
    Link > How do I uninstall Java on my Windows computer?

    >> Adobe Reader out of date!
    Please download the latest version of Adobe Reader:
    Link > Adobe - Adobe Reader download - All versions
    Once installed, launch it, select Help > Check for Updates, and install any updates.
    Then, uninstall earlier versions:
    Go to Start > Control Panel > Add/Remove Programs, and remove all older versions of Adobe Reader.


    On Google Chrome, make sure you are protected by the latest security updates!
    Check here:
    Link > https://support.google.com/chrome/answer/95414?hl=en



    Are you having any more malware problems with Windows 7?
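
Added example, not part of the original thread and not a tool used in it: a short Python parser for a Security Check report in the layout posted in #45, listing the entries flagged out of date and the products present in more than one version. The function names are illustrative, and the sample reproduces the relevant lines of that report with the backtick rules rebuilt in code.

```python
import re
from collections import defaultdict

RULE = "`" * 9  # section headers in the report are framed by runs of backticks
# Sample input: lines taken from the checkup.txt posted in #45.
REPORT = "\n".join([
    "Results of screen317's Security Check version 0.99.79",
    RULE + "Anti-malware/Other Utilities Check:" + RULE,
    "Malwarebytes Anti-Malware version 1.75.0.1300",
    "Java(TM) 6 Update 30",
    "Java 7 Update 45",
    "Java version out of Date!",
    "Adobe Reader 10.1.9 Adobe Reader out of Date!",
    "Google Chrome 32.0.1700.102",
    "Google Chrome 32.0.1700.76",
    RULE + "Process Check: objlist.exe by Laurent" + RULE,
    "Norton ccSvcHst.exe",
])

SECTION = re.compile(r"^`+\s*(.*?)\s*`+$")
ENTRY = re.compile(r"^(?P<name>[A-Za-z][^\d]*?)(?:\s+version)?\s+(?P<ver>\d[\d.]*(?:\s+Update\s+\d+)?)")
STALE = re.compile(r"out of date!", re.I)

def parse_utilities(report):
    """Return (product -> versions listed, products flagged out of date)."""
    versions, stale, in_section = defaultdict(list), [], False
    for line in report.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            in_section = header.group(1).startswith("Anti-malware/Other Utilities")
            continue
        if not in_section or not line:
            continue
        entry, rest = ENTRY.match(line), line
        if entry:
            versions[entry["name"].replace("(TM)", "").strip()].append(entry["ver"])
            rest = line[entry.end():]
        flag = STALE.search(rest)
        if flag:
            # The flag is either on its own line ("Java version out of Date!")
            # or appended to the entry it refers to (the Adobe Reader line).
            stale.append(re.sub(r"\s+version$", "", rest[:flag.start()].strip()))
    return dict(versions), stale

def findings(report):
    versions, stale = parse_utilities(report)
    return {"out_of_date": stale,
            "multiple_versions": {p: v for p, v in versions.items() if len(v) > 1}}
```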


  7. Posts : 17
    Windows 7 64 bit
    Thread Starter
       #47

    I have updated Java and Adobe on this computer and uninstalled old versions as directed. I have also confirmed that Google Chrome is updated as well.

    I don't have any more malware problems with Windows 7, and I thank you so much for all that you've done to help me out of a real jam. If I could click the scales of justice anymore to give you additional rep I would.


  8. Posts : 2,470
    Windows 7 Home Premium
       #48

    Thank you. Glad to help!

    If you are no longer having problems, you are good to go!

    Since the computer had the Alureon RootKit, the types of information that may have been accessed are account IDs and passwords (such as PayPal, Hotmail, gmail, Facebook accounts, etc.), credit card information (PIN numbers, expiration dates and card numbers), and banking information (account numbers, passwords, PINs etc.).

    If you conducted any activities or transactions of the nature described above on the infected computer, would strongly recommend you change passwords, IDs, PINs, etc., using another computer.



    Let's wrap up, as well as remove the tools used and their reports, since these tools are updated frequently, and it is best to have a new copy.

    Please remove:
    -FRST, its folder in C:\FRST, and any fixlist or fixlog on the Desktop.
    -Security Check, and its report
    -TDSSKiller, and its reports

    -AdwCleaner > Run the tool, and press: Uninstall

    Would use Malwarebytes Anti-Malware, and run it regularly...
    If you have USB pendrives or SD cards, connect them to other computers, and then connect them back to your computer, the Perform Full Scan has the option of selecting which drives you want to scan, and includes removable drives.

    Also, make sure your security software is ALL enabled and running!

    And, consider doing the following to prevent future infections...
    Malware is normally installed through vulnerabilities found in out-dated and insecure programs on a computer.
    You can use the Secunia Personal Software Inspector to scan for vulnerable programs:
    Free Computer Security - Personal Software Inspector (PSI) - Secunia
    A tutorial on how to use the program is found here:
    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)

    Thanks for following all the instructions and providing the reports!!

    Have a great year, bsever!!


  9. Posts : 17
    Windows 7 64 bit
    Thread Starter
       #49

    Thanks cottonball! I will follow your advice and guard myself the best I can.


 