Malware Fun Moods and Snap.do refuse to go away,

Status
Not open for further replies.

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please run Ccleaner... Did you try to reinstall SkyDrive?

STEP 1: Clean your temporary files to gain more hard drive space and remove the junk files
<ol>
<li>Download Ccleaner from the below link:
CCLEANER DOWNLOAD LINK <em>(This link will automatically download Ccleaner on your computer)</em></li>
<li>Install Ccleaner by following the prompts</li>
<li>Start Ccleaner and the following should be selected by default, if not, please select:
<img src="http://i52.tinypic.com/4l5a4i.png" alt="Posted Image" /></li>
<li>Click <img src="http://i56.tinypic.com/16jox2o.png" alt="Posted Image" /> and choose <img src="http://i40.tinypic.com/5x3nu8.gif" alt="Posted Image" /></li>
<li>Uncheck <img src="http://i51.tinypic.com/amuvj8.gif" alt="Posted Image" /></li>
<li>Then go back to <img src="http://i41.tinypic.com/2jb4qyb.gif" alt="Posted Image" /> and click <img src="http://i25.tinypic.com/nf47ev.gif" alt="Posted Image" /> to run it.</li>
<li>Exit CCleaner.</li>
</ol>


 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Hi, I ran Ccleaner and yes, I did try to reinstall SkyDrive. It begins to install, then stops and sends me the same message to restart or to reinstall. Today I tried several more times, once from an Internet download and the next time from the original program. They again did the same as yesterday. I wonder if I should uninstall it, then try to reinstall. My administration account's SkyDrive works fine. I've tried making them both full control, turning on share and making me owner. Results were the same for all.

Today I did a quick scan with Vipre and it said that I have 2 incidences of a Trojan, Trojan HOSTS_Anti-Adware.exe(Trojan). I left it in C:\programs but think it is dead or something, because I re-scanned and Vipre didn't flag the program again.
Last night I installed two plugins, both directly from Chrome: Ad Block Plus and Picasa. Neither is on Chrome today, but Picasa is on the desktop. May not be related.
Then I had Malwarebytes do a deep scan. It didn't find the Trojan but did find 2 PUP types. Uploaded the log. In the quarantine window in Malwarebytes it has 154 items, most of them Trojan Agent. Those were quarantined on 11-27-12. There are also a lot of FunMoods and PUP-type items done in December 2012. I'm thinking I need to delete them.
And I found a file named Policy Cleanup.txt that was created this afternoon. It mentions 2 Trojan Agents that were quarantined and deleted successfully today.
Vipre doesn't produce a log, so I copied what I could of the screen and uploaded it as From Vipre 2-11-13.
 

Attachments

  • From Vipre 2-11-13.txt (7.9 KB)
  • policy_cleanup.txt (87.2 KB)
  • mbam-log-2013-02-11 (12-27-02).txt (1.9 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
How many user accounts do you have now? Is SkyDrive working fine in a user account?
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
I've never logged in as a user. I just opened them, and SkyDrive isn't in their programs. None of the users have passwords, and I never set them up.

Users: this is increasing. Lately I noticed new users. These are:
All users, Brenda, Default, Default user, Default.migrated, DefaultAppPool, Public, The Boss, desktop.ini
All the default ones are brand new.

Users folder
Everyone: full control
SYSTEM: full control
Administrators (New\Note\Administrators): full control
Users (NewNote\Users): full control

NewNote (the computer): all have full control
Everyone
SYSTEM
Administrators (New\Note\Administrators)
Users (NewNote\Users)

Skydrive
SYSTEM
Brenda (new\note\Brenda)
The Boss (NewNote\TheBoss)
Administrators (New\Note\Administrators)

Extensions has all full control; the same, with the addition of
S-1-5-21-549929245-231386884-3884349088-1003

Application Data
Everyone with special permission only; the rest are the same as the first

C:\Program Files (x86)
Everyone: full control
ALL APPLICATION PACKAGES: Read & execute, List folder contents, Read
CREATOR OWNER: special permissions
SYSTEM: full control
Administrators (New\Note\Administrators): full control
Users (NewNote\Users): full control
TrustedInstaller: special permissions with a faded check, and List folder contents, which has a solid check

Programs is the same as Program Files (x86) except that List folder contents wasn't checked, but when I went back to it the solid check was in List folder contents.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Are you able to use SkyDrive from Brenda or from The Boss? In any user account it is working?
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
SkyDrive works right in The Boss account. I tried changing the ownership over to me. It remained the same as it was. I'd leave it like that except I use the administrator account very little.
That Trojan downloader HOSTS_anti-adware_main-exe is active on the computer. It was running in the system tray. They say UnHackMe is the one that took care of it.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Could you please send me the Screenshots of Trojan downloader HOSTS_anti-adware_main-exe in the System Tray?
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
While searching my C drive I found the weird program that has the files (or program?) on my HD hidden. File:"Hidden file","C:\Windows\0ùž" This is the one I wrote about in the first post.

Last night I went to shut down the process in Hosts_Anti-Adware. It wasn't in Uninstall and I couldn't stop it in System Explorer. When I went to the directory Programs (x86) to delete the file, I received a warning message that deleting it would make my system very unstable and such.

I am going to send the log from Spybot, which found the hidden files. I have included here 2 screenshots of the system tray customize; as you can see it is active and there are install and such types in the tray. Also snippings of OUZ Properties, Security and Details. As you can see this program has administrative rights and is owned by administration. Perhaps this is why so many weird things are happening to my computer.

I use MS Paint for screen captures and suddenly it is not on my computer, so I used the Snipping Tool. Because I cannot get a shot of the actual tray without a capture-type program, I downloaded a program to capture the screen, installed it, and when I looked for it I couldn't find it. I did a full search of the C: drive. Then I got a message from Secunia PSI that the new program Screen Capture was patched. That is the program I installed.

I am trying to upload a file of the RootAlyzer log of OUZ's hidden files, but when I try it takes a really long time uploading, and it is a short log. Then it never uploads. So I will copy it into a txt file and rename it for the next post.
 

Attachments

  • ouz properties details jpg.JPG (30.7 KB)
  • OUZ general jpg.JPG (35.8 KB)
  • tray 1 jpg.JPG (35.4 KB)
  • tray 2 jpg.JPG (35.4 KB)
  • OUZ administrator security.JPG (39.3 KB)

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Hopefully this will upload; I just changed the name of the file to Hope. It is doing the same as the other one. It uploads incredibly slowly, then when done there is no file. I am going to try and copy, then paste in this post.
I finally pasted it, but the paste scrolled on for an insane amount of time. I had to crash it as the log.txt file began changing from the names of hidden files to repeating this bit I was able to catch. I then shut down the process in the system tray and was able to paste this piece. The ends of sentences are missing. Am going to see if I can upload the log now.
No, it is still doing the same thing. Cannot upload the log.

// info: Rootkit removal help file

// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\Windows\0ùž"
File:"No admin in ACL","C:\Users\Brenda"
File:"Invisible to Win32","C:\Users\Default User\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer"
File:"Invisible to Win32","C:\Users\Default User\Local Settings\Applic
 
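As an added example (not code from the thread, from MalwareTips or from Safer-Networking's tooling), here is a small Python parser for the RootAlyzer result lines quoted above. It assumes the `File:"reason","path"` line shape seen in the excerpt, and it collapses the repeated `Application Data` segments, which is what a recursive scanner produces when it follows the per-user Application Data junction (present since Windows Vista) back into itself; counting findings after that collapse gives a far more realistic picture than the raw line count.

```python
import re
from collections import Counter

# Constructed sample modelled on the RootAlyzer excerpt in the thread
# (the real log's last line was cut off; short stand-in entries are used here).
SAMPLE_LOG = r'''// info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"Hidden file","C:\Windows\0ùž"
File:"No admin in ACL","C:\Users\Brenda"
File:"Invisible to Win32","C:\Users\Default User\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer"
File:"Invisible to Win32","C:\Users\Default User\Local Settings\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys"
'''

# One result line: File:"<reason>","<path>"  (comment and header lines do not match)
LINE_RE = re.compile(r'^File:"(?P<reason>[^"]*)","(?P<path>[^"]*)"\s*$')


def parse_rootalyzer(text):
    """Return (reason, path) tuples for every result line; headers are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group("reason"), m.group("path")))
    return results


def collapse_junction_loop(path, segment="Application Data"):
    """Collapse consecutive repeats of a directory segment caused by a scanner
    following the per-user 'Application Data' junction back into itself.
    Returns (collapsed_path, number_of_repeats_removed)."""
    out, repeats, prev = [], 0, None
    for part in path.split("\\"):
        if part == segment and prev == segment:
            repeats += 1          # a junction-loop repeat, drop it
            continue
        out.append(part)
        prev = part
    return "\\".join(out), repeats


def summarize(text):
    """Count distinct findings per reason after de-duplicating loop paths."""
    seen, counts = set(), Counter()
    for reason, path in parse_rootalyzer(text):
        collapsed, _ = collapse_junction_loop(path)
        if (reason, collapsed) not in seen:
            seen.add((reason, collapsed))
            counts[reason] += 1
    return dict(counts)
```

Entries flagged "Hidden file" or "No admin in ACL" survive the collapse untouched, so they remain the ones worth looking at first.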

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Go to C:\programs X86\ and there you can see the Hosts_Anti-Adware folder. Rename it to Hosts_Anti-Adware.old and restart the computer. If you get any warning, ignore it and press OK.


After the restart, do the following step...

STEP 1: Run Notification Area Cleaner

<ol>
<li>Download Notification Area Cleaner from this link. After that, save it to your computer Desktop...</li>
<li>Extract notification-area-cleaner-x64.zip and you will see one file, NotificationsCleaner.exe, inside it.</li>
<li>Right-click on NotificationsCleaner.exe and select Run as Administrator.</li>
<li>You will be able to see one black window as shown below. Press Clean in that one.</li>
<li>After completing the Clean, restart the computer.</li>
</ol>
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
I did all the steps, and when I got to the black screen there were no words. I am going to try again but am sending this in case things freeze.
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Nothing on the screen this time either. Hosts_anti-adware.exe is in my system tray. I think the name is different, as it had main before the .exe. Install Hosts_Anti-adware.exe is in there too, with the (I believe) changed name. The one with OLD on it in Programs (x86) still has the OLD on it.
Also today, while checking around my HD, I found a program named GFI Software in ProgramData. When I opened it there was a folder named Adware. I opened that and found a lot of files like History, Logs, Errors and so on. I was able to read the files in a browser and they were very suspicious. One of the history ones was full of patches for all my antivirus programs.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Please run Ccleaner once again.

In the Ccleaner scan, please make sure you put a check mark in the option called Show Notification Cache. After that, press Run Cleaner.... You have to restart the computer after completing the scan... After the restart, check if you are able to see Hosts_Anti-Adware.exe.


Do one thing: check all the options in Ccleaner except Saved Passwords.


NOTE: It will remove all the unwanted files from the computer.
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
Just checking back, as Ccleaner is wiping my HD (900 gigs of free space) and because of its size it is going to take a long time. I was supposed to check Wipe Free Space, right?
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
I guess I don't have to say that I am very worried and scared. I've been closing all my bank and credit cards.
There is an unbelievable number of those "invisible to win32" files. It is much more than my whole hard drive, because some of them just repeat over and over with one number different. I noticed a ton of Crypto\RSA\MachineKeys. The entries that are repeated the most are those keys, games and all the antivirus programs. I guess 5 MB of words is a lot.
TeamViewer is on my machine, as the tech that worked on it and failed to remove Fun Moods left it running. I turned it off several weeks later. Can I uninstall it? Skype too. Also I am trying to find out what Black Widow is, what it does and how they got it on my computer without going on hacking sites.
 

MidniteQue

New Member
Thread author
Verified
Feb 4, 2013
38
I'm sorry, I got myself so worked up that I forgot to reboot. I just rebooted and ran the notification program. The screen is still black. I disconnected from the internet before running it because the HD was running hard and I had all my programs closed. Also I noticed that, along with my network connection, there is also a mystery one that is called hidden network. It is of the same strength as mine and not secured with a password. I could connect to it if I wanted, and I am sure it is coming from my machine.
Yes, Hosts_Anti-Adware.exe is still there, along with the install one, and there is a Hosts_Anti-Adware_main.exe.
Also, when I disconnect my internet the hidden network dies too. And I do remember that a few weeks ago my wifi key began to refuse to shut wifi off.
 