BleepingComputer.com: possible eset 2011 infection

im writing this from my other pc. i have found eset 2011 within the last week with malware bytes and it got rid of the file that was found, but could it still be on the sysytem even though i could have found it early enough before it could infect my machine completely. should i run another scanner just to be safe or not worry at all since it was just a single file found by malwarebytes and is now in quyarentine. since that day i havent had any problems with it or had any scarewaree warning popups im still curius to know if its gone. ill send the text file as soon as i get on my other machine. any information as to what i should do would be appreciated thanks.

If you remember the name of the malware program, you can check msconfig to see if it is still trying to autostart when you boot your computer. This may be obvious, but you can also check taskmanager to see if it's running. If you don't remember the name of the file, then I think it's best for you to post your logs in the malware related forum.

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
  
• The log will be named by the date of scan in the following format: mbam-log-date(time).txt
  -- If you have previously used MBAM, there may be several logs showing in the list.
  
• Click on the log name to highlight it.
  
• Go to the bottom and click on Open.
  
• The log should automatically open in notepad as a text file.
  
• Go to Edit and choose Select all.
  
• Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  
• Come back to this thread, click Add Reply, then right-click and choose Paste.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
  
• Be sure to update the definitions before scanning by selecting "Check for Updates".
  If you encounter any problems while downloading the updates, manually download them from here.

• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
• Click Close to exit the program.
  
• Please copy and paste the Scan Log results in your next reply.

-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

-- Alternatively, you can download and use the SUPERAntiSpyware Portable Scanner or perform a SUPERAntiSpyware Online Safe Scan (both listed under Popular Links) instead. If you cannot download from the infected computer, save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer it. Then double-click on the file to launch the portable version and scan. The file is randomly named to help keep malware from blocking the scanner.


Please perform a scan with Eset Online Anti-virus Scanner.

• If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  
• Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.[/color][/i]

• Click the green button.
  
• Read the End User License Agreement and check the box:
• Check .
  
• Click the button.
  
• Accept any security warnings from your browser and allow the download/installation of any require files.
  
• Under scan settings, check and make sure that the option Remove found threats is NOT checked.
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• Click the Start button.
  
• ESET will install itself, download virus signature database updates, and begin scanning your computer.
  
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  
• When the scan completes, push
  
• Push , and save the file to your desktop as ESETScan.txt.
  
• Push the button, then Finish.
  
• Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

ok thanks for the help. ill get to it as soon as i get on my other computer. i only posted from my laptop today because my possibly infected machine was in use at the time. but ill see if eset 2011 rears its ugly head in any scans. most likely im just worried over nothing and its gone, but ill do those scans just to safe.

@josh i do remember what it found, it was just stated in my first post but tthanks for your help anyways.

This post has been edited by Dragonlady24: 26 May 2011 - 06:41 PM

Not a problem.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6630

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/20/2011 10:07:55 PM
mbam-log-2011-05-20 (22-07-55).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 199905
Time elapsed: 23 minute(s), 53 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
c:\documents and settings\Nancy\application data\dwm.exe (Trojan.Downloader) -> 1428 -> Unloaded process successfully.
c:\documents and settings\Nancy\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> 1560 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E9A27B54-427A-6C68-27E7-E7A031E26B30} (Trojan.Agent) -> Value: {E9A27B54-427A-6C68-27E7-E7A031E26B30} -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\DOCUME~1\Nancy\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\e-set 2011 (Rogue.FakeEset) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Nancy\application data\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Nancy\application data\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Documents and Settings\Nancy\Local Settings\Temp\csrss.exe (Backdoor.Cycbot.Gen) -> Delete on reboot.
c:\documents and settings\Nancy\application data\Pype\jueft.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP740\A0163973.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP740\A0163974.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP745\A0164007.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161501.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161509.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161500.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161503.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161504.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161505.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP704\A0161506.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP705\A0162487.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{9b490d6c-7874-433a-b6cf-e39e64f13a0f}\RP705\A0162488.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

After completing my previous instructions, rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 6630. Last I checked it was 6686.

i used the safe scanner for sas is that alright. i did what it said to find the log after the computer restarted but the logs box was empty. do i have to wait a few minutes for it to load or did it just not save?
in the log it showed over 500 tracking cookies how do i prevent those without an anti spyware?

This post has been edited by Dragonlady24: 27 May 2011 - 03:13 PM

Ok.

anyways this topic can be closed now. the problem has been taken care of. nice to have a spyware program that can clean old problems from the registry probably part of the reason we have had so many problems, that and the computer needs some serious windows updates.

Quote

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

• Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted. These types of cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site.

• Session (transient) cookies are not saved to the hard drive, do not collect any information and have no set expiration date. They are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session.

Cookies can be categorized as:

• Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
  
• Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
  
• Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.

The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners.

Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

Quote

MS Article ID: 60971 - Description of Cookies

To learn more about Cookies, please refer to:

• Misconceptions about cookies
  
• The Unofficial Cookie FAQ
  
• How Internet Cookies Work
  
• Do "Cookies" Pose any Security Risks?

Flash cookies (or Local Shared Objects) and Evercookies are a newer way of tracking user behavior and surfing habits but they too are not a threat, nor can they harm your computer.

An Evercookie is a Javascript API created and managed persistent cookie which can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookie finds that other types of cookies have been removed, it recreates them so they can be reused over and over.

• evercookie: the one cookie that you...just...can't...DELETE!
  
• Evercookie, Extremely Persistent Cookies

Flash cookies are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user’s Application Data directory with a ".SOL" extension, under the Macromedia\FlashPlayer\#SharedObjects folder. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option “Allow third-party Flash content to store data on your computer”. For more information, please refer to:

• Flash Cookies explained
  
• How do I get to the Settings Manager?
  
• How to disable third-party local shared objects
  
• Flash Player security and privacy
  
• Adobe (finally) makes it easier to delete Flash cookies

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize the number of them which are stored on your computer by referring to:

• Blocking & Managing Unwanted Cookies in Internet Explorer 7/Internet Explorer 8
  
• Block Third-Party Cookies in Internet Explorer 7
  
• Block or allow cookies in Internet Explorer 7/Internet Explorer 8
  
• How to Manage Cookies in Internet Explorer 6

• Managing Cookies in Firefox
  
• Blocking cookies in Firefox
  
• Cookie Settings in Firefox
  
• Anonymizer Nevercookie for Firefox to protect against Evercookies

Third party utilities to Manage (view & delete) Cookies:

• IECookiesView
  
• FlashCookiesView
  
• Cookie Info
  
• CookieMonster
  
• Karen's Cookie Viewer
  
• MozillaCookiesView

Quote

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to > Run... and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links:

• Create a New Restore Point in Vista or Windows 7
  
• Disk Cleanup in Vista
  
• Disk Cleanup in Windows 7

Tips to protect yourself against malware and reduce the potential for re-infection:

• Keep Windows and Internet Explorer current with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. If you're not sure how to install updates, please refer to Updating your computer. Microsoft also recommends Internet 6 and 7 users to upgrade their browsers due to security vulnerabilities which can be exploited by hackers.

• Avoid gaming sites, porn sites, pirated software (warez), cracking tools, and keygens. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS.

• Avoid peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk which can make your computer susceptible to malware infections. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

• P2P Software User Advisories
  
• Risks of File-Sharing Technology

• Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs install themselves and spread infections, read How Malware Spreads - How did I get infected.

• Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.

Microsoft’s Autorun update v2.1 now automatically deployed from Windows Update

• Microsoft Security Advisory (967940): Update for Windows Autorun
  
• Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

• Always update vulnerable software like browsers, Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these programs have vulnerabilities that malicious sites can use to exploit and infect your system.

• Time to Update Your Adobe Reader
  
• Adobe Security bulletins and advisories
  
• Microsoft: ‘Unprecedented Wave of Java Exploitation’
  
• eight out of every 10 Web browsers are vulnerable to attack by exploits

• Change all passwords: Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

• Finally, use common sense, safe computing and safe surfing habits provides the most complete protection.

• Important Tip: Always remember that security begins with personal responsibility.

• Security Resources from Microsoft:

• Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
  
• Threats and Countermeasures: Security Settings in Windows Server 2008 and Windows Vista
  
• Microsoft Solutions for Security: The Antivirus Defense-in-Depth Guide

• Other Security Resources:

• Simple and easy ways to keep your computer safe and secure on the Internet
  
• Malware Prevention - Preventing Re-infection
  
• Hardening Windows Security - Part 1 & Part 2
  
• How to Stop 11 Hidden Security Threats
  
• Your Guide To Staying Safe Online

• Browser Security Resources:

• Configuring Internet Explorer for Practical Security and Privacy
  
• How to Secure Your Web Browser
  
• Safe Web practices - How to remain safe on the Internet
  
• Use Task Manager to close pop-up messages to safely exit malware attacks