BleepingComputer.com: AVG says searchindexer and searchprotocolhost have Win32/Agent.CB


AVG says searchindexer and searchprotocolhost have Win32/Agent.CB How to remove? With detailed description

#16 Blade81

  • Bleepin' Rocker
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 20 July 2011 - 01:42 AM

Hi,

answer 1: You may reinstall the wireless software now.

answer 2: Yep, it ran like expected.

Let me know how the system runs after the software has been reinstalled.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#17 basten

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 17-June 11

Posted 23 July 2011 - 10:53 PM

Hi, sorry for the delay: I couldn't earlier.

I reinstalled Intel PROSET Wireless. I battled a bit, because my network adapter is not Intel and not listed on the Intel download site, but it seems that, as long as you pick the right operating system and type of customer, you're fine.
So Internet connection seems to run fine.

I repeat my question, as I suppose we have to run Combofix again. I know it ran fine, because I interrupted the program to restart, but:
"Question 2: when I run Combofix it normally asks if I want to upgrade. So when I run it WITH A CFSCRIPT, it has to restart after upgrading. Does it respect the Cfscript instructions which I originally gave it?? (So far I have interrupted the program to restart with CFscript just to be sure it takes it into account.)"
What I mean is: do I have to interrupt and restart Combofix after updating or not to still have it running WITH THE CFSCRIPT I ordered? Or, in other words: after updating does it run with the Cfscript or does it fall back to a standard run WITHOUT taking into account the Cfscript?

Now I suppose we have to tackle the remaining files that are infected according to ESET (and many other programs). The listed System Restore entries will be handled by disabling System Restore, I assume.

Thanks again.

#18 Blade81

Posted 24 July 2011 - 03:03 AM

Hi,

We don't have to run ComboFix again, but if we did and an upgrade was offered, it would still respect the CFScript (if ComboFix was run with one). Those items ESET found will be removed when System Restore is reset and ComboFix is uninstalled.


Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.

AVG can now be reinstalled.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)
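Added example (not part of Blade81's post or of any tool mentioned in this thread): a small Python audit that checks the six Internet-zone settings listed under "Make your Internet Explorer more secure" against the output of `reg query`. The registry path, the URL action IDs and the 0/1/3 policy values are Windows' own documented identifiers rather than something stated in the thread, and the sample output is constructed.

```python
import re

# Per-user key for the Internet zone (zone 3). Assumption: the zone is not
# overridden by machine-wide or Group Policy settings.
ZONE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Policy values stored for each URL action: 0 = Enable, 1 = Prompt, 3 = Disable.
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}

# URL action ID -> (name shown in the Custom Level dialog, value the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}

VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit(text):
    """Return (action_id, name, found, wanted) for each setting that deviates."""
    current = parse_reg_query(text)
    findings = []
    for action, (name, wanted) in RECOMMENDED.items():
        found = current.get(action)  # None means the value is absent from the key
        if found != wanted:
            findings.append((action, name, found, wanted))
    return findings


def describe(value):
    """Human-readable form of a stored policy value."""
    return "not set" if value is None else POLICY.get(value, hex(value))


# Constructed sample of the output of: reg query "<ZONE_KEY>"
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    DisplayName    REG_SZ    Internet
    1001    REG_DWORD    0x1
    1004    REG_DWORD    0x3
    1201    REG_DWORD    0x3
    1607    REG_DWORD    0x0
    1804    REG_DWORD    0x1
    CurrentLevel    REG_DWORD    0x11000
"""

if __name__ == "__main__":
    for action, name, found, wanted in audit(SAMPLE):
        print(f"{action} {name}: {describe(found)} -> should be {POLICY[wanted]}")
```

On a real machine, feed `audit()` the text produced by `reg query` for `ZONE_KEY` instead of `SAMPLE`.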

#19 basten

Posted 26 July 2011 - 11:14 PM

Hi Blade,

Thanks a lot!!
I am using the machine a bit, to make sure that everything is OK. Then I will perform ALL the actions you were so kind to point out.
DON'T CONSIDER THIS ITEM CLOSED YET, PLEASE!
I will report of course how things went, once I have performed all the actions, but also I need to know, if possible:
1. what kind of virus/trojan it was, as I had a similar problem on my desktop (solved the drastic way) and both seemed to be caused by clicking on an innocuous Google entry, which worries me of course.
2. Furthermore, I had to connect a memory key for the backup before Combofix (and my external drive to my desktop): what are the chances those are infected and what do you recommend to run on those to make sure they are clean, given the type of trojan we encountered?
3. I understand very well that you cannot guarantee anything on this, but would you use this machine for financial stuff, etc.?

Thanks again!
Basten

#20 Blade81

Posted 27 July 2011 - 03:44 AM

Quote

1. what kind of virus/trojan it was, as I had a similar problem on my desktop (solved the drastic way) and both seemed to be caused by clicking on an innocuous Google entry, which worries me of course.

There was a ZeroAccess infection and some file-patching infection present there. Those likely got in by exploiting vulnerabilities in non-up-to-date software.

Quote

2. Furthermore, I had to connect a memory key for the backup before Combofix (and my external drive to my desktop): what are the chances those are infected and what do you recommend to run on those to make sure they are clean, given the type of trojan we encountered?

You could scan the drives with ESET online scanner.

Quote

3. I understand very well that you cannot guarantee anything on this, but would you use this machine for financial stuff, etc.?

Signs look good now. I'd say we've cleaned the items that can be cleaned. Naturally, a reformat is the only method to be totally sure the system doesn't have anything hiding.

#21 basten

Posted 01 August 2011 - 12:36 AM

Hi Blade,

Thanks a lot for your clear answers!

I ran ESET and others on the external devices I mentioned and they appear to be clean.
I also ran ESET and AVG (after reinstalling) on the laptop and they came up clean, fortunately.
I followed your advice, including Secunia (and FileHippo, with care, I know).

To finish, I just need some advice cleaning up:
1. DeFogger: I suppose I should reenable CD Emulation? (Yes or No will do: I have your guide located.) Then should I uninstall by simply deleting Defogger (exe and text file) from my desktop?
2. Dds: Just delete from desktop?
3. SystemLook: Just delete from desktop?
4. Gmer: Just delete from desktop?
5. Do you remember that instance of Internet Explorer (not the shortcut) that appeared on my desktop after running Combofix (I think)? May I delete that now, assuming it is a duplicate?
6. I have a C:\ComboFix folder with a file NimcmdB. May I delete the folder?

Now I have the following in place, combining different sources:
1. An (always updated) antivirus program
2. A firewall (in case of XP, preferably not Windows Firewall)
3. Proper Internet Explorer Security settings
4. Get all (critical) Windows updates
5. Get all (critical) Windows Office updates
6. Keep updated programs like Acrobat Reader, Flash Player, Shockwave Player and Java, with the help of a program like Secunia PSI
7. Install and use SpywareBlaster
8. Install and use Spybot
9. Get Malwarebytes Anti-Malware and run occasional scans
10. Install a safe browsing tool like WOT or AVG LinkScanner
11. Occasionally download, install, run, and uninstall Lavasoft AdAware
12. Obviously be careful which sites to enter, which programs to install, etc.
I am aware there are other and more sophisticated tools out there, but this should do or do I forget something important (apart from going Mac)? It is amazing how many man-hours all over the world are lost because of these malware creating bastards…

#22 Blade81

Posted 01 August 2011 - 02:45 AM

Hi,

Ok to questions 1-4. Regarding question 5: do you have two IE related icons on your desktop now? Did you uninstall ComboFix as instructed in my previous post?

#23 basten

Posted 01 August 2011 - 07:48 PM

Hi,

Yes, I uninstalled Combofix exactly as you instructed. All traces seem to be gone, except for the items mentioned in 5. and 6.
On my desktop I have the normal shortcut to IE, as well as the abnormal item explained in 5.

Thanks again,
Basten

#24 Blade81

Posted 02 August 2011 - 01:47 AM

Hi,

Please download and run ComboFix again (having your antivirus protection turned off). Then run uninstall procedure again ensuring antivirus protection is turned off first.

#25 basten

Posted 02 August 2011 - 01:30 PM

Hi again,

I did as instructed. Related with security, I have AVG 2011 Free, Spybot, SpywareBlaster, Secunia, WOT, MBAM Free, Windows Firewall (and Secunia). According to the guide I only had to disable AVG and Spybot Teatimer (and SDHelper).
Now I no longer have the C:\ComboFix folder (point 6.), which is good.

The only thing left is the IE instance still there (point 5.), but we surely can take other measures to get rid of it.

Have a nice day,
Basten

#26 Blade81

Posted 04 August 2011 - 11:39 AM

Hi,

It might be that your earlier icon of IE was just a normal shortcut while the new one is the "proper one". Do both have the same appearance (a screenshot might help :))? Please check properties for both and post back target information.


#27 basten

Posted 06 August 2011 - 09:36 PM

Hi again,

I never paid attention to the kind of IE presence on desktops. I just assumed blindly they were always shortcuts pointing to a Windows folder. Now I checked on my desktop computer and there is only an icon in my tray left under (none on my desktop), which I always use, and in Windows Explorer it is marked as in my desktop folder as "System folder".
On my Notebook the icon is on the desktop and is the "System folder".
On the laptop computer subject of this thread I always had the shortcut and now also the "System folder". When I looked up the destination of the shortcut, it sent me to the desktop folder, so I suppose I just eliminate the shortcut and keep the IE System folder on my desktop to have the same configuration as on my other computers or just keep everything as it is now. (I don't know what's usual and most recommended resourcewise.) Anyway they both function properly and there is no problem whatsoever.

On the other hand, and to possibly conclude: was my list of preventions complete?

Thanks a lot again,
Basten

#28 Blade81

Posted 07 August 2011 - 02:13 AM

Hi Basten,

Quote

I suppose I just eliminate the shortcut and keep the IE System folder on my desktop to have the same configuration as on my other computers

Yes, that's what should be done :)

Quote

On the other hand, and to possibly conclude: was my list of preventions complete?

You should have a pretty secure system with that list. Just remember to have PSI running and fix its findings asap when it detects something.


#29 basten

Posted 07 August 2011 - 03:00 PM

Hi Blade,

Well, I guess we are done.
I can't tell you how much I appreciate your help, seriousness and patience. I am really impressed, even more so given the difficulty (impossibility) to find qualified "live" support nearby and the terrible online support offered by, for instance, McAfee.
This forum is really a service to the community (if all are as helpful as you are)!
Despite this, I hope I will not need your services in the future, for obvious reasons, but if so, I will happily post it on this forum again.

Thanks for all,
Basten

#30 Blade81

Posted 09 August 2011 - 07:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.