
I was infected, ran Malwarebytes & seem to be symptom free...


10 replies to this topic

#1 violettendencies

violettendencies

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 01 January 2009 - 07:39 AM

Hello,

I've spent hours and hours reading through this amazing forum after my computer was infected yesterday.

It started with a pop up alerting me that Windows Security Center had automatic updates turned off. I couldn't turn it back on, then I noticed two flashing shields with an X in my taskbar. Meantime, boxes kept popping up with dire warnings about spyware, malware, etc... and recommended an Antivirus program. I tried to close the box by clicking the X, which I now understand might have launched the program, because I got this fake scan window with a long list of Trojans.

I have McAfee security suite and ran a scan and one thing was detected which it quarantined.

However, when I got on to the internet (I have Windows XP and use Internet Explorer), I kept getting redirected and pop ups for ads kept popping up. Some were impossible to close. I knew I was in trouble.

I used my son's laptop to research the problem and read many posts on this subforum from members experiencing similar symptoms where it was advised they run Malwarebytes.

I got on to my infected computer and was unable to get to the bleepingcomputer website to click on the link for Malwarebytes to uninstall Antivirus2009. I manually typed in the url to get to the instruction page and was denied with a page from Google indicating the link was broken. On and on. Finally, I Googled malwarebytes and got on in time to download the program.

Anyhoo, I ran the scan and 38 items were detected, and the vendors were as follows: Trojan.Vundo; Trojan.VundoH; Adware.PopCap; Rogue.Multiple; Rogue.DriveCleaner; Trojan.Seneka; Rogue.Installer; Trojan.Agent; Rogue.Rapid.Antivirus; Trojan.Downloader; Malware.Trace.

I removed them and my computer has thus far (two hours since the scan) shown no symptoms of infection. Could it be that it worked? It seems too easy... How can I be sure I am clean? I've read a few more posts and I'm concerned about the rootkits infection and backdoor Trojans which, even after removal, steal passwords, and do all sorts of nasty business.

Also, there have been a few cases where it was recommended (after no further symptoms) that a New Restore Point be created. Should I do that?

Any help would be greatly appreciated!

Happy New Year



#2 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:17 PM

Posted 01 January 2009 - 08:57 AM

Good that you took immediate action. You are correct in that if you click anywhere on the popup it will install the malware.
Best to use the "task manager" to kill the ad and browser.

As Vundo is constantly changing to hide from security programs it is best to use more than one and to update them for a couple of days and run them. Both programs update daily or more often.

Here are the links for MalwareBytes AntiMalware and Super AntiSpyware instructions for how best to use them.

Super Antispyware Instructions: (Be sure to update in Regular mode before rebooting into safe mode to run scan)
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

MalwareBytes AntiMalware Instructions:
http://www.bleepingcomputer.com/forums/ind...st&p=944365

You can block the Ad/ tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet explorer browsers.
Click on tools
click on internet options
click on privacy tab
click on advanced button
put a check in the box next to override automatic cookie handling
put a check in the box next to first party accept
put a check in the box next to block third party cookies (those are the ad/ tracking cookies that AVG deletes)
Click OK to exit
Then just run another quick scan with SAS to remove the third party cookies that were installed before changing the settings.

Click start, All programs, Accessories, System tools, Disk Cleanup, Put a check next to all items except "compress old files".
Click on the more options tab, click on the "cleanup" button next to "system restore" (this will remove all of the restore points but the last one as many are infected) click OK and allow cleanup to run.

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. Important to get the latest updates to avoid malware exploiting those programs.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 violettendencies

violettendencies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 01 January 2009 - 03:39 PM

Thank you buddy215; I am so grateful for your help.

Here's what I did per your instructions:

I installed & ran Superantispyware. It did detect a number of items: however, when I got to Scanner Logs, there was an entry for "Log", but when I click the "View Log" box, nothing happens.

Next, I installed & ran Malwarebytes Anti-Malware. As I mentioned in my opening post, I did this yesterday, but decided to remove the existing program, and start all over via your link on this thread, just in case whatever program I used yesterday was old. The result of the scan indicated "No malicious items detected." I did view and save the log in case you want to see it.

Next, I blocked Ad/tracking cookies from installing on my computer.

Next, I ran another Superantispyware scan. A large volume of items were detected (52 pages in MS Word), and I have the log details if you want to see it, though most every item includes the words cookies. And my name is all over it.

Next, I ran a Disk Cleanup and created a New Restore Point.

Finally, I used your link for Secunia to scan for missing security updates. I updated Adobe Reader, Macromedia Flash, and Java. I think I had three Java versions or updates (according to my control panel). I deleted what I believe to be the two older updates or versions.

That's it.

Is there anything else I need to do? Though my computer isn't experiencing symptoms, I still feel insecure as this has been such a daunting experience for us.

Thank you again for the help - I'm so happy to have found this resource:)

#4 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:17 PM

Posted 01 January 2009 - 04:07 PM

Sounds good. You should still run scans for the next couple of days because the programs are always playing catchup as the malware constantly changes to hide itself.

Run another scan with Super Antispyware and post the log if it finds anything. There shouldn't be any cookies in this scan as you reset to block them and removed them in your last scan.
52 Pages?? That may be a record! SAS gives a count at the top of the logs as to how many files (cookies) it removed. Just my curiosity, would like to know how many cookies it removed.

You mentioned deleting the MBAM program. You do not need to delete to get the latest updates for either MBAM or SAS. Simply open both and you will see an update button or tab in both. I could be misreading what you posted, though.

Edited by buddy215, 01 January 2009 - 04:11 PM.


#5 violettendencies

violettendencies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 01 January 2009 - 05:20 PM

Hello again buddy215!

I do indeed plan to run Malwarebytes + SUPERantispyware scans every day for the next week!

I ran another SUPERantispyware scan and 1 item was detected... Here's the log:

*******

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2009 at 04:47 PM

Application Version : 4.24.1004

Core Rules Database Version : 3693
Trace Rules Database Version: 1669

Scan type : Quick Scan
Total Scan Time : 00:15:40

Memory items scanned : 561
Memory threats detected : 0
Registry items scanned : 498
Registry threats detected : 0
File items scanned : 21499
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\M P\Cookies\m_p@ads.bleepingcomputer[2].txt

****************
Should I be worried? I believe we expected NOT to find any cookies.

You were curious about the number of cookies detected after my first SAS scan which amounted to 52 pages on a Word document. I can't really find what you're looking for, but I've pasted the heading of the log below:

***************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2009 at 02:17 PM

Application Version : 4.24.1004

Core Rules Database Version : 3693
Trace Rules Database Version: 1669

Scan type : Quick Scan
Total Scan Time : 00:17:06

Memory items scanned : 553
Memory threats detected : 0
Registry items scanned : 493
Registry threats detected : 2
File items scanned : 22459
File threats detected : 1233

***************

Does that answer your question? I wonder what it says about my surfing habits that my computer had so many cookies. LOL We don't frequent any adult or gambling sites, though we shop online quite a bit and read quite a few blogs. Oh, and my son sometimes plays games on addictinggames.com - which are really children's games.

As an aside, I copied and pasted the log results on Microsoft Word because I've no idea how to retrieve it on Notepad, as I've never used that application.

One TROUBLING issue that has come up since I cleaned my computer is that on two occasions, I've been alerted by McAfee that my computer was not protected. When I open up the McAfee Security Center, I see the link to "Fix this problem," which I do and then everything is fine - protected, etc...

Also, I heard a gong sound while I was on the internet, however it wasn't associated with the window I was viewing or anything else. It was just a random sound, which I have heard in the past, but usually when you view a photo on a blog that has been corrupted or something, and then you get a window telling you the file cannot be opened and it usually shuts down. Very odd.

I look forward to hearing back from you and hope these issues I've described don't mean something terrible is going on...

Thank you!
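As an added example (not part of the thread and not SUPERAntiSpyware's own tooling), this Python parser reads the two logs posted above and reports how many detections the heading claims, how many are tracking cookies, and whether the pasted text actually lists every detection. The function names are hypothetical, and it assumes each path or registry-key line is one detection and that "File threats detected" is the last heading line, as in the logs above.

```python
import re

# Abridged from the two logs in the post above: the 04:47 PM scan in full,
# and the 02:17 PM scan as pasted (heading only, detections not included).
SCAN_1647 = r"""SUPERAntiSpyware Scan Log
Generated 01/01/2009 at 04:47 PM
Scan type : Quick Scan
Memory threats detected : 0
Registry threats detected : 0
File items scanned : 21499
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\M P\Cookies\m_p@ads.bleepingcomputer[2].txt
"""
SCAN_1417_HEADING = """SUPERAntiSpyware Scan Log
Generated 01/01/2009 at 02:17 PM
Memory threats detected : 0
Registry threats detected : 2
File items scanned : 22459
File threats detected : 1233
"""

COUNT = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")

def parse_sas_log(text):
    """Return (reported, detections): per-area counts from the heading and
    {category: [item, ...]} from the body of the log."""
    reported, detections, category = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = COUNT.match(line)
        if m:
            reported[m.group(1)] = int(m.group(2))
        elif not line or set(line) == {"*"} or "File" not in reported:
            continue  # blank line, forum separator, or still in the heading
        elif "\\" in line:
            # Assumption: each file path or registry key line is one detection.
            if category:
                detections[category].append(line)
        else:
            category = line  # e.g. "Adware.Tracking Cookie"
            detections.setdefault(category, [])
    return reported, detections

def triage(text):
    """Summarise one log: cookie count, non-cookie detections, and whether
    the pasted text lists every detection the heading reports."""
    reported, detections = parse_sas_log(text)
    cookies = sum(len(v) for k, v in detections.items() if "Tracking Cookie" in k)
    other = {k: v for k, v in detections.items() if "Tracking Cookie" not in k}
    listed = sum(len(v) for v in detections.values())
    total = sum(reported.values())
    return {"reported": total, "cookies": cookies,
            "other": other, "complete": listed == total}

if __name__ == "__main__":
    for name, log in (("04:47 PM", SCAN_1647), ("02:17 PM", SCAN_1417_HEADING)):
        print(name, triage(log))
```

For the 02:17 PM heading, `complete` is false: it reports 1235 detections (1233 file, 2 registry) but lists none, so the pasted text alone cannot show what the two registry items were.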

#6 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:17 PM

Posted 01 January 2009 - 06:23 PM

Adware attempts to install ad cookies on almost all sites you would go to. They are not considered dangerous but if you are a little concerned about privacy as I am, you don't need or want the ad/tracking cookies.

Another suggestion, using Firefox browser with the NoScript addon will prevent "driveby" installs of malware and many other forms of malware installs. You will never see another popup to click on. Another addon for Firefox will block ALL ads. Adblock Plus.

Another program I recommend you get is Spyware Blaster. It blocks over 10,000 bad ActiveX and sites and doesn't use any resources. Just update it twice a month or contribute a small fee for automatic updates.
http://www.javacoolsoftware.com/spywareblaster.html

I would definitely keep MBAM or SAS or both around. Just remember to update them at least once a week so they will be ready when needed. Hopefully, never.

This is the line I was curious about---File threats detected : 1233 (number of cookies)
Not a record. Around two years ago there was a user who said AdAware had identified over 10,000 cookies.

#7 violettendencies

violettendencies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 01 January 2009 - 06:38 PM

Apologies for asking, but can I trouble you for the links to:
*Firefox browser NoScript add on*
*Adblock Plus*

--I don't want to download the wrong thing.

I will get the Spyware Blaster, thanks for the link!

Also...

what are your thoughts on my McAfee alert telling me my computer is not protected? It happened again.

And any opinion on that odd gong sound I described?

Finally, (sorry to bombard you with so many questions), for SAS & MBAM, am I supposed to only click the update box or do I update and "Scan Now" for the next few days. And do I continue to scan in Safe Mode?

Thanks again!

#8 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:17 PM

Posted 01 January 2009 - 07:14 PM

Firefox 3.05
http://www.mozilla.com/en-US/products/down...in&lang=en-US
NoScript Addon
http://noscript.net/

AdBlock Plus
https://addons.mozilla.org/en-US/firefox/addon/1865

Just open each program and click on update. Since malware often blocks your ability to use the internet to contact security programs, it is best to keep them updated so that won't be a problem when you need to scan with them. Definitely update before scanning and yes, you should run a few scans during the next week.

Because malware constantly changes to hide from the security programs, scanning with a program that doesn't have the latest updates will not be effective.

I suggest contacting McAfee as to what the problem might be. You may need to uninstall and reinstall. Some programs have a "repair function" that can be accessed in the Add/Remove program. Check to see if that is the case with McAfee and attempt a repair if that option is offered instead of removing before uninstalling.

Try to see what is triggering the sound for a couple of days and if it is occurring on one site or more. Sometimes you can get a clue by watching at the bottom of the screen to see what is loading when changing sites.

If you decide to get Firefox, you may have some questions that I and other members here will be glad to help you with.

Edited by buddy215, 01 January 2009 - 07:16 PM.


#9 Beenthere

Beenthere

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 01 January 2009 - 07:25 PM

You've found the greatest of the greatest, that is MBAM (Malwarebytes Anti-Malware). It usually handles rogue anti-spyware and Vundo very well.
Just to be sure I would make an online scan with Kaspersky.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
I don't fancy McAfee... I see many people that are disappointed from them. I personally think, a free anti virus like Avira does a better job.

Edited by Beenthere, 01 January 2009 - 07:25 PM.


#10 violettendencies

violettendencies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 02 January 2009 - 12:44 PM

Buddy, thanks for the links!

I'll contact McAfee & monitor the gong issue. I just posted an inquiry on the sound forum to see if someone might recognize it - perhaps I'm not describing it properly.

Beenthere, I'll run a Kaspersky scan tonight - thanks so much for the suggestion. I'll post the log if anything comes up:)

#11 RandomComputer

RandomComputer

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 03 January 2009 - 11:19 AM

Just wanted to add something.

Kaspersky doesn't remove ANYTHING. It simply scans your computer for anything, so if you want to remove it you would need to do it manually, that's why I don't like telling others to run online scan because then they go fixing stuff themselves and end up in trouble sometimes. Be careful with what you fix.

"I don't fancy McAfee... I see many people that are disappointed from them. I personally think, a free anti virus like Avira does a better job."

That's your own opinion, I think it's fairly good. Avira stops every time it scans and then I have to click move to vault or something which is annoying especially when I want to get off the computer when it's scanning



