Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

part 2


  • Please log in to reply
11 replies to this topic

#1 joe2

joe2

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 23 April 2009 - 09:58 AM

Adding context from deleted "duplicate" ~ OB

I'm new to this game so I'll need all the help you can give me. I can't seem to connect to any of the big AV sites or Microsoft site. My OS is XP.
This all started when I decided to change my AV software from Norton to Bitdefender (2-3 user). I have succesfully downloaded it and installed it on my notebook but then when I went to do the same on my home computer I couln't access the site.
Then I tried a few other sites but of course no joy!!! I have tried installing some free av software carried out some scans but the problem persists. I'm here because I'd like to try this combofix thing but not on my own!!!!!!!!!
What's the best thing to do?

End of added content. ~ OB

managed to download Malwarebytes, did quick scan and got this log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

23/04/2009 16.35.20
mbam-log-2009-04-23 (16-35-20).txt

Scan type: Quick Scan
Objects scanned: 82597
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
J:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.

Edited by Orange Blossom, 27 April 2009 - 09:45 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 23 April 2009 - 12:11 PM

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version. Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 1945. Last I checked it was 2031.Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 joe2

joe2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 24 April 2009 - 02:10 AM

Tried that and here's the log.


Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 3

24/04/2009 8.57.56
mbam-log-2009-04-24 (08-57-56).txt

Scan type: Quick Scan
Objects scanned: 85520
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


No infections but still can't access any AV sites. Had to access malwarebytes site for update through the first link you provided. Keep getting an "Oops! this link..." on the other links and AV sites.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 24 April 2009 - 06:53 AM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 joe2

joe2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 26 April 2009 - 02:27 PM

Installed ATF cleaner and it did its job. Couldn't download Dr. Web from this computer so did it on my laptop and then put it on pendrive and and then put it on here.
Here is the DrWeb.csv report.
I'm living in Italy so initially it worked away in Italian and then I changed to English. "spostato" means moved.



cbctcnej.dll;c:\windows\system32;Win32.HLLW.Shadow.based;Cancellato.;
JSCRIPT5.CHM\htm/jstextwriteln.htm;C:\Programmi\Microsoft Office\OFFICE11\1040\JSCRIPT5.CHM;Modifica di VBS.Generic.94;;
JSCRIPT5.CHM;C:\Programmi\Microsoft Office\OFFICE11\1040;Container contains infected objects;Spostato.;
VBAOL11.CHM\html/olobjAddressEntries.htm;C:\Programmi\Microsoft Office\OFFICE11\1040\VBAOL11.CHM;Modifica di VBS.Generic.205;;
VBAOL11.CHM;C:\Programmi\Microsoft Office\OFFICE11\1040;Container contains infected objects;Spostato.;
A0006424.dll;C:\System Volume Information\_restore{E33BF9A2-0DA7-4B7C-988C-BC4BC39E0018}\RP25;Win32.HLLW.Shadow.based;Cancellato.;
relazioni prime e seconde.doc;J:\Backup Benni\Programmazioni;Modification of BAT.Sys.231;Moved.;
A0006234.inf;J:\System Volume Information\_restore{E33BF9A2-0DA7-4B7C-988C-BC4BC39E0018}\RP23;Win32.HLLW.Autoruner.5601;Incurable.Moved.;


Didn't install the other stuff yet.

Just checked to see if I can connect to AV sites and everything seems to be ok!!!!

Edited by joe2, 26 April 2009 - 02:32 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 26 April 2009 - 03:43 PM

At least we are making progress so that's good news. Continue with the SAS scan and check to see if you can now update MBAM through the program's GUI.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 joe2

joe2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 27 April 2009 - 03:26 PM

couldn't get into safe mode using F8 method so used used utility method which kept trying to start in safe mode. Thanks to Bleeping computer tutorials I managed to get back to normal mode using the xp recovery console and renaming the file boot.ini.bak. Can't see it anywhere now unless it is called boot.ini.backup as I would like to rename it back to boot.ini and and get my boot.ini tab in ms config so that I can uncheck that safe boot option.
Looks like I've got some serious malware..
Anyway I can't run SAS scan in safe mode, should I try it in normal mode?

Managed to update MBAM using program's GUI.

Thanks for the help and patience so far!!!!

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 27 April 2009 - 06:27 PM

If you cannot boot into safe mode, then perform your scans in normal mode.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 joe2

joe2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 28 April 2009 - 12:04 PM

Here's the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/28/2009 at 12:34 PM

Application Version : 4.26.1000

Core Rules Database Version : 3865
Trace Rules Database Version: 1816

Scan type : Complete Scan
Total Scan Time : 01:23:55

Memory items scanned : 502
Memory threats detected : 0
Registry items scanned : 6300
Registry threats detected : 0
File items scanned : 104886
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Leon\Cookies\leon@chitika[2].txt
C:\Documents and Settings\Leon\Cookies\leon@rambler[1].txt
C:\Documents and Settings\Leon\Cookies\leon@tradedoubler[1].txt
C:\Documents and Settings\Leon\Cookies\leon@doubleclick[1].txt
C:\Documents and Settings\Leon\Cookies\leon@irishtimesgroup.112.2o7[1].txt
C:\Documents and Settings\Leon\Cookies\leon@euroclick[2].txt
C:\Documents and Settings\Leon\Cookies\leon@www.googleadservices[1].txt
C:\Documents and Settings\Leon\Cookies\leon@atdmt[1].txt
C:\Documents and Settings\Leon\Cookies\leon@adtech[1].txt
C:\Documents and Settings\Leon\Cookies\leon@doubleclick[2].txt
C:\Documents and Settings\Leon\Cookies\leon@tribalfusion[1].txt

And here's the MAM quick scan log

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

28/04/2009 12.52.15
mbam-log-2009-04-28 (12-52-15).txt

Scan type: Quick Scan
Objects scanned: 89809
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 28 April 2009 - 12:34 PM

Are you still unable to connect to major anti-virus and security sites?
What other issues still remain?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 joe2

joe2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 30 April 2009 - 01:06 AM

I am now able to access all major security sites. There don't seem to be any other issues. One final thing, should I now remove all the scanning software that you suggested before installing my AV software?

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 30 April 2009 - 06:39 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

should I now remove all the scanning software that you suggested before installing my AV software?

Keep and use both MBAM and SAS as part of your anti-malware toolkit. SAS does not provide real-time protection or scheduled scanning so there is no need for it to run at startup...disable that feature and use it as a separate stand-alone on-demand scanner. A purchased upgrade to the "Professional" version is required before those options can be activated.

After installing your anti-virus, I recommend taking advantage of the Malwarebytes Anti-Malware Protection Module uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Enabling the Protection Module feature requires reqistration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users