Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log


  • This topic is locked This topic is locked
15 replies to this topic

#1 decafchicken

decafchicken

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 14 July 2009 - 10:26 PM

Been recently having problems with blue screen of death with the error: DRIVER_IRQL_NOT_LESS_OR_EQUAL

I ran trend micro antivirus and it found troj dloader oz and autorun.inf which it quarantined. I also decided to run HJT and was wondering if anyone could help me figure out what to fix and what not to. Sorry if i'm doing this wrong in advance >.<

Attached are my dds/attach files and hijackthis log.

Thanks for any help!

Attached Files



BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:44 PM

Posted 25 July 2009 - 10:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 28 July 2009 - 12:32 AM

Uploaded dds and attach.zip as per request. Thanks for your time.

edit: side note -also i haven't been able to get malware bytes to run...whenever i double click the icon nothing happens :-/

Attached Files


Edited by decafchicken, 28 July 2009 - 12:33 AM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 30 July 2009 - 07:12 PM

Hi decafchicken,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 30 July 2009 - 07:47 PM

Hi decafchicken,

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


On to the fix

There's nothing showing on the logs but if something's messing with MBAM we should be able to get that running and that might take out the hidden malware.

MBAM is often stopped by malware. Please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr

Then try and run it on Full Scan.

If this does not work then delete the program and redownload it, renaming it to mole.exe. Then try running it as before.


If that does not work then let me know but continue with the steps below regardless.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Finally,

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 31 July 2009 - 11:37 AM

Thanks for all your help, changing the extension on MBAM got it to work :thumbup2: This is what the full scan got:
---------------------------------------------------------------------------------------------------------------------------------
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mplayerplgn.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\RECYCLER\S-4-4-21-100010578-100007032-100024603-4672.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------------------------------------------------------------

And here's the contents of rooter that i ran afterwards that you requested:

-------------------------------------------------------------------------------------------------------------------------------
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 23 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2900.5512
Mozilla Firefox 3.0.8 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:124 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
.
Scan : 12:33.09
Path : C:\Documents and Settings\Scott Peterson\Desktop\Rooter.exe
User : Scott Peterson ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (392)
______ \??\C:\WINDOWS\system32\csrss.exe (584)
______ \??\C:\WINDOWS\system32\winlogon.exe (612)
______ C:\WINDOWS\system32\services.exe (656)
______ C:\WINDOWS\system32\lsass.exe (668)
______ C:\WINDOWS\system32\svchost.exe (808)
______ C:\WINDOWS\system32\svchost.exe (888)
______ C:\WINDOWS\System32\svchost.exe (980)
______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (1012)
______ C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (1124)
______ C:\WINDOWS\system32\svchost.exe (1264)
______ C:\WINDOWS\system32\svchost.exe (1412)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1536)
______ C:\WINDOWS\system32\spoolsv.exe (1652)
______ C:\WINDOWS\Explorer.EXE (1568)
______ C:\WINDOWS\system32\agrsmsvc.exe (1836)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1844)
______ C:\Program Files\Program DJ\Dualview Server\dualviewsvc.exe (1932)
______ C:\Program Files\Intel\WiFi\bin\EvtEng.exe (1980)
______ C:\Program Files\Java\jre6\bin\jqs.exe (224)
______ C:\WINDOWS\system32\nvsvc32.exe (356)
______ C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe (464)
______ C:\WINDOWS\system32\HPZipm12.exe (128)
______ C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (1000)
______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (1172)
______ C:\Program Files\Program DJ\Smart Watchdog\SWDsvc.exe (1252)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\WINDOWS\system32\wdfmgr.exe (1096)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1700)
______ C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe (1808)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1952)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (2104)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (2112)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (2120)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (2128)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (2388)
______ C:\WINDOWS\system32\wscntfy.exe (2700)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2720)
______ C:\WINDOWS\System32\alg.exe (2756)
______ C:\WINDOWS\system32\RUNDLL32.EXE (2924)
______ C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (2964)
______ C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (2976)
______ C:\Program Files\Apoint\Apoint.exe (2984)
______ C:\Program Files\RocketDock\RocketDock.exe (3036)
______ C:\Program Files\AIM6\aim6.exe (3044)
______ C:\WINDOWS\system32\ctfmon.exe (3052)
______ C:\Program Files\Messenger\msmsgs.exe (3064)
______ C:\Documents and Settings\Scott Peterson\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (3092)
______ C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (3128)
______ C:\Program Files\Apoint\HidFind.exe (3220)
______ C:\Program Files\Apoint\Apntex.exe (3288)
______ C:\Documents and Settings\Scott Peterson\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (3512)
______ C:\Program Files\Launchy\Launchy.exe (3532)
______ C:\Program Files\Logitech\SetPoint\SetPoint.exe (3544)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (204)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1672)
______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (2956)
______ C:\WINDOWS\System32\svchost.exe (2852)
______ C:\Program Files\Program DJ\Green Charger\GCTray.exe (1336)
______ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE (3588)
______ C:\Program Files\Skype\Phone\Skype.exe (2904)
______ C:\Program Files\AIM6\aolsoftware.exe (2580)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (3328)
______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (3436)
______ C:\Documents and Settings\Scott Peterson\Desktop\Rooter.exe (3852)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1078081533-1801674531-1004Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1078081533-1801674531-1004UA.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\SCOTTP~1\My Documents\Downloads\keygen.rar
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 12:33.29
.
C:\Rooter$\Rooter_1.txt - (31/07/2009 | 12:33.29).c

-------------------------------------------------------------------------------------------------------------------------------

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 31 July 2009 - 04:32 PM

Hi decafchicken,

From the Rooter log:

C:\DOCUME~1\SCOTTP~1\My Documents\Downloads\keygen.rar


Someone on this system was trying to access cracks or a 'keygen'....this is a certain way to attract malware to your system. As well as being illegal, 'Cracks' and 'Keygens' are often associated or loaded with malware, and should be avoided (along with 'crack' sites).

I suggest you delete this file.


On to the fix

The MBAM run removed some quite potent trojans. Let's run Dr Web Cure-It but first...

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Now, Dr Web will see you now :)

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#8 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 31 July 2009 - 11:24 PM

Thanks for your continued help :thumbup2:
After a speedy 2.5 hours of scanning dr.web got this:

megauploadtoolbar.dll;c:\program files\megauploadtoolbar;Adware.MegaBar.3;Incurable.Moved.;
gaopdxkrhkaeyaagkenptxydhowwcvyoupptwd.sys;c:\windows\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
MPC-6.4.9.exe\data009;C:\Documents and Settings\Scott Peterson\My Documents\Downloads\MPC-6.4.9.exe;Trojan.DNSCache;;
MPC-6.4.9.exe;C:\Documents and Settings\Scott Peterson\My Documents\Downloads;Archive contains infected objects;Moved.;
freeripmp3.exe\data005;C:\Documents and Settings\Scott Peterson\My Documents\Downloads\What.CD Toolbox - Windows 2.0\Ripping\freeripmp3.exe;Adware.MyWay;;
freeripmp3.exe;C:\Documents and Settings\Scott Peterson\My Documents\Downloads\What.CD Toolbox - Windows 2.0\Ripping;Archive contains infected objects;Moved.;
megauploadtoolbar.dll;C:\Program Files\MegauploadToolbar;Adware.MegaBar.3;Invalid path to file ;
fileExec.exe;C:\Program Files\Rainmeter\Skins\HUD.Vision\Black\util;Trojan.DownLoad.38194;Deleted.;
fileExec.exe;C:\Program Files\Rainmeter\Skins\HUD.Vision\White\util;Trojan.DownLoad.38194;Deleted.;
gaopdxqkhadnnymndpcoxucsjflqnqhdrtlwye.dll;C:\WINDOWS\system32;Trojan.Sniff.30;Deleted.;
gaopdxgwqkcjmkwnbejinvylfsthauhgcuflhs.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
quadraserv.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 01 August 2009 - 04:27 AM

Dr Web removed a rootkit,

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

If it finds anything else then we'll change tack. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 01 August 2009 - 08:06 PM

This is the only thing malware bytes found:

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 02 August 2009 - 04:12 AM

Okay, we will run an online scan to remove any stray malware files

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Then please rerun MBAM on Full Scan - we will be looking for a clean log with NO gaopdx entries (otherwise the malware is returning after deletion)

If those two are clean then we're nearly there. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#12 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 02 August 2009 - 02:12 PM

Here's what the online scan returned:
http://img7.imageshack.us/img7/5553/scanbwq.jpg

MBAM returned 0 infected files.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 02 August 2009 - 03:55 PM

BitDefender picked up quarantined malware and one stray infected file.

The MBAM result is exactly what we wanted, because....

Your log is clean. Good stuff! :thumbup2:

Let's do some housekeeping

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

I recommend that you download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it decafchicken, happy surfing!

Cheers,


m0le
Posted Image
m0le is a proud member of UNITE

#14 decafchicken

decafchicken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 02 August 2009 - 06:02 PM

Thanks a lot for all your work to help me get clean! :thumbup2:

One more question, what free antivirus program would you recommend that doesn't bog down your system?

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 02 August 2009 - 06:36 PM

Avast is my recommendation.

Completely free, autoupdating and not a resource hog.

Quality freeware :thumbup2:
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users