antivirus pro removed by malwarebytes and has returned


  • This topic is locked
9 replies to this topic

#1 benjenln

  • Members
  • 5 posts

Posted 10 December 2009 - 02:17 AM

Hi, first time poster, long time reader. Hope I've followed the rules so far. Thanks for all the good stuff you do. I have a friend's laptop and thought I had removed antivirus pro from it. He now has the paid version of AVG 9. I gave it back to him and the virus returned within 30 minutes. Can you please check through the attached logs and let me know if it is in fact gone and whether you would like to see any other logs ? Thanks heaps.

Attached Files




#2 Raktor

  • Members
  • 68 posts

Posted 10 December 2009 - 05:49 AM

Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:
  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.
Download Combofix from any of the links below.

Link 1
Link 2


==================================

Disable all antivirus and antispyware applications, then double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 benjenln

  • Topic Starter
  • Members
  • 5 posts

Posted 10 December 2009 - 07:18 AM

Hi Raktor, thanks for replying. Here is the logfile requested.

Attached Files



#4 Raktor

  • Members
  • 68 posts

Posted 10 December 2009 - 07:29 AM

Please just copy/paste the Combofix logs, it's easier to read them in a post. :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\User\Local Settings\Application Data\xvgwkn
c:\documents and settings\User\Local Settings\Application Data\sgsbnw

RenV::
c:\windows\inf\WG511v2\snetcfg .exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#5 benjenln

  • Topic Starter
  • Members
  • 5 posts

Posted 10 December 2009 - 07:43 AM

Hi Raktor,
Instructions followed and combofix.txt copy/pasted as requested:

ComboFix 09-12-09.04 - User 10/12/2009 23:33:55.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.440 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Local Settings\Application Data\sgsbnw
c:\documents and settings\User\Local Settings\Application Data\xvgwkn

.
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-10 03:45 . 2009-12-10 03:45 -------- d-----w- c:\documents and settings\User\Application Data\AVG9
2009-12-10 03:20 . 2009-12-10 03:32 -------- d-----w- C:\$AVG
2009-12-10 03:20 . 2009-12-10 03:20 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-10 03:20 . 2009-12-10 03:20 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-10 03:19 . 2009-12-10 03:19 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-10 03:19 . 2009-12-10 03:19 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-10 03:19 . 2009-12-10 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-10 03:19 . 2009-12-10 03:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-12-06 00:46 . 2009-12-06 00:46 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-06 00:32 . 2009-12-06 00:32 -------- d--h--w- c:\windows\PIF
2009-12-06 00:14 . 2009-12-06 00:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-12-06 00:14 . 2009-12-06 00:14 68064 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 00:12 . 2009-12-06 00:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-06 00:06 . 2009-12-06 00:06 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-05 07:41 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 07:41 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 07:41 . 2009-12-05 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-05 07:41 . 2009-12-06 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 07:40 . 2008-11-06 06:53 2372472 ----a-w- c:\documents and settings\User\mbam-setup.exe
2009-12-02 12:41 . 2009-12-02 12:41 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Blizzard Entertainment
2009-11-29 09:10 . 2009-11-29 09:10 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-29 09:09 . 2009-11-29 09:10 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-11 08:03 . 2009-11-11 08:03 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 03:20 . 2008-06-10 09:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-10 03:20 . 2008-06-10 09:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-10 03:20 . 2008-06-10 09:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-10 03:20 . 2008-07-02 15:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-10 03:19 . 2008-06-10 09:21 -------- d-----w- c:\program files\AVG
2009-12-09 23:53 . 2008-11-23 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-08 10:25 . 2008-06-15 11:48 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2009-11-29 09:12 . 2008-06-13 07:08 -------- d-----w- c:\program files\Java
2009-11-11 08:00 . 2008-05-24 10:10 -------- d-----w- c:\program files\Windows Live
2009-10-29 07:46 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 10:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 10:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 10:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 10:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-10 17:17 . 2009-03-03 06:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 08:39 . 2009-10-10 08:39 157880 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-10 07:52 . 2009-10-10 07:52 175616 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\unrar64_nocrypt.dll
2009-10-10 07:52 . 2009-10-10 07:52 150528 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\unrar_nocrypt.dll
2009-10-10 07:52 . 2009-10-10 07:52 30208 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\FileDownloadConsole.exe
2009-09-30 08:15 . 2009-10-10 07:55 13312 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\PhotoFaceConsole.exe
2009-09-30 08:14 . 2009-10-10 07:55 15872 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\PhotoFaceConsole.XmlSerializers.dll
2009-09-29 23:41 . 2009-10-10 07:55 361472 ----a-r- c:\documents and settings\User\Application Data\EA\EASW\GameFace\FgPhotofitDll.dll
2009-09-29 09:29 . 2009-10-10 07:55 6144 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\DetectOpenGLConsole.exe
2009-09-29 09:29 . 2009-10-10 07:55 5120 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\DownloadSourcePhotoConsole.exe
2009-09-29 09:29 . 2009-10-10 07:55 9216 ----a-w- c:\documents and settings\User\Application Data\EA\EASW\GameFace\UploadPhotofitConsole.exe
2009-09-22 09:07 . 2009-09-22 09:07 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-21 00:14 . 2009-10-10 07:55 8192 ----a-r- c:\documents and settings\User\Application Data\EA\EASW\GameFace\OpenGLCheck.dll
2009-09-11 14:03 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-10_12.11.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-04 01:38 . 2006-12-04 01:38 53248 c:\windows\inf\WG511v2\snetcfg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-10 2020120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-10 03:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Thinstall\\TFC-Portable\\1400000211600002i\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [10/12/2009 2:20 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/12/2009 2:20 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/06/2008 8:22 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/06/2008 8:22 PM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/12/2009 2:20 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/12/2009 2:20 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [10/12/2009 2:20 PM 2304192]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [19/03/2009 5:47 PM 54752]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/12/2009 2:19 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [10/12/2009 2:20 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [10/12/2009 2:20 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [10/12/2009 2:20 PM 25736]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [15/03/2008 4:06 PM 92550]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [10/12/2009 2:20 PM 5832712]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/12/2009 2:19 PM 30104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5/08/2009 10:48 PM 704864]
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {DACFE249-C6B9-42E3-96D5-8D8DF6666EEF} = 203.12.160.35,203.12.160.36
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-iPodVideoConverter_upgrade - c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 23:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-12-10 23:38:40
ComboFix-quarantined-files.txt 2009-12-10 12:38
ComboFix2.txt 2009-12-10 12:12

Pre-Run: 134,194,679,808 bytes free
Post-Run: 134,185,033,728 bytes free

- - End Of File - - F2550B00720721D38F04F1626E145219
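
Added example, not part of the thread and not ComboFix's or BleepingComputer's own tooling: a small Python triage script for the ComboFix log format posted above. It parses the "Reg Loading Points" and "Supplementary Scan" sections and flags three things a helper would want to look at in exactly this log: autostart entries whose target file is gone (this example assumes ComboFix's `[X]` marker means the file was not found), an Internet Explorer proxy pointing at the loopback address (a localhost proxy the user did not configure is a common artifact of rogue "antivirus" products and deserves review), and `EnableFirewall=0` (harmless here because AVG's firewall replaced the Windows one, but worth confirming). The sample excerpt is constructed from lines copied out of the log above; the function names and the heuristics are this example's own.

```python
"""Triage a ComboFix log: flag orphaned autostarts, loopback proxies and a disabled firewall."""
import re

# Constructed sample: an excerpt in the shape of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-10 2020120]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run] or [HKLM\~\services\...]
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "Name"="command" [stamp]  where stamp is "date size" or X (assumed: file not present)
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
# uInternet Settings,ProxyServer = value  (per-user settings in the Supplementary Scan)
SUPP_RE = re.compile(r'^u(?P<hive>[^,]+),(?P<setting>\S+) = (?P<value>.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def parse_run_entries(text):
    """Return the autostart entries with their parent key and whether the file is missing."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({
                "key": key,
                "name": m["name"],
                "command": m["cmd"],
                "file_missing": m["stamp"] == "X",
            })
    return entries


def parse_supplementary(text):
    """Map (hive, setting) -> value for the u-prefixed lines of the Supplementary Scan."""
    settings = {}
    for line in text.splitlines():
        m = SUPP_RE.match(line)
        if m:
            settings[(m["hive"], m["setting"])] = m["value"]
    return settings


def firewall_enabled(text):
    """True/False from the EnableFirewall value, None if the log has no such line."""
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            return m.group(1) != "0"
    return None


def triage(text):
    """Collect human-readable findings worth a second look."""
    findings = []
    for e in parse_run_entries(text):
        if e["file_missing"]:
            findings.append(f"orphaned autostart '{e['name']}' in {e['key']} -> {e['command']}")
    proxy = parse_supplementary(text).get(("Internet Settings", "ProxyServer"))
    if proxy and re.search(r"(127\.0\.0\.1|localhost):\d+", proxy):
        findings.append(f"loopback proxy configured for Internet Explorer: {proxy}")
    if firewall_enabled(text) is False:
        findings.append("Windows Firewall disabled (EnableFirewall=0); confirm a third-party firewall covers it")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a full ComboFix.txt by reading the file into `triage()`; on the log in this thread it reports the two `[X]` entries (Shockwave Updater and QuickTime Task), the `127.0.0.1:5555` proxy and the disabled Windows firewall, which is the short list a reviewer would want to clear before calling the machine clean.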

#6 Raktor

  • Members
  • 68 posts

Posted 10 December 2009 - 07:49 AM

1) P2P Warning
P2P - I see you have P2P software (LimeWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

2) Update Adobe
Your current version of Adobe Reader is out of date, and may contain security issues. Please uninstall the version you have now from Add/Remove programs, and then download and install the latest Adobe Reader.

3) Update Java
Your version of Java is outdated.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

4) MBAM
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
5) ESET
You can use either Internet Explorer or Mozilla Firefox for this scan.
  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
6) What You Will Need To Post:
  • MBAM log
  • ESET log


#7 benjenln

  • Topic Starter
  • Members
  • 5 posts

Posted 10 December 2009 - 09:46 AM

Hi Raktor,

I will show my friend this thread, particularly about P2P and the links you provided. Thanks.

Adobe uninstall, download and install succeeded.
JavaRa encountered a problem and needed to close while removing old versions. I clicked the 'Don't send' button.
JRE install succeeded.

Mbam log and eset log as follows:

Malwarebytes' Anti-Malware 1.42
Database version: 3337
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

11/12/2009 12:30:44 AM
mbam-log-2009-12-11 (00-30-44).txt

Scan type: Quick Scan
Objects scanned: 111652
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

========================================


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=863c36858527c74ca1872299b201e8a9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-10 02:38:57
# local_time=2009-12-11 01:38:57 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 791 791 0 0
# scanned=57237
# found=2
# cleaned=0
# scan_time=2947
C:\Documents and Settings\User\Desktop\Portable Counter-Strike 1.6 Decayed-Lite.Proper.exe multiple threats 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C94D6726-7181-44A4-8389-8B8A03879527}\RP694\A0129816.DLL Win32/FunWeb application 00000000000000000000000000000000 I

=============================

#8 Raktor

  • Members
  • 68 posts

Posted 11 December 2009 - 12:26 AM

Please delete the file C:\Documents and Settings\User\Desktop\Portable Counter-Strike 1.6 Decayed-Lite.Proper.exe. It is infected - do not let your friend use it. :( Otherwise, everything appears clean.

The following will implement some cleanup procedures as well as reset System Restore points:
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
You can delete all programs and associated logs that we have used, except MBAM. Keep that, and scan/update weekly.

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for Firefox, Google Chrome and Internet Explorer.

If you would prefer to keep using Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

#9 benjenln

  • Topic Starter
  • Members
  • 5 posts

Posted 11 December 2009 - 03:29 AM

Thank you Raktor.
Have done all you suggested, up to the bit where I tell him to read your posts. :(
Returning his computer tomorrow.

Sincere thanks for your help and your advice.

#10 Raktor

  • Members
  • 68 posts

Posted 11 December 2009 - 05:31 PM

As this topic is now resolved, it will be closed. New users, please start a new topic.