
Persistent Infection - InternetSecurity2010 and Broswer Re-directs


65 replies to this topic

#61 David-In-Chicago (Topic Starter, Members, 38 posts)

Posted 29 December 2009 - 12:48 PM

I updated Java yesterday in order to run the Kaspersky. I just checked on the Java site and I have the most current version. My fix for the Safe Mode was using the fix from the Didier Stevens link I put in post 47 above.
I think we can wrap up and do the cleanup now. There's a lot of debris on my desktop :-)
I really appreciate your assistance through all of this.


#62 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 29 December 2009 - 01:20 PM

Your knowledge has been a great asset to us being able to get this cleaned up. I want to do some checking and see if the Safe Boot Key Repair is targeting the same keys as what you found in the fix. This is something that could be very useful in the future.

Since you never could get ComboFix to run properly the following may not be needed but we'll run it anyway.



Uninstall ComboFix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.





The following removes a lot of other tools as well as itself.

Cleanup! with OTMoveIt


* Double click OTMoveIt3.exe to run it.
* Click the Clean Up button at the top. If you receive a warning from your security program, select allow to download the packet.
* A pop-up box will appear saying "Cleanup list download successfully Begin Removal Process?". Click Yes.
* If required for a reboot click Yes





Below are some steps to follow in order to lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & click Custom level
    In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file.
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date.



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :(


thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
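The hardening steps in the post above are given as GUI click paths. The script below is an added example (not part of the thread and not thewall's instructions) that audits the same three settings from a Windows PowerShell prompt so you can confirm the changes took: the DNS Client service startup type, the Internet Explorer Internet-zone ActiveX options, and the active HOSTS entries. It assumes an elevated Windows PowerShell session, that the service is named Dnscache, and that the registry value ids 1001, 1004 and 1201 under the Internet zone (zone 3) correspond to the three ActiveX options named in the post (0 = Enable, 1 = Prompt, 3 = Disable). It only reports by default; the -Fix switch applies the DNS Client change.

```powershell
# Added example, not from the thread: report-only audit of the hardening steps above.
# Assumptions: elevated Windows PowerShell; Dnscache is the DNS Client service;
# registry values 1001/1004/1201 under Zone 3 are "Download signed ActiveX controls",
# "Download unsigned ActiveX controls" and "Initialize and script ActiveX controls
# not marked as safe" (0 = Enable, 1 = Prompt, 3 = Disable).
param([switch]$Fix)   # -Fix applies the DNS Client change; everything else is reported only

# --- 1. DNS Client service ------------------------------------------------------
# The post recommends Manual startup when a large custom HOSTS file slows lookups.
$svc = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"
"DNS Client startup type: $($svc.StartMode)"
if ($svc.StartMode -eq 'Auto') {
    if ($Fix) {
        Set-Service -Name Dnscache -StartupType Manual
        "  -> changed to Manual"
    } else {
        "  -> would change to Manual (re-run with -Fix)"
    }
}

# --- 2. Internet Explorer Internet zone ActiveX settings ------------------------
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
}
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$props = Get-ItemProperty -Path $zone
foreach ($id in $wanted.Keys) {
    $current = $props.$id
    $label = if ($null -eq $current) { 'not set' }
             elseif ($names.ContainsKey([int]$current)) { $names[[int]$current] }
             else { "$current" }
    $ok = ($current -eq $wanted[$id].Value)
    $verdict = if ($ok) { 'OK' } else { "expected $($names[$wanted[$id].Value])" }
    "{0,-60} {1,-8} {2}" -f $wanted[$id].Name, $label, $verdict
}

# --- 3. HOSTS file ----------------------------------------------------------------
# A blocklist such as the MVPs file maps unwanted names to 127.0.0.1 or 0.0.0.0.
# Any active entry that points anywhere else redirects that name and deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active    = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
$redirects = @($active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|0\.0\.0\.0|::1)\s' })
"HOSTS: $($active.Count) active entries, $($redirects.Count) pointing somewhere other than loopback"
$redirects | ForEach-Object { "  $_" }
```

Run it once before and once after following the post's steps; the second run should show DNS Client as Manual, the three ActiveX rows as OK, and zero non-loopback HOSTS entries. Get-WmiObject is used rather than Get-Service because the StartType property of Get-Service only exists in newer PowerShell versions.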

#63 David-In-Chicago (Topic Starter, Members, 38 posts)

Posted 29 December 2009 - 05:34 PM

Windows could not find CF. No surprise there since it apparently never installed.

I ran the rest of your suggestions. The Secunia was an interesting find. I'm reading up a bit on the DNS/Hosts before I make that leap just to make sure I get it right.

What blockers and protection do you run on your machine?

#64 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 29 December 2009 - 08:36 PM

I use Avira, MBAM and SAS and watch where I go very closely. I don't use P2P programs or ever visit any nefarious sites such as crack or keygen sites.

#65 David-In-Chicago (Topic Starter, Members, 38 posts)

Posted 31 December 2009 - 05:56 PM

I noticed this file in the startup folder....McRebootA5E6DEAA56$.lnk is it bad or good?

Never mind, I checked properties and it was just an old shortcut from the virus. When I selected find target, windows started looking for cmd.exe, then it came back that it could not find it so I simply deleted it.

Thanks again for all your help.

Have a Happy and Prosperous New Year!

Edited by David-In-Chicago, 31 December 2009 - 06:11 PM.
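The leftover shortcut in the post above was spotted by hand: a .lnk in the Startup folder whose target (cmd.exe, via the shortcut) no longer resolved. The script below is an added example (not from the thread or either poster) that does the same check for every shortcut in both Startup folders and flags the ones whose target file does not exist or that launch a command interpreter with arguments. It assumes Windows PowerShell and uses the WScript.Shell COM object to read each shortcut's target and arguments.

```powershell
# Added example, not from the thread: audit .lnk files in both Startup folders.
# Assumption: Windows PowerShell with the WScript.Shell COM object available.
$shell = New-Object -ComObject WScript.Shell
$folders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

$results = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Filter *.lnk | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target)
        # A startup shortcut that runs cmd.exe or a script host with arguments is a
        # common leftover of infections and is worth inspecting even if the target exists.
        $interp = ($target -match '(?i)\\(cmd|wscript|cscript|powershell|mshta|rundll32)\.exe$') -and ($lnk.Arguments -ne '')
        [pscustomobject]@{
            Folder     = $folder
            Shortcut   = $_.Name
            Target     = $target
            Arguments  = $lnk.Arguments
            TargetOK   = $exists
            Suspicious = (-not $exists) -or $interp
        }
    }
}

$results | Format-Table -AutoSize
"Flagged: $(@($results | Where-Object Suspicious).Count) of $(@($results).Count) shortcut(s)"
```

Review flagged entries rather than deleting them automatically: a shortcut with a missing target is safe to remove, but one that still resolves should be traced back to whatever created it before it is removed.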


#66 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 31 December 2009 - 11:06 PM

The same to you and you are welcome for the help.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.



