Infected with Internet Security 2010

#1 dhaselhorst


Posted 25 January 2010 - 07:29 PM

Infected with Internet Security 2010. Followed steps outlined at Bleeping Computer, including rkill followed by Malwarebytes scans. Repeated scans removed more and more infected files until count was zero. Later in the day, error messages and symptoms were back. Help greatly appreciated. Thanks!

DDS (Ver_09-12-01.01) - NTFSx86
Run by admin at 17:57:33.42 on Mon 01/25/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.96 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\NCH Swift Sound\VRS\vrs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Downloads\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/sunweststorage.com
uSearch Page =
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,
mSearchAssistant =
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CARPService] carpserv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
dRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Shares.bat
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: rifabana.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-11-11 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-24 207792]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-11 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-11 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-11 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-27 297752]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
R2 VRSService;VRS Recording System Service;c:\program files\nch swift sound\vrs\vrs.exe [2006-4-6 499716]
S3 MagEpNt;MagEpNt; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-24 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-24 1141712]

=============== Created Last 30 ================

2010-01-25 23:32:45 0 ----a-w- c:\windows\system32\41.exe
2010-01-25 21:49:28 0 d-----w- c:\program files\InternetSecurity2010
2010-01-25 21:48:51 25088 ----a-w- c:\windows\system32\helper32.dll
2010-01-25 21:48:33 0 d-----w- c:\docume~1\admin\applic~1\MSNInstaller
2010-01-25 21:48:31 2931 ----a-w- c:\windows\system32\warning.html
2010-01-25 21:48:25 26624 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-25 21:48:25 26624 ----a-w- c:\windows\system32\smss32.exe
2010-01-25 21:46:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 13:36:38 1 ----a-w- C:\s
2010-01-25 01:49:10 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-01-25 01:48:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 01:48:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-25 01:48:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 01:48:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 00:02:47 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-25 00:02:47 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-25 00:02:06 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-25 00:02:06 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-25 00:02:06 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-25 00:02:06 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-25 00:01:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-25 00:01:29 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-25 00:01:10 0 d-----w- c:\program files\Spyware Doctor
2010-01-25 00:01:10 0 d-----w- c:\program files\common files\PC Tools
2010-01-25 00:01:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-25 00:01:10 0 d-----w- c:\docume~1\admin\applic~1\PC Tools
2010-01-24 23:59:23 0 ----a-w- c:\windows\system32\11942.exe
2010-01-24 23:38:51 259072 ----a-w- c:\windows\system32\2995.exe
2010-01-24 23:18:47 0 d-----w- C:\spoolerlogs
2010-01-24 22:37:58 0 ----a-w- c:\windows\system32\16827.exe
2010-01-24 22:17:44 0 ----a-w- c:\windows\system32\23281.exe
2010-01-24 21:57:37 0 ----a-w- c:\windows\system32\28145.exe
2010-01-24 21:37:36 0 ----a-w- c:\windows\system32\5705.exe
2010-01-24 21:17:36 0 ----a-w- c:\windows\system32\24464.exe
2010-01-24 20:57:29 0 ----a-w- c:\windows\system32\26962.exe
2010-01-24 20:37:24 0 ----a-w- c:\windows\system32\29358.exe
2010-01-24 20:17:14 0 ----a-w- c:\windows\system32\11478.exe
2010-01-24 19:57:02 0 ----a-w- c:\windows\system32\15724.exe
2010-01-24 19:37:02 0 ----a-w- c:\windows\system32\19169.exe
2010-01-24 19:17:02 0 ----a-w- c:\windows\system32\26500.exe
2010-01-24 18:57:01 0 ----a-w- c:\windows\system32\6334.exe
2010-01-24 18:37:01 0 ----a-w- c:\windows\system32\18467.exe
2010-01-12 19:51:48 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2003-05-11 22:35:46 7839 --sha-w- c:\windows\system32\drivers\aspmon.sys

============= FINISH: 17:59:46.60 ===============
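The DDS log above carries several classic persistence and tampering indicators in one place: a Winlogon Userinit value redirected to a look-alike binary, an AppInit_DLLs entry, a Winsock LSP in system32, Task Manager disabled by policy, and a run of zero-byte, digit-named executables created in system32 about every twenty minutes. The triage script below is an added example, not code from the poster or from DDS; it parses lines excerpted verbatim from that log and flags each of those patterns, including the timer-like creation interval.

```python
import re
from datetime import datetime
from statistics import median

# Lines excerpted verbatim from the DDS log posted above (not constructed).
DDS_EXCERPT = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [smss32.exe] c:\windows\system32\smss32.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\system32\helper32.dll
AppInit_DLLs: rifabana.dll
2010-01-25 23:32:45 0 ----a-w- c:\windows\system32\41.exe
2010-01-24 22:37:58 0 ----a-w- c:\windows\system32\16827.exe
2010-01-24 22:17:44 0 ----a-w- c:\windows\system32\23281.exe
2010-01-24 21:57:37 0 ----a-w- c:\windows\system32\28145.exe
2010-01-25 01:48:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# Names built from a core Windows process name plus digits (smss32.exe, winlogon32.exe).
SYSTEM_LOOKALIKE = re.compile(r"^(smss|winlogon|csrss|lsass|services|svchost)\d+\.exe$", re.I)
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.I)


def basename(path):
    return path.strip().rstrip(",").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (rule, detail) findings for a DDS log excerpt, in log order."""
    findings, created = [], []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if "Winlogon: Userinit=" in line:
            # The genuine value points at userinit.exe; any other file is a logon hijack.
            if basename(line.split("=", 1)[1]) != "userinit.exe":
                findings.append(("userinit-hijack", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit-dll", line))  # DLL injected into every GUI process
        elif line.startswith("LSP:"):
            findings.append(("winsock-lsp", line))  # non-default Winsock layer sees all traffic
        elif "DisableTaskMgr = 1" in line:
            findings.append(("taskmgr-disabled", line))
        elif re.match(r"^[umd]Run:", line):
            path = line.split("]", 1)[1].strip().lstrip('"').split('"')[0]
            if SYSTEM_LOOKALIKE.match(basename(path)):
                findings.append(("system-process-lookalike", line))
        else:
            m = CREATED.match(line)
            if m and "system32" in m.group(4).lower() and NUMERIC_EXE.match(basename(m.group(4))):
                findings.append(("numeric-exe-in-system32", line))
                created.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    # A dropper running on a timer leaves near-constant gaps between the files it creates.
    times = sorted(created)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    if gaps:
        typical = median(gaps)
        regular = [g for g in gaps if abs(g - typical) <= 0.1 * typical]
        if len(regular) >= 2:
            findings.append(("periodic-dropper", "%d gaps of ~%.0f min" % (len(regular), typical)))
    return findings
```

Running `triage(DDS_EXCERPT)` yields ten findings; the legitimate ctfmon.exe run entry and the mbam.sys driver produce none.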

#2 dhaselhorst

  Topic Starter

Posted 26 January 2010 - 12:17 AM

I attempted to run another round of the Malware scanner. About 1/2 way through, an error message popped up about an object (Dcom?) that needed to reboot the PC. I'm assuming this is a bogus message from the Malware; not sure. The PC then did reboot. Problem still exists. Again, any insights would be appreciated.



While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 26 January 2010 - 06:49 AM.

#3 shelf life

  Malware Response Team

Posted 01 February 2010 - 05:39 PM


Your log is a few days old. If you still need help simply reply to my post.

#4 dhaselhorst


Posted 01 February 2010 - 05:54 PM

Thank you for your offer.

Malware could not be removed after a week of trying. Restored older backup. Please close thread.

#5 shelf life


Posted 01 February 2010 - 07:47 PM

OK, thanks for letting me know. Anything short of a reformat/reinstall of Windows would be unsuccessful in removing malware, that is unless you were able to remove it using available anti- this and that software and then did the restore afterwards.

For your reference:

Some tips to help keep you malware free

10 Tips for Reducing/Preventing Your Risk To Malware:

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. Use the Alt+F4 key to close your browser. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware on your computer then it's time to review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? Were you expecting that attachment?

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason. Use the Alt+F4 key to close your browser.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs.

10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p networks then you are also much more likely to encounter malicious code. Do you really trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

#6 dhaselhorst


Posted 01 February 2010 - 09:40 PM

Thanks for the reply. I did a restore of a ghost image of the drive (entire partition) from before the infection. Shouldn't that have removed it?


#7 shelf life


Posted 02 February 2010 - 06:59 PM


Yes, it would remove all the malware if it did a reformat of the drive first. To be honest I have never restored a machine with an image so can't really say if they wipe the drive first. I suppose one way to check would be to see if you see any files, data, software etc on the machine that wouldn't be on the image, depending on when you made the image of course. Do your malware symptoms appear to be gone now?

#8 dhaselhorst

Posted 02 February 2010 - 07:07 PM

Malware symptoms gone. Thanks for following up. The image backup wipes the partition.

For what it's worth, the malware was Internet Security 2010. I followed the un-install guide here: http://www.bleepingcomputer.com/virus-remo...t-security-2010, very specifically, multiple times to no avail. Perhaps the malware has gotten smarter since the un-install guide was published. I could find no other way to remove it. Was there a better option, based on your experience?

#9 shelf life


Posted 02 February 2010 - 09:36 PM

OK, good. Malware is gone. Those guides are pretty generic. Sometimes malware can come with other 'extras' like trojans, rootkits etc, or once installed to a machine download even more malware. Much more than what's just shown in the guides. Sometimes Malwarebytes or other anti-malware can take care of it all, sometimes not. It's not always cut and dried, which can be evident by posts that can go several pages.

Malware is getting much more sophisticated and harder to detect and remove. Perhaps a few rounds with ComboFix may have done the trick for your machine. It's not recommended one use it on their own though.
Always good to back up in case of malware or hard drive failure. Re-imaging your drive would be a lot quicker than posts that could last days. Keep Malwarebytes and always check for updates before doing a scan with it.
I suppose you can also scan your saved image with your AV and anti-malware? I assume the image is stored locally on your drive. This would ensure it's clean also, just so no malware could be restored with the image.
See the 10 tips to help you remain malware free.

