Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Tool Infected My Computer


  • This topic is locked This topic is locked
12 replies to this topic

#1 Esh

Esh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 23 March 2010 - 11:27 PM

I was using the internet and then Security Tool poped up I clicked scan and then my computer shut down.
Once I turned it back on everything was white. I can't open anything I can only go onto the internet but I don't know for how long.
Now my computer shuts off every 10 mins. A Blue screen comes on saying that theres gonna be damage done and then it restarts .
Help me please :thumbsup:

BC AdBot (Login to Remove)

 


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 12:47 AM

Hello Esh. :huh: ..

Your Aunt send a PM to me asking if I can help you on this. :thumbsup:

let's do the following:
  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop
If you can not download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.

ensure you put them on the desktop of the infected computer.


:inlove: * exeHelper by Raktor.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

:trumpet: After running exeHelper (without rebooting) download and run Rkill and Malwarebyte's (MBAM) tool using this instructions.

We need to use the RKill Tool by Grinler

Link #1
Link #2
Link #3
Link #4

  • Please Download Link #1. Save it to your Desktop.
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double click the RKill desktop icon to run the tool.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
NOTE:
1. Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
2. If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if all the link does not work.
*If the tool does not run from any of the links, Please tell me about it.


:flowers: Posted Image* Malwarebytes' Anti-Malware (MBAM)

Because some malware can be easily removed, we recommend Malwarebytes Anti-Malware be run. It's an advanced piece of software which should get a lot of what's on this machine. These guys are so on top of the latest infections it's amazing.

It's important to let me know however, if you experience any trouble getting to the site or updating it or opening it to run. Some rootkits target MBAM and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit, which if present, will require another special tool.


Please disable your anti spyware programs if you have any like spybot teatimer during the following steps.
If you are unsure on how to do this, please read this guide

Please download Posted ImageMalwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.[/list]***NOTE: If MBAM will not install, try renaming it this way.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
**If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

MBAM Tutorial if needed


Summary of the logs I will need in your next reply:
  • The report log of exeHelper
  • The report log of Rkill
  • The report log of MBAM
And a description of any remaining problems.

How are things your end Esh...???.


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

Posted Image

#3 Esh

Esh
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 24 March 2010 - 12:53 AM

Ok, You talk about saving a file which is step 1 .. but what file are you talking about exactly ? Iam using my Pc at the moment cause my labtop kept shutting down on me.. so I will transfer and start this

Edited by Esh, 24 March 2010 - 12:55 AM.


#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 12:58 AM

This file:

exeHelper by Raktor.

Please download exeHelper to your desktop.

rest your mouse on top of exeHelper front of download then double click on it and you will get the link to it.

#5 RhonB

RhonB

  • Members
  • 729 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:09:00 PM

Posted 24 March 2010 - 05:33 PM

HI Net_Surfer...it's me, RhonB...

So, like I thought my neice looked at your instructions and said "huh"....so I have now picked up her computer and if you don't mind I will work on it with you...I figure we have been through this before and we work well together no?? ;-) lol!

So I will now start following the instructions you have posted and will let you know how it goes... ..

#6 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 06:32 PM

Hi Esh and RhonB,

That will be ok with me.

just remember that you have to complete all of those steps without rebooting that way the malware will not have a chance.


Regards.
Net_Surfer

#7 RhonB

RhonB

  • Members
  • 729 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:09:00 PM

Posted 24 March 2010 - 08:35 PM

Hi Net_surfer....

Ok, so I could not run exehelper...the machine would not let me save it to desktop would not even let me see the desktop...I thought I was finally able to run it once, from my flash drive, but the log is empty. I had no choice but to run rkill to stop the madness!

I am attaching the logs and then going to my machine to describe more because the keyboard on this one is doing strange things and taking my 10 minutes to type just this.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Hollywood on 24/03/2010 at 16:23:46.


Processes terminated by Rkill or while it was running:


C:\ProgramData\29463832\29463832.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe


Rkill completed on 24/03/2010 at 16:23:51.



Malwarebytes' Anti-Malware 1.44
Database version: 3910
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

24/03/2010 6:17:26 PM
mbam-log-2010-03-24 (18-17-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 231900
Time elapsed: 1 hour(s), 37 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 36
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 21
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Windows\System32\SiKernel.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\expertenhancer.pornpro_bho (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\expertenhancer.pornpro_bho.1 (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0140df95-9128-4053-ae72-f43f0cfca062} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0140df95-9128-4053-ae72-f43f0cfca062} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0140df95-9128-4053-ae72-f43f0cfca062} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7ab564f-be70-4aec-928c-3fdccd11809d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vstdpv33 (Rootkit.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SiKernel.PolyMimeFilter (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ExpertEnhancer (Adware.ExpertEnhancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29463832 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host process (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bags else hole lite (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\29463832 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Users\Guest\Documents\LimeWire\Saved\_ (Worm.Archive) -> Quarantined and deleted successfully.
C:\Users\Hollywood\Documents\LimeWire\Saved\_ (Worm.Archive) -> Quarantined and deleted successfully.
C:\Program Files\ExpertEnhancer (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Delete on reboot.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\6.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Registry Defender Platinum (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\Registry Defender Platinum\backup (Rogue.RegistryDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\drivers\VSTDPV33.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\ProgramData\29463832\29463832.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Windows\System32\SiKernel.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\System32\owuovjdjmgd.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Program Files\ExpertEnhancer\ExpertEnhancer.dat (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
C:\Program Files\ExpertEnhancer\pcre3.dll (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
C:\Program Files\ExpertEnhancer\uninstall.exe (Adware.BrowsingEnhancer) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Hollywood\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Hollywood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Guest\Desktop\BitDownload Downloads.lnk (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Users\Hollywood\Desktop\BitDownload Downloads.lnk (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Windows\System32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.

#8 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 08:44 PM

Hello again Esh and RhonB. :trumpet:

You were pretty bad infected. :thumbsup:

we need to move to another forum and use specialized tools to scan your computer more deeply.

Please go HERE....

From the Preparation Guide: > do steps 4 -to- 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run,skip it and move on.

If for any reason you can not run DDS try running Rkill and then DDS.

Let me know if that went well.

I will pick up the topic there, just add a note that is for me to take over.

Regards
Net_Surfer
:flowers:

#9 RhonB

RhonB

  • Members
  • 729 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:09:00 PM

Posted 24 March 2010 - 08:49 PM

Hi...I'm back...on my machine now, I had to restart the infected machine to complete the cleaning process with MBAM.

The keyboard on that machine is doing very strange things and it was taking me forever to type 2 sentences....
I would be typing and all of a sudden the cursor would jump up one or 2 lines and put in what I am typing within another line.....I had to type one word at a time, always checking that the cursor had not moved....very annoying!! Maybe you know what that is and how to fix it?? Also, when I tried to type ' it gave me a french e (with the little squiggle)...very strange.

In any case, I hope it was not an issue that I did not run exehelper...it would just not let me...I tried for about an hour, then just moved on with rkill....and that worked!! Pop ups stopped, desktop came back...no picture, but it's back and the security tool icon is gone from the startup tray & desktop.

I ran MBAM....and then restarted to complete the cleaning....now waiting for your next steps...

Oh and I think I will have to use the flash drive cleaner again, on my machine...because I used the flash drive to get rkill on the bad machine, there was no internet.....now there is...but after I put the flash drive back on my machine (can't remember why) my machine suddenly shut down...just like last time....so please send me the link to the flash drive cleaner again. Just for use on my machine, won't use it on the infected one.

Thanks for th help. :-) Again!!

#10 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 09:09 PM

Hi RhonB and Esh.


As you requested here is the link to the Flash drive disinfector,

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Before you run DDS and Gmer I need you to do this step first with the Comedian just follow the prompts and then the run the other tools and post the logs on the new topic that you created.

After that we will close this topic here.



Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..

Regards
Net_Surfer
:thumbsup:

#11 RhonB

RhonB

  • Members
  • 729 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:09:00 PM

Posted 24 March 2010 - 09:22 PM

HI there....I already started running the DDS & GMER before I saw your post to do the other thing first....GMER is running now...so what did you want me to do...run the comediene thing after? What is that for? I have never seen this one before.

Went to look for you on chat but you're not there.

#12 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:00 PM

Posted 24 March 2010 - 09:28 PM

Is ok, after you run Gmer then run the comedian.

Do not post the logs here.........post them into the new topic that had created.

Net_Surfer

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:00 PM

Posted 25 March 2010 - 01:42 AM

The topic is being continued here:

http://www.bleepingcomputer.com/forums/t/304721/security-tool-infection/

As such I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users