Redirect/Popups/XP Security Tool Virus


18 replies to this topic

#1 flipinacoin (Members, 13 posts)
Posted 16 April 2010 - 03:34 PM

Hello!

After looking through the "am I infected" pinned posts and following the steps from another users post that looked almost exactly like my issue (http://www.bleepingcomputer.com/forums/topic309985-15.html), I have decided to create a post and ask for some help as I can't seem to lick this one.

Computer Info: OS - Microsoft XP, Browser - IE 7, regular Antivirus program - TrendMicro, regular Spyware program - Spybot

Original Problem: browser is hijacked when any link is clicked, multiple pop-up ad windows appear, false XP Security Tool window opens and runs "scan", windows firewall is disabled each time the computer is rebooted

Steps taken: I ran fixexe.reg and ATF Cleaner; scanned the machine with MBAM, SUPERAntiSpyware (in safe mode) and TDSSKiller. I have saved all logs but will wait for instruction before posting them as I am not sure if I will need to run them again, posting each step of the way to ensure it is done to specification.

Problems Remaining: browser is hijacked when any link is clicked, windows firewall is disabled each time the computer is rebooted, av.exe and ave.exe files periodically attempt to run (TrendMicro blocks them from running now)


SUPERAntiSpyware found file 'Trojan.Agent/Gen-RogueAV' but I cannot seem to remove it on my own. If you need any additional information or if I missed anything to get help started please let me know and I will update immediately. Many thanks in advance for any help!


#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,313 posts, NJ USA)
Posted 16 April 2010 - 03:47 PM

Hello, you can post these logs... MBAM, SUPERAntiSpyware (in safe mode) and TDSSKiller.

If Spybot's TeaTimer is running, it may alter the repairs. If so, disable it and rescan.
I'll post how just in case.


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy

Now (even if it was not running) run RKill....

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4.)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 flipinacoin, Topic Starter (Members, 13 posts)
Posted 16 April 2010 - 04:02 PM

Thanks for the speedy response!!! :thumbsup:

TeaTimer has been disabled; sorry I didn't think to include that before. I am moving Rkill to the infected computer now along with this post so I can follow it directly. I will post back with the results and requested logs shortly...

#4 flipinacoin, Topic Starter (Members, 13 posts)
Posted 16 April 2010 - 05:14 PM

Ok here we go.


Here are the logs from the first set of scans:

~MBAM~
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3997

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/16/2010 12:15:29 PM
mbam-log-2010-04-16 (12-15-29).txt

Scan type: Quick scan
Objects scanned: 117415
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.



~SuperAntiSpyware~
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 01:16 PM

Application Version : 4.35.1000

Core Rules Database Version : 4814
Trace Rules Database Version: 2626

Scan type : Complete Scan
Total Scan Time : 00:44:14

Memory items scanned : 278
Memory threats detected : 0
Registry items scanned : 6972
Registry threats detected : 0
File items scanned : 34627
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revenue[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.happytofind[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP131\A0031061.EXE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 02:45 PM

Application Version : 4.35.1000

Core Rules Database Version : 4814
Trace Rules Database Version: 2626

Scan type : Custom Scan
Total Scan Time : 01:06:31

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 57
Registry threats detected : 0
File items scanned : 31532
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@smartadserver[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracking.realtor[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertisingplug[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@homestore.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@admarketplace[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bridge2.admarketplace[1].txt

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE


~TDSSKiller~
13:37:32:234 3320 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:37:32:234 3320 ================================================================================
13:37:32:234 3320 SystemInfo:

13:37:32:234 3320 OS Version: 5.1.2600 ServicePack: 3.0
13:37:32:234 3320 Product type: Workstation
13:37:32:234 3320 ComputerName: NIBLING
13:37:32:234 3320 UserName: HP_Administrator
13:37:32:234 3320 Windows directory: C:\WINDOWS
13:37:32:234 3320 Processor architecture: Intel x86
13:37:32:234 3320 Number of processors: 2
13:37:32:234 3320 Page size: 0x1000
13:37:32:234 3320 Boot type: Normal boot
13:37:32:234 3320 ================================================================================
13:37:32:328 3320 UnloadDriverW: NtUnloadDriver error 2
13:37:32:328 3320 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:37:32:359 3320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:37:32:359 3320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:37:32:359 3320 wfopen_ex: Trying to KLMD file open
13:37:32:359 3320 wfopen_ex: File opened ok (Flags 2)
13:37:32:359 3320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:37:32:359 3320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:37:32:359 3320 wfopen_ex: Trying to KLMD file open
13:37:32:359 3320 wfopen_ex: File opened ok (Flags 2)
13:37:32:359 3320 Initialize success
13:37:32:359 3320
13:37:32:359 3320 Scanning Services ...
13:37:32:812 3320 Raw services enum returned 348 services
13:37:32:828 3320
13:37:32:828 3320 Scanning Kernel memory ...
13:37:32:828 3320 Devices to scan: 11
13:37:32:828 3320
13:37:32:828 3320 Driver Name: Disk
13:37:32:828 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:828 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:828 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:828 3320 IRP_MJ_READ : F7510D1F
13:37:32:828 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:828 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:828 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:828 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:828 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:828 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:828 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:828 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:828 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:828 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:828 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:828 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:828 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:828 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:828 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:828 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:828 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:828 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:828 3320 IRP_MJ_POWER : F7512C82
13:37:32:828 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:828 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:828 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:828 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:843 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:843 3320
13:37:32:843 3320 Driver Name: Disk
13:37:32:843 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:843 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:843 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:843 3320 IRP_MJ_READ : F7510D1F
13:37:32:843 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:843 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:843 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:843 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:843 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:843 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:843 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:843 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:843 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:843 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:843 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:843 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:859 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:859 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:859 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:859 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:859 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:859 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:859 3320 IRP_MJ_POWER : F7512C82
13:37:32:859 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:859 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:859 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:859 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:859 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:859 3320
13:37:32:859 3320 Driver Name: Disk
13:37:32:859 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:859 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:859 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:859 3320 IRP_MJ_READ : F7510D1F
13:37:32:859 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:859 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:859 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:859 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:859 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:859 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:859 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:859 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:859 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:859 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:859 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:859 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:859 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:859 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:859 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:859 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:859 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:859 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:859 3320 IRP_MJ_POWER : F7512C82
13:37:32:859 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:859 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:859 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:859 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:875 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:875 3320
13:37:32:875 3320 Driver Name: Disk
13:37:32:875 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:875 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:875 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:875 3320 IRP_MJ_READ : F7510D1F
13:37:32:875 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:875 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:875 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:875 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:875 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:875 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:875 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:875 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:875 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:875 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:875 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:875 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:875 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:875 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:875 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:875 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:875 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:875 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:875 3320 IRP_MJ_POWER : F7512C82
13:37:32:875 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:875 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:875 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:875 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:890 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:890 3320
13:37:32:890 3320 Driver Name: usbstor
13:37:32:890 3320 IRP_MJ_CREATE : F78B5218
13:37:32:890 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:890 3320 IRP_MJ_CLOSE : F78B5218
13:37:32:890 3320 IRP_MJ_READ : F78B523C
13:37:32:890 3320 IRP_MJ_WRITE : F78B523C
13:37:32:890 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:890 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:890 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:890 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:890 3320 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:37:32:890 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:890 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:890 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:890 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:890 3320 IRP_MJ_DEVICE_CONTROL : F78B5180
13:37:32:890 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78B09E6
13:37:32:890 3320 IRP_MJ_SHUTDOWN : 804F4562
13:37:32:890 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:890 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:890 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:890 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:890 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:890 3320 IRP_MJ_POWER : F78B45F0
13:37:32:890 3320 IRP_MJ_SYSTEM_CONTROL : F78B2A6E
13:37:32:890 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:890 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:890 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:906 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:37:32:906 3320
13:37:32:906 3320 Driver Name: usbstor
13:37:32:906 3320 IRP_MJ_CREATE : F78B5218
13:37:32:906 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:906 3320 IRP_MJ_CLOSE : F78B5218
13:37:32:906 3320 IRP_MJ_READ : F78B523C
13:37:32:906 3320 IRP_MJ_WRITE : F78B523C
13:37:32:906 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:906 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:906 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:906 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:906 3320 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:37:32:906 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:906 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:906 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:906 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:906 3320 IRP_MJ_DEVICE_CONTROL : F78B5180
13:37:32:906 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78B09E6
13:37:32:906 3320 IRP_MJ_SHUTDOWN : 804F4562
13:37:32:906 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:906 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:906 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:906 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:906 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:906 3320 IRP_MJ_POWER : F78B45F0
13:37:32:906 3320 IRP_MJ_SYSTEM_CONTROL : F78B2A6E
13:37:32:906 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:906 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:906 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:921 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:37:32:921 3320
13:37:32:921 3320 Driver Name: usbstor
13:37:32:921 3320 IRP_MJ_CREATE : F78B5218
13:37:32:921 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:921 3320 IRP_MJ_CLOSE : F78B5218
13:37:32:921 3320 IRP_MJ_READ : F78B523C
13:37:32:921 3320 IRP_MJ_WRITE : F78B523C
13:37:32:921 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:921 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:921 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:921 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:921 3320 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:37:32:921 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:921 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:921 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:921 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:921 3320 IRP_MJ_DEVICE_CONTROL : F78B5180
13:37:32:921 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78B09E6
13:37:32:921 3320 IRP_MJ_SHUTDOWN : 804F4562
13:37:32:921 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:921 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:921 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:921 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:921 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:921 3320 IRP_MJ_POWER : F78B45F0
13:37:32:921 3320 IRP_MJ_SYSTEM_CONTROL : F78B2A6E
13:37:32:921 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:921 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:921 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:937 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:37:32:937 3320
13:37:32:937 3320 Driver Name: usbstor
13:37:32:937 3320 IRP_MJ_CREATE : F78B5218
13:37:32:937 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:937 3320 IRP_MJ_CLOSE : F78B5218
13:37:32:937 3320 IRP_MJ_READ : F78B523C
13:37:32:937 3320 IRP_MJ_WRITE : F78B523C
13:37:32:937 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:937 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:937 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:937 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:937 3320 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:37:32:937 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:937 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:937 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:937 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:937 3320 IRP_MJ_DEVICE_CONTROL : F78B5180
13:37:32:937 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78B09E6
13:37:32:937 3320 IRP_MJ_SHUTDOWN : 804F4562
13:37:32:937 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:937 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:937 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:937 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:937 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:937 3320 IRP_MJ_POWER : F78B45F0
13:37:32:937 3320 IRP_MJ_SYSTEM_CONTROL : F78B2A6E
13:37:32:937 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:937 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:937 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:953 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:37:32:953 3320
13:37:32:953 3320 Driver Name: Disk
13:37:32:953 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:953 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:953 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:953 3320 IRP_MJ_READ : F7510D1F
13:37:32:953 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:953 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:953 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:953 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:953 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:953 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:953 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:953 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:953 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:953 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:953 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:953 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:953 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:953 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:953 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:953 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:953 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:953 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:953 3320 IRP_MJ_POWER : F7512C82
13:37:32:953 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:953 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:953 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:953 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:968 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:968 3320
13:37:32:968 3320 Driver Name: Disk
13:37:32:968 3320 IRP_MJ_CREATE : F7516BB0
13:37:32:968 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:968 3320 IRP_MJ_CLOSE : F7516BB0
13:37:32:968 3320 IRP_MJ_READ : F7510D1F
13:37:32:968 3320 IRP_MJ_WRITE : F7510D1F
13:37:32:968 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:968 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:968 3320 IRP_MJ_FLUSH_BUFFERS : F75112E2
13:37:32:968 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:968 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:968 3320 IRP_MJ_DEVICE_CONTROL : F75113BB
13:37:32:968 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7514F28
13:37:32:968 3320 IRP_MJ_SHUTDOWN : F75112E2
13:37:32:968 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:968 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:968 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:968 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:968 3320 IRP_MJ_POWER : F7512C82
13:37:32:968 3320 IRP_MJ_SYSTEM_CONTROL : F751799E
13:37:32:968 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:968 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:32:968 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:37:32:968 3320
13:37:32:968 3320 Driver Name: atapi
13:37:32:968 3320 IRP_MJ_CREATE : F72486F2
13:37:32:968 3320 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:37:32:968 3320 IRP_MJ_CLOSE : F72486F2
13:37:32:968 3320 IRP_MJ_READ : 804F4562
13:37:32:968 3320 IRP_MJ_WRITE : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_SET_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_EA : 804F4562
13:37:32:968 3320 IRP_MJ_SET_EA : 804F4562
13:37:32:968 3320 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:37:32:968 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:37:32:968 3320 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:37:32:984 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:37:32:984 3320 IRP_MJ_DEVICE_CONTROL : F7248712
13:37:32:984 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7244852
13:37:32:984 3320 IRP_MJ_SHUTDOWN : 804F4562
13:37:32:984 3320 IRP_MJ_LOCK_CONTROL : 804F4562
13:37:32:984 3320 IRP_MJ_CLEANUP : 804F4562
13:37:32:984 3320 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:37:32:984 3320 IRP_MJ_QUERY_SECURITY : 804F4562
13:37:32:984 3320 IRP_MJ_SET_SECURITY : 804F4562
13:37:32:984 3320 IRP_MJ_POWER : F724873C
13:37:32:984 3320 IRP_MJ_SYSTEM_CONTROL : F724F336
13:37:32:984 3320 IRP_MJ_DEVICE_CHANGE : 804F4562
13:37:32:984 3320 IRP_MJ_QUERY_QUOTA : 804F4562
13:37:32:984 3320 IRP_MJ_SET_QUOTA : 804F4562
13:37:33:000 3320 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
13:37:33:000 3320
13:37:33:000 3320 Completed
13:37:33:000 3320
13:37:33:000 3320 Results:
13:37:33:000 3320 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:37:33:000 3320 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:37:33:000 3320 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:37:33:000 3320
13:37:33:000 3320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:37:33:000 3320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:37:33:015 3320 KLMD(ARK) unloaded successfully

I will put the new scans in a separate post next.

#5 flipinacoin, Topic Starter (Members, 13 posts)
Posted 16 April 2010 - 05:35 PM

I ran Rkill and did see the black DOS window so I think that worked.

I opened MBAM without rebooting the machine, completed updates, and ran a quick scan. Here is that log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/16/2010 4:45:12 PM
mbam-log-2010-04-16 (16-45-12).txt

Scan type: Quick scan
Objects scanned: 114655
Time elapsed: 12 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After the scan was complete it required the system to reboot. I restarted the computer and the firewall was still enabled, IE has not redirected and it has not attempted to launch av.exe or ave.exe. It seems like this did the trick. Do you think it is all cleared up now or would you recommend running SUPERAntiSpyware scan again?
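
The two Malwarebytes logs in this thread show the persistence this rogue AV relies on: the `.exe` association is re-pointed at a `secfile` ProgID, the Internet Explorer StartMenuInternet launch command is wrapped in ave.exe, and the three Security Center "DisableNotify" switches are set to 1 (which is why the firewall warning never appeared). The script below is an added example for this page, not code from the thread, from Malwarebytes or from any of the tools named here: a read-only Python audit of exactly those registry locations. The check works on a plain dict snapshot so it can be exercised off Windows; `read_live()` fills the snapshot from the real registry on a Windows host. The `INFECTED` and `CLEAN` snapshots are constructed for illustration; the ave.exe paths are the ones in the logs, but the `secfile` open command string is an assumption (the logs only name the ProgID).

```python
"""Audit the registry locations that the Malwarebytes logs in this thread show
being hijacked by the 'ave.exe' rogue AV.  Added example for this page, not code
from the thread or from Malwarebytes.  The check works on a plain dict snapshot
so it can run off Windows; read_live() fills that snapshot from the real
registry on a Windows host.  Read-only: it reports, it does not fix.
"""
import ntpath
import sys

SC = r"SOFTWARE\Microsoft\Security Center"
EXE_ASSOC = ("HKCR", ".exe", "")                     # "" = the (default) value
START_MENU_IE = ("HKLM", r"SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command", "")
CLEAN_EXE_CMD = '"%1" %*'                            # stock exefile open command
# Value 1 silences the Security Center warning for that component; 0 is normal.
SECURITY_CENTER = {
    ("HKLM", SC, "AntiVirusDisableNotify"): 0,
    ("HKLM", SC, "FirewallDisableNotify"): 0,
    ("HKLM", SC, "UpdatesDisableNotify"): 0,
}


def ie_launcher(cmd):
    """First executable in a shell command: quoted path, or token up to whitespace."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def audit(snap):
    """Return (key, actual, expected) for every hijacked value in the snapshot."""
    findings = []
    progid = snap.get(EXE_ASSOC)
    if progid != "exefile":                          # e.g. 'secfile' in the logs
        findings.append((EXE_ASSOC, progid, "exefile"))
    # Follow whatever ProgID .exe points at: its open command runs every .exe.
    cmd_key = ("HKCR", (progid or "exefile") + r"\shell\open\command", "")
    if snap.get(cmd_key) != CLEAN_EXE_CMD:
        findings.append((cmd_key, snap.get(cmd_key), CLEAN_EXE_CMD))
    for key, good in SECURITY_CENTER.items():
        actual = snap.get(key)
        if actual is not None and actual != good:    # absent value = not silenced
            findings.append((key, actual, good))
    ie_cmd = snap.get(START_MENU_IE) or ""
    launcher = ntpath.basename(ie_launcher(ie_cmd)).lower()
    if launcher and launcher != "iexplore.exe":      # IE wrapped in another exe
        findings.append((START_MENU_IE, ie_cmd, "iexplore.exe"))
    return findings


def read_live():
    """Windows only: read the audited values from the live registry."""
    import winreg
    hives = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE}

    def get(hive, subkey, name):
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    snap = {k: get(*k) for k in list(SECURITY_CENTER) + [EXE_ASSOC, START_MENU_IE]}
    progid = snap[EXE_ASSOC] or "exefile"
    cmd_key = ("HKCR", progid + r"\shell\open\command", "")
    snap[cmd_key] = get(*cmd_key)
    return snap


# Constructed snapshots for illustration.  The secfile open command is an
# assumption; the logs only give the ProgID name and the ave.exe paths.
INFECTED = {
    EXE_ASSOC: "secfile",
    ("HKCR", r"secfile\shell\open\command", ""):
        r'"C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\ave.exe" /START "%1" %*',
    START_MENU_IE:
        r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"',
    ("HKLM", SC, "AntiVirusDisableNotify"): 1,
    ("HKLM", SC, "FirewallDisableNotify"): 1,
    ("HKLM", SC, "UpdatesDisableNotify"): 1,
}
CLEAN = {
    EXE_ASSOC: "exefile",
    ("HKCR", r"exefile\shell\open\command", ""): CLEAN_EXE_CMD,
    START_MENU_IE: "iexplore.exe",
    **{k: 0 for k in SECURITY_CENTER},
}

if __name__ == "__main__":
    snap = read_live() if sys.platform == "win32" else INFECTED
    for key, actual, expected in audit(snap):
        print(f"{key[0]}\\{key[1]}\\{key[2] or '(default)'}: {actual!r} (expected {expected!r})")
```

Run on the infected snapshot it reports six findings: the `.exe` ProgID, the ProgID's open command, the three Security Center switches and the wrapped IE command; on the clean snapshot it reports none. The point of following the ProgID rather than hard-coding `exefile` is that a hijack which leaves `.exe` alone but rewrites `exefile\shell\open\command` is caught by the same check, and a hijack that points `.exe` at a fresh ProgID is caught without knowing the ProgID's name in advance.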

#6 boopme, "To Insanity and Beyond" (Global Moderator, 73,313 posts, NJ USA)
Posted 16 April 2010 - 05:50 PM

Looks very good.. Let's just get a online scan,please.
ESET
Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 flipinacoin (Topic Starter)

Posted 16 April 2010 - 06:59 PM

Just an update - the scan is running but it is at 27% at 45 mins. As soon as it is done I will post the log. Thanks! :thumbsup:

#8 boopme (Global Moderator, NJ USA)

Posted 16 April 2010 - 07:10 PM

Welcome :thumbsup:

#9 flipinacoin (Topic Starter)

Posted 16 April 2010 - 11:11 PM

OK, here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e76fb6b9995a0d48ad10668bdb851335
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-17 03:45:45
# local_time=2010-04-16 10:45:45 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=515 16777173 100 83 0 106323902 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=96505
# found=6
# cleaned=6
# scan_time=16334
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudXPInternetSecurity.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\48\6e37a330-2f5f74fd multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\2220797.828869029.exe a variant of Win32/Kryptik.DSA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

I checked the delete files from quarantine box before I exited the application. Next steps?
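As an added example (not ESET's code and not anything a poster wrote), here is a small Python parser for the ESET Online Scanner log.txt format shown in the post above, using that log (header abridged) as constructed sample input. It checks that the header's found/cleaned counts agree with the detection lines, flags any object whose action did not actually remove it, and groups the hits by where they lived. Four of the six here sit inside Spybot's Recovery folder, where Spybot keeps backups of items it already removed, so those are old backups being caught rather than something running. The line regex and the location labels are my assumptions from the lines on the page, not an ESET specification.

```python
"""Parse an ESET Online Scanner log.txt into a header dict plus findings.

Added example, not ESET's code. Format inferred from the log in the thread:
"# key=value" header lines, then one line per detection of the form
    <path> <threat name> (<action>) <32-hex hash> <flag>
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: the log posted in this thread, header abridged.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=96505
# found=6
# cleaned=6
# scan_time=16334
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudXPInternetSecurity.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\48\6e37a330-2f5f74fd multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\2220797.828869029.exe a variant of Win32/Kryptik.DSA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""


class Finding(NamedTuple):
    path: str
    threat: str
    action: str
    digest: str  # ESET printed an all-zero hash in this log
    flag: str


HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")
# Path = drive, everything up to the last backslash, then a file name without
# spaces; the threat name runs up to the first "(" that opens the action.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:.*\\)?\S+) "
    r"(?P<threat>.+?) "
    r"\((?P<action>[^)]+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Return (header, findings); duplicate header keys keep the last value."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key").strip()] = m.group("value").strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m.group("path"), m.group("threat"),
                                    m.group("action"), m.group("hash"),
                                    m.group("flag")))
        # Installer banner lines and anything unrecognised are ignored.
    return header, findings


def audit(header: Dict[str, str], findings: List[Finding]) -> List[str]:
    """Cross-check the header counters against the detection lines."""
    issues: List[str] = []
    if header.get("end") != "finished":
        issues.append("scan did not finish: end=%s" % header.get("end"))
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    if found != len(findings):
        issues.append(f"header says found={found} but {len(findings)} detection lines parsed")
    if cleaned != found:
        issues.append(f"{found - cleaned} detection(s) reported but not cleaned")
    for f in findings:
        if "quarantined" not in f.action and "deleted" not in f.action:
            issues.append(f"{f.path}: action '{f.action}' did not remove the object")
    return issues


def classify_location(path: str) -> str:
    """Rough triage by folder; labels are assumptions based on this thread's paths."""
    p = path.lower()
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "backup kept by another security tool"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "Java applet cache"
    if "\\temp\\" in p:
        return "temporary folder"
    return "other"


def location_summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        label = classify_location(f.path)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={hdr.get('scanned')} found={hdr.get('found')} cleaned={hdr.get('cleaned')}")
    for label, n in location_summary(hits).items():
        print(f"  {n} in {label}")
    for issue in audit(hdr, hits) or ["no inconsistencies"]:
        print("  ", issue)
```

Run it against a real log.txt by reading the file into `parse_eset_log`; a non-empty `audit` result is the thing to look at before declaring the scan clean.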

#10 flipinacoin (Topic Starter)

Posted 17 April 2010 - 01:13 AM

It is 1:10 AM CST (my time) so I am going to go ahead and call it a night. The computer does still seem to be functioning well right now, I cannot duplicate any of the original issues, but the last scan found some problems. I will check back in tomorrow afternoon (around 2 pm CST) to see if you have had time to review it and what your advice is on next steps. I am so grateful for your help. THANK YOU!

#11 boopme (Global Moderator, NJ USA)

Posted 17 April 2010 - 09:28 AM

I am an hour later so I already fell asleep.
Anyway... Looks real good. Mbam has updated so let's spend another 10 minutes on being sure.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#12 flipinacoin (Topic Starter)

Posted 17 April 2010 - 06:33 PM

I'm a little late but going to scan now.

#13 boopme (Global Moderator, NJ USA)

Posted 17 April 2010 - 06:48 PM

No problem, I'll be here for a couple of hours.

#14 flipinacoin (Topic Starter)

Posted 17 April 2010 - 07:43 PM

MBAM found nothing! WOOHOO! Thank you for ALL your help and time fixing the problem :thumbsup:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4003

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/17/2010 6:50:23 PM
mbam-log-2010-04-17 (18-50-23).txt

Scan type: Quick scan
Objects scanned: 117714
Time elapsed: 13 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I would like to ask you one last question, if I may, regarding prevention.

Do you know much about and/or would you recommend using the TeaTimer function in Spybot? If not, Is there a specific prevention application compatible with Trend Micro that you would suggest using on a regular basis?

From your notes on TeaTimer above it seems like adding this back in may help prevent the computer we have been working with from getting this type of Trojan/malware again. I only deleted it originally because of the space and memory it took up and it didn't seem necessary.

The computer belongs to and is primarily used by my father-in-law. He is a novice user and probably won't advance much past that so I don't want to add anything that is not very easy to use. Completing Spybot updates and scans is a small challenge for him, so you can see my dilemma. I appreciate any feedback you may be able to offer here.

#15 boopme (Global Moderator, NJ USA)

Posted 17 April 2010 - 09:01 PM

Great news... OK, I need to know if you have the paid versions of TM and/or SpyBot, as we can replace these, but if you paid, do you want to?

For the PC ...


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.