Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows security alert


  • Please log in to reply
6 replies to this topic

#1 almagg

almagg

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:40 AM

Posted 01 June 2010 - 08:24 PM

yeah i have it and there is no year shown.
keeps telling me pages are unsafe, computer being attacked, files infected etc...
i cannot even do a search on the forum.
when i do i get a window telling me to go to the virus protection page.
even on craig's list, i can access the computer forum but when i do a search i get the above mentioned window.

malware bytes caught four items and successfully deleted them, but it did not tell me i had to reboot and i did not want to do that yet till i had more info.

Avira just finished scanning and caught nothing.
would going to a restore point be the easiest way to take care of it?

thanks

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:40 AM

Posted 01 June 2010 - 10:05 PM

Please post that MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 almagg

almagg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:40 AM

Posted 02 June 2010 - 02:11 AM

ok i am will go thru your instructions.

previously i ran malware twice before i received your response.
first in normal mode - i ran rkill.exe which stopped the fake alerts and ran the various programs i mentioned.

second i went into safe mode and ran rkill.exe and the virus apps and this has not worked either.

below are the two mbam logs. both times it says the infections were deleted.
before i go thru the whole process again i will wait for you to take a look at the logs.
what about just doing a system restore?

NORMAL MODE

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4162

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/1/2010 9:41:45 PM
mbam-log-2010-06-01 (21-41-45).txt

Scan type: Quick scan
Objects scanned: 116529
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Zugo (Adware.Zugo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SAFE MODE

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4162

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/1/2010 10:57:16 PM
mbam-log-2010-06-01 (22-57-16).txt

Scan type: Quick scan
Objects scanned: 115834
Time elapsed: 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 almagg

almagg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:40 AM

Posted 02 June 2010 - 10:11 AM

ok here is what i got.
ark file attached
ran ATF in safe mode
did a complete scan ins safe mode with SAS(attached)
ran a quick scan in normal mode with mbam(attached)

still have it.

someone on craig's list just suggested turning off system restore.

anyways i obviously will have to do this again.

thanks for your help and i hope you see this soon and advise.

ARK
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 06:28:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwlorkoc.sys


---- System - GMER 1.0.15 ----

SSDT F7E1297E ZwCreateKey
SSDT F7E12974 ZwCreateThread
SSDT F7E12983 ZwDeleteKey
SSDT F7E1298D ZwDeleteValueKey
SSDT F7E12992 ZwLoadKey
SSDT F7E12960 ZwOpenProcess
SSDT F7E12965 ZwOpenThread
SSDT F7E1299C ZwReplaceKey
SSDT F7E12997 ZwRestoreKey
SSDT F7E12988 ZwSetValueKey
SSDT F7E1296F ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

SAS
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/02/2010 at 10:26 AM

Application Version : 4.34.1000

Core Rules Database Version : 5018
Trace Rules Database Version: 2830

Scan type : Complete Scan
Total Scan Time : 03:48:55

Memory items scanned : 247
Memory threats detected : 0
Registry items scanned : 4729
Registry threats detected : 4
File items scanned : 28540
File threats detected : 0

Rogue.AntivirusSoft
HKU\S-1-5-21-507921405-1993962763-854245398-1001\Software\avsoft

Malware.Trace
HKU\S-1-5-21-507921405-1993962763-854245398-1001\SOFTWARE\AVSUITE
HKLM\SOFTWARE\AVSUITE
HKLM\SOFTWARE\AVSOFT

MBAM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4162

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/2/2010 10:46:15 AM
mbam-log-2010-06-02 (10-46-15).txt

Scan type: Quick scan
Objects scanned: 115822
Time elapsed: 12 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:40 AM

Posted 02 June 2010 - 11:30 AM

Hello, personnally I dump the restore points last so I have at least an infected one if needed in case something goes wrong.
Appears we have protected malware.
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Include the GMER logs you posted earlier.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 almagg

almagg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:40 AM

Posted 02 June 2010 - 02:27 PM

right after i posted my response the malware security icons in the taskbar went away and the alerts stopped.
i turned off system restore and ran MBAM and it just picked up avsuite which was removed.
i then started up in safe mode and ran a quick scan in SAS and MBAM.
and they both came up clean and everything seems to be working ok.

that was weird because when i had rebooted after following your procedure the problem was there and then it just went away. also initially there were too many boxes checked in SAS and unchecking them probably helped.

thanks a lot for your assistance.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:40 AM

Posted 03 June 2010 - 08:59 AM

Hello ,just quirky getting out of the registry I'd say. Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users