Antivirus Soft stopping Updates

#1 jckbredwards
Posted 02 June 2010 - 10:24 PM

Hello, I was sent here by Orange Blossom. I started with an Antivirus Soft virus on my daughter's laptop. Followed her guide and removed it, but it appears traces linger as I cannot update Microsoft Security Essentials or, I think, Windows generally. I am attaching the dds attach and gmer logs I was able to create. The pop ups have stopped and I have regained control of IE (but don't generally use it, I prefer Firefox). The redirects to shopping sites have stopped as well. It seems the one thing I can't do is the updating of MSE. MBM shows no current infections. Thank you for any assistance on where to go next.

#2 kahdah
Posted 06 June 2010 - 11:35 AM

Hello jckbredwards

Welcome to BleepingComputer
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
========================
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
================
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 jckbredwards
Posted 06 June 2010 - 02:13 PM

I did as directed and did not see any Microsoft Recovery Console so I'm guessing it must be installed as the combo fix just downloaded a newer version and ran. Here is the log it created. Will await further instructions.

#4 kahdah
Posted 07 June 2010 - 06:04 AM

Hi, did you run TDSSKiller?
If so, please post the log from it.
The instructions to run it are in my previous post; please run it if you haven't already, and if you did run it, please post the log from it.

#5 jckbredwards
Posted 07 June 2010 - 08:46 AM

Hello,
I did run tdsskiller and as I recall it did not generate a log. I followed the instructions and I think it said it found something and stopped it and that I needed to reboot. I ran it again and now it shows zeros across the board, i.e. Registry objects infected 0/0/0 and file objects infected 0/0/0. Hope this helps. Then it says press any key to continue and it goes away.

#6 kahdah
Posted 07 June 2010 - 01:05 PM

Check here > C:\TDSSKiller*.txt (the * stands for anything after the TDSSKiller).
It will automatically make a log in the C:\ drive. Please post the first one, then the other that was just run.

Edited by kahdah, 07 June 2010 - 01:05 PM.


#7 jckbredwards
Posted 07 June 2010 - 01:51 PM

Thanks for that. Found 'em. Here you go.

#8 kahdah
Posted 08 June 2010 - 06:29 AM

Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.
CODE
@Echo off
rem Remove the directory the infection created under the user's profile
rd /q /s "c:\documents and settings\Kelsey1\Local Settings\Application Data\jcymxwgpk"
rem Delete this batch file itself once it has run
del %0

Then please double click on fixthis.bat; a window will open and close quickly. This is normal.
================
Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

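As an added verification step that is not part of kahdah's instructions: a PowerShell snippet that confirms the directory removed by fixthis.bat is really gone and reports any Run/RunOnce autorun value that still references it. It only reads; the path is the one from the batch file above, and it assumes you run it while logged in as the affected user so HKCU is that user's hive.

```powershell
# Added example (not part of kahdah's instructions): after running fixthis.bat,
# confirm the rogue's directory is gone and report any autorun value that still
# points at it. Read-only: nothing is deleted or modified.
# Run as the affected user (Kelsey1) so that HKCU refers to that profile.
$target = 'c:\documents and settings\Kelsey1\Local Settings\Application Data\jcymxwgpk'
$leaf   = Split-Path -Leaf $target   # 'jcymxwgpk'

if (Test-Path -LiteralPath $target) {
    Write-Output "STILL PRESENT: $target"
    Get-ChildItem -LiteralPath $target -Force | ForEach-Object {
        Write-Output ("  {0}  {1} bytes" -f $_.Name, $_.Length)
    }
} else {
    Write-Output "Removed: $target"
}

# Standard logon autorun locations to check for a leftover reference
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = 0
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PowerShell's own note properties
        if ("$($p.Value)" -like "*$leaf*") {
            $hits++
            Write-Output "AUTORUN REFERENCE: $key\$($p.Name) = $($p.Value)"
        }
    }
}
if ($hits -eq 0) { Write-Output 'No autorun entries reference the removed directory.' }
```

If the script reports an autorun reference, post the key and value rather than deleting it by hand, so the helper can decide on the next step.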

#9 jckbredwards
Posted 08 June 2010 - 10:32 AM

Ok. Ran the added code and then MBM after updating. The MBM ran fine. It found no infections. I opened IE and went to eset and the box did not say "scan unwanted applications". The choices were "Remove Found Threats" and "Scan archives"; there was no "Scan unwanted applications" box. I left the scan archives box UNchecked. I hope this was ok. If not, let me know and I'll do it again. There was a place to click for "advanced settings" but I did NOT click on that. Attached is the eset log. It did find threats and presumably removed them (it quarantined them and asked if I wanted to delete them and I checked YES). What's next?

Attached Files

  • Attached file: log.txt (3.98 KB)


#10 kahdah
Posted 08 June 2010 - 01:17 PM

Great, the way you did it was fine.
They change the interface from time to time.

Please let me know of any further problems, and run DDS once more and post only the DDS.txt log that opens.

#11 jckbredwards
Posted 08 June 2010 - 02:53 PM

No more redirects. I have not tried to update MSE yet. Here are the DDS logs.

#12 jckbredwards
Posted 08 June 2010 - 03:22 PM

I turned the defogger back on and ran MSE and it updated fine. No redirects or pop ups. Looks good now. Anything else need to be done?

#13 kahdah
Posted 08 June 2010 - 05:58 PM

Great, now your logs are clean.

=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people for preventing malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
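As an added check for the "remove all older versions of Java" step, not part of kahdah's instructions: a PowerShell snippet that lists every Java runtime registered in Add/Remove Programs and flags those older than the JRE being installed. It assumes that JRE 6 Update 20 (the jre-6u20 installer named above) registers DisplayVersion 6.0.200; the Uninstall registry paths are the standard ones.

```powershell
# Added example (not part of kahdah's instructions): list every Java runtime
# registered in Add/Remove Programs and flag those older than the JRE being
# installed. Assumption: JRE 6 Update 20 registers DisplayVersion 6.0.200
# (the jre-6u20 installer); adjust $latest if a newer build is used.
$latest = [version]'6.0.200'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # absent on 32-bit XP
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' -and $_.DisplayVersion }

if (-not $entries) { Write-Output 'No Java entries found in Add/Remove Programs.' }

foreach ($e in $entries) {
    # Old J2SE entries use 1.5.0.xx style versions, JRE 6 uses 6.0.xx0;
    # both compare correctly once cast to [version].
    $v = $null
    try { $v = [version]$e.DisplayVersion } catch { }
    if ($v -eq $null)        { $state = 'UNPARSED' }
    elseif ($v -lt $latest)  { $state = 'OLD - remove' }
    else                     { $state = 'current' }
    Write-Output ("{0,-12} {1,-45} {2}" -f $state, $e.DisplayName, $e.DisplayVersion)
    if ($state -eq 'OLD - remove' -and $e.UninstallString) {
        Write-Output "             uninstall via: $($e.UninstallString)"
    }
}
```

Run it again after the Add/Remove Programs step and the reboot; only the single current entry should remain.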



