Is this computer worth recovering or should I format it all?

#1 MedinaFamily

Posted 23 June 2010 - 01:29 PM

So, I was visiting family and was called upon to play Tech Support. They had Norton 360, but it was installed wrong, so they were concerned for their security.

Computer is running Windows Vista Home Premium, SP 1. There are two profiles, the admin and another user.

While in admin, I tried to update Windows. Attempts to update SP result in error 80240016. Tried shutting down and restarting Windows Update from admin command line. No change after successful restart. Decided to try on the other profile.

Logged on to secondary user. Immediately assaulted by 3 different 'You are infected, click here for anti-virus software' adware. Attempts to download MBAM failed as internet was being redirected. Logged off secondary user.

Attempted to access internet from admin account. IE works. Download MBAM successfully and run scan. Results listed at end of post. Most were listed as successfully removed, but better to be sure.

Restarted in Safe Mode and ran another scan. All clear. Ran C-Cleaner to make sure everything was cleaned.

Is it worth it to download Super-AntiSpyware and try to salvage, or just get what I can salvage and format the drive?

~~~~MBAM LOG~

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4226

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/22/2010 11:27:07 PM
mbam-log-2010-06-22 (23-27-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 277095
Time elapsed: 1 hour(s), 15 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 46

Memory Processes Infected:
C:\Users\Elias Medina\AppData\Local\asam.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\wstech.wstechb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wstech.wstechb.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\WStech.DLL (Rogue.GreenAV) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69387646557683 (Rogue.GreenAV) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37465982736455 (Rogue.GreenAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Settings (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\ProgramData\gwr (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.
C:\ProgramData\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Green AV (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\Microsoft\Windows\Start Menu\A360 (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.
C:\Windows\System32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Elias Medina\AppData\Local\asam.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Local\syssvc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2NKIW7UW\n008106201318r0409J0d000601Ree18187fXd4c23d67Y98dc4faeZ0100f0701[1] (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9Y8P4N3J\n008106201318r0409J0d000601Ra6ab6b00W6512bec0Xd4fc9145Y98dc4faeZ0100f0701[1] (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Local\Temp\iMJV.exe (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Local\Windows Server\fcexhl.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Local\av.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Local\Temp\HQgF.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\rs.dat (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jul 01 - 12_01_26 AM_250.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jul 03 - 07_11_26 PM_182.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jul 17 - 05_07_00 PM_671.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jul 24 - 11_23_07 PM_556.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jul 28 - 07_36_09 PM_516.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 17 - 03_00_01 AM_308.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 17 - 03_00_01 AM_831.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 17 - 03_40_09 PM_100.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 23 - 01_45_36 PM_275.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 26 - 01_14_20 AM_305.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 29 - 09_06_40 PM_371.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Log\2009 Jun 30 - 12_06_46 AM_605.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\AntiSpywareBot\Settings\ScanResults.pie (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\ProgramData\gwr\Viruses.dat (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\ProgramData\gwr\wsn.bat (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAEula.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Green AV\ Green AV .lnk (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\Microsoft\Windows\Start Menu\A360\A360.lnk (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Help.lnk (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Roaming\Microsoft\Windows\Start Menu\A360\Registration.lnk (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.AV360) -> Quarantined and deleted successfully.
C:\Users\Public\Desktop\ Green AV .lnk (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Yasmin Medina\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\Local Settings\Application Data\Windows Server\fcexhl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\AntispywareBot Scheduled Scan.job (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Windows\Tasks\AntispywareBot System Startup.job (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Elias Medina\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#2 quietman7

Posted 24 June 2010 - 07:51 AM

Restarted in Safe Mode and ran another scan.

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.

After performing a new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Is it worth it to download Super-AntiSpyware and try to salvage

If nothing else, you gain experience by attempting to disinfect, as you can always reformat. If you don't want to download SuperAntispyware, then do this: Perform a scan with SUPERAntiSpyware Online Safe Scan.
  • Be sure to follow the instructions provided on that same page.
  • When the scan is complete, please post the results in your next reply.
Note: If the link for the online scan opens to the Home Page, scroll down to the list of Popular links and click on the one for SUPERAntiSpyware Online Safe Scan.

-- If you encounter any problems using the online scan, try downloading and using the SUPERAntiSpyware Portable Scanner instead.
  • Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer.
  • Then double-click on it to launch and scan.
  • The file is randomly named to help keep malware from blocking the scanner.

should I format it all?

The degree of infection and amount of resultant damage can vary depending on the type of malware you are dealing with. If infection was due to a rootkit, backdoor Trojan, Botnet, or IRCBot, be aware that many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Your decision as to what action to take should be made by reading and asking yourself the questions presented in these articles: In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned, repaired, or trusted, especially if you are dealing with rootkit components that can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. In some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired, or trusted. Wiping your drive, reformatting, and performing a clean install of the OS, or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition, removes everything and is the safest action, but I cannot make that decision for you.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
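The MBAM log in the first post and quietman7's point above (rootkit, backdoor or botnet components tip the decision toward a wipe and reinstall) can be combined into a small triage script. This is an added example, not code from either poster or from Malwarebytes. It parses the MBAM 1.46 detection-line format seen in the post (`<item> (<Family>) -> <action>.`), runs here over a constructed, abridged excerpt with placeholder user names, and reports what a reviewer would look at first: detections that were not fully removed, persistence mechanisms (Run values, shell\open\command handlers, .job scheduled tasks, all of which appear in the posted log), and families that usually justify a reinstall. The family-to-risk mapping is an assumption based on public family naming (Alureon is the TDSS/TDL rootkit family; Koobface is a botnet worm), not something the page or Malwarebytes states.

```python
import re
from collections import defaultdict

# One MBAM 1.46 detection line, as seen in the posted log:
#   <path or registry key> (<Family>) -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Persistence mechanisms visible in the posted log, matched against the
# lower-cased item path/key.
PERSISTENCE_PATTERNS = [
    (r"\\currentversion\\run\\", "autostart Run value"),
    (r"\\shell\\open\\command", "file-association (shell open) hijack"),
    (r"\\windows\\tasks\\.*\.job$", "scheduled task"),
]

# Assumption: family-to-risk mapping from public naming, not from the page or
# from Malwarebytes. These are the rootkit/botnet cases quietman7 says usually
# justify wiping and reinstalling.
HIGH_RISK_FAMILIES = {
    "Trojan.Alureon": "TDSS/TDL rootkit family",
    "Worm.KoobFace": "botnet worm",
}

# Constructed, abridged excerpt in the posted log's format; user names are
# placeholders.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Users\User A\AppData\Local\asam.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37465982736455 (Rogue.GreenAV) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\User B\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.

Files Infected:
C:\Users\User A\AppData\Local\Temp\iMJV.exe (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Windows\Tasks\AntispywareBot Scheduled Scan.job (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return a list of {section, item, family, action} dicts from an MBAM log."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers look like "Files Infected:"; the summary block at the
        # top of a real log ("Files Infected: 46") does not end with a colon.
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections


def triage(detections):
    """Summarise what still needs attention after the MBAM run."""
    counts = defaultdict(int)
    incomplete = []   # anything not already quarantined and deleted
    persistence = []  # (mechanism, item) pairs worth re-checking after reboot
    high_risk = {}    # family -> reason it tips the decision toward reinstall
    for d in detections:
        counts[d["section"]] += 1
        if d["action"] != "Quarantined and deleted successfully":
            incomplete.append((d["item"], d["action"]))
        item_lower = d["item"].lower()
        for pattern, label in PERSISTENCE_PATTERNS:
            if re.search(pattern, item_lower):
                persistence.append((label, d["item"]))
        if d["family"] in HIGH_RISK_FAMILIES:
            high_risk[d["family"]] = HIGH_RISK_FAMILIES[d["family"]]
    return {
        "counts": dict(counts),
        "incomplete": incomplete,
        "persistence": persistence,
        "high_risk": high_risk,
        "recommend_reinstall": bool(high_risk),
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The "Delete on reboot" and "Unloaded process successfully" entries are the ones to verify with a fresh normal-mode scan, as quietman7 asks for, and the persistence hits are the locations to re-inspect if the fake-AV alerts come back after the reboot.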