Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spybot indicates attempts at malicous websites


  • Please log in to reply
31 replies to this topic

#1 BQfromNY

BQfromNY

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 05 August 2010 - 03:01 PM

Is my LAPTOP infected? I have both spybot and malware bytes running in the background. Spybot indicates it has blocked several attempts at connecting to malicous websites. I scanned my computer using both programs and thay report no issues.

Please note... I had a virus not too long ago that I think I got rid of but this might be the "after effects". I do not remember the name of the virus.

It should also be noted that Iam currently receiving help in regards to my desktop which IS infected (I believe my childs laptop is also infected).

Please advise.

== BQ ==

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 05 August 2010 - 04:21 PM

I've edited as I mis read.
I suggest we run 2 scans.
An online and then a rootkit scan.

ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "< button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log



GMER:This may not run if you have VISTA or WIN7 64 bit.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Edited by boopme, 05 August 2010 - 04:27 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 06 August 2010 - 05:05 AM

C:\Users\Bill Querrie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-5b4610d8 multiple threats
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-36f650ba multiple threats
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\73b30ea5-1f8725b8 multiple threats
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-4513b783 probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\43d1e232-31a5b489 multiple threats
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\31bba1f4-22f2a97f probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\16e2b0f5-592cf36c a variant of Java/Exploit.Agent.NAC trojan
C:\Users\Bill Querrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4432378-1befbcfd a variant of Java/Exploit.Agent.NAC trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\Deep_Shredder_11_UCI.zip probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\BQ\muzic\Tournament.Indicator.2008.v1.2.1.WinAll.Cracked-SpokerY\Tournament.Indicator.2008.v1.2.0.WinAll.Cracked-SpokerY\CRACK\Indicator.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\BQ\Poker-Tournament.Indicator.v1.2.4.WinAll.Cracked-ZARDOZ\CRACK\Indicator.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\BQ\Poker.Indicator.v2.0.6.WinAll.Cracked-PALACEup\Crack\PokerIndicator.exe probably a variant of Win32/Genetik trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\BQ\Poker.Office.v2.38.Incl.Keys.PROPER-BOA\Poker.Office.V.2.38 Install.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\BQ\Tournament.Indicator.2008.v1.2.0.WinAll.Cracked-SpokerY\CRACK\Indicator.exe probably a variant of Win32/Agent trojan
C:\Users\Bill Querrie\Desktop\BQs Desktop\Deep_Shredder_11_UCI\Deep Shredder 11\keygen.exe probably a variant of Win32/Agent trojan

++++++

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-06 06:02:08
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\BILLQU~1\AppData\Local\Temp\agtiipow.sys


---- System - GMER 1.0.15 ----

SSDT 8747FC08 ZwAlertResumeThread
SSDT 87480040 ZwAlertThread
SSDT 8747D950 ZwAllocateVirtualMemory
SSDT 874EE390 ZwConnectPort
SSDT 87465C10 ZwCreateMutant
SSDT 8747DAA8 ZwCreateThread
SSDT 8747CAD0 ZwFreeVirtualMemory
SSDT 872D5768 ZwImpersonateAnonymousToken
SSDT 8747D1E8 ZwImpersonateThread
SSDT 8747C9F0 ZwMapViewOfSection
SSDT 874725B0 ZwOpenEvent
SSDT 8747EBE8 ZwOpenProcessToken
SSDT 874658B0 ZwOpenThreadToken
SSDT 87464E48 ZwResumeThread
SSDT 874657F0 ZwSetContextThread
SSDT 87465970 ZwSetInformationProcess
SSDT 87465730 ZwSetInformationThread
SSDT 87472578 ZwSuspendProcess
SSDT 874655B0 ZwSuspendThread
SSDT 8747D7C8 ZwTerminateProcess
SSDT 87465670 ZwTerminateThread
SSDT 8747C930 ZwUnmapViewOfSection
SSDT 8747CB90 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822E2880 8 Bytes [08, FC, 47, 87, 40, 00, 48, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822E2894 2 Bytes [50, D9]
.text ntkrnlpa.exe!KeSetEvent + 134 822E2897 1 Byte [87]
.text ntkrnlpa.exe!KeSetEvent + 1C1 822E2924 4 Bytes [90, E3, 4E, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 822E2958 4 Bytes [10, 5C, 46, 87] {ADC [ESI+EAX*2-0x79], BL}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A155000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A19E000, 0x510, 0x40000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2916] kernel32.dll!SetUnhandledExceptionFilter 7755A84F 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!SetWindowsHookExW 776A87AD 5 Bytes JMP 6E659AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!CallNextHookEx 776A8E3B 5 Bytes JMP 6E64D0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!UnhookWindowsHookEx 776A98DB 5 Bytes JMP 6E5C467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!CreateWindowExW 776B1305 5 Bytes JMP 6E65DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxParamW 776D10B0 5 Bytes JMP 6E5854C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxIndirectParamW 776D2EF5 5 Bytes JMP 6E75480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxParamA 776E8152 5 Bytes JMP 6E7547AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!DialogBoxIndirectParamA 776E847D 5 Bytes JMP 6E754872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxIndirectA 776FD4D9 5 Bytes JMP 6E754741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxIndirectW 776FD5D3 5 Bytes JMP 6E7546D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxExA 776FD639 5 Bytes JMP 6E754674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] USER32.dll!MessageBoxExW 776FD65D 5 Bytes JMP 6E754612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] ole32.dll!OleLoadFromStream 76221E12 5 Bytes JMP 6E754B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4200] ole32.dll!CoCreateInstance 76259EA6 5 Bytes JMP 6E65DB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!CreateWindowExW 776B1305 5 Bytes JMP 6E65DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!DialogBoxParamW 776D10B0 5 Bytes JMP 6E5854C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!DialogBoxIndirectParamW 776D2EF5 5 Bytes JMP 6E75480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!DialogBoxParamA 776E8152 5 Bytes JMP 6E7547AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!DialogBoxIndirectParamA 776E847D 5 Bytes JMP 6E754872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!MessageBoxIndirectA 776FD4D9 5 Bytes JMP 6E754741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!MessageBoxIndirectW 776FD5D3 5 Bytes JMP 6E7546D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!MessageBoxExA 776FD639 5 Bytes JMP 6E754674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4520] USER32.dll!MessageBoxExW 776FD65D 5 Bytes JMP 6E754612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BB7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C0A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BBBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BAF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BB75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BAE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73BE8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73BBDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BAFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BAFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BA71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73C3CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73BDC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BAD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73BA6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73BA687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BB2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 06 August 2010 - 09:52 AM

Hello.
Cracking and keygen tools are often obtained via peer-to-peer (P2P) or file sharing programs which too are a security risk. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help!. In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Read P2P Software User Advisories, Risks of File-Sharing Technology and P2P file sharing: Anticipate the risks....


Run a File cleaner:TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe


alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 06 August 2010 - 05:04 PM

Done with both - no threats found.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4397

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/6/2010 6:03:38 PM
mbam-log-2010-08-06 (18-03-38).txt

Scan type: Quick scan
Objects scanned: 157742
Time elapsed: 19 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 06 August 2010 - 08:00 PM

This look s good now. If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 06 August 2010 - 09:40 PM

OK.. I have an issue.. I was attempting to install firefox as advised but in the process windows explorer stopped working.. it now seems to be stuck in a loop crashing and attempting to restart which freezes my computer.. plz advise.

== BQ ==

Also.. what programs do you suggest I run for ongoing protection.. another mod told me to run superantispyware.. is that all I need?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 06 August 2010 - 10:01 PM

With your A/V,update and scan weekly with MBAM you have and SAS, a great tool.
Usually if you think you have an infection and not a routine scan then run SAS in safe mode.

Here's how to use it.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Sounds like a bad install of Firefox
Uninstall it from Control Panel. See if IE normalizes.
If not try doing a system restore to the new Restore point you made after the infection.

Then reinstall FireFox. http://www.mozilla.com/en-US/firefox/ie.html
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 06 August 2010 - 10:05 PM

I didnt try to install firefox yet, I just dled it.. I was in the process of uninstalling an old copy. Now, I cant access anything.. I cant access the control panel or open a browser to repair explorer. I tried safe mode to no avail.. I restored to my last working restore point and nothing.. plz help.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 06 August 2010 - 10:14 PM

I will ask someone thao look here.t specializes in this situation t
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 06 August 2010 - 11:23 PM

OK.. I think the culprit has something to do w/ google toolbar because I was attempting to delete that when things went bad.. FYI

#12 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 07 August 2010 - 03:32 PM

solved my explorer issue.. seems it was a conflict with a media player I had installed. My latest scans of MB and Spybot say Iam clean.. Here are my current issues.

1.. It appears I have some files on my desktop that should be hidden they have names that start with "$" and I can see my desktop.ini

2.. In an attempt to solve my explorer issue a guy told me to do this..

Try this - type "msconfig" into the run box. Go to the startup tab, disable everything. Then go to the services tab, check "hide all microsoft services", then disable everything still showing. Reboot.

This will show us if it's something you installed or if it's the OS.


I reversed hsi directions when it didnt solve my issue.. anything else I need to do?

Other then that.. do you have any other advise? I feel I need a VERY good "cleaning".. what about my registry or my startup programs?

Thxs again!

== BQ ==

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 07 August 2010 - 04:01 PM

Hi, I have always found the $ sign at the end of Hidden Files.. So I need to ask about this...
Do not run a registry cleaner they do more harm then good..
You can ask about your start up list in the XP forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 07 August 2010 - 04:10 PM

ok.. seems we have a new issue...

I just ran SAS and it detected a trogan by the name of trojan.agent/gen-hackpatch which I removed.. nto doing anythign unti I hear from you again.

== BQ ==

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:24 PM

Posted 07 August 2010 - 05:19 PM

OK, we will run a deep long scan.. Hopefully we'll find this. If not we may need to move to the forum with your other machine.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users