Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rogue Infection (?)


  • Please log in to reply
14 replies to this topic

#1 Rewster

Rewster

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 14 September 2010 - 09:09 PM

Well, Microsoft Security Essentials detected a Rogue:JS/FakeSpypro infection on my computer. I checked out the details, and it seems to be the Sophos Anti Rootkit I have on the computer. It was strange though, because only a file in Appdata was deleted, and not the actual Sophos files in Program Files(x86)

So, I am not sure I am actually infected, or this is just a false positive.

http://www.microsoft.com/security/portal/T...atid=2147634372

Edited by Rewster, 14 September 2010 - 09:10 PM.


BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 21 September 2010 - 02:09 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 21 September 2010 - 09:23 PM

I had scanned my Computer with MalwareBytes Anti-Malware, Super AntiSpyware, and Microsoft Security Essentials right after MSE found the infection. None of them found anything (I did full scans). I will run the scan and provide you the log as you requested anyways. The infection isn't Sophos, I just read the information given by MSE wrong.

Here is the information from MSE.
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items: 
containerfile:C:\Users\home\AppData\Local\ucepepubit.dll
file:C:\Users\home\AppData\Local\ucepepubit.dll->(SCRIPT0000)





Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4667

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

9/21/2010 9:23:00 PM
mbam-log-2010-09-21 (21-23-00).txt

Scan type: Quick scan
Objects scanned: 150356
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Rewster, 21 September 2010 - 09:44 PM.


#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 21 September 2010 - 09:34 PM

Please run a scan with SUPERAntiSpyware in Safe Mode and post the log.

How to start Windows in Safe Mode
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 21 September 2010 - 09:40 PM

Quick scan or full scan?

Could this possibly be a remaining file from my previous Security Suite infection? thc helped me remove it, but MBAM found an extra file a couple weeks after Security Suite was removed, after some new definitions were added.

Edited by Rewster, 21 September 2010 - 09:46 PM.


#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 21 September 2010 - 09:49 PM

Quick scan is okay.

Could this possibly be a remaining file from my previous Security Suite infection?

It's possible.

Edited by Budapest, 21 September 2010 - 09:49 PM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:39 PM

Posted 21 September 2010 - 09:54 PM

Pardon my interuption it can be from that and several Rogue AV programs.
Run These first
>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


Thanks
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 21 September 2010 - 09:57 PM

RKill just terminated itself, nothing else.

Continuing with the scan.

~~Going to bed, I will post the log when I wake up tomorrow.

Edited by Rewster, 21 September 2010 - 10:26 PM.


#9 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 22 September 2010 - 09:59 AM

~~Scan time was extended because I had checked all drives to scan. Four of those drives did not exist, so it had a popup which waited for my response.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/22/2010 at 09:57 AM

Application Version : 4.35.1002

Core Rules Database Version : 5556
Trace Rules Database Version: 3368

Scan type : Quick Scan
Total Scan Time : 12:14:14

Memory items scanned : 208
Memory threats detected : 0
Registry items scanned : 485
Registry threats detected : 0
File items scanned : 150692
File threats detected : 1

Adware.Tracking Cookie
C:\Users\home\AppData\Roaming\Microsoft\Windows\Cookies\home@doubleclick[1].txt

Edited by Rewster, 22 September 2010 - 10:11 AM.


#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 22 September 2010 - 04:05 PM

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 25 September 2010 - 11:49 AM

Nothing was found.

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 25 September 2010 - 05:42 PM

Is Microsoft Security Essentials still finding anything?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#13 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 25 September 2010 - 07:39 PM

No, it hasn't. I'm thinking they just updated their definitions and found some left-over files from an old rogue infection.

#14 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:39 AM

Posted 25 September 2010 - 08:59 PM

If you are not experiencing any problems I think you are good to go.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#15 Rewster

Rewster
  • Topic Starter

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 25 September 2010 - 10:41 PM

No problems here. Feel free to lock the topic if you want.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users