Win 7 Security 2011 / exe virus returned 3x


  • This topic is locked
11 replies to this topic

#1 JH&A
Members, 26 posts

Posted 30 March 2011 - 08:35 AM

Hello!

A few weeks ago I posted on the "Am I infected" forum that I had the Win 7 Security 2011 virus that generated fake warnings, then downloaded something on my computer that made it impossible to open executable files. At the time, I was calling it the .exe virus. I completed the "doug knox fix" by opening notebook as an administrator (one of the few programs on my computer I could run), and pasting the fix. I followed up by updating and running Malwarebytes Anti-Malware, SpywareBlaster and the Esets scan. MAM and Esets found some entries and cleaned them. The problem appeared to be fixed.

A week later, I received another fake warning and almost immediately could not open any exe files. Again, ran the doug knox fix, updated and scanned with MAM, Spywareblaster and Esets. This time they did not detect anything. Problem solved.

This morning I have been bombarded with fake warnings for the same virus. They mostly appear as pop-ups, but some appear to be generated from my Control Panel, asking me to turn on Win 7 Security. So far exe files have not been affected.

My OS is Windows 7. I use ZoneAlarm and generally have not had a major problem with malware or viruses.

I followed your preparation guide and will attach the DDS link. I had problems with GMER. I downloaded it to my desktop and clicked on "extract all files." One file appeared. When I clicked on it, the correct screen appeared but I ran into trouble trying to select the options. The choices systems, sections, devices, modules, etc. appear, but I am not able to select them. The only things selected are services, registry, files, C:\ and ADS. It appears to start scanning as soon as I open it and before I can try to check/uncheck boxes. I tried to download this program from both links you provided with the same result.

At this point, I don't know if the virus was never properly cleaned or if it keeps getting through ZoneAlarm. Btw, I do keep receiving weird emails in my yahoo account, but I don't click on them so I don't know how the virus could get through. A quick google search and bleeping computer search did not provide me with any other options for cleaning this and the fix I used was geared toward Windows XP. Any help would be greatly appreciated!

Attached Files




#2 Ried
Malware Response Team, 1,009 posts

Posted 04 April 2011 - 08:58 PM

Hello JH&A,

I do see the Attach.txt, but I do not see the dds.txt included in your attachment. Kindly run dds.scr again and copy/paste the contents of the dds.txt in your next reply.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 JH&A (Topic Starter)
Members, 26 posts

Posted 05 April 2011 - 06:55 AM

Oops, sorry about that. DDS is now attached.

Update: since posting the inquiry, I've needed to use the doug knox fix several times. Each time I use it the problem appears to immediately be fixed. Inevitably, though, I start to receive the fake warnings again. Not all fake warnings lead to my .exe files being disabled; sometimes the warnings just stop coming. I can't tell what's triggering the warnings to start, and why some warnings lead to the full-blown problem of not being able to open anything. Most recently, I noticed the fake warning started and immediately affected the .exe files after a re-direct to the Monster Marketplace website. That's the only time I've seen Monster Mktplc involved, though. Thanks.

Attached Files

  • Attached File  DDS.txt   17.85KB   4 downloads


#4 Ried
Malware Response Team, 1,009 posts

Posted 05 April 2011 - 07:47 AM

Thank you. :)

It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 JH&A (Topic Starter)
Members, 26 posts

Posted 05 April 2011 - 10:25 AM

Hi,
I disabled security apps according to instructions. I then downloaded Combofix. When opened, I receive a message saying that Combofix detected that Ad-Watch Live is still running. I again opened Ad-aware and looked at Ad-Watch. It appears to be disabled. What should I do about this message?
Thanks.

#6 Ried
Malware Response Team, 1,009 posts

Posted 05 April 2011 - 02:47 PM

If you are certain you have it disabled, Ok your way through the warnings.



#7 JH&A (Topic Starter)
Members, 26 posts

Posted 05 April 2011 - 04:38 PM

combofix log attached

ComboFix 11-04-04.04 - Davis Family 04/05/2011 17:21:17.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1756 [GMT -4:00]
Running from: c:\users\Davis Family\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\chrome.manifest
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\chrome\content\_cfg.js
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\chrome\content\overlay.xul
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\install.rdf
c:\users\Davis Family\AppData\Local\aea.exe
c:\users\Davis Family\AppData\Local\iys.exe
c:\users\Davis Family\AppData\Local\jwn.exe
c:\users\Davis Family\AppData\Local\mjr.exe
c:\users\Davis Family\AppData\Local\mpi.exe
c:\users\Davis Family\AppData\Local\nub.exe
c:\users\Davis Family\AppData\Local\oav.exe
c:\users\Davis Family\AppData\Local\pep.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-05 21:27 . 2011-04-05 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-05 21:19 . 2011-04-05 21:20 -------- d-----w- C:\32788R22FWJFW
2011-03-18 11:15 . 2011-03-18 11:15 -------- d-----w- c:\users\Davis Family\AppData\Local\Apple
2011-03-11 02:56 . 2011-03-16 10:32 -------- d-----w- c:\users\Davis Family\AppData\Local\Adobe
2011-03-10 00:12 . 2010-12-18 06:12 3138048 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 00:12 . 2010-12-18 06:08 1097216 ----a-w- c:\windows\system32\mstsc.exe
2011-03-10 00:12 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-03-10 00:12 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\SysWow64\mstsc.exe
2011-03-08 11:57 . 2011-02-11 07:30 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8ACF6C6C-8CBF-40EA-8693-006FE62F1994}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2010-02-19 19:55 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 06:53 . 2011-02-09 20:37 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-09 20:37 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-09 20:37 144384 ----a-w- c:\windows\system32\cdd.dll
2011-01-07 08:07 . 2011-02-23 12:12 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 08:07 . 2011-02-23 12:12 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 08:06 . 2011-02-09 20:36 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 07:31 . 2011-02-23 12:12 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-01-07 07:31 . 2011-02-23 12:12 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-01-07 07:27 . 2011-02-09 20:36 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-01-07 05:49 . 2011-02-09 20:36 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 05:33 . 2011-02-09 20:36 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files (x86)\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-05-09 15:50 2517088 ----a-w- c:\program files (x86)\ZoneAlarm\tbZone.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]
2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files (x86)\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2988784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-06-24 468264]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\Davis Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-5-24 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-11 136176]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-11 136176]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-05-26 33008]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 823272]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-07-19 1352832]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:28]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-11 21:24]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-11 21:24]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-17 171520]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 1116136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\Davis Family\AppData\Roaming\Mozilla\Firefox\Profiles\c2a5vzx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\WOW64\TrustChecker
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD} - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files (x86)\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-05 17:29:58
ComboFix-quarantined-files.txt 2011-04-05 21:29
.
Pre-Run: 187,543,044,096 bytes free
Post-Run: 187,274,207,232 bytes free
.
- - End Of File - - A281A1C811FC19E0BDC93F8A19B35F01

Attached Files


Edited by Ried, 05 April 2011 - 04:53 PM.
edited in the CF.txt for viewing
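A quick way to read a ComboFix log like the one above, as an added example that is not part of the original thread and not a ComboFix feature: the script splits the log into its banner sections and flags the patterns that turned out to matter in this case (two-to-four-letter .exe files dropped directly under %LOCALAPPDATA%, Firefox add-on files sitting in a GUID folder outside any Firefox profile, and an ntuser.dat under ProgramData), plus any registry loading point whose target lives in a user-writable AppData folder. The embedded excerpt is constructed from lines in the posted log; the "Updater" Run value at the end is invented purely to exercise the loading-point check and did not appear in the real log.

```python
import re
from typing import Dict, List, Tuple

# ComboFix banners look like "(((((( Other Deletions ))))))" or "------- x86-64 -------".
SECTION_RE = re.compile(r"^[(\-]+\s*(.+?)\s*[)\-]+$")
# Registry loading point value line: "Name"="c:\path\target.exe" [date size]
VALUE_RE = re.compile(r'^"[^"]+"\s*=\s*"([^"]+)"')
# A 2-4 letter executable sitting directly in %LOCALAPPDATA%
LOCAL_SHORT_EXE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\[a-z]{2,4}\.exe$", re.IGNORECASE)
# Firefox add-on skeleton (install.rdf / chrome.manifest / chrome\content\*) in a GUID
# folder under %LOCALAPPDATA% instead of inside a Firefox profile
LOCAL_FF_EXT_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\\{[0-9a-f-]+\}\\"
    r"(?:install\.rdf|chrome\.manifest|chrome\\content\\[^\\]+)$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed excerpt of the posted log. The final "Updater" value is invented for
# illustration; the real log contained no Run entry pointing into AppData.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\ntuser.dat
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\chrome.manifest
c:\users\Davis Family\AppData\Local\{EDC8AA15-6AFD-4C4E-B1A1-A1996D2A24FF}\install.rdf
c:\users\Davis Family\AppData\Local\aea.exe
c:\users\Davis Family\AppData\Local\iys.exe
c:\users\Davis Family\AppData\Local\pep.exe
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
2011-03-18 11:15 . 2011-03-18 11:15 -------- d-----w- c:\users\Davis Family\AppData\Local\Apple
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2988784]
"Updater"="c:\users\Davis Family\AppData\Local\mjr.exe" [2011-04-01 123456]
"""


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                      # ComboFix pads every section with lone dots
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    sections = split_sections(log)
    for path in sections.get("Other Deletions", []):
        if path.lower() == r"c:\programdata\ntuser.dat":
            findings.append((path, "ntuser.dat outside a user profile directory"))
        elif LOCAL_SHORT_EXE_RE.match(path):
            findings.append((path, "short random-named executable directly under %LOCALAPPDATA%"))
        elif LOCAL_FF_EXT_RE.match(path):
            findings.append((path, "Firefox add-on files outside the Firefox profile"))
    for line in sections.get("Reg Loading Points", []):
        m = VALUE_RE.match(line)
        if m and USER_WRITABLE_RE.match(m.group(1)):
            findings.append((m.group(1), "loading point whose target is in a user-writable folder"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run it against a saved C:\ComboFix.txt by passing the file contents to triage(); the heuristics are deliberately narrow (they only encode what this thread showed), so treat a hit as a prompt to look, not as a verdict.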


#8 Ried
Malware Response Team, 1,009 posts

Posted 05 April 2011 - 04:56 PM

The redirects should be gone now. If so, kindly proceed with the next instruction...


It's important to run an online scan to search for any remnants that may be lurking. Please go to here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please do not attach it, copy/paste the log directly into the reply box. Thanks. :)



#9 JH&A (Topic Starter)
Members, 26 posts

Posted 05 April 2011 - 09:13 PM

Doesn't look good.... ESET scan results:

C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\aea.exe.vir a variant of Win32/Kryptik.MCK trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\iys.exe.vir a variant of Win32/Injector.FOZ trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\jwn.exe.vir a variant of Win32/Injector.FOG trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\nub.exe.vir Win32/Adware.XPAntiSpyware.AB application
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\pep.exe.vir a variant of Win32/Kryptik.MCK trojan
C:\Users\Davis Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6298b7e9-32b97d4d Java/TrojanDownloader.OpenStream.NBL trojan

#10 Ried
Malware Response Team, 1,009 posts

Posted 05 April 2011 - 09:21 PM

Actually, it's better than you think. :)

ESET is reporting backups that were created during the course of this fix. Those will be cleared out momentarily, when we uninstall ComboFix.

The infection in your Java Cache is easily cleared. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
==================================


After you've completed that, your logs are clean. If there aren't any more problems, we can tend to the final cleanup. Please do not skip this step as it will implement important cleanup procedures, as well as reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


On your keyboard, press the Windows Logo key and the letter R to bring up the Run command box. Copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust): as 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/backup-windows-vista-registry-daily-using-erunt/


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles


**Kindly respond one more time and let me know if we may consider this thread resolved.


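The sorting Ried does in his reply, written out as an added example that is not part of the original thread and not an ESET tool: a hit under C:\Qoobox\Quarantine is a copy ComboFix already removed from its original location (cleared by ComboFix /uninstall), a hit inside the Java deployment cache is cleared by deleting Java's temporary files, and anything else is still live and needs attention. The six result lines are copied from the post above; the single extra line used to exercise the "live" branch is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One exported ESET result line: "<path><whitespace><detection> <category>".
# Windows paths never contain "/", detection names always do (Win32/Kryptik.MCK,
# Java/TrojanDownloader...), so the first "word/word" token marks the detection.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<detection>(?:a variant of\s+|probably\s+)?\w+/\S+.*)$")

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"      # ComboFix's quarantine folder (.vir copies)
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

# The six lines from the post above (whitespace between path and detection as shown there).
ESET_RESULTS = r"""
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\aea.exe.vir a variant of Win32/Kryptik.MCK trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\iys.exe.vir a variant of Win32/Injector.FOZ trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\jwn.exe.vir a variant of Win32/Injector.FOG trojan
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\nub.exe.vir Win32/Adware.XPAntiSpyware.AB application
C:\Qoobox\Quarantine\C\Users\Davis Family\AppData\Local\pep.exe.vir a variant of Win32/Kryptik.MCK trojan
C:\Users\Davis Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6298b7e9-32b97d4d Java/TrojanDownloader.OpenStream.NBL trojan
"""

# Constructed line (not from the thread) showing what a still-live hit would look like.
CONSTRUCTED_LIVE_LINE = r"C:\Users\Example\AppData\Local\Temp\dropper.exe a variant of Win32/Kryptik.MCK trojan"


class Finding(NamedTuple):
    path: str
    detection: str
    disposition: str


def classify(path: str) -> str:
    """Decide what a reported path means for the cleanup."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"   # backup of a file ComboFix already removed; gone on /uninstall
    if JAVA_CACHE_MARKER in p:
        return "java-cache"   # cleared by deleting Java temporary files in the Java Control Panel
    return "live"             # still sitting where it was dropped


def parse_eset_export(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET result line: {line!r}")
        path = m.group("path")
        findings.append(Finding(path, m.group("detection"), classify(path)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per disposition."""
    return dict(Counter(f.disposition for f in findings))


def live_findings(findings: List[Finding]) -> List[Finding]:
    """Only the hits that still need removal."""
    return [f for f in findings if f.disposition == "live"]


if __name__ == "__main__":
    results = parse_eset_export(ESET_RESULTS)
    print(summarize(results))
    for f in live_findings(results):
        print("still live:", f.path, "->", f.detection)
```

On the posted results this prints {'quarantine': 5, 'java-cache': 1} and nothing under "still live", which is exactly why the reply says the scan is better than it looks.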

#11 JH&A (Topic Starter)
Members, 26 posts

Posted 06 April 2011 - 07:53 PM

Everything seems to be working fine now. I downloaded the preventative items and will look over the articles. Thanks so much for your help and thoroughness, Ried!!

#12 Ried
Malware Response Team, 1,009 posts

Posted 07 April 2011 - 12:10 AM

You're most welcome, JH&A. :)



As this issue is resolved, this thread shall be closed.





