
Antispyware 2011 issue



#1 Seth Bucholz

Posted 15 April 2011 - 09:58 PM

Hello all :)

About 3 days ago my computer was infected by Antispyware 2011. I used Malwarebytes to try and delete it and it did find multiple errors, however after restarting the computer the virus program was still on the PC. I tried the site's removal guide, but even with RKill, Malwarebytes still didn't remove it. I also used Spybot and it managed to find some malware, though it had similar results as the Malwarebytes program. I'm kind of a novice to computers, so I apologize if I haven't provided the correct information needed.

Facts worth mentioning:

-Antivirus program: Microsoft Security Essentials

-Previous antivirus program: Nod Security

-Safe mode has not worked for months.

-XP Security Tools infected my PC the day before, however Malwarebytes did delete that.

-Internet does work with the virus though it is incredibly slow.

-Preferably I don't want to restart my computer because of school documents and other papers.

Thank you if anyone can help me with my dilemma.

Edited by Blade Zephon, 15 April 2011 - 11:27 PM.
Moved from XP to AII. ~BZ



#2 Seth Bucholz (Topic Starter)

Posted 16 April 2011 - 05:37 PM

Anyone? :(

#3 boopme (Global Moderator)

Posted 16 April 2011 - 09:19 PM

Hello... Please follow our Removal Guide here: Remove System Tool and SystemTool.
After reading how the malware is misleading you...
You will move to the Automated Removal Instructions.

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Seth Bucholz (Topic Starter)

Posted 17 April 2011 - 01:17 PM

Thank you for the response. :)

Here is the log, hope it provides clear identification to the issue:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6339

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/15/2011 11:16:34 PM
mbam-log-2011-04-15 (23-16-34).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 296933
Time elapsed: 1 hour(s), 32 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\all users.windows\application data\antivirus antispyware 2011\AS2011.exe (Trojan.FakeAlert) -> 172 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Rogue.AV) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatesst (Trojan.FakeAlert) -> Value: updatesst -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Seth\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\all users.windows\application data\antivirus antispyware 2011\AS2011.exe (Trojan.FakeAlert) -> Delete on reboot.
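
A small parser for the MBAM log format posted above, added here as an example; it is not code from the thread or from Malwarebytes, and the function, tag and field names are my own. It reads the summary counts and each detection line, tags the entries that show persistence or browser hijacking (Run values, Winlogon Shell, StartMenuInternet commands, Security Center notify flags) rather than plain dropped files, and checks that the counts match the entries so a truncated paste is noticed. The sample log is a constructed, trimmed copy of the log in this post.

```python
"""Parse the Malwarebytes' Anti-Malware 1.50 log format posted in this thread and tag
the detections that show persistence or hijacking rather than plain dropped files."""
import re
from typing import Dict, List, NamedTuple, Optional


class Detection(NamedTuple):
    section: str         # e.g. "Registry Data Items"
    location: str        # file path or registry path
    threat: str          # MBAM threat name, e.g. "Hijack.StartMenuInternet"
    action: str          # e.g. "Quarantined and deleted successfully."
    bad: Optional[str]   # "Bad: (...)" value, registry data items only
    good: Optional[str]  # "Good: (...)" value, registry data items only
    category: str        # responder-oriented tag from classify()


COUNT_RE = re.compile(r"^(?P<section>.+?) Infected: (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+?) Infected:$")
ENTRY_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


def classify(section, location, threat):
    """Tag a detection by the mechanism it represents, not just by threat name."""
    loc = location.lower()
    if section == "Memory Processes":
        return "running process"
    if "\\winlogon\\shell" in loc:
        return "shell replacement (Winlogon Shell)"
    if "\\startmenuinternet\\" in loc or threat == "Hijack.StartMenuInternet":
        return "browser launch hijack"
    if "\\security center\\" in loc and loc.endswith("disablenotify"):
        return "security notifications disabled"
    if "\\currentversion\\run\\" in loc:
        return "autostart (Run key)"
    return "registry (other)" if section.startswith("Registry") else "file or folder"


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one MBAM log."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = COUNT_RE.match(line)
        if m:  # summary block: "Registry Keys Infected: 1"
            counts[m.group("section")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:  # detail block header: "Registry Keys Infected:"
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line) if section and line else None
        if not m:  # blank line, "(No malicious items detected)" or preamble
            continue
        rest = m.group("rest")
        # The action is the last " -> " segment; anything before it is a PID
        # (memory processes), a value name, or the Bad/Good pair.
        detail, action = rest.rsplit(" -> ", 1) if " -> " in rest else ("", rest)
        bg = BADGOOD_RE.match(detail)
        detections.append(Detection(
            section, m.group("loc"), m.group("threat"), action,
            bg.group("bad") if bg else None, bg.group("good") if bg else None,
            classify(section, m.group("loc"), m.group("threat"))))
    return counts, detections


def count_mismatches(counts, detections):
    """Sections whose summary count differs from the entries parsed (truncated paste check)."""
    seen: Dict[str, int] = {}
    for d in detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}


# Constructed sample: a trimmed copy of the log posted above, counts adjusted to the lines kept.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
c:\documents and settings\all users.windows\application data\antivirus antispyware 2011\AS2011.exe (Trojan.FakeAlert) -> 172 -> Unloaded process successfully.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Rogue.AV) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatesst (Trojan.FakeAlert) -> Value: updatesst -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\Seth\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
"""
```

Run `parse_mbam_log(SAMPLE_LOG)` and filter on `category` to list the entries that re-launch the rogue or bypass the browser, which is what distinguishes this infection from a few stray files in Temp.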

#5 boopme (Global Moderator)

Posted 17 April 2011 - 02:19 PM

Excellent, now run a Safe Mode scan; we are almost through this.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NOTE: There have been reported problems with FireFox not loading pages properly after running ATF to clean the Firefox cache and download history. The glitch occurs if you have Firefox opened to Bleepingcomputer or other web sites while clearing the Firefox cache with ATF Cleaner. Close FF before running ATF. If ATF was run while the browser was open and OP reports problems, have them use FF itself afterwards to clear the cache.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
Close all open browsers before using, especially FireFox. <-Important!!!
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates. When done,
click Scanner tab, select FULL scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.


Please ask any needed questions, post 2 logs and let us know how the PC is running now.

#6 Seth Bucholz (Topic Starter)

Posted 18 April 2011 - 05:08 PM

Thank you for the guide, but to be quite frank after following the instructions "exactly" I think the virus might be worse now. :(

Logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2011 at 00:33 AM

Application Version : 4.50.1002

Core Rules Database Version : 6859
Trace Rules Database Version: 4671

Scan type : Complete Scan
Total Scan Time : 02:05:32

Memory items scanned : 440
Memory threats detected : 0
Registry items scanned : 6880
Registry threats detected : 4
File items scanned : 82318
File threats detected : 46

System.BrokenFileAssociation
HKCR\.exe

Rogue.SecurityEssentials2010
HKU\S-1-5-21-1645522239-1202660629-682003330-1006\Software\SE2010

Malware.Trace
HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL
HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie

Trojan.Agent/Gen-FakeAV
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\LOCAL SETTINGS\APPLICATION DATA\ADX.EXE

Trojan.Agent/Gen-FakeAlert[WinsCP]
C:\DOCUMENTS AND SETTINGS\SETH\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\25\230800D9-64ACF5E7

Trojan.Agent/Gen-FakeAlert
C:\DOCUMENTS AND SETTINGS\SETH\LOCAL SETTINGS\APPLICATION DATA\NSL.EXE

Trojan.Agent/Gen
C:\DOCUMENTS AND SETTINGS\SETH\LOCAL SETTINGS\APPLICATION DATA\YHP.EXE



Malwarebytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6378

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2011 5:39:23 PM
mbam-log-2011-04-18 (17-39-23).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 323287
Time elapsed: 1 hour(s), 51 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Seth\Desktop\null0.23537846742403867.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\application data\hrd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\8459.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b3f6f9f-5f9d-4165-aa7e-93c5eb3c30ba}\RP497\A0087409.exe (Trojan.FakeRean) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b3f6f9f-5f9d-4165-aa7e-93c5eb3c30ba}\RP499\A0090559.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b3f6f9f-5f9d-4165-aa7e-93c5eb3c30ba}\RP501\A0092685.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9b3f6f9f-5f9d-4165-aa7e-93c5eb3c30ba}\RP501\A0092686.exe (Trojan.FakeRean) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\3FE9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\5B28.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\67D1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\764A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\7F5B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\845B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\Desktop\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.

#7 boopme (Global Moderator)

Posted 18 April 2011 - 07:35 PM

Wow! Ok, you had many different Rogues on here. I can see why it may seem worse. Is it running slower, what is up?
We may still need a few scans but we'll see.

A TDSS infection will cause trouble.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Next an Online scan.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#8 Seth Bucholz (Topic Starter)

Posted 18 April 2011 - 07:47 PM

I don't think I can access my net anymore, so will it be alright to download the TDSS on a flash drive then install it on my computer?

#9 boopme (Global Moderator)

Posted 18 April 2011 - 08:14 PM

Yes, that will work, but try this first.
For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.


OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.

#10 Seth Bucholz (Topic Starter)

Posted 19 April 2011 - 06:04 AM

Being prevented from using notepad, but thankfully saving the info onto the flash drive worked. :)

Log:



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=a2121258cebaad4faa84bb74d8d7e541
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-19 05:58:30
# local_time=2011-04-19 01:58:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8195 39157145 100 100 2739995 47335778 0 0
# scanned=86156
# found=16
# cleaned=0
# scan_time=10655
# nod_component=V3 Build:0x30000000
C:\Documents and Settings\All Users.WINDOWS\Application Data\Antivirus AntiSpyware 2011\AS2011.exe Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\svrwsc.exe Win32/AutoRun.Spy.Banker.G worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Sun\Java\Deployment\cache\6.0\11\3923648b-4d3747b3 a variant of Win32/Injector.FUD trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Sun\Java\Deployment\cache\6.0\20\2fd6e594-526210bb multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe Win32/Injector.FVL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\4\8f85c44-7cda6a3d multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Seth\My Documents\Xvid-Setup-dm-9.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Seth\My Documents\backups\backup-20110413-011525-181.dll Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\3FF3.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\5B2A.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\67D3.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\7652.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\7F5D.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\B.tmp Win32/Adware.SecurityEssentials.AB application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\srv140.tmp Win32/AutoRun.Agent.ABK worm (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I

#11 boopme (Global Moderator)

Posted 19 April 2011 - 03:39 PM

You had a few nasties and I hope things are getting better. Let's rerun MBAM and see if you can run TDSS Killer.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates. When done,
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

#12 Seth Bucholz (Topic Starter)

Posted 19 April 2011 - 06:20 PM

Can't say things are getting better, but they ain't getting worse. :) And thanks a lot for the assistance you've provided so far!

Malwarebytes log after TDSSKiller scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6400

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/19/2011 7:12:48 PM
mbam-log-2011-04-19 (19-12-48).txt

Scan type: Quick scan
Objects scanned: 228683
Time elapsed: 18 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antivirus AntiSpyware 2011 (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wevjds.cfg (Trojan.FakeAlert) -> Value: wevjds.cfg -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webgjjkeds.cfg (Trojan.FakeAlert) -> Value: webgjjkeds.cfg -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vsm.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users.windows\application data\antivirus antispyware 2011\AS2011.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\3FF3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\5B2A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\67D3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\7652.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\7F5D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#13 boopme (Global Moderator)

Posted 19 April 2011 - 07:19 PM

Ok, you did run hosts-perm.bat and reset the Hosts file as per the Guide?

#14 Seth Bucholz (Topic Starter)

Posted 19 April 2011 - 07:27 PM

Sorry but as stated in my first post I'm kind of a novice, so please define what files are the hosts-perm.bat? :wacko:

#15 boopme (Global Moderator)

Posted 19 April 2011 - 07:35 PM

That's OK, we were all once. In the Guide in post 3, here's the link
http://www.bleepingcomputer.com/virus-removal/remove-system-tool

Did you do steps 22-25? If not do that now.

To reset the Hosts file to default it may be easier to do this:
To reset the hosts file automatically, go HERE and click the Posted Image button. Then just follow the prompts in the Fix it wizard.
