Hidden Files and Google Misdirect At Same Time


  • This topic is locked
14 replies to this topic

#1 enderst123


Posted 01 June 2011 - 07:05 PM

Hi, I seem to have found a nasty virus or two. When I was browsing the net using Firefox v. 4.0.1 I happened upon a virus when I clicked a Flash video to turn it on. (I have Flash blocker.) The computer locked up and WinPatrol (free edition) said something was trying to run; I told it not to let it run but Firefox was still locked up. I could not close it and I could not hit CTRL + ALT + Del to get to the task manager to close it that way. So I hard shut down the computer by pressing and holding the power button.

When the computer came back to life I could not see most of my files on C:. I was able to find them if I right-clicked and went to Properties and then went to Previous Versions, and yesterday's version would show up just fine. I ran Malwarebytes and found a few (4) infected files which I deleted and then restarted my computer. When the computer came back alive there were still no files and so I went to Google to search the problem. Every time I searched Google the search would be redirected to some spam site.

I have run Malwarebytes a few more times, both in normal mode and in safe mode without networking, with no new infections coming up. I have also run Ad-Aware by Lavasoft and it came up with a few cookies to be deleted.

I have run Rkill with nothing being found either.

Any help would be greatly appreciated.

Here is the DDS file:

Run by Enderst at 14:34:57 on 2011-06-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.1908 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\system32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\nlssrv32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\Explorer.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CatcherBHO Class: {9b4df450-dcc7-4b07-935d-0cd757a64583} - c:\program files\moyea\youtube flv downloader\MoyeaCatcher.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Google Update] "c:\users\enderst\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: c:\users\enderst\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\enderst\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{04D41C85-D6C8-4A20-94C3-1D2177427791} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{04D41C85-D6C8-4A20-94C3-1D2177427791}\16E6A6 : DhcpNameServer = 192.168.1.152 24.158.96.130 24.158.96.131
TCP: Interfaces\{BD552441-3220-4ADB-9E98-62E884A6E7A6} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\enderst\appdata\roaming\mozilla\firefox\profiles\tmi8ci8v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\enderst\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\users\enderst\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\enderst\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-19 64288]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-1-20 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-7-6 176128]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-10-21 57344]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2010-8-25 6076272]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2010-8-25 616816]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-7-6 5882368]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-7-6 210944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-8-24 13224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-31 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-4 1343400]
S4 ASTSRV;AST HighEnd Service;c:\windows\system32\ASTSRV.EXE [2010-10-21 57344]
.
=============== Created Last 30 ================
.
2011-06-01 19:16:24 65024 ---ha-w- c:\windows\system32\ASTSstUI.dll
2011-06-01 19:12:49 -------- d-----w- c:\users\enderst\appdata\roaming\Malwarebytes
2011-06-01 19:12:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 19:12:45 -------- d-----w- c:\programdata\Malwarebytes
2011-06-01 19:12:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-01 19:12:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 08:28:19 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-05-16 08:22:18 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 13:48:45 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 13:48:45 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:54:08.36 ===============
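The "Pseudo HJT Report" section of this DDS log carries the most important defensive detail in the thread: UAC is switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), Action Center warnings are hidden (HideSCAHealth = 1), one BHO is orphaned ("No File"), and the interface-level DNS entry lists two resolvers outside private address space. The following Python triage script is an added editorial example, not part of the thread, of DDS, or of any BleepingComputer tool; it scans report lines of this shape for exactly those signs, and its sample input is constructed from lines of the log above.

```python
"""Triage a DDS 'Pseudo HJT Report' for weakened security settings,
orphaned BHO entries and DNS resolvers outside private address space.
Editorial example: not part of the thread, of DDS, or of any BleepingComputer tool."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, built from the shape of the report lines quoted above.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{04D41C85-D6C8-4A20-94C3-1D2177427791}\16E6A6 : DhcpNameServer = 192.168.1.152 24.158.96.130 24.158.96.131
"""


@dataclass
class Finding:
    severity: str  # "high": weakens protection outright; "review": needs a human look
    key: str       # the setting, CLSID or address the finding is about
    detail: str


# (policy scope, value name) -> (value that is a problem, why it matters)
RISKY_POLICIES = {
    ("system", "EnableLUA"): (0, "UAC is switched off; everything an admin user runs is fully elevated"),
    ("system", "ConsentPromptBehaviorAdmin"): (0, "admin elevation happens silently, with no consent prompt"),
    ("system", "PromptOnSecureDesktop"): (0, "elevation prompts do not use the secure desktop, so they can be spoofed"),
    ("explorer", "HideSCAHealth"): (1, "Action Center / Security Center warnings are hidden from the user"),
}

POLICY_RE = re.compile(r"^[um]Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
ORPHAN_BHO_RE = re.compile(r"^BHO:.*(\{[0-9A-Fa-f-]{36}\})\s*-\s*No File$")
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(.+)$")


def triage(report: str) -> list:
    """Return one Finding per suspicious line; order follows the report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            scope, name, value = m.group(1), m.group(2), int(m.group(3))
            risky = RISKY_POLICIES.get((scope, name))
            if risky and value == risky[0]:
                findings.append(Finding("high", name, risky[1]))
            continue
        m = ORPHAN_BHO_RE.match(line)
        if m:
            findings.append(Finding("review", m.group(1),
                                    "BHO still registered but its DLL is gone; remove the orphaned CLSID"))
            continue
        m = DNS_RE.search(line)
        if m:
            for token in m.group(1).split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue  # skip anything that is not an IP address
                if not addr.is_private:
                    findings.append(Finding("review", token,
                                            "resolver outside private space; confirm it is your ISP's, "
                                            "since a swapped resolver is one way searches get redirected"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.key}: {f.detail}")
```

Run it against a full DDS log by passing the file contents to triage(); the policy and DNS checks are the ones worth keeping after a reinstall, since the log above shows UAC was off before the infection.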


#2 m0le

  • Malware Response Team

Posted 09 June 2011 - 07:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 enderst123


Posted 14 June 2011 - 02:13 PM

Hi, apparently my last post, saying that I would be gone until today, did not actually get posted on the site. I am back, but when I got back my computer would not load past the booting phase.

There was something that said booting from CD-ROM and saying there was no priority. I hit F2 and went to the BIOS page and put my hard drive back as the first boot; now it just sits there with a blinking line (-).

Sorry for the late response I was not near a connection.

#4 m0le


Posted 14 June 2011 - 06:02 PM

Do you have a recovery disk?

#5 enderst123


Posted 14 June 2011 - 06:07 PM

Hey, I might have recovery disks. I will look when off work and post from my smartphone if I can do that. A friend said that a virus could be doing this as well and I would just hate to lose all my data. I have not had a backup system in too long. (I know, my fault.)

#6 m0le


Posted 14 June 2011 - 06:20 PM

Okay. Your friend is right, HDD rogues do hide your files and rootkits can stop the PC booting. Until we can get back into the system we don't know which combination we are dealing with. Please take a look at this page and see if anything seems familiar to what you are experiencing.

#7 enderst123


Posted 16 June 2011 - 12:54 AM

Alright, I have good news and bad news. I read your note a bit late and stuck in my Windows disk and reinstalled Windows. The good news is that the virus is not bothering me at the moment, but I do believe that it exists because all of my stuff is still here. Everything is stored in a folder called windows.old. I (probably stupidly) opened a few programs (Ventrilo, Photoshop, Foobar music player, Starcraft II video game). I have been playing music from these files as well. I ran a quick scan with Malwarebytes and am running a big scan now.

Now on to the list of what the virus was doing.

I did get the fake antivirus
I did get hidden files
I did get Google misdirects
I Didn't get any critical warnings
I think that it reset my computer a few times.
I think that it hid my HDD from my computer because when I reinstalled windows I now have it back


Hope all this helps

#8 m0le


Posted 16 June 2011 - 05:36 PM

Now that you're booting again we can see if we can find any remnants. Reinstallation usually destroys the vast majority of malware, so I am not expecting a massive array in the logs.

First we can do a longish scan using ESET, which should crawl through the windows.old files.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.

#9 enderst123


Posted 18 June 2011 - 10:54 AM

Here is the scan. The first time I tried to scan, my auto updates made me lose my progress; the second time it took a little over 18 hours :(

C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\49e03e00-23349258 multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\55a2d3ce-106aa2e7 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\57f6ba56-2f189278 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\2781d21b-5708757f multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\46d1ce60-788788ba multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\54c37721-5572ff6f multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-63476d8b Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\5bb7d9e3-6d9647a4 multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\3c32cfa6-3a31ae43 multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\54d04ee9-416520bc multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-13e7d33f multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\53194aa-6fd5d518 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\18396c39-1453d130 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\787f39b9-358ecfd9 multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\3eb966fe-4c840278 multiple threats deleted - quarantined
C:\Windows.old\Documents and Settings\Enderst\Downloads\PowerIS0_4.3.zip a variant of Win32/Keygen.AF application deleted - quarantined
C:\Windows.old\Windows\System32\ASTSstUI.dll a variant of Win32/Kryptik.OTI trojan cleaned by deleting - quarantined
C:\Windows.old\Windows\System32\drivers\volsnap.sys Win32/Olmasco.E trojan deleted - quarantined

#10 m0le


Posted 19 June 2011 - 05:17 AM

the first time I tried to scan my auto updates made me lose my progress second time it took a little of 18 hours :(


It does take time, as I warned, but it has removed all traces of malware from your machine.

How is the PC now?

#11 enderst123


Posted 19 June 2011 - 01:52 PM

Everything seems to be running normally. I know there are no Google misdirects, I can see my files and my hard drive, and there is no fake antivirus stuff.

#12 m0le


Posted 19 June 2011 - 06:02 PM

Okay, that's excellent. Please clear up and read the final instructions.

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

Now create a new system protection point

1. Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.

2. In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the
password or provide confirmation.

3. Click the System Protection tab, and then click Create.

4. In the System Protection dialog box, type a description, and then click Create.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le

#13 enderst123


Posted 20 June 2011 - 10:51 AM

Thanks for all the help. I downloaded the new antivirus you recommended. Does that work well with Malwarebytes or take the place of it?

Again thanks for all you did.

#14 m0le


Posted 20 June 2011 - 06:36 PM

The free version of MBAM is a stand-alone run-when-needed program and is neither an antivirus nor an antispyware program, so it can be used with the antivirus. :thumbup2:

#15 m0le


Posted 25 June 2011 - 05:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
