Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible infection with trojan Agent - keeps coming back


  • This topic is locked This topic is locked
16 replies to this topic

#1 jagrim

jagrim

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 31 July 2011 - 02:11 PM

Computer was infected around June 16 with Internet Security 2010. Utilized the removal guide on this site and all appeared well but I suspect something else is still occuring.

Symptoms:
1) Anti-virus Software (McAfee) will turn it self off momentarily then come back on.
2) MBAM program has found recent Trojans and has prevented (blocked) going to several suspicious sites ( have inserted some the the logs)

Downloaded dds but have been unsuccessful in running. I see a black box pop up the close - nothing else. Have renamed from scr to exe without results


System Specs:
Win 7 Home Premium (64 bit)
HP Pavilion dv7 Notebook PC

Log #1:
Inital log when infection jumped out.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6873

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

6/16/2011 9:00:26 PM
mbam-log-2011-06-16 (21-00-26).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 486540
Time elapsed: 2 hour(s), 31 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Users\mom & dad\AppData\Local\sju.exe (Trojan.ExeShell.Gen) -> 5504 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3099827806 (Trojan.ExeShell.Gen) -> Value: 3099827806 -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Mom & Dad\AppData\Local\sju.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\mom & dad\AppData\Local\sju.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\mom & dad\AppData\Local\Temp\0.8166039894421351.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\mom & dad\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\mom & dad\AppData\Roaming\Adobe\plugs\mmc239.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


Log #2 - Most recent log - full scan - no issues noticed prior to scanMalwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7327

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/30/2011 7:25:06 PM
mbam-log-2011-07-30 (19-25-05).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 502830
Time elapsed: 1 hour(s), 32 minute(s), 57 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\Windows\SysWOW64\winsockhc32.exe (Trojan.Agent) -> 2216 -> Unloaded process successfully.
c:\programdata\api-ms-win-core-localregistry-l1-1-032.exe (Trojan.Agent) -> 2288 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\SysWOW64\winsockhc32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\api-ms-win-core-localregistry-l1-1-032.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\winsockhc32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\mom & dad\AppData\Local\Temp\jucheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\mom & dad\AppData\Local\Temp\tmph8899877806226247641.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


Protection Log (I have more like this if you need)

10:07:10 Mom & Dad MESSAGE Protection started successfully
10:07:14 Mom & Dad MESSAGE IP Protection started successfully
10:08:38 Mom & Dad MESSAGE Scheduled update executed successfully
10:09:08 Mom & Dad MESSAGE IP Protection stopped
10:09:10 Mom & Dad MESSAGE Database updated successfully
10:09:11 Mom & Dad MESSAGE IP Protection started successfully
13:47:10 Mom & Dad DETECTION C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-032.dll Trojan.Tracur.Gen QUARANTINE
14:49:46 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 62387, Process: winsockhc32.exe)
15:50:44 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 56574, Process: winsockhc32.exe)
16:50:44 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 55725, Process: winsockhc32.exe)
17:40:14 Mom & Dad IP-BLOCK 94.100.18.194 (Type: outgoing, Port: 58069, Process: iexplore.exe)
17:50:44 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 58564, Process: winsockhc32.exe)
18:50:46 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 60993, Process: winsockhc32.exe)
19:50:49 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 49783, Process: winsockhc32.exe)
20:54:12 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 63242, Process: winsockhc32.exe)
21:59:43 Mom & Dad IP-BLOCK 91.217.153.48 (Type: outgoing, Port: 64614, Process: winsockhc32.exe)

BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:24 PM

Posted 08 August 2011 - 02:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resouce! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412234 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 08 August 2011 - 05:50 PM

Still can not run DDS on the computer. A box opens then closes.

Windows 7 Home Premium (x64) Service Pack 1 (build 7601)

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 08 August 2011 - 08:17 PM

Hi

Please try running the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 08 August 2011 - 09:07 PM

Attached are the requested logs

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 08 August 2011 - 09:28 PM

Hi,

Please do the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O3 - HKU\S-1-5-21-889174403-2583164961-370754843-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-889174403-2583164961-370754843-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin]  File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin]  File not found
    [2011/07/29 12:06:22 | 000,000,000 | ---D | C] -- C:\Users\Mom & Dad\AppData\Local\{2F97D934-B08A-4FA7-B316-77C1B2EC3E0A}
    [2011/07/29 13:47:10 | 000,000,090 | ---- | C] () -- C:\Windows\SysWow64\787359351
    [2011/07/07 09:23:05 | 005,152,320 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpDSCN0051.JPG
    [2011/06/16 15:47:16 | 000,011,030 | -HS- | C] () -- C:\Users\Mom & Dad\AppData\Local\1owi0exui8r323657g1fvdgyk2t387os80x
    [2011/06/16 15:47:16 | 000,004,208 | -HS- | C] () -- C:\ProgramData\1owi0exui8r323657g1fvdgyk2t387os80x
    [2011/05/26 21:05:30 | 000,347,261 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpASA.0
    [2011/05/26 21:05:30 | 000,146,936 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpASA.JPG
    [2011/05/26 21:03:44 | 000,146,936 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpIMG_0090[3][1].JPG
    [2011/05/26 21:03:43 | 000,347,261 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpIMG_0090[3][1].0
    [2011/02/10 10:59:23 | 000,018,976 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpOLINOR.0
    [2011/02/10 10:59:23 | 000,018,682 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmpOLINOR.JPG
    [2010/10/26 16:17:51 | 000,545,943 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp090.JPG
    [2010/10/26 16:17:51 | 000,506,414 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp090.0
    [2010/10/25 19:34:21 | 001,030,832 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp025.JPG
    [2010/10/25 19:34:20 | 001,030,869 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp025.0
    [2010/10/24 19:08:00 | 004,257,779 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp127.0
    [2010/10/24 19:08:00 | 000,822,907 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp127.JPG
    [2010/10/24 19:05:49 | 001,112,205 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp118.JPG
    [2010/10/24 19:05:48 | 004,394,477 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp118.0
    [2010/10/24 19:00:33 | 001,268,759 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp101.JPG
    [2010/10/24 19:00:32 | 004,339,740 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp101.0
    [2010/10/24 18:24:24 | 004,500,356 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp097.0
    [2010/10/24 18:24:24 | 001,042,504 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp097.JPG
    [2010/10/24 17:43:57 | 004,441,132 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp008.JPG
    [2010/10/24 17:35:12 | 004,984,428 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp003.JPG
    [2010/10/24 17:22:39 | 004,388,884 | ---- | C] () -- C:\Users\Mom & Dad\AppData\Local\tmp073.JPG
    
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [emptyflash]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 09 August 2011 - 06:01 PM

Have attached files for both OTL Fix and ComboFix.

While running Combo fix, it said that Macfee was running. after opening McAfee, it said it was turned off.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 09 August 2011 - 06:06 PM

Hi

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 10 August 2011 - 04:38 AM

ESET scan found no Threats.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7422

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

8/9/2011 6:52:37 PM
mbam-log-2011-08-09 (18-52-37).txt

Scan type: Quick scan
Objects scanned: 200097
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 10 August 2011 - 06:08 AM

Please do the following:

Visit ADOBEand download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 26 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java™ SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u26-windows-i586-p.exe from your desktop.


NEXT

Please post a fresh OTL log and advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 10 August 2011 - 06:37 PM

I reran the OTL as in the first step.[attachment=104282:OTL2.Txt]

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 10 August 2011 - 07:18 PM

How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 10 August 2011 - 07:28 PM

It seems to be running okay. I'm not seeing any issues at this time. I'll monitor pretty closely for the next couple of months to ensure it doesn't happen again. Appreciate the help.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 PM

Posted 10 August 2011 - 07:43 PM

OK good, we just have some housekeeping to do now, please do the following:


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


NEXT

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 jagrim

jagrim
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 10 August 2011 - 08:38 PM

Thanks for the help




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users