
NECURS Rootkit


This topic is locked
8 replies to this topic

#1 Bwaltman

Bwaltman

  • Members
  • 11 posts
  • Gender:Male
  • Local time:06:16 PM

Posted 14 July 2015 - 04:49 PM

Hello,

I ran RogueKiller and it says that I am infected with the NECURS rootkit. I tried to follow their suggested steps but I couldn't get it to work.

I have Windows XP Professional SP3, 32-bit.

Thanks, Bill




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 15 July 2015 - 09:19 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 

#3 Bwaltman

Bwaltman
  • Topic Starter
  • Members
  • 11 posts
  • Gender:Male
  • Local time:06:16 PM

Posted 15 July 2015 - 02:43 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-07-2015
Ran by Administrator (administrator) on ENTRY_2 on 15-07-2015 13:40:25
Running from C:\Documents and Settings\Administrator\Desktop\Malware Tools
Loaded Profiles: Administrator (Available Profiles: ADMIN & Racing & Administrator & player & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Program Files\Intel\ASF Agent\ASFAgent.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchksrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Intel) C:\Program Files\Intel\AMT\LMS.exe
(Intel) C:\Program Files\Intel\AMT\UNS.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchk.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1036288 2007-09-24] (Analog Devices, Inc.)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2007-10-03] (Intel Corporation)
HKLM\...\Run: [atchk] => C:\Program Files\Intel\AMT\atchk.exe [408344 2007-06-12] (Intel Corporation)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03] (SUPERAntiSpyware.com)
HKLM\...\Policies\Explorer: [NoInternetIcon] 1
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
GroupPolicyScripts: Group Policy detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1596996539-1842698588-2507347965-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1596996539-1842698588-2507347965-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1596996539-1842698588-2507347965-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1596996539-1842698588-2507347965-500 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-09-05] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-03-27] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-03-27] (Oracle Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [77824 2008-05-13] (SuperAdBlocker.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.59 192.168.1.58
Tcpip\..\Interfaces\{79D99B7C-9C12-4DF6-A3AC-3D721D74C03F}: [DhcpNameServer] 192.168.1.59 192.168.1.58

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-03-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-03-27] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-18] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-18] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-09-05] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-04-07]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path Or update_url value

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [133968 2007-01-23] (Intel Corporation)
R2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [183064 2007-06-12] (Intel Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-03-27] (Oracle Corporation)
R2 LMS; C:\Program Files\Intel\AMT\LMS.exe [109336 2007-06-12] (Intel)
R2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2521880 2007-06-12] (Intel)
R2 uvnc_service; C:\Program Files\UltraVNC\winvnc.exe [1590216 2009-12-07] (UltraVNC)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 BrPar; C:\WINDOWS\System32\drivers\BrPar.sys [19537 2000-07-24] (Brother Industries Ltd.) [File not signed]
R1 epp32; C:\EEK\bin\epp32.sys [111368 2015-06-17] (Emsisoft GmbH)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67656 2010-06-21] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [392960 2007-09-24] (Sensaura)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-15 06:01 - 2015-07-15 06:01 - 00000619 _____ C:\Documents and Settings\Administrator\Desktop\JRT.txt
2015-07-14 17:19 - 2015-07-14 17:19 - 00000000 ____D C:\Quarantine
2015-07-14 16:47 - 2015-07-14 13:59 - 18070088 _____ C:\RogueKiller.exe
2015-07-14 15:36 - 2015-07-14 15:37 - 00057354 _____ C:\OTL.Txt
2015-07-14 15:31 - 2015-07-15 13:40 - 00000000 ____D C:\FRST
2015-07-14 13:13 - 2015-06-18 14:02 - 17659640 _____ C:\RogueKiller32.exe
2015-07-14 10:19 - 2015-07-14 10:21 - 00000000 ____D C:\Documents and Settings\Racing\Desktop\Most Resent
2015-07-14 10:10 - 2015-07-14 10:10 - 00000250 _____ C:\Documents and Settings\Racing\My Documents\Recovery_File_buhav.txt
2015-07-14 10:07 - 2015-07-14 10:07 - 00000250 _____ C:\Documents and Settings\Racing\My Documents\Recovery_File_krxoi.txt
2015-07-14 09:53 - 2015-07-14 10:10 - 00000664 _____ C:\Documents and Settings\Racing\Local Settings\Application Data\d3d9caps.dat
2015-07-14 09:45 - 2015-07-14 10:14 - 00000157 _____ C:\Documents and Settings\Racing\Local Settings\Application Data\svcxdcl32.dat
2015-07-14 09:42 - 2015-07-14 09:43 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\{DE52BEFA-3181-41D4-867A-F789196A5978}
2015-07-14 09:42 - 2015-07-14 09:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\cau
2015-07-04 07:41 - 2015-07-14 12:44 - 00000000 ____D C:\Documents and Settings\Racing\Local Settings\Application Data\akem
2015-07-04 07:35 - 2015-07-15 13:37 - 00000424 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{309947AB-CDEF-4DE4-954E-1C005322A7BE}.job
2015-06-18 17:34 - 2015-06-18 17:34 - 00000639 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Start Emsisoft Emergency Kit.lnk
2015-06-18 16:27 - 2015-06-18 16:27 - 00000639 _____ C:\Documents and Settings\Administrator\Desktop\Start Emsisoft Emergency Kit.lnk
2015-06-18 16:26 - 2015-07-14 12:28 - 00000000 ____D C:\EEK
2015-06-18 16:24 - 2015-06-18 16:25 - 00000000 ____D C:\WINDOWS\pss
2015-06-18 16:23 - 2015-07-15 13:40 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2015-06-18 16:23 - 2015-07-14 11:02 - 00000000 ____D C:\Documents and Settings\Racing\Local Settings\temp
2015-06-18 16:23 - 2015-06-18 16:23 - 00010184 _____ C:\ComboFix.txt
2015-06-18 16:23 - 2015-06-18 16:23 - 00000000 ____D C:\Documents and Settings\player\Local Settings\temp
2015-06-18 16:23 - 2015-06-18 16:23 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2015-06-18 16:23 - 2015-06-18 16:23 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2015-06-18 16:23 - 2015-06-18 16:23 - 00000000 ____D C:\Documents and Settings\administrator.SUNRAY\Local Settings\temp
2015-06-18 16:23 - 2015-06-18 16:23 - 00000000 ____D C:\Documents and Settings\ADMIN\Local Settings\temp
2015-06-18 14:55 - 2015-06-18 14:55 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2015-06-18 14:55 - 2015-06-18 14:55 - 00008192 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2015-06-18 14:55 - 2015-06-18 14:55 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2015-06-18 14:55 - 2015-06-18 14:55 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2015-06-18 14:55 - 2015-06-18 14:55 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2015-06-18 14:33 - 2015-06-18 16:23 - 00000000 ____D C:\Qoobox
2015-06-18 14:33 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2015-06-18 14:33 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2015-06-18 14:33 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2015-06-18 14:33 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2015-06-18 14:32 - 2015-06-18 16:22 - 00000000 ____D C:\WINDOWS\erdnt
2015-06-18 14:19 - 2015-07-14 16:50 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-06-18 14:19 - 2015-06-18 14:30 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\RogueKiller
2015-06-18 14:17 - 2015-06-18 14:17 - 00000000 ____D C:\RegBackup
2015-06-18 13:09 - 2015-07-14 17:08 - 00000000 ____D C:\AdwCleaner
2015-06-18 12:59 - 2015-06-18 12:59 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Panda Security
2015-06-18 12:58 - 2015-06-18 12:58 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\CyberLink
2015-06-18 12:56 - 2015-07-15 13:40 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\Malware Tools

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-15 13:39 - 2008-04-25 15:28 - 01552651 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-15 13:38 - 2009-09-25 12:24 - 00235502 _____ C:\WINDOWS\setupapi.log
2015-07-15 13:37 - 2008-04-25 15:27 - 00000000 ____D C:\WINDOWS\system32\Restore
2015-07-15 13:36 - 2009-03-27 15:00 - 00000128 _____ C:\WINDOWS\system32\config\netlogon.ftl
2015-07-15 13:36 - 2008-04-25 15:32 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-15 13:36 - 2008-04-25 10:16 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-07-15 13:36 - 2008-04-25 03:25 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-07-15 13:36 - 2008-04-25 03:25 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-07-15 13:35 - 2008-04-25 15:32 - 00032598 _____ C:\WINDOWS\SchedLgU.Txt
2015-07-15 13:35 - 2008-04-25 15:32 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-07-14 17:08 - 2012-04-04 12:41 - 00065536 _____ C:\WINDOWS\system32\config\Nano.evt
2015-07-14 17:08 - 2012-04-04 12:41 - 00000000 ____D C:\Program Files\Panda Security
2015-07-14 17:08 - 2008-04-25 03:21 - 00139648 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-14 13:04 - 2009-03-21 06:42 - 00001813 _____ C:\WINDOWS\setupact.log
2015-07-14 10:10 - 2012-04-04 11:07 - 00000000 ___RD C:\Documents and Settings\Administrator\Application Data\Brother
2015-07-14 10:09 - 2011-10-06 15:57 - 00000000 ____D C:\CardPrinterInstall
2015-07-14 10:03 - 2012-04-04 11:20 - 00000178 ___SH C:\Documents and Settings\Racing\ntuser.ini
2015-06-26 10:06 - 2011-10-06 13:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-06-24 17:04 - 2008-04-25 15:32 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-06-18 16:25 - 2008-04-25 10:16 - 00000552 _____ C:\WINDOWS\win.ini
2015-06-18 16:25 - 2008-04-25 10:16 - 00000227 _____ C:\WINDOWS\system.ini
2015-06-18 16:25 - 2008-04-25 10:16 - 00000211 __RSH C:\boot.ini
2015-06-18 14:59 - 2009-03-21 00:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-06-18 14:55 - 2008-04-25 03:21 - 29884416 _____ C:\WINDOWS\system32\config\software.bak
2015-06-18 14:55 - 2008-04-25 03:21 - 05242880 _____ C:\WINDOWS\system32\config\system.bak
2015-06-18 14:55 - 2008-04-25 03:21 - 00524288 _____ C:\WINDOWS\system32\config\default.bak
2015-06-18 14:55 - 2008-04-25 03:21 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2015-06-18 14:55 - 2008-04-25 03:21 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
2015-06-18 14:15 - 2011-10-07 03:17 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
2015-06-18 14:14 - 2014-03-28 03:07 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-06-18 12:59 - 2009-03-20 23:51 - 00023968 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-06-18 12:57 - 2009-04-20 15:12 - 00000000 ____D C:\WINDOWS\system32\appmgmt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

ADDITION.TXT

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Administrator at 2015-07-15 13:40:54
Running from C:\Documents and Settings\Administrator\Desktop\Malware Tools
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

ADMIN (S-1-5-21-1596996539-1842698588-2507347965-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\ADMIN
Administrator (S-1-5-21-1596996539-1842698588-2507347965-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-1596996539-1842698588-2507347965-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1596996539-1842698588-2507347965-1004 - Limited - Disabled)
Racing (S-1-5-21-1596996539-1842698588-2507347965-1006 - Limited - Enabled) => %SystemDrive%\Documents and Settings\Racing
SUPPORT_388945a0 (S-1-5-21-1596996539-1842698588-2507347965-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.0.0.4080 - Adobe Systems Incorporated)
Adobe Flash Player 10 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 10.2.153.1 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader X (10.1.1) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.1 - Adobe Systems Incorporated)
Brother HL-5240 (HKLM\...\{872AAC51-BAE8-467E-B1F9-93C0AF797DAB}) (Version: 1.00 - Brother)
Choice Guard (Version: 1.2.87.0 - Microsoft Corporation) Hidden
CrystalReports (HKLM\...\{B8DF58A6-8534-48D9-BFAA-32B0B1F7DDFB}) (Version: 1.0.0 - Aristocrat)
Dell ETS Factory Installation (Version: 1.0.0 - Dell Inc.) Hidden
Google Update Helper (Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
Intel® PRO Alerting Agent (HKLM\...\{53183B25-FBDC-4B95-856A-DCDD69DFEE18}) (Version: 12.0.2 - Intel Corporation)
Intel® PRO Network Connections 12.1.12.4 (HKLM\...\{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}) (Version:  - Dell)
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
JackpotFill PRIME (HKLM\...\{B486B433-2D77-4E31-8453-DA486776D7D8}) (Version: 1.0 - )
Java 7 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.510 - Oracle)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
MeadCo ScriptX (v7.1.0.60 (x86)) (HKLM\...\{BC15EFA7-97B7-43A3-A293-5117EC3C1A86}) (Version: 7.1.0 - Mead & Co Ltd.)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2742597) (HKLM\...\M2742597) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard 2007 (HKLM\...\STANDARD) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SOAP Toolkit 3.0 (HKLM\...\{BCB4C18A-ACA6-4383-8688-E19933A705DD}) (Version: 3.00.1325.3 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB927977) (HKLM\...\{5A710547-B58E-488B-828D-CA9A25A0533C}) (Version: 6.00.3890.0 - Microsoft Corporation)
OASIS Windows (HKLM\...\{415A8602-9494-4817-A734-AAD152DF4202}) (Version: 11.5.2 - )
PowerDVD (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.1 - Dell)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
SUPERAntiSpyware Free Edition (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.37.0.1000 - SUPERAntiSpyware.com)
UltraVNC 1.0.8.2 (HKLM\...\Ultravnc2_is1) (Version: 1.0.8.2 - 1.0.8.2)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1596996539-1842698588-2507347965-500_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll No File

==================== Restore Points =========================

15-07-2015 13:37:52 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-25 10:16 - 2015-06-18 16:19 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{309947AB-CDEF-4DE4-954E-1C005322A7BE}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\44229326.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\44229326.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1596996539-1842698588-2507347965-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.59 - 192.168.1.58

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: PDVDDXSrv => "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Synchronization Manager => %SystemRoot%\system32\mobsync.exe /logon

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\UltraVNC\winvnc.exe] => Enabled:winvnc.exe
DomainProfile\AuthorizedApplications: [C:\Program Files\UltraVNC\vncviewer.exe] => Enabled:vncviewer.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
DomainProfile\GloballyOpenPorts: [5900:TCP] => Enabled:vnc5900
DomainProfile\GloballyOpenPorts: [5800:TCP] => Enabled:vnc5800
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
DomainProfile\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009

==================== Faulty Device Manager Devices =============

Name: mv video hook driver2
Description: mv video hook driver2
Class Guid: {4D36E968-E325-11CE-BFC1-08002BE10318}
Manufacturer: UVNC BVBA
Service: mv2
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

==================== Event log errors: =========================

Application errors:
==================
Error: (07/15/2015 01:36:30 PM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 01:36:25 PM) (Source: Intel® AMT) (EventID: 2002) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/15/2015 01:30:51 PM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 01:30:43 PM) (Source: Intel® AMT) (EventID: 2002) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/15/2015 05:46:38 AM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 05:46:33 AM) (Source: Intel® AMT) (EventID: 2002) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/15/2015 05:34:07 AM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 03:37:06 AM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 01:59:05 AM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

Error: (07/15/2015 12:02:05 AM) (Source: SceCli) (EventID: 1001) (User: )
Description: Security policy cannot be propagated.
Cannot delete GP cache.

System errors:
=============
Error: (07/14/2015 10:06:15 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PSINProc service failed to start due to the following error:
%%31

Error: (07/14/2015 10:06:15 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PSINFile service failed to start due to the following error:
%%31

Error: (07/14/2015 09:51:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PSINProc service failed to start due to the following error:
%%31

Error: (07/14/2015 09:51:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PSINFile service failed to start due to the following error:
%%31

Error: (07/14/2015 09:48:24 AM) (Source: Service Control Manager) (EventID: 7028) (User: )
Description: The BITS Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

Microsoft Office:
=========================

==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 48%
Total physical RAM: 996.54 MB
Available physical RAM: 514.15 MB
Total Virtual: 2949.05 MB
Available Virtual: 2564.71 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:74.37 GB) (Free:59.63 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive e: (SPINRITE V6) (Removable) (Total:7.46 GB) (Free:5.89 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 74.5 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=125 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7.5 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7.5 GB) - (Type=0C)

==================== End of log ============================
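
The FirewallRules section above is the part of this log a reviewer should read most carefully: the Domain profile opens VNC (5900/5800), SMB (445/139) and RDP (3389) with no scope, and the Standard profile opens RDP 3389 without the LocalSubNet restriction that its 139/445 rules carry. The following is an added example for reviewing logs like this one, not part of the posted logs or of FRST itself: it parses GloballyOpenPorts lines in the shape FRST prints them and flags remote-access ports that are open to any address. The port-to-service labels and the reading of a rule without ":LocalSubNet:" as "open to any remote address" are assumptions made here; the sample lines are a subset copied from the log above.

```python
"""Flag remote-access ports that the Windows Firewall leaves open to any
address, from the FirewallRules section of an FRST Addition.txt.

Added example for reviewing logs like the one above; it is not part of the
posted logs or of FRST.  The port-to-service labels and the reading of a rule
without ":LocalSubNet:" as "open to any remote address" are assumptions made
here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: FirewallRules lines in the shape FRST prints them,
# copied from the log above.
SAMPLE_LOG = """\
DomainProfile\\AuthorizedApplications: [C:\\Program Files\\UltraVNC\\winvnc.exe] => Enabled:winvnc.exe
DomainProfile\\GloballyOpenPorts: [5900:TCP] => Enabled:vnc5900
DomainProfile\\GloballyOpenPorts: [5800:TCP] => Enabled:vnc5800
DomainProfile\\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009
StandardProfile\\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009
"""

# Ports that give remote interactive or file access (labels are ours).
REMOTE_ACCESS_PORTS: Dict[Tuple[int, str], str] = {
    (3389, "TCP"): "RDP",
    (5900, "TCP"): "VNC",
    (5800, "TCP"): "VNC over HTTP",
    (445, "TCP"): "SMB",
    (139, "TCP"): "NetBIOS session",
}

# Only GloballyOpenPorts rules are parsed; AuthorizedApplications lines are skipped.
RULE_RE = re.compile(
    r"^(?P<profile>\w+)\\GloballyOpenPorts: "
    r"\[(?P<port>\d+):(?P<proto>TCP|UDP)\] => (?P<value>.*)$"
)


@dataclass
class PortRule:
    profile: str   # DomainProfile or StandardProfile
    port: int
    proto: str
    scope: str     # "LocalSubNet" or "*" (any remote address)
    enabled: bool


def parse_port_rules(text: str) -> List[PortRule]:
    """Parse GloballyOpenPorts lines; the value part is 'Enabled:name' or
    ':LocalSubNet:Enabled:name' in FRST's output."""
    rules: List[PortRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        fields = m.group("value").split(":")
        scope = "LocalSubNet" if "LocalSubNet" in fields else "*"
        rules.append(PortRule(
            profile=m.group("profile"),
            port=int(m.group("port")),
            proto=m.group("proto"),
            scope=scope,
            enabled="Enabled" in fields,
        ))
    return rules


def exposed_services(rules: List[PortRule]) -> List[Tuple[str, int, str, str]]:
    """Return (profile, port, proto, label) for enabled remote-access ports
    whose scope is not restricted to the local subnet."""
    findings = []
    for r in rules:
        label = REMOTE_ACCESS_PORTS.get((r.port, r.proto))
        if label and r.enabled and r.scope == "*":
            findings.append((r.profile, r.port, r.proto, label))
    return findings


if __name__ == "__main__":
    for profile, port, proto, label in exposed_services(parse_port_rules(SAMPLE_LOG)):
        print(f"{profile}: {port}/{proto} ({label}) open to any address")
```

Run against the sample, the check reports the four unscoped Domain-profile rules (VNC 5900 and 5800, SMB 445, RDP 3389) and the Standard-profile RDP 3389 rule, while the Standard-profile 139 and 445 rules pass because they are limited to LocalSubNet. Whether those rules are legitimate (UltraVNC is installed on this machine) is a question for the owner; the point of the check is that they are the first thing to verify when a remote-access tool or a rootkit is suspected.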



#4 Bwaltman

Bwaltman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:16 PM

Posted 15 July 2015 - 02:50 PM

Yesterday before you replied back to me, I continued to work on this computer. I think I was able to get rid of the NECURS rootkit. But I would like to be safe. 



#5 Bwaltman

Bwaltman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:16 PM

Posted 15 July 2015 - 09:56 PM

ASWMBR LOG...

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-07-15 16:07:20
-----------------------------
16:07:20.895    OS Version: Windows 5.1.2600 Service Pack 3
16:07:20.895    Number of processors: 2 586 0xF0B
16:07:20.895    ComputerName: ENTRY_2  UserName:
16:07:21.113    Initialize success
16:07:21.129    VM: initialized successfully
16:07:21.129    VM: Intel CPU BiosDisabled
16:08:11.097    AVAST engine defs: 15071500
16:09:57.080    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:09:57.080    Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
16:09:57.299    Disk 0 MBR read successfully
16:09:57.299    Disk 0 MBR scan
16:09:57.439    Disk 0 Windows VISTA default MBR code
16:09:58.127    Disk 0 Partition 1 00     DE   Dell Utility Dell 8.0      125 MB offset 63
16:09:58.143    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS        76159 MB offset 257040
16:09:58.189    Disk 0 default boot code
16:09:58.205    Disk 0 scanning sectors +156232125
16:09:58.439    Disk 0 scanning C:\WINDOWS\system32\drivers
16:10:07.939    Service scanning
16:10:20.626    Modules scanning
16:10:20.626    Disk 0 trace - called modules:
16:10:20.657    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:10:20.657    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86160ab8]
16:10:20.657    3 CLASSPNP.SYS[f75bffd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86161030]
16:10:21.438    AVAST engine scan C:\WINDOWS
16:10:35.094    AVAST engine scan C:\WINDOWS\system32
16:12:58.648    AVAST engine scan C:\WINDOWS\system32\drivers
16:13:10.444    AVAST engine scan C:\Documents and Settings\Administrator
16:13:32.021    AVAST engine scan C:\Documents and Settings\All Users
16:13:48.661    Disk 0 statistics 1268095/0/0 @ 3.88 MB/s
16:13:48.661    Scan finished successfully
20:56:04.095    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\Malware Tools\MBR.dat"
20:56:04.095    The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\Malware Tools\aswMBR.txt"

 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 16 July 2015 - 02:00 AM

Well, then you seem to have fixed this on your own! :)

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.




Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent, or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most recent System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most recent System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most recent System Protection Restore Points.

Recommendations: How to protect yourself

  • System Updates
    Please ensure that automatic updates are activated in your Control Panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally, I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before you access a web site classified as dangerous, a warning screen is displayed.

  • Up to date Software
    Keep Windows and your third-party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third-party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80 cm in front of the monitor. This is a common joke among IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Bwaltman

Bwaltman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:16 PM

Posted 16 July 2015 - 03:50 PM

Thanks for your help



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 17 July 2015 - 04:08 AM

You're welcome! :)



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 17 July 2015 - 04:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



