Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Argh! The Curse Of The Hard To Kill Malware.


  • Please log in to reply
4 replies to this topic

#1 ZT-repairseek

ZT-repairseek

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 22 March 2007 - 02:04 PM

so after one day's worth of web browsing, I close the browser... and then I go to sleep. next morning: browser's opened on it's own, with two popups (one being an amaena.com thing). looked for info, wound up here, got the anti-vundo stuff, ran it, ran spybot(which found and apparently eliminated some smitfraud thing), ran ad-aware, went on with life. things seemed clear. then... the "browser opened itself for a popup" stunt happened again. did everything again, even added more anti-malware stuff. fought a bit and got rid of some trash pertaining to "MZKERNEL32.dll". again, thought it was clear. couple nights ago it happened again.

now... ad-aware, spybot, noadware, superantispyware... they're coming up clean. vundofix/fixvundo/smitfraudfix, blacklight,.... coming up clean. (although, blacklight refuses to be run in safe mode so for all I know it might be getting spoofed). catchme found nothing, gmer hasn't found anything it would remove... reanimator isn't finding anything that's malware...(most everything it's found in the last three days has been stuff where I know what it is)... sophos anti-rootkit didn't find anything it would touch(or considered a threat)

comboscan, run in safe mode, found five things that tell me to run a rootkit scanner. (it put them in the supplementary.txt)

If it happens ONE MORE TIME.... I'm going to go for broke and get out the logs.



why is it I cannot find a single, overarching program that seeks out all this crap and then does the following to it:
:thumbsup::trumpet: :flowers:
and solve all my malware issues in one run?


if anyone has an ideas what could be going on here, feel free to say something. x_x

BC AdBot (Login to Remove)

 


#2 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:05:33 PM

Posted 22 March 2007 - 07:25 PM

Download and scan with SUPERAntiSypware Free for Home Users

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Udates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

* Install AVG Anti-Spyware by double clicking the installer.
* Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
* On the main screen under Your Computer's security.
o Click on Change state next to Resident shield. It should now change to inactive.
o Click on Change state next to Automatic updates. It should now change to inactive.
o Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
o Wait until you see the Update succesfull message.
* Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Close ALL open Windows / Programs / Folders. Reboot in safe mode Please start AVG Anti-Spyware and run a full scan.

* Click on Scanner on the toolbar.
* Click on the Settings tab.
o Under How to act?
+ Click on Recommended Action and choose Quarantine from the popup menu.
o Under How to scan?
+ All checkboxes should be ticked.
o Under Possibly unwanted software:
+ All checkboxes should be ticked.
o Under Reports:
+ Select Automatically generate report after every scan and uncheck Only if threats were found.
o Under What to scan?
+ Select Scan every file.
* Click on the Scan tab.
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine.
* When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
o Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
o At the bottom of the window click on the Apply all Actions button. (3)

Posted Image

* When done, click the Save Scan Report button. (4)
o Click the Save Report as button.
o Save the report to your Desktop.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

THan
* Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Under Browsing History, click "Delete".
* Click "Delete Files", "Delete cookies" and "Delete history"
* Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu..
* Click the Clear now button below.. A new window will popup what to clear.
* Select all and click the Clear button again.
* Click OK to close the Options window

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

If that does not clear up matters than please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

#3 ZT-repairseek

ZT-repairseek
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 23 March 2007 - 08:07 AM

for starters, as I said, I *am* using SUPERantispyware. however, I'll add AVG's spyware killer to the pile I'm using.

also, I use ATFcleaner to eliminate all that temp file garbage on a daily basis.

anyway, it's happened again, so I'm going for broke and posting logs.

#4 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:11:33 PM

Posted 23 March 2007 - 08:47 AM

Smitfraud removal guide


After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

if this does not better please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

#5 ZT-repairseek

ZT-repairseek
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 23 March 2007 - 09:20 PM

hm... upon review of the stuff that AVG anti-spyware picked up...

it declared the ad-watch portion of ad-aware, as well as Daemon Tools, and the main portion of BCWipe(which is a file shredding program) to be "downloader.agent.awf"s... the first seems like an anti-competetive practice, and I'm not sure what to say about the other two...

false positives? infected/corrupted programs?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users