SpySentinel

June 21, 2011

Hi PW100,

Sorry for the delay.

On running RSIT AVG sees it as a threat.
I allowed AVG to remove it.
Could the source be compromised?
I can turn off AVG and run RSIT if you want me to.

Some AVs detect the tools we use as malicious when really they are not. No worries

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Adobe Acrobat 5.0

Java

June 21, 2011

Sorry for the delay.

although it doesnt report it it says they are all in comodo quarintine. I just looked in my antivir quarintine and it has one of he dr cureit web quarintined files quarintined in antivir. Its the TR\Crypt.ZPack one.

Since they are in quarantine, they cannot harm your system. Avira is just detecting them from the DrWeb and Comodo quarantine. The best way to stop the popups is to delete the files in both DrWeb and Comodo quarantine.

there are also 2 files from the system restore area that are trojans in the comodo quarintine. this is worrying.

These are not worrisome because once we reset your restore points, they will be gone.

Please let me know if you are successful at deleting the files in Comodo and DrWeb quarantine.

June 21, 2011

Hi Mwright,

You're very welcome

Yes your computer is clean from malware now, and I will be happy to answer any questions you may have.

however is there a way that I can make a contribution to cause?

If you like, you can contribute to your favorite local charity since I cannot accept donations as I am employed by Malwarebytes.

You could also take a look at Malwarebytes Anti-Malware PRO which is a one time cost for a lifetime license.

Posted June 20, 2011 · June 20, 2011

Hi musgam,

Muslimgamer is currently no longer in the database. Please update to the latest database version and try accessing the site again.

Thanks,

SpySentinel

June 17, 2011

We appreciate the feedback so far from everyone.

Like Marcin said, we are trying out some offers to see what our users like so stay tuned!

June 17, 2011

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

June 17, 2011

You're very welcome! Glad to hear your computer us running better

Your log looks clean, Great Job!

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now for some cleanup..
Please download OTC and save it to Desktop.
- Please make sure you are connecting to the Internet
- Double-click OTC.exe
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then go to Start > Run and type: Cleanmgr
- Click "OK".
- Click the "More Options" Tab.
- Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

[*]I recommend you install an alternate web browser such as FireFox. FireFox is a more secure browser than Internet Explorer and it has some additional tools you can install to help secure it even more.

[*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

[*]Use a Firewall - I recommend using a firewall which will allow you to stay protected against hackers.

*Note: Starting with Windows XP SP2, Windows comes with a built in firewall, however, I recommend you choose one of the free firewalls listed below and install it.

[*]Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

[*]Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

[*]Malwarebytes

June 17, 2011

Please run ComboFix again and post the log.

June 16, 2011

Hi mwright12,

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Also, how is the computer running?

June 16, 2011

How is the computer running?

June 12, 2011

Hi mwright12,

Glad to hear your system is running much better

Just a few leftovers we need to take care of.

Run OTL.exe

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: doccentral.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: fnismls.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: getmedianow.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: paragonrels.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: rdesk.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: rexplorer.net ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: safemls.net ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: showingtime.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: sitexdata.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: spellchecker.net ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: transactionpoint.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: trpoint.com ([]* in Trusted Sites)
O15 - HKCU\..Trusted Domains: xmlsweb.com ([]* in Trusted Sites)
[2011/05/31 14:31:29 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Hxitujikapakuk.dat
[2011/03/30 11:08:11 | 000,014,634 | -HS- | C] () -- C:\Documents and Settings\XP_Pro\Local Settings\Application Data\r0t835ni0n1t18aj4n071sa4s7m
[2011/03/30 11:08:11 | 000,014,634 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r0t835ni0n1t18aj4n071sa4s7m
[2011/03/29 22:33:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\XP_Pro\Application Data\124tre.ini
[2011/03/21 09:22:33 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\XP_Pro\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/19 12:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java

June 12, 2011

You're welcome

Run OTL.exe

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
[2011/05/02 21:12:55 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wtuyuqaza.dat
[2011/05/02 21:12:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jjezosuwule.bin
[2009/10/04 18:29:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/04/22 17:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/04/14 11:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/04/14 11:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/03/22 17:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG9
[2011/04/14 11:33:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG10

:Services
AVGIDSDriver
Avgtdix
Avgrkx86
Avgmfx86
AVGIDSEH
AVGIDSShim
AVGIDSFilter
Avgldx86

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done

June 12, 2011

You're welcome

Please let me know how the downloads and installs go.

June 12, 2011

I don't drink at all.

I usually don't either, but since it was my 21st, I thought it would be a good occasion lol.

June 12, 2011

From our Terms of Use:

In addition you will not engage in any sort of spamming, whether it is comment spam (injecting a comment into a thread for the purpose of placing a link back to a website offering the same services offered here; or services totally unrelated to this website), the use of signature links deemed to be for the sole purpose of increasing web traffic to a site of interest by the member, or any combination of those two examples. This includes the Personal Message feature.

Like Ron said, the program needs to meet with the approval of the Research Team first.

June 12, 2011

Thanks for the birthday wishes everyone

Happy BurpDay SpySentinel

:lol:

Good news is I didn't have that much to drink

June 11, 2011

Thank you everyone for the warm birthday wishes

It is my big 21 so I had a good time today with family and friends.

I'm starting to feel old :lol:

June 11, 2011

You're welcome

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

June 11, 2011

Hi mwright12,

This infection family will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

June 11, 2011

You're welcome

I can understand your frustration. Below, I posted a list of ways to help keep your computer secure in the future:

I recommend you install an alternate web browser such as FireFox. FireFox is a more secure browser than Internet Explorer and it has some additional tools you can install to help secure it even more.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Use AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Please only choose one.
Select one of these, or another of your choice. Download, install, and update definitions.
[*]Use a Firewall - I recommend using a firewall which will allow you to stay protected against hackers.
*Note: Starting with Windows XP SP2, Windows comes with a built in firewall, however, I recommend you choose one of the free firewalls listed below and install it.
[*]Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
[*]Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
[*]Malwarebytes

June 10, 2011

You're welcome.

You had a nasty TDL4 MBR rootkit.

Launch Malwarebytes' Anti-Malware

Please check for updates, and if an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked , and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push
  
  You can refer to this animation by neomage if needed.

June 10, 2011

Hi mwright12,

You're very welcome

Launch Malwarebytes' Anti-Malware

Please check for updates, and if an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked , and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push
  
  You can refer to this animation by neomage if needed.

June 10, 2011

Hi ToniWayne,

Please boot into Normal Mode and run another scan with Malwarebytes Anti-Malware.

June 9, 2011

This infection family will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Launch Malwarebytes' Anti-Malware

Check for updates, and ff an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked , and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push
  
  You can refer to this animation by neomage if needed.

June 9, 2011

Hi mwright12,

The bulk of the infection has been taken care of, however there are some leftovers that need to be addressed first.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\XP_Pro\Local Settings\Application Data\txu2eftu.exe
c:\documents and settings\XP_Pro\Local Settings\Application Data\9cmk8hyz.exe
c:\documents and settings\XP_Pro\Local Settings\Application Data\um0tnw4sr.bat
c:\documents and settings\XP_Pro\Local Settings\Application Data\jilb6bw5.exe
c:\documents and settings\XP_Pro\Local Settings\Application Data\tlzsmw3rr.bat
c:\windows\Ohupevopebasus.bin

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Events

Profiles

Forums

Posts posted by SpySentinel

Important Information