1972vet

Posts posted by 1972vet


  1. Here we go:

    Malwarebytes' Anti-Malware 1.39

    Database version: 2518

    Windows 5.1.2600 Service Pack 3

    7/28/2009 8:34:58 PM

    mbam-log-2009-07-28 (20-34-51).txt

    Scan type: Quick Scan

    Objects scanned: 87431

    Time elapsed: 3 minute(s), 42 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    d:\WINDOWS\system32\drivers\uti2mzm2.sys (Rootkit.Bagle) -> No action taken. [41345241302219216925692122172319196967216624252422671818186819262666242367]


  2. Uhmm...mbam was not running a scan when this happened, only its active protection. It was the AVZ scan that was running. As soon as I clicked the AVZ scan button, mbam popped up the warning box that I mentioned previously. If I run mbam in developer mode, I suppose I need also to disable its active protection? I'm thinking, what this would mean is that I would have to run the AVZ scan again, and while it is running, I should run mbam in developer mode?


  3. mbam reports the AVZ scan driver as Bagle. The driver is peculiar to each machine and appears only during a scan. However, even as this is a free utility, I believe the user has the option available to enable the guard to run on system startup. If mbam is also on board and running its real time protection, the action comes to a screaming halt.

    This morning, only during the AVZ scan, mbam halted the process and reported:

    uti2mzm2.sys as Bagle...this is the same AVZ kernel driver that can be enabled to run on startup.

    Don't bother googling that file as it is peculiar to only my machine much like if you would install and run AVZ, the kernel driver for your installation would be a different name, also unique to that particular scan.

    Not having tested these settings, I suspect this would create a BSOD on boot up since the mbam warning notice requires user interaction. I doubt the boot sequence would get that far before a BSOD would occur...And having no idea how many (if any) AVZ (Russian) users make up your customer base, I wouldn't know if one may want to test this to see...since I've not noticed this before.

    I have no idea if it is because of mbam's latest update to the database or not. The probability is that you may not even be concerned but I thought you might at least be interested to know about this.


  4. I'm not sure of the version number when it first appeared...it's been quite a while now but the version I have is "3.5.56968.437"...and I know it's installed with that one.

    The latest scan results:

    Malwarebytes' Anti-Malware 1.34

    Database version: 1770

    Windows 5.1.2600 Service Pack 3

    2/17/2009 11:42:38 AM

    mbam-log-2009-02-17 (11-42-38).txt

    Scan type: Quick Scan

    Objects scanned: 58718

    Time elapsed: 2 minute(s), 29 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ...Thanks Bruce!
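A parser for the Malwarebytes log format quoted in posts 1 and 4, added here as an example; it is not code from the forum or from Malwarebytes. It pulls the header, the summary counts and each detection line into structured records, cross-checks the summary counts against the lines actually listed, and keeps a detection whose path is on an operator-maintained verified-benign list (here the AVZ driver path from post 3, which that post notes is unique to one machine) in a review queue rather than acting on it. The abridged sample log and the known-benign list are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the log quoted in post 1, abridged to the
# lines the parser needs; the detection line itself is copied from that post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2518
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Memory Processes Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Files Infected:
d:\WINDOWS\system32\drivers\uti2mzm2.sys (Rootkit.Bagle) -> No action taken. [41345241302219216925692122172319196967216624252422671818186819262666242367]
"""
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.\[]+)\."
                          r"(?: \[(?P<tag>[0-9A-Fa-f]+)\])?$")
NO_ITEMS = "(No malicious items detected)"

@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str
    tag: str | None = None   # the bracketed id MBAM appends to a detection, when present

@dataclass
class MbamReport:
    product: str = ""
    fields: dict = field(default_factory=dict)   # header "Key: value" pairs
    counts: dict = field(default_factory=dict)   # section -> count from the summary block
    detections: list = field(default_factory=list)

def parse_mbam_log(text: str) -> MbamReport:
    """Parse the header, the summary counts and each section's detection lines."""
    report, section = MbamReport(), None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if not report.product:                 # first non-empty line names the product
            report.product = line
        elif m := COUNT_RE.match(line):
            report.counts[m["section"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section is None:                  # still in the header block
            key, sep, value = line.partition(": ")
            report.fields[key if sep else "unlabelled"] = value if sep else line
        elif line != NO_ITEMS:
            m = DETECTION_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised detection line: {line!r}")
            report.detections.append(Detection(section, **m.groupdict()))
    return report

def count_mismatches(report: MbamReport) -> list[str]:
    """Sections whose summary count disagrees with the detection lines actually listed."""
    seen: dict = {}
    for d in report.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return [s for s, n in report.counts.items() if seen.get(s, 0) != n]

def triage(report: MbamReport, known_benign: set[str]) -> list[tuple[str, str]]:
    """Queue detections whose path is on the operator's verified-benign list (for
    example a scanner's own driver, as post 3 describes) for review, not action."""
    return [(d.item, "review: known benign" if d.item.lower() in known_benign else "act")
            for d in report.detections]

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.counts, count_mismatches(rep), triage(rep, {r"d:\windows\system32\drivers\uti2mzm2.sys"}))
```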


  5. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  6. To assist in the prevention of spyware infections:

    Immunize your browser by installing Spywareblaster. What does it do?

    • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restricts the actions of potentially unwanted sites in Internet Explorer.

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

    You should always have at least (but not more than ) one of these types of third party firewalls running on board:

    Kerio Personal Firewall

    Zone Alarm

    Outpost Free

    Comodo. Beware of the "Ask" toolbar that's now included. If you don't want it, remove the check from the box during installation.

    Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

    Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

    Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Become familiar with the MalwareBytes anti-malware application. Use it often especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here where you can also request assistance if you have some concerns about the programs findings.

    ***Note***

    The licensed version provides real time protection and other automatic features otherwise not available.

    Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background to help prevent malware intrusions.

    Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...third download link at the bottom of that page).

    Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

    So how did I get infected in the first place?

    Regards, and Happy Surfing!


  7. I'm not going to say it's a false positive...I couldn't. I'm not on the investigative team but I can say it is most definitely related to Comodo Internet Security.

    My scan came up with that too this morning:

    Files Infected:

    E:\WINDOWS\system32\guard32.dll (Trojan.Agent) -> No action taken.

    E:\WINDOWS\system32\cssdll32.dll (Trojan.Agent) -> No action taken.

    ...both of those are Comodo Internet Security. My guess is you have the latest version of CIS and mbam is complaining of the file as it relates to the "Safe Surf" feature. Safe Surf is one of Comodo's recent mistakes in my opinion. That feature works hand and glove with [Ask.com]...a browser search engine hijacker that is in my opinion (which by the way, is shared by most other security experts I know)...foistware in the sense that it is bundled with the download and is checked by default. You have to remove the check in order to prevent its download. You should be able to uninstall it in your add/remove program listing but should also check your browser to see that the BHO is either disabled or uninstalled as well.

    In my case, I have Firefox designated as my default browser. I removed the check from the "Askdotcom" search bar installation but it nevertheless installed and hijacked my Internet Explorer. If you have multiple browsers, check them all. Once you've removed the search bar, you may have to look for the .dll file in your system32 folder. It would have an identical name but ending with the number "1":

    guard32.dll1

    ...that file is prior to the update you installed that included the Askdotcom garbage.


  8. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  9. I took some time to go over your list of installed programs a bit more. I doubt any of them relate to your issue but I should run down the list of things I took note of for you:

    Adobe Reader 8.1.0 is out of date. You should uninstall it and install the latest version Here.

    AVG Anti-Rootkit Free is no longer supported so you may as well uninstall this one. Your AVG version 8 is sufficient...just remember to keep it updated if you don't have a paid subscription for it.

    The tool below is shareware...you need a license for it to work. Is this a paid subscription or are you still using it as a trial? If so, you should uninstall this since Windows does the identical thing as this software claims to do...it's just not necessary and uses up more disk space than is required.

    HDD Regenerator

    The program below:

    Motherboard Monitor 5

    ...is no longer being developed by its author. It's fine to leave it if it works for you but if your motherboard's manufacturer is one that refused to cooperate with the author of this program then you may as well uninstall this too.

    Mozilla Firefox (2.0.0.20) is out of date. Just open Firefox and it will download the latest version for you.

    The program OpenOffice.org 2.0 is an excellent product. I use it...however, the latest version is Here.

    Paltalk Messenger is a problem...you should uninstall this one too.

    The program RegCure 1.2.0.4 is overzealous in my opinion. These registry cleaners are all overrated. A user almost never even notices any improvement whatsoever from removing what these programs suggest. In many cases, and I believe RegCure is one of them, the entries presented for removal are legitimate and necessary registry entries. If it were me, I would restore every single backup that this program may have made then uninstall it.

    The program ShredIt PC is another needless program on your system. With the likes of trusted and time tested applications as Spybot Search and Destroy, you can use the shredding feature that it has available as well as take advantage of its scanning and infection preventative features.

    You have many programs on your system that I would not have. You should go over the list and think to yourself..."Do I use this or not"...also take a look at the programs you installed that are trial versions. If you are no longer evaluating them uninstall them and uninstall the others that you decided upon.

    I believe this is also out of date...UltraVNC v1.0.2.

    Please run the MGA Diagnostic Tool and post back the report it creates:

    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.

  10. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  11. Your description of folder contents for those does not seem to me to be a completed installation. Here's what I'd like you to do...

    For each folder having the (2) beside it, copy its contents and then open its corresponding program folder (that is, the other folder with the same name without the number (2) beside it)...then right click anywhere inside that folder and select "Paste". Windows will alert you if any of the files that you are transferring are duplicates and ask you if you want to replace the existing file. Compare the dates and sizes of the files that Windows tells you already exist. If the existing file is newer (and probably larger) than the file you are transferring, then allow Windows to transfer those to that folder.

    Continue in this manner until you've checked each duplicate folder. Then you can return to the folders you copied from (that is, those with the number (2) beside them) and delete each one. Let me know if you have any trouble with this instruction. Thanks!


  12. Computer and browser slowness are not always malware related

    Poor performance and other problems can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

    Listed below are a few things you can do to improve speed and system performance. Many of these suggestions will apply if you're using Windows Vista but may be done a bit differently. Near the bottom of this thread there is a section specifically devoted to Vista Users.

    For browser problems, see:

    If you're having connectivity issues or errors such as "Page cannot be displayed", see

    If you're using Vista or Internet Explorer 7, see

    If you have a lot of toolbars and add-ons attached to Internet Explorer, you could try improving performance by disabling those which are unnecessary. See:

    • Control Internet Explorer Add-ons with Add-on Manager
    • Troubleshooting and Internet Explorer


  13. Please take a look at each of these folders:

    c:\program files\QuickTime(2)

    c:\program files\iTunes(2)

    c:\program files\iPod(2)

    c:\program files\Bonjour(2)

    ...the number "(2)" which follows each folder indicates that there is another folder in the same location with the same name. In other words, your windows explorer program file tree might look something like this:

    Bonjour

    Bonjour(2)

    iPod

    iPod(2)

    iTunes

    iTunes(2)

    QuickTime

    QuickTime(2)

    ...the original installation should not have the number (2) beside it. The folders with the number (2) indicate a duplicate. When you post back, tell me what you find in those folders.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    KILLALL::

    File::

    c:\program files\eknw.txt

    Rootkit::

    c:\windows\system32\gajulebi.dll


  14. As long as you have nlite installed and are using it for system settings, you should leave those entries alone.

    You can run HijackThis again and check this one:

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    Don't forget to close all windows before clicking Fix Checked...then reboot to properly record the changes to the hard disk.

    Run your disk clean manager and a defrag. Reboot again when you finish and post back a fresh HijackThis log. Advise how the system behaves now. Thanks!


  15. Your Java application is out of date and causes a slight security risk as a result.

    Please follow these steps to remove older version Java components:

    • Close any open programs you may have running, especially your web browser.
    • Click Start-->Control Panel-->Add or Remove Programs.
    • Click once on any item having Java Runtime Environment in its name then click the "Remove" button.

    Not every version of Java will begin with "Java" so be sure to read each entry in the list.

    Repeat the third step above as many times as necessary to remove all versions of Java.

    ***NOTE***

    If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

    • Navigate to and delete: C:\Program Files\Java <-- the Java folder indicated in bold red text (if found)
    • Then go to this page. Scroll down to the first download link, "Java SE Runtime Environment (JRE) 6 Update 12" and click the "Download" button to the right. Select the platform for "Windows".
    • Check the box that says: "I agree to the Java SE Runtime Environment # License Agreement", then click Continue...The page will refresh

    Then, click on the link to download Windows Offline Installation. Save it to your desktop.

    Now, from your desktop, double-click on the executable to install the newest version.

    We need to disable Tea Timer so it won't interfere with our removal efforts:

    1) Run Spybot-S&D

    2) Go to the Mode menu, and make sure "Advanced Mode" is selected

    3) On the left hand side, choose Tools -> Resident

    4) Uncheck "Resident TeaTimer" and OK any prompts

    5) Restart your computer.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    KILLALL::

    File::

    E:\LaunchU3.exe

    FileLook::

    c:\program files\eknw.txt

    Folder::

    c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

    c:\documents and settings\All Users\Application Data\~0

    REGNULL::

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

    Registry::

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]


  16. Please download combofix from This Webpage...and read through the instructions there for running the tool.

    ***Important Note***

    Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

    If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

    The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

    Once installed, a blue screen prompt should appear that reads as follows:

    The Recovery Console was successfully installed.

    When you see that screen, please continue as follows:

    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please post back the following on your next reply:

    C:\ComboFix.txt

    New HijackThis log.


  17. Looks good. I have just one more concern. Your HP tool box references a very old version of Java that has been exploited ages ago. Let's see an uninstall log:

    Open HijackThis. Click-->Open the Misc Tools section-->Open Uninstall Manager-->Save list...and save the list to your Desktop, then close HijackThis.

    A notepad file will open. Copy and paste the content of that text file back here on your next reply. By the way, how's it running for you now? Are you having any other issues? Thanks!


  18. These entries are produced from the nlite utility:

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')

    ...in each instance, in the program name indicated between the brackets, "nlpo...", the "nl" portion stands for the nlite utility.

    Is the computer yours? You didn't answer this question:

    Did you install the Smart Keystroke recorder program?
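A small HijackThis line classifier for the O2 and O4 entries quoted in posts 14 and 18, added here as an example; it is not code from the forum or from HijackThis. It parses each line into hive, key, value name, command and account, then applies the two rules those posts state: an O4 RunOnce entry named "nlpo_..." is an nLite post-install task to leave alone while nLite is in use, and an O2 BHO reported as "(no file)" is an orphaned registry entry that is safe to fix. The verdict strings and the excerpt of sample lines are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample entries copied from posts 14 and 18 above (a constructed excerpt, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
"""
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[A-Za-z]+): "
                   r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']+)'\))?$")

# Verdict strings (assumed wording) for the two rules the posts spell out.
LEAVE_NLITE = "nLite post-install task: leave alone while nLite manages the system"
FIX_ORPHAN = "orphaned BHO: CLSID registered but no file on disk; safe to fix"
REVIEW = "review manually"

@dataclass
class Entry:
    kind: str      # "O2" (browser helper object) or "O4" (autostart value)
    raw: str
    fields: dict

def parse_entry(line: str) -> Entry | None:
    """Split one HijackThis O2 or O4 line into its named fields."""
    line = line.strip()
    if m := O2_RE.match(line):
        return Entry("O2", line, m.groupdict())
    if m := O4_RE.match(line):
        return Entry("O4", line, m.groupdict())
    return None   # other HijackThis sections are not handled here

def classify(e: Entry) -> str:
    """Apply the nlpo_ rule from post 18 and the (no file) rule from post 14."""
    if e.kind == "O4" and e.fields["name"].startswith("nlpo_"):
        return LEAVE_NLITE
    if e.kind == "O2" and e.fields["file"] == "(no file)":
        return FIX_ORPHAN
    return REVIEW

def triage(text: str) -> list[tuple[str, str]]:
    """(value name, verdict) for every recognised line of a HijackThis log."""
    out = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            out.append((e.fields["name"], classify(e)))
    return out

def nlite_users(text: str) -> set[str]:
    """Accounts whose RunOnce keys carry nLite tasks (the 'User' suffix names the HKUS SID)."""
    return {e.fields["user"] for e in map(parse_entry, text.splitlines())
            if e and e.kind == "O4" and e.fields["name"].startswith("nlpo_") and e.fields["user"]}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print(f"{name:10} {verdict}")
    print("nLite tasks pending for:", sorted(nlite_users(SAMPLE_LOG)))
```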