So how unclean am I?!?!


Mags

Hello all

Recently checked my laptop after helping another person with theirs and lo and behold MBAM found and dealt with 9 issues - log below along with more recent clean log

It also highlighted to me that Norton had elapsed without any notification!!!

I have read other threads and have now uninstalled Norton altogether, installed Outpost and Windows Security Essentials as well as Spyware Blaster and checked all my software and updated where necessary as well as updating windows...

I just need to know how bad the original findings of MBAM were, whether I am really clean or not and if there are other steps I need to take on this

Many many thanks for all of you who give your time to this

Mags

Malwarebytes' Anti-Malware 1.44

Database version: 3534

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18865

10/01/2010 17:24:51

mbam-log-2010-01-10 (17-24-51).txt

Scan type: Quick Scan

Objects scanned: 106895

Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Users\Margaret\AppData\Local\Temp\E_4 (Worm.AutoRun) -> Quarantined and deleted successfully.

Files Infected:

C:\Users\Margaret\AppData\Local\Temp\E_4\com.run (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\RegEx.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Users\Margaret\AppData\Local\Temp\E_4\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.

Second 'Clean' Log:

Malwarebytes' Anti-Malware 1.44

Database version: 3537

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18865

10/01/2010 23:02:57

mbam-log-2010-01-10 (23-02-57).txt

Scan type: Quick Scan

Objects scanned: 107640

Time elapsed: 10 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
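To answer the "how bad was it" question from the log itself rather than by eye, here is a small parser for the Malwarebytes' Anti-Malware 1.x text log format. It is an added example, not Malwarebytes' own code; the sample it parses is the summary and detection section of the first log posted above, reproduced as a string. The triage it performs (grouping by threat family, noting that every hit lived under the user's Temp folder on one drive, and confirming every item was quarantined) is the reading a responder would make of this log.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log (added example)."""
import re
from collections import Counter

# Detection section of the first log in the thread, reproduced as a string.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3534
Scan type: Quick Scan
Objects scanned: 106895
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Folders Infected:
C:\Users\Margaret\AppData\Local\Temp\E_4 (Worm.AutoRun) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Margaret\AppData\Local\Temp\E_4\com.run (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\RegEx.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Users\Margaret\AppData\Local\Temp\E_4\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
"""

# "<category> Infected: <n>" summary lines.
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "<path> (<family>) -> <action>." detection lines.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return (counts, detections): the summary numbers and each flagged item."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):      # start of a per-category listing
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return counts, detections


def is_clean(counts):
    """True when every summary counter is zero (the shape of the second log)."""
    return bool(counts) and all(n == 0 for n in counts.values())


def triage(detections):
    """Group hits by family, count Temp-folder drops, list drives, check all handled."""
    return {
        "families": Counter(d["family"] for d in detections),
        "temp_dir_hits": sum(
            1 for d in detections if "\\appdata\\local\\temp\\" in d["path"].lower()
        ),
        "drives": {d["path"][:2] for d in detections},
        "all_handled": all(
            d["action"] == "Quarantined and deleted successfully" for d in detections
        ),
    }


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(counts))
    for key, value in triage(dets).items():
        print(f"{key}: {value}")
```

Run against the first log this reports two families (Worm.AutoRun and Trojan.Agent), all nine items under C:\Users\...\AppData\Local\Temp, and every one quarantined; the same parser returns clean for the second log because every counter is zero.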


Hi all

I thought I'd better just ask if I may have been overlooked for help as I would really like to check out what caused my infections and if my computer is now clean

Would love to hear from someone when you are free to assist and appreciate how busy you all are

Thanks in advance

Mags


Hello Kenny

So good to hear back - thank you!! :)

I have run DDS and attach both logs. DDS is below and Attach is attached as a zip file

Hope that's all ok. I'll wait to hear...

Mags

DDS (Ver_09-12-01.01) - NTFSx86

Run by Margaret at 20:04:23.33 on 18/01/2010

Internet Explorer: 8.0.6001.18865

Microsoft



The infection might have come from a flash drive. Did you use a flash drive when you helped your friend?

Make sure you plug in all your removable devices, otherwise you could spread this infection into another computer.

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Next:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
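The Flash_Disinfector step above rests on one property of the AutoRun mechanism: a worm spreads by writing a file called autorun.inf at the root of a removable drive, and a directory of that same name stops such a file from being created. The following script, an added example that is not sUBs' tool or the forum's own code, does the two things a responder wants here: it inspects a drive root and reports whether autorun.inf is absent, is already the protective folder, or is a real file (and, if so, which program entries it names), and it can then apply the folder-based block, moving any existing file aside for later examination rather than deleting it. The demo() function builds a throwaway drive root with a constructed autorun.inf so the whole thing runs offline; the hidden/read-only attribute is only set on Windows, and the file name hidden\launcher.exe in the sample is an invented placeholder.

```python
"""Inspect and protect removable-drive roots against autorun.inf worms (added example)."""
import configparser
import os
import tempfile

# Entries in [autorun] that name a program to launch; these are what a responder reads first.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of a worm-style autorun.inf; the launcher path is an invented placeholder.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=hidden\\launcher.exe\n"
    "shellexecute=hidden\\launcher.exe\n"
    "icon=icon.ico\n"
)


def inspect_drive_root(root):
    """Classify <root>\\autorun.inf as 'clean' (absent), 'protected' (directory) or 'file'.

    For a file, 'launches' lists the program entries found in its [autorun] section.
    """
    target = os.path.join(root, "autorun.inf")
    if not os.path.lexists(target):
        return {"state": "clean", "launches": []}
    if os.path.isdir(target):
        return {"state": "protected", "launches": []}
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(target, encoding="utf-8", errors="ignore") as fh:
            parser.read_string(fh.read())
    except configparser.Error:
        return {"state": "file", "launches": ["<unparseable>"]}
    launches = []
    for section in parser.sections():           # section name may be any case
        if section.lower() == "autorun":
            for key, value in parser.items(section):   # keys are lower-cased by configparser
                if key in LAUNCH_KEYS:
                    launches.append(f"{key}={value}")
    return {"state": "file", "launches": launches}


def protect_drive_root(root):
    """Replace any autorun.inf file with a directory of that name; return True if created."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isdir(target):
        return False
    if os.path.lexists(target):
        # Keep the original for analysis instead of destroying evidence.
        os.replace(target, target + ".quarantined")
    os.mkdir(target)
    if os.name == "nt":
        import ctypes
        # FILE_ATTRIBUTE_READONLY (0x1) | FILE_ATTRIBUTE_HIDDEN (0x2)
        ctypes.windll.kernel32.SetFileAttributesW(target, 0x1 | 0x2)
    return True


def demo():
    """Run inspect -> protect -> inspect on a temporary root seeded with SAMPLE_AUTORUN."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        before = inspect_drive_root(root)
        created = protect_drive_root(root)
        after = inspect_drive_root(root)
        quarantined = os.path.isfile(os.path.join(root, "autorun.inf.quarantined"))
        return before, created, after, quarantined


if __name__ == "__main__":
    for label, value in zip(("before", "created", "after", "quarantined"), demo()):
        print(f"{label}: {value}")
```

On a real machine you would call inspect_drive_root() on each removable drive letter before deciding anything, and only then protect_drive_root(); the quarantined copy is what you hand to the helper in a thread like this one, since the launcher it points at tells you what else to look for.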


Hi again

Thanks so much for the quick reply!

We did use a removable hard drive to store some critical info from the other computer and it's a drive I also use. Can I just check whether there is any risk to the folders on the drive when cleaning it using your suggestions as it has precious photos stored on it which I would hate to see go... :):)

Thanks...


Phew that was a scan and a half!!! :(

Finally got through it and found 5 things that, to my naive eye, don't seem horrific...

Should I cleanse the drive as you suggested originally? Happy to do so, just desperate not to lose the pics stored on it...

Malwarebytes' Anti-Malware 1.44

Database version: 3595

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18865

18/01/2010 22:38:23

mbam-log-2010-01-18 (22-38-23).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 309117

Time elapsed: 1 hour(s), 37 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

F:\ACER\Users\Margaret\AppData\Local\Temp\aupd.exe (Adware.AdRotator) -> Quarantined and deleted successfully.

F:\ACER\Users\Margaret\AppData\Local\Temp\s41g (Adware.TrafficSol) -> Quarantined and deleted successfully.

F:\ACER\Users\Margaret\AppData\Local\Temp\s7gs (Adware.AdRotator) -> Quarantined and deleted successfully.

F:\ACER\Users\Margaret\AppData\Local\Temp\Low\aupd.exe (Adware.AdRotator) -> Quarantined and deleted successfully.

F:\Future Stuff\Files\SmileyCentralPFSetup2.2.60.9.ZNfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

On another note... you mentioned that the original things picked up may have come from a flash drive. What were the infections and what were they designed to do?!?

Thank you so much for your valuable time I'm sure you have better things to do than assist simpletons like me but I want you to know it is appreciated :)

Mags


Sorry to be hard work...

Downloaded Flash_Disinfector but cannot get it to run. First of all it said it may not have installed correctly so tried saying it had, but nothing happened on running. Tried reinstalling with recommended settings but still no run, and tried running as administrator but nothing... :)


Hello again!!

I have run the ESET online scan but the log report looks very strange to my untrained eye... I have pasted it below but also attached a screen grab from the end of the scan as it ran for 1 hour and 20 mins and scanned without crashing, showing no problems found, but the log doesn't look complete

should I try and run it again??? :)

Eset Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

Also ran security check - results below:

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 2 (UAC is enabled)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Outpost Firewall 2009

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

SpywareBlaster 4.2

Java 6 Update 17

Adobe Flash Player 10

Adobe Reader 9.3

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

With regard the system now I am not seeing any serious problems though the system is running slow so prob needs clearing out and defragging etc.... Any advice gratefully received! :)

Also I had alerts from MSE yesterday regarding Trojan clickers and Trojan downloaders ASX/Wimad which were deleted...

Let me know if anything else is needed now and if any progress on flash disinfect...

Thanks so much for all your time Kenny :)

Mags


Your logs look good Mags. EsetOnlineScanner finished and showed no viruses as well.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

As for Flash_Disinfector I don't know. But next time do not plug your external drive into an infected computer.... :)

Some final items:

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

For help with Vista visit: http://www.bleepingcomputer.com/tutorials/tutorial143.html

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

Malware And Spyware Tips

Also see here for system improvement: Help! My computer is slow!

It was a pleasure working with you Mags.

Kenny (Kenny94)


Hi Kenny

Just to say a great big thank you for your assistance! Good to know it all looks clean. You guys are amazing for giving your time up to help fight these problems - perhaps I can one day learn enough to help others too... :)

I am just working my way through the extra security now and I have already learned heaps from this forum about what can cause these problems in the first place so that can only be a good thing before I got caught by a big one!!

Do I need to do anything with Winpatrol or does it take a snapshot automatically on install then keep a running eye after that?

One final final question to check with you... I have two Outlook profiles and when I close one to go to the other I get an annoying pop up all the time saying that there have been changes to normal.dot and do I want to save the changes. If I say no it pops open a Word doc and when I close it it pops up the templates folder asking me to save normal.dot. If you try to save it it says it's in use by another programme so you just have to keep clicking the red x's till it all closes down... Any clues on what I can do to stop going through that process??

Thanks again for everything - you are a first rate star!

Mags

:):):)


Sorry, I do not use Outlook. So I really don't know too much about it.

Do I need to do anything with Winpatrol or does it take a snapshot automatically on install then keep a running eye after that?

Winpatrol will look at your installed programs and will add these to its list, so Scotty will not bark.

Winpatrol warns you of changes in your system such as new programs. So you have the option to accept it or not. This covers you in case a bad program used by malware (Browser Helper Object) attempts to install on your computer. Scotty barks when you download a program just to let you know he's watching your PC.


Hi there

Sorry to be back but wanted to check something out...

I get regular alerts from Outpost saying that SVChost.exe is requesting an inbound connection..

I block it but is this usual as I know there is an SVChost virus knocking around...

Thanks once again for any help / advice - prob being over cautious!!! :)

Mags

This topic is now closed to further replies.