Nasty begger / AV7 related - Trojan Horse Generic 17


Hello Little John,

Have the issues with the rogue Antivirus 7 (av7.exe) been resolved or not?

If they have not, please do the following:

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, click the Update tab. Press the "Check for Updates" button.

At -this time- of posting, the current definitions are # 3983 and the latest program version is 1.45

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Next, you already have DDS. Then start a new run of DDS.

Reply with a copy of the latest MBAM scan log and the new DDS.txt report.


Hello Maurice,

I am not convinced that I managed to get on top of the malware.

Below is a copy of the MBAM log and the DDS.txt report. MBAM did not uncover anything, so nothing had to be removed.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3985

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

14/04/2010 00:05:32

mbam-log-2010-04-14 (00-05-32).txt

Scan type: Quick scan

Objects scanned: 110103

Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The DDS.txt report-

DDS (Ver_10-03-17.01) - NTFSx86

Run by Grant at 0:17:31.57 on 14/04/2010

Internet Explorer: 8.0.6001.18882

Microsoft


DDS -does- show AG9 running. Have you had any messages regarding any trojan?

Which version of ZoneAlarm does this have? And does it have any antivirus component?

Let's get some fresh reports:

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. I just need log.txt and Checkup.txt from Security Check.
    Please post the contents of log.txt and Checkup.txt


Maurice,

thanks for your help. No, no messages from AVG, other than at the outset. I did notice that Onenote wished to open at the same time as I was having problems with the malware, before I ran combofix.

Running ZoneAlarm version 8.0.298.000 as a firewall - it does not have any anti-virus element to it.

Below are the Security Check text file and the log.txt file from RSIT.

Security Check -

Results of screen317's Security Check version 0.99.3

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG Free 9.0

SonicStage Mastering Studio Audio Filter Custom Preset

ZoneAlarm

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java 6 Update 11

Java SE Runtime Environment 6

Out of date Java installed!

Adobe Reader 8

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Spybot Teatimer.exe is disabled!

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

Zone Labs ZoneAlarm zlclient.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

RSIT log.txt -

Logfile of random's system information tool 1.06 (written by random/random)

Run by Grant at 2010-04-21 00:51:59

Microsoft

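The checkup.txt posted above is what the helper reads to pick the next steps (disabled firewall, out-of-date Java and Adobe Reader, disabled TeaTimer). As an added example, not code from the thread or from screen317's tool, this parses that log format and lists the actionable findings; SAMPLE_LOG is constructed from the post, and the section headings and "!" convention are assumed from the log as shown.

```python
# Added example (not the forum's or Security Check's own code): parse the
# checkup.txt format posted above and list the findings a helper would act on.
# SAMPLE_LOG is constructed from the post; dividers are built in code because
# the real log uses whole lines of backticks.
DIVIDER = "`" * 30

SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.3",
    "Windows Vista Service Pack 2 (UAC is enabled)",
    DIVIDER,
    "Antivirus/Firewall Check:",
    "Windows Firewall Disabled!",
    "AVG Free 9.0",
    "ZoneAlarm",
    DIVIDER,
    "Anti-malware/Other Utilities Check:",
    "Java 6 Update 11",
    "Out of date Java installed!",
    "Adobe Reader 8",
    "Out of date Adobe Reader installed!",
    DIVIDER,
    "Process Check:",
    "Spybot Teatimer.exe is disabled!",
    "AVG avgwdsvc.exe",
    DIVIDER,
    "DNS Vulnerability Check:",
    "GREAT! (Not vulnerable to DNS cache poisoning)",
    "``````````End of Log````````````",
])

def parse_security_check(text):
    """Group log lines under their 'X Check:' headings, dropping dividers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("`"):  # blank line or backtick divider
            continue
        if line.endswith("Check:"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def findings(text):
    """A line ending in '!' flags a problem, except the tool's 'GREAT!' all-clear."""
    return [(section, line)
            for section, lines in parse_security_check(text).items()
            for line in lines
            if line.endswith("!") and not line.startswith("GREAT!")]
```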

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

Exit Control Panel.

Older versions of Adobe Reader pose a potential security risk.

Get latest Adobe Reader version 9.3

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan

Next, see this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=43792

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please right click the icon for OTL.exe and select Run as Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.


Maurice,

thank you for checking these logs. I'll carry out the various steps suggested later today.

I am still a little puzzled about the behaviour of GMER, when some versions have crashed after I had downloaded and run Combofix. Has GMER been changed lately? What I am trying to get my mind around is why, when we have not changed anything, sometimes GMER would crash but the version linked to your mail did run. It makes me fear that something on my computer was stopping some of those versions, and that we have not yet found it.

I did also see something in some sort of an error log - I'll have to try to find it - where it was saying something along the lines that another named computer thought that it was meant to be accessing my computer (or vice versa) and then forcing a change (although it did not say if it was successful or not). Does this make any sense? It will be a struggle for me to find it through Event Viewer.

Regards

LJ
