PeterLuu Posted May 29, 2010 ID:258648

So the other day I was infected by a virus but I believe I removed all of them. Here's a log of it:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4006

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/22/2010 11:33:37 PM
mbam-log-2010-05-22 (23-33-37).txt

Scan type: Quick scan
Objects scanned: 145709
Time elapsed: 10 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Peter\Local Settings\Application Data\weilthtyc\bedxreutssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

But ever since that day my computer has been acting all weird. The windows and button style switches to classic every time I restart/shutdown the computer. And the internet stops working when it works on my laptop/iphone. Only when I do a system restore does the internet work again. And I get random pop ups when I go on google. I've run full scans a bunch of times but nothing ever comes up, so the virus is probably hiding somewhere.
negster22 Posted May 29, 2010 ID:258686

Hi PeterLuu,

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4006

You need to remove MBAM 1.45 and install the latest version, which is 1.46. Update the definitions. The current definition database is 4154. Please verify you have that one or an even higher version before running your scan. Then run a Quick Scan in Normal Mode, not Safe Mode, and post back that log please!
PeterLuu Posted May 30, 2010 Author ID:258843

Here ya go.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4155

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/29/2010 9:42:22 PM
mbam-log-2010-05-29 (21-42-22).txt

Scan type: Quick scan
Objects scanned: 173646
Time elapsed: 14 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Peter\Local Settings\Temp\79bc5164.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
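The two MBAM logs posted in this thread use one line shape for every detection: the item, the detection name in parentheses, an arrow, and the action taken. As an added example (not part of the thread and not Malwarebytes' own code), here is a small Python parser for that format. It reads the header values, checks that each summary count matches the number of items actually listed (a quick way to spot a truncated paste), and flags detections that sat under a Run/RunOnce autostart key, which is the reboot-survival hook visible in the first log. The sample input is the first log above, trimmed to the lines the parser needs; the function names and the line-shape assumption are mine.

```python
import re

# Sample input: the first MBAM log posted in this thread, trimmed (taken from
# the page, not constructed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45
Database version: 4006

Scan type: Quick scan
Objects scanned: 145709

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Peter\Local Settings\Application Data\weilthtyc\bedxreutssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
"""

# Summary line ("Registry Keys Infected: 4") or detail header ("Registry Keys Infected:").
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)?$")
# Detection line shape assumed from the logs above: "<item> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Autostart locations; a hit here means the malware had a hook that survives reboot.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (metadata, counts, detections) for an MBAM 1.x scan log."""
    metadata, counts, detections = {}, {}, []
    section = None  # detail section currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, count = m.group(1), m.group(2)
            if count is not None:      # summary block: "<category>: <n>"
                counts[name] = int(count)
                section = None
            else:                      # start of a detail section
                section = name
            continue
        if section is None:            # header area: keep "Key: value" lines
            if ": " in line:
                key, value = line.split(": ", 1)
                metadata[key] = value
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return metadata, counts, detections


def reconcile(counts, detections):
    """Map each summary category to (count reported, items actually listed).

    A mismatch means the log was cut off or pasted incompletely.
    """
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    return {name: (counts[name], seen.get(name, 0)) for name in counts}


def persistence_entries(detections):
    """Detections that lived under a Run/RunOnce key (autostart persistence)."""
    return [d for d in detections if RUN_KEY_RE.search(d["item"])]


def unresolved(detections):
    """Detections whose action was not a successful quarantine-and-delete."""
    return [d for d in detections
            if not d["action"].startswith("Quarantined and deleted")]


if __name__ == "__main__":
    meta, counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("Database version:", meta.get("Database version"))
    for name, (reported, listed) in reconcile(counts, dets).items():
        flag = "" if reported == listed else "  <-- count mismatch"
        print(f"{name}: reported {reported}, listed {listed}{flag}")
    for d in persistence_entries(dets):
        print("Autostart persistence:", d["item"], "|", d["detection"])
    print("Unresolved detections:", len(unresolved(dets)))
```

On the first log this reports matching counts in every category, two autostart entries (the HKLM and HKCU Run values named vcxgqtjn), and no unresolved items; a log pasted without its last section shows up as a reported/listed mismatch instead of silently looking clean.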
negster22 Posted May 31, 2010 ID:259229

Please download ATF Cleaner by Atribune.
- Close Internet Explorer and any other open browsers.
- Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser: Click Firefox at the top and choose: Select All. Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera browser: Click Opera at the top and choose: Select All. Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
- Reboot.

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program. When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When this "quick" scan is finished (a few seconds), copy the Quick scan report to the Windows clipboard.
- Open Notepad or a similar text editor.
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V.
- Exit the program.
- Save the scan log as ARKQ.txt and post it in your next reply. If the log is very long, attach it please.

Please read the Combofix Guide at Bleeping Computer, aka A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/h...se-combofix#use

In the event you already have Combofix, please delete it as this is a new version.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please download Combofix from one of these locations: HERE or HERE

Using ComboFix -> I want you to rename Combofix.exe as you download it to rayman.exe

Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
- You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that: Open Firefox. Click Tools -> Options -> Main. Under the downloads section check the button that says "Always ask me where to save files". Click OK.
- For Internet Explorer: Choose to save, not open, the file. When prompted, save the file to your desktop, and rename it anything with an .exe extension on the end.

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective.

Running Combofix
1. Launch Combofix (rayman.exe) from the Run Line, as follows: Navigate to Start --> Run, and copy/paste this command exactly as shown, then hit Enter:
"%userprofile%\desktop\rayman.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of C:\Combofix.txt in your next reply with rkill.txt and ARKQ.txt.

Note: Do NOT mouseclick combofix's window while it is running. That may cause your system to stall/hang.
PeterLuu Posted May 31, 2010 Author ID:259359

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-31 00:24:20
Windows 5.1.2600 Service Pack 3
Running: l1vm1brr.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\uwtoapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86DC7D01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
PeterLuu Posted May 31, 2010 Author ID:259625

ComboFix log attached.
ComboFix.txt
negster22 Posted June 1, 2010 ID:259786

I have to review your Combofix log. In the meantime, I need you to perform a more in depth ARK scan with the Anti-Rootkit Program (ARK) that you downloaded and ran previously, as follows:

First, disable the active protection component of your antivirus/antimalware by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Please relaunch Anti-Rootkit Program (ARK):
- Double-click the randomly named EXE located in the C:\ARK folder.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places. If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO.
- Then use the following settings for a more complete scan. In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  IAT/EAT
  Drives/Partition other than System drive (typically C:\)
  Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
- Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report back into your post.
Please let me know if there is any improvement in your computer's symptoms!
Re-enable any active protection that you disabled before performing the scan.
PeterLuu Posted June 1, 2010 Author ID:260333

I tried running the Ark scan but it gave me the blue screen of death a couple times during the scans. =/
negster22 Posted June 2, 2010 ID:260443

Let's do this:
Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled). Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
erekndumhiegfcheetah1DADriv1diskchksejt1vtanyxhunter1xp1zenx1npggsvcsaruen
XDva007
XDva008
XDva037
XDva119
XDva121
XDva201
XDva202
XDva279

AWF::
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\iTunes\bak\iTunesHelper.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"=""

Very Important: Disable ALL security program active protection components at this time, including any and all antispyware and antivirus monitor/guards you have running!!
Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first, before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into renamed ComboFix.exe (rayman.exe). This will cause ComboFix to run again.
Please post back the log that opens when it finishes (C:\Combofix.txt), and also let me know how your PC is running now!

===============================================================================================

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
- Extract the Zip File (archive) to a folder you create such as C:\RootRepeal.
- Double-click RootRepeal.exe to launch the program.
- Click Settings -> Options, select the Driver Tab, and check "Verify Digital Signatures (Experimental)". Close the Settings Window.
- In the Main Program screen, click the "Drivers" Tab (located at the bottom of the RootRepeal screen).
- Click the "Scan" button.
- When the scan is done, click the "Save Report" button.
- Save the log file to your Documents or the RootRepeal folder.
- Post the content of the RootRepeal file scan log in your next reply.
PeterLuu Posted June 6, 2010 Author ID:262584

Sooo sorry for the late lagging reply. Here are the logs that you asked for, attached.
ComboFix.txt
RootRepealLogpL.txt
negster22 Posted June 8, 2010 ID:263759

That's OK!
Your RootRepeal log looks OK!

Can you check out this folder and see if it's empty or not?
c:\documents and settings\Peter\Local Settings\Application Data\weilthtyc

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled). Copy/paste the text in the code box below into Notepad.
Save this to your desktop as AWF.bat by setting the "Save as Type" to "All files" in the pull down menu.
Double-click on AWF.bat to run this batch file.

copy /y "c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe" "c:\program files\Common Files\InstallShield\UpdateService\issch.exe"
copy /y "C:\program files\iTunes\bak\iTunesHelper.exe" "c:\program files\iTunes\iTunesHelper.exe"
dir /a "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" > output.txt
dir /a "c:\program files\iTunes\iTunesHelper.exe" >> output.txt
notepad output.txt

Copy/Paste the log file output.txt into your next reply.
Let me know if you have any errors when running the batch (BAT).
PeterLuu Posted June 8, 2010 Author ID:263787

That's good to hear hahah.
Yes, "c:\documents and settings\Peter\Local Settings\Application Data\weilthtyc" is empty.
&
This is the notepad text that popped up after running the batch. (Not sure if that's the log):

 Volume in drive C has no label.
 Volume Serial Number is 28A3-89EB

 Directory of c:\program files\Common Files\InstallShield\UpdateService

07/27/2004  03:50 PM            81,920 issch.exe
               1 File(s)         81,920 bytes
               0 Dir(s)  99,779,457,024 bytes free

 Volume in drive C has no label.
 Volume Serial Number is 28A3-89EB

 Directory of c:\program files\iTunes

04/28/2010  03:06 PM           142,120 iTunesHelper.exe
               1 File(s)        142,120 bytes
               0 Dir(s)  99,779,457,024 bytes free
negster22 Posted June 9, 2010 ID:264325

Delete this folder:
c:\documents and settings\Peter\Local Settings\Application Data\weilthtyc

The rest looks good! How is your computer acting now?
PeterLuu Posted June 9, 2010 Author ID:264373

It's working great now, no more pop ups and random desktop changes. Thanks negster22!
negster22 Posted June 9, 2010 ID:264734

Good job!! We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version, which is Java Runtime Environment (JRE) 6 Update 20, if you have not done that already. You can check your currently installed JRE version here.
If you find you need to update to the Java Runtime Environment (JRE) 6 Update 20, then follow these steps:
1. Download the latest JRE version at the Sun Microsystems website: http://java.sun.com/javase/downloads/index.jsp
2. Select the option that says: "Java Platform, Standard Edition JDK 6 Update 20 (JDK or JRE)" and click the "JRE Download" button.
3. Select your platform: Windows, in the pull down menu.
4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."
5. Click Continue.
6. Under the Windows Platform - Java SE Runtime Environment 6 Update 20 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.
7. Close any programs you may have running, especially your web browser.
8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Programs feature (as they may contain security vulnerabilities).
9. Reboot your system.
10. Then from your desktop double-click on jjre-6u20-windows-i586-p.exe to install the newest version of the Sun Java Platform.
12. If the Yahoo Toolbar is prechecked for installation, be sure to UNCHECK it if you do not care to have it, or already have it installed; it is not part of the JRE install and totally unnecessary.
13. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

Now clear the Java cache:
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache. Leave BOTH checked:
  Applications and Applets
  Trace and Log Files
- Click OK on the Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window.
- Click OK to leave the Java Control Panel.

If I asked you to download and run one or more ARKs (Antirootkit programs), then please uninstall them by doing all that apply as follows:
- Delete the contents of the folder C:\ARK
- Delete the C:\ARK folder
- Delete the contents of the folder C:\RootRepeal
- Delete the C:\RootRepeal folder

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:
"%userprofile%\desktop\rayman.exe" /uninstall
This will do the following:
- Uninstall Combofix and all its associated files and folders.
- Flush your system restore points and create a new restore point.
- Rehide your system files and folders.
- Reset your system clock.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to. Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions. The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates. However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment. Happy Surfing!
Staff screen317 Posted June 26, 2010 ID:275041

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!