
I Cleaned Up Something, but it's hanging on by its teeth.



Good Evening - -

At least, I hope yours is, mine sucks ....

I'm new at this, so let me know if there are 'better ways'. Thanks in advance.

My laptop 'acquired' this very aggressive 'sales pitch', which took control of it and (apparently) would not release it unless I purchased its product. This also happened to me 9 or 12 or ? months ago and in the process of cleaning it up, had (through another XP computer on our LAN), downloaded and copied the setup program through the LAN to the hi-jacked laptop. In SAFE MODE, I installed it and ran it, still in SAFE MODE, then again after rebooting (after renaming it). All was well with the world! Yea!

This time, Mbam was still installed, but no access. In SAFE MODE it ran and cleaned (apparently), but after rebooting (normally), I couldn't get Mbam to run, so I renamed it. That worked. Rebooting, still no access to Mbam or the NET. "OK, let's get on line and fix this" - Oops, no access, "that is a possibly dangerous site" . . . .

In the previous occurrence, NOTHING (hardly) would run; THIS time almost anything would still run (and install?). So, using another computer, I accessed your site and downloaded the latest & greatest. It didn't change much, apparently, except the original 'kidnapper' was gone.

I re-ran Mbam, perhaps, 6 times or more. Some full scans, some quick scans. After each time, in thinking about how I went about it, I kept coming up with something else I either forgot to do or did twice or skipped steps, or SOMETHING. Finally, I decided to 'get more informed'.

Here, I've learned that these kidnappers have become much more complex and cunning. In looking through your site, I found several pages that looked promising. The first was "Mbam won't run(Fix), SystemSecurity". Some days after the original hijack, I discovered that I was no longer sure about the description of the original 'bad guy', but SystemSecurity's description fit what I could remember the best, so I checked it out first. Most everything it told me I already knew and/or had tried - down to what had to be done in order to INSTALL Mbam.

It told me I needed to kill the SS process and to do that, I needed to use something called 'Process Explorer'. I downloaded it to my trusty thumb drive, moved it over to the laptop, installed the program and ran it. Guess what? It looked like the screen on your site, but there was no sign of SystemSecurity. I ran the program 3 times and using [PRINT SCRN] made some pictures of my screen.

The directions I was following, told me to run Mbam again, reboot and all would be well. I did and it wasn't. Reading further was quite interesting, ....

**Subnote**

If after removing System Security you are experiencing MBAM finding Trojan.Agent and Rootkit.Trace but it is failing to remove them then you have been infected with a blended (multiple) infection and also have the CLB WinNT/Alureon rootkit active on your computer.

Here is the canned fix/solution for removing that rootkit>>>

Of course, I had to go check it out.... It's all about 'RootRepeal', a new rootkit detector currently in public beta. Reading further, "RootRepeal is currently in public beta. Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed. There is always some risk when scanning for rootkits. Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents." O boy!!! OK, I'm desperate. Downloading, moving, installing and executing as before, using my thumb drive, there were no results. Nothing. Zilch. Another [PRNT SCRN] picture. OK, I'm at the end of your 'fixit' description and it doesn't seem I'm any further along than before. 'Obviously, I picked the wrong solution - right? Who knows. Anyway, I chose another - "Malware Removal - HijackThis Logs". I'm not sure what the 'HijackThis' is, but, reading, everything seems like it's down my alley.

Starting with the download (and using my ThumbDrive), I followed the directions, first uninstalling and removing all signs of any previous Mbam installations (except for the logs, which I copied to my Thumb Drive). Same results as described, above.

"Now that my system is clean" the directions tell me to update the software and scan again, then install an Anti-Virus. This step I skipped, thinking that I didn't have control yet, what good would an Anti-Virus do until I did?

"If you're still experiencing issues" - Yes I am, "Disable the CD Emulation Software". Using Defogger (and my Thumb Drive), I did, keeping the caution uppermost in my mind. "Do not re-enable these drivers until otherwise instructed."

"Download DDS and save it to your desktop from ... here ....

Disable any script blocker, and then double click dds.scr to run the tool." With my Thumb Drive, I did (only it was named dds.com). It created the two text files, DDS & Attach (Attach.txt, I zipped up).

"Download the following GMER Rootkit Scanner from here". "It will be randomly named". It was. Using my Thumb Drive, I executed it on my infected laptop (it gave me no warnings) after ensuring the appropriate check boxes were set as the instructions specified. The results, I saved to 'ark.txt' subsequently, zipping it up.

"Please start a New topic here and post the most recent Malwarebytes' Anti-Malware log file and DDS/GMER log files.", say the directions. Hey!! That's where I am, posting a new topic - but I am not sure just how I should proceed. I have executed Mbam several times, each with its own results text file. I have run a bunch of supporting software, most of which has its own report - so which of these do you want to see (if any)? Maybe I need to run some other diagnostic?

Rather than giving you (who is you?) a bunch of unneeded stuff, I'll await your instructions so I can get this situation cleaned up. And, by the way, thanks SO MUCH for helping - not only me, but all of us....

- Flailing about in the dark


RPMcMurphy -

Sorry it's taken me so long to get back here, Life, you know ...

Anyway, you wanted the logs for DDS and GMER ... OK, here is DDS.txt, but somewhere on this site, I remember being cautioned not to post both Attach.txt and ark.txt, instead to ZIP them up and post them.

So, now I'll attach the DDS.txt file.

Not seeing the file displayed in the preview of this communication, I'll add the attach.zip file and the ark.zip file.

According to 'Manage Current Attachments' they are there - wherever 'there' is - :)

DDS1.txt

Attach1.zip

ark.zip


Freddy02,

You are infected with a trojan known to sometimes have backdoor properties. Backdoor Trojans are very dangerous because they use advanced techniques (backdoors) to steal sensitive information which they send back to the hacker. All passwords should be changed immediately using a different computer and, if necessary, banking and credit card institutions should be notified of the possible security breach.

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC1.png)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log
  • Do you use a router?


RPMcMurphy,

WOW!! Your last post was certainly informative ... and rather unexpected. The implications (to my wife and me, anyway) at first glance, seem to be quite extensive.

All that information has generated a 'few' questions:

  1. When you say "All passwords", do you mean ANY & ALL, no matter how infrequently used, or how long it's been since the last use? What about Facebook? Have all my 'friends' been exposed? Do I need to inform them? What about the professional networks to which I connect, through my job - do I need to inform them, too? I guess, basically, I'm trying to get my head wrapped around the limits of the possible infection vs exposure, so my responses will be complete and sufficient.
  2. In your last post (#4), you indicated that ComboFix, upon discovering that the infected computer (IC) did not have MS Windows Recovery Console installed, would download it and install it.
    Add/Remove Programs, on the infected computer (IC), did not list the recovery console as having been installed. I was prevented from accessing the internet on the IC (infected computer) every time I tried, which makes me wonder how ComboFix is going to do it.
    However, if the install file for the recovery console is on the IC's (infected computer's) desktop (or some other known folder), will ComboFix be able to access it?
  3. The only way (that I know of) the install file can be placed on the IC's desktop, is to download it using a separate computer, to a Flash Drive (FD), move the Flash Drive (FD) to the IC, and copy the recovery console's installation file to the IC's desktop. Am I incorrect?
  4. The above brings up some other questions:
    1. About my use of FDs (flash drives) ..., are they in danger of being infected? Can they carry the infection to another computer?
    2. Which begs the question, how is this trojan spread?
    3. Which also makes me wonder if other computers on our network are infected, even though they are not exhibiting any symptoms?

In your last post (#4), you wanted to know if we use a router. Yes, we do. Our cable modem is connected to it, a Netgear Wireless Router, model WPN824. The IC is connected to the LAN wirelessly, and this computer, through which I can connect to the internet (and communicate with you, and download, etc) is connected to the same router via Cat 5 Ethernet cable.

In spite of the above questions, I still don't understand how ComboFix is going to install the recovery console.

Thanks for putting up with my ignorance,

Freddy02

Freddy02,

I'll do my best to address all of your questions/concerns. Understand though, that nothing is absolute - I had to inform you of the worst case scenario though.

When you say "All passwords", do you mean ANY & ALL.... - I'd change them all as there is no way to be sure which, if any have been compromised.

Re: ComboFix installing Recovery Console - If this machine isn't able to connect, ComboFix will not be able to install the RC. I would deal with that after the initial ComboFix run.

The only way (that I know of) the install file can be placed on the IC's desktop.... - You are correct. Until we get your internet access restored you will need to transfer the files via CD or USB drive. I assume you've done that already to run the diagnostic tools (DDS & GMER).

About my use of FDs (flash drives).... - If the clean machine you are using to download the files for transfer has Windows XP there is a tool you can run on it to prevent cross infection (instructions below). If the clean PC runs Vista or Windows 7, just don't allow anything to autorun when you insert the drive.

How is this trojan spread? - There are many possibilities here. You could have picked it up in an e-mail attachment, a website, a bad download, etc. etc. Several of the bad files came into your system on July 3, just after 7PM if that helps.

...if other computers on our network are infected... - If they are running fine and your security programs aren't finding anything it's not likely that they are infected.

Re: Router - I asked because your DNS traffic on the infected PC is being routed to rogue servers in the Ukraine. If you did not change the default login ID and password for your router when you set it up it's possible that its DNS settings may have been altered also. If you changed the login ID and password it's probably fine. We'll be able to see later.

If the clean computer you are using to download tools runs Windows XP, do this:

Download Flash_Disinfector.exe from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

If you have any other questions or concerns, fire away. Otherwise please continue on with the ComboFix run.


I wrote a posting to you previously today, but while I was trying to upload the log file (the upload failed twice), all of a sudden everything was gone. In the upload box was a message saying that the webpage had expired.

In addition, I couldn't find the posting I'd just typed, so now, I'm re-typing it in Notepad.

Previously, I had asked some questions (and you had answered them), but I forgot some - they are as follows:

  1. My wife has an account on Facebook. Does she need to notify her 'friends' of this infection and if so, what should she say?
  2. Similarly, what about my corporation's intranet? Any chance it has been compromised? Do I need to inform them?
  3. E-mail. We use Outlook. have we unwittingly compromised the computers of others? What is the possible extent? How do we notify them?
  4. Misc 'plain, ordinary' files. Has our sharing or using them on other computers compromised those computers - and have they, in turn, compromised still others, etc., etc.? How do we notify THEM?

Thanks, in advance...

OK, now to ComboFix

I downloaded ComboFix to the desktop of the IC (infected computer) from BleepingComputer on the CC (clean computer) via a FD (flash drive) and tried to execute it. It didn't seem to execute. MBAM exhibited the same behavior, so I changed the name of ComboFix and tried executing it again.

Two beeps, then a Disclaimer window, which also provided a path to a tutorial for ComboFix. "No" on the Disclaimer halted execution. I saved the tutorial on BleepingComputer to the FD on the CC. Then, with the FD connected to the IC, I double-clicked on the .mht tutorial file, the browser executed it, the tutorial came up and I printed it.

During the printing, I realized that in order to get the .mht file up, the browser had to be running. Up to now, every time I had tried running a .mht file or the browser, it refused to run, but now it was, now! That meant that ComboFix would probably have success when it tried to download the recovery console - which I had thought would be impossible.

I re-executed the renamed ComboFix and clicked YES at the Disclaimer. Right away, an ERROR dialogue came up, saying "Some files could not be created. Close all applications, reboot & restart".

While I was writing down the details of the ERROR message thinking execution would wait until I clicked OK, a DOS window came up: "Please Wait. ComboFix preparing to run". Now, I thought I should halt execution, but, then I remembered something about "if any errors received, let the program run...". While I was trying to decide whether to interrupt ComboFix's execution (and if so, just exactly, how?), the DOS window added "Attempting to create a new system restore ...". I decided to let the program run.

A colored "System files copied ..." window came up ... and went away again.

The DOS window added, "...no recovery console ... YES to download it ..."

A 'Windows XP Home Edition SP2 CD ...' window came up. Clicked "Yes"

Extracting.

"Console Install Successful."

DOS: "Scanning for infected files..."

Stages completing, 1-50.

DOS: "... deleting files" (whole bunch of .dll files - and others?).

DOS: "Preparing Log Report"

Now, in Notepad. Saved the report and exited. Back on the desktop. Program ended? I guess.

When I tried to upload the log file to this post on the CC via the FD from the IC (twice), it wouldn't.

Now, I'm trying again.

Looks like it worked.

Thanks again.

Freddy02

ComboFix.txt


Freddy02,

The ComboFix run worked fine.

Re: Questions 1 & 2 - There are many Facebook exploits out there. I would think that she would have heard from one of her friends if she had spread something. I suppose she could make a general status post stating that you've had an infection and to be cautious with any previous correspondence. It's not likely that you caused an issue with your intranet, but it's not impossible either.

Re: Question 3 - It's hard to say. If you picked up the infection through an e-mail attachment (say a video) that you then forwarded to others it's entirely possible (if they opened the attachment) that the malware was spread. Again, it's likely someone would have mentioned it to you if that had happened, but you could always send a message out to your contacts advising them that you had a problem and they need to beware of any e-mail attachments received from you.

Question 4 is a little vague (I'm not sure what you consider to be a plain, ordinary file). Regardless, the answer is essentially the same as above.

Are you able to access the internet on the infected PC now? ComboFix successfully installed the Recovery Console which requires internet access.

Open Notepad. Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\Bgyqoa.exe
Folder::
c:\documents and settings\Harry Potter\Local Settings\Application Data\kruwewbwb
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log
  • Can you connect to the internet with the infected PC now?

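The CFScript above removes two Internet Settings values that the infection left behind: a ProxyServer pointing at the machine's own loopback address (127.0.0.1:5577), which lets a local process sit between the browser and the network, and a ProxyOverride of <local>. The earlier reply also noted DNS traffic being redirected to rogue servers. The script below is an added example for this thread, not code from the posts or from DDS/ComboFix. It scans DDS-style settings lines and reports a loopback proxy, any other proxy, a ProxyOverride, and any resolver outside an expected set. The two 'uInternet Settings' lines are copied from the CFScript; the start-page line, the 'TCP: NameServer' line format, the EXPECTED_DNS set and the 203.0.113.53 resolver are constructed for the demo.

```python
"""Flag browser-proxy and DNS hijack indicators in DDS-style settings lines.

Added example for the thread above; not part of the original posts or of
DDS/ComboFix. The two 'uInternet Settings' lines copy the CFScript quoted
in the thread; every other line and value is constructed for the demo.
"""
import ipaddress
import re

# Assumption: the resolvers the operator expects to see on this LAN
# (here the router's address). Anything else is reported for review.
EXPECTED_DNS = {"192.168.1.1"}

# Constructed sample input. The proxy lines match the CFScript in the
# thread; the NameServer line format is an assumption for this demo.
SAMPLE_DDS = """\
uStart Page = hxxp://www.example.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
TCP: NameServer = 192.168.1.1 203.0.113.53
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S.*)$")
OVERRIDE_RE = re.compile(r"ProxyOverride\s*=\s*(?P<value>\S.*)$")
DNS_RE = re.compile(r"NameServer\s*=\s*(?P<value>\S.*)$")


def parse_proxy_value(value):
    """Split a ProxyServer value into (protocol, host, port) tuples.

    The value is either 'host:port' (applies to all protocols, reported
    as '*') or a ';'-separated list of 'protocol=host:port' entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no explicit port given
            host, port = hostport, ""
        entries.append((proto or "*", host.strip("[]"), port))
    return entries


def is_loopback(host):
    """True when the proxy host is the machine itself (127/8, ::1, localhost)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def analyse_dds(text, expected_dns=EXPECTED_DNS):
    """Return (kind, detail) findings for the proxy and DNS lines in text.

    A proxy on the loopback address means a process on the same machine
    intercepts browsing, which fits the 'possibly dangerous site' blocks
    described in the thread. Any other proxy, any ProxyOverride and any
    resolver outside expected_dns are reported for review.
    """
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            for proto, host, port in parse_proxy_value(m.group("value")):
                kind = "local-proxy" if is_loopback(host) else "proxy"
                findings.append((kind, f"{proto} {host}:{port}"))
            continue
        m = OVERRIDE_RE.search(line)
        if m:
            findings.append(("proxy-override", m.group("value").strip()))
            continue
        m = DNS_RE.search(line)
        if m:
            for server in re.split(r"[,\s]+", m.group("value").strip()):
                if server and server not in expected_dns:
                    findings.append(("unexpected-dns", server))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse_dds(SAMPLE_DDS):
        print(f"{kind:15s} {detail}")
```

On Windows XP the two proxy values live under the current user's Internet Settings registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), so the same check can be run against an exported copy of that key rather than a DDS log. A home machine with no corporate proxy should normally produce no 'proxy' findings at all.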

Thanks for the answers. I had anticipated them, but I wanted to be sure. :)

OK, now to ComboFix.

I thought that there was internet access, too. Just to facilitate things a bit, I had made a link to this page and placed it on my FD (flash drive), so I copied it onto the IC's (infected computer's) desktop and double-clicked. It took an interminable time to access your site/page, but finally did.

I copied the script into Notepad as directed, saving it on the desktop as CFScript.txt.

11:06 As directed, I dropped the script, CFScript.txt, onto the ComboFix.exe's (cat) icon. Briefly, an hourglass appeared and went away. Then, nothing - no apparent activity. I waited.

11:14 Still no (apparent) activity.

11:15 Dropped the script, CFScript.txt, onto the (renamed) ComboFix.exe's (cat) icon.

An hourglass briefly appeared, then a notice of the date executed,

A green progress bar, then ... nothing.

An empty blue DOS window came up, then ... nothing.

A dialogue saying there was a newer version available, did I want it? I clicked 'YES'.

The dialogue is gone and "Connecting to ... servers" appeared in the DOS window.

A dialogue saying 'ComboFix restarting' and was gone.

Another green progress bar showed up briefly.

11:19 Nothing - no apparent activity. I waited.

The entire screen 'blinked'

11:21 2 beeps, then the Disclaimer window.

I clicked YES.

11:23 DOS: "Please Wait. ComboFix preparing to run"

11:24 DOS added: "Attempting to create a new system restore ..."

11:25 A colored "Backing up Registry ..." window came up ...

11:26 and went away again.

11:27 DOS 'Auto Scan': "Scanning ... 10 minutes ... double."

11:28 DOS: Stages completing, 1-2, 3 working ...

11:34 DOS: Stages 3-50 completed.

Waiting.

11:40 DOS: "Deleting Files:" (1)

"Deleting Folders:" (1)

Waiting.

11:42 DOS, Title='ComboFix-Find 3M': "Preparing Report. Do not run ..."

11:47 Now, in Notepad. Saved the report and exited.

Back on the desktop. Program ended?

I guess.

Ha! Guess what? This latest experience generated some more questions ...:

  1. During this last execution, my display kept going into 'screen saver' mode. How can I prevent this?
  2. That ComboFix would update itself was not mentioned by you, so when it asked if I wanted the update, I almost clicked "NO", but trusting you'all, I didn't. My question is: Is there any possibility that the update was a deviation to the 'rogue' site(s) from which the rest of the execution was controlled, producing a 'doctored' output?
  3. When I double-clicked on "My Computer", a window came up with a 'flashlight' waving around, 'looking for files'. It took a while - over a minute. Usually, the contents of that window come up right away - no delays. Also, when I double-clicked on the icon to your website, there was a very long delay - over a minute, before the window filled up with your site's contents. This amount of delay is also unusual. Why the delays?

Because of the above delays, and because dropping the script onto the ComboFix icon didn't run and dropping it on the renamed icon DID run, I suspect that 'all is not well in Smallville', and decided to keep track of the times that the various events took place.

Uploading the C:\ComboFix.txt file...

... Even choosing a folder from which the attachment file was chosen took a 'really long' time to display...

Ta ta,

Freddy02

ComboFix.txt


Freddy02,

This forum can run very slowly at times, so don't use it as a gauge of how your connection is. Are you able to browse to other sites?

ComboFix updates frequently. That message was normal and you chose correctly.

Check your screensaver settings and extend the time if you wish.

There are a number of reasons your computer may be slower than normal at the moment. For now, let's continue cleaning and see how it's running when we get done.

Please run these next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

(screenshot: KasReport.png)

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • MBAM log
  • Kaspersky log


RPMcMurphy -

Well, at long last, the light at the end of the tunnel doesn't look like the headlight of the train!

After the run of Mbam (which I had to rename in order to get it to run), two things were true:

  1. The computer wasn't so sluggish as before
  2. I could run Mbam using its own name.

The Kaspersky run was interesting .... :angry:

Here are their respective reports and ... thanks again.

Freddy02

mbam_log_2010_07_16__16_20_36_.txt

KasReport.txt


Freddy02,

Most of those Kaspersky detections are already in quarantine, or in your System Restore points. We will clean those up shortly.

Two of the infections identified by Kaspersky are in your Outlook email. Unfortunately Kaspersky is unable to identify which particular email is infected, so delete any emails from anyone you don't know or any that have attachments, such as jokes, videos etc. (don't open them to check).

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Files
    C:\Documents and Settings\Harry Potter\Desktop\Bill\Software Possibilities\installer_00510.exe
    C:\Documents and Settings\Harry Potter\My Documents\Pay Pal Problem.htm
    :Commands
    [EmptyFlash]
    [EmptyTemp]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please include the following in your next post:

  • OTM log
  • How is the computer running now?


RPMcMurphy -

Happy to find out that most Detections were 'under control'. Not happy to find out that the emails must be deleted. Many are there for 'historical' documentation purposes, including some with attachments.

Would it be 'safe' to copy them to a CD and open them only if necessary and then only in a 'safe' environment (what is that - really) - such as a newly installed Windows 98se, then when finished, reformatting the HD (or some other, more simple solution)?

I ran OTM without working on the e-mail. Enclosed is the log file.

Freddy02


Freddy02,

The OTM log wasn't attached; please post it again.

As far as your e-mails go I would be very leery hanging on to them, especially those with attachments. I suppose you could scan each individual mail/attachment, but not knowing how many you have that may or may not be feasible. Scanning brings me to my next point:

Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one, (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, AVG, Avira and Microsoft all offer free AV products.

Please include the following in your next post:

  • OTM log
  • How is the computer running now?


RPMcMurphy -

Ha! Yes, I knew about the file as soon as I posted my response (I attempted to attach it, but something went wrong), but I remembered reading not to post twice in a row because that makes it look like you are waiting on a response from me (or something like that), so I waited.

The computer (really a laptop) is much more snappy, now.

Here is the OTM log ...

Freddy02

OK, I know what happened. Your attachments uploader will not accept a *.log file.

F.

07172010_104742.txt


Freddy02,

Your logs look good! All that we have left to do are some important updating and cleanup, (these steps will take care of those infected restore points and empty the quarantine):

Your Java is out of date.

Java 6 Update 15 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

JavaRa ...by: Paul McLain and Fred de Vries

Please download JavaRa (Copyright


RPMcMurphy -

Well, I got partway through the instructions, anyway.

I did the Java 6 Update 15 install.

Called up the Java Control Panel

On the General tab [Temporary Internet Files]. Settings

{Check} Keep temporary files on my computer

[Location] (not changed)

[Disk Space]

... compression level ... NONE

... amount of disk space ... 1000 Mb

<Delete Files> {Click}

{Check} Apps...Applets

{Check} Trac...Files

<OK> {Click} (deletes temp files)

<OK> {Click} (exit Temp Files Settings)

<OK> {Click} (exit Java Control Panel)

Downloaded JavaRa.zip to desktop.

Unzipped JavaRa.zip to desktop

Closed all browsers (& all other apps)

Executed desktop/JavaRa.exe

Chose English, clicked Select

JavaRa up; clicked on Remove Older Versions

Clicked YES

While executing, a Microsoft Execution Error Window came up, wanted to know if I wanted to report it to Microsoft.

Before deciding, displayed all available info, took a pic (attaching)

Finally decided not to report the error, clicked 'NO'.

The JavaRa window went away.

I decided to report this state of affairs to you (also attaching the gpl-2.0 txt file in case it might be helpful). There was no other log file.

Freddy02

post-21885-1279430144_thumb.jpg

gpl_2.0.txt


Freddy02,

If you successfully updated your Java application you should have JRE 6 update 20 or 21 showing in Add/Remove programs. Finish the rest of the cleanup steps, then download a fresh copy of JavaRa and try again. If JavaRa still crashes, manually uninstall any older Java applications via Add/Remove programs.


RPMcMurphy -

OK, thanks for the green light.

I would like to understand why the crash. Whenever a program crashes, I get nervous when I can't discern a reason why .... I can always guess, but knowing is comforting.

OK, continuing with the Adobe update....

Adobe completed, continuing.

Secunia Online Software Inspector found 4 INSECURE installations:

Apple iTunes 7.x (have) 7.6.2.9

Apple QuickTime 7.x (have) 7.4.5.67 Update to 7.66.71.0

(Upgrading required installing the latest iTunes. We don't use iTunes, so we'll remove both of them instead.)

Adobe Flash Player 10.x (have) 10.0.45.2 (ActiveX) Update to 10.1.53.64 (ActiveX)

Adobe Flash Player 10.x (have) 10.0.42.34 (NPAPI) Update to 10.1.53.64 (NPAPI)

Ran Secunia Online Software Inspector again - found 0 INSECURE installations:

ComboFix un-installed

Executing OTM: In addition to whatever else, it cleaned up itself. Manually deleting other tools, logs, etc.

. DDS.com

. ark.txt & zip

. GMER (random).exe

. Flash_disinfector.exe

. attach.txt & zip

. Defogger.exe

. JavaRa.exe & def & zip + gpl-2.0.txt (uploading JavaRa.log.txt, then deleting it)

. Kaspersky (on-line)

. mbam (1.46).exe

. OTM.exe

. RootRepeal.exe & rar

What about the recovery console? Save it or get rid of it? If get rid of it - how?

C:\i386\DDS_100x100 (<--- What do I do with this? Is it connected with DDS.com?

gpl-2.0.txt & JavaRa.def created 11:01:43

Running JavaRa ....

. Running JavaRa 1.15

. Old versions removed.

. I'll be posting the log file

. Searching for updates using Sun Java's Website

. Scroll down to 'JRE' next to latest V# [DONE]

. Download [CLICKED]

. Entire JRE [CLICKED]

. JDK 6 Update 21 (JDK or JRE)

. Wanted me to log in or register (Skipped)

. Available files .... jre-6u21-windows-i586.exe

<< NOTE: So far, no mention of an option to use Sun's Download Manager or Sun's website >>

. "Welcome to Java"

. "downloading from cds-esd.sun.com"

. "... installed successfully"

. "Updates will automatically ... to change this, see http://java.com/autoupdate"

The installation went well, but there was no cleanup afterwards, so I did it. I am attaching the log file, JavaRa.log.txt.

Some questions:

In post #1, I followed some directions to "Disable the CD Emulation Software" using Defogger. Do I need to re-enable the CD Emulation Software? How?

(This is a long one, please bear with me) When I leave the computer (laptop) alone for a great while, it puts itself to sleep in such a way (there are NO activity LEDs) that I must push the On/Off button to get its attention. Then, it presents a dialogue requiring me to type my password before I can gain access to the computer. As soon as I press [ENTER], after typing the password, my desktop is presented on the screen and I can hear whirring and buzzing indicating the hard drive is very busy for a short while. Sometimes, there is an application sitting there requiring my attention before it will go away (this also often happens at boot time). Usually, it is some sort of notice from some software that I have installed, asking me if I want to buy an upgrade. Other times, it is the result of some program installing "bloatware" (such as a Google toolbar, or a program that is always indexing my files in the background, or some such thing) and now it starts up every time I use the computer, stealing CPU time and slowing the computer (needlessly) all the time.

I have tried to determine which process it is, so I can do something about it, but the Task Manager will only tell me the Application name or the Process Image Name, but it doesn't link them together. How can I figure out which process(es) are connected to which application and how they get started?

Similarly, whenever I plug a flash drive in, a program called "Musicmatch Jukebox" pops up trying to update itself. Shortly afterwards, a little error dialogue pops up titled "Musicmatch Update", telling me "Error: Could not install for UPSELL channel" and presents an [OK] button. Pressing OK does nothing; the program's window is still there. I have to kill (X) the window to get rid of it. Why does the flash drive insertion cause the program to run? How can I get rid of it (it seems to be the result of some sort of automatic update situation)?

Windows Internet Explorer keeps popping a dialogue up asking me if I want to upgrade to version 8. The version I have is 8.0.6001.18702. How can I get the popup to go away?

In addition to MS Internet Explorer, we have Mozilla Firefox installed. In the months before this problem showed up, most of the shortcuts to the internet

. a) had the Mozilla icon (not the MS IE 'e') and ....

. b) Firefox would execute whenever one of the shortcuts was double-clicked.

Now, double-clicking on a shortcut causes MS IE to run, although the icon of the shortcuts is still that of Firefox. I suspect the behavior is due to Firefox being in 'safe mode'. How do I get it back to 'normal'?

Also, are there any other programs that have been disabled, either partially or completely, that I have no knowledge of? One program I am wondering about is DeFogger. On the following page:

'http://forums.malwarebytes.org/index.php?showtopic=9573'

are these instructions:

---------------------------------------------------------------------------------------------------------------------

JavaRa.log.txt


Freddy02,

I would like to understand why the crash. - I understand, but I don't have an answer for you. There are too many possibilities. The fact that it ran successfully the second time tells me it's nothing serious.

What about the recovery console? Save it or get rid of it? If get rid of it - how? - I'd leave it (it won't use any resources). That way it's there if you ever need it again

C:\i386\DDS_100x100 (<--- What do I do with this? Is it connected with DDS.com? - That appears to be part of your Dell software - it's not from the DDS tool I had you run. I'd leave it alone.

Do I need to re-enable the CD Emulation Software? - I forgot you ran DeFogger, sorry. If you have emulation software (ie: Daemon Tools and Daemon Tools Lite, Alcohol 120% and 52%, AstroBurn, StarBurn) you will need to do this:

Please download DeFogger to your desktop. To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled. You can then delete the tool.

When I leave the computer (laptop) alone for a great while...... It sounds like the computer is set to hibernate after a certain time of inactivity. You can change that if you wish in the Power Settings. This link may have some useful information for you. Your logs do show quite a few startups. Try running StartUpLight. The program allows you to disable or remove unnecessary startup entries from your computer. The MusicMatch problem sounds like a file on your USB drive trying to autostart MusicMatch, which then wants to update. I have no experience with that program though, you may want to check their support page.

In addition to MS Internet Explorer, we have Mozilla Firefox installed...... - Make sure Firefox is set as your default browser. Instructions are HERE. Simply exiting Firefox and rebooting should take it out of SafeMode.

Also, are there any other programs that have been disabled, either partially or completely...... - Not that I am aware of (assuming you re-enabled your security software as instructed).

You mentioned once, that there was a possibility that the trojan had taken over the DNS assignments of my router. - Your initial logs showed your DNS traffic being routed to rogue servers. That can be done both through the PC or the router (or both). If your router had been affected the rogue servers would still be showing up in your logs (they are not), and you'd be having symptoms (web redirects, unable to update, etc.). Resetting your router isn't a bad idea. I would recommend that you change your wireless security from WEP to WPA. WEP is quite old and as I understand it can be cracked fairly easily. You will have to make sure that your individual devices all support WPA, but unless they are very old they should. The presence of the switch shouldn't change anything.

WOULD I BE ABLE TO USE THIS COMPUTER (LAPTOP) AS A 'CLEAN' COMPUTER IN THE CLEANUP OF THE INFECTED COMPUTER - Yes

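The question of which startup entry belongs to which running program, and the helper's remark that the logs show quite a few startups, can be checked directly. This is an added example written for this page, not a tool from the thread or from Malwarebytes; it assumes Windows PowerShell 3.0 or later and only looks at the standard Run/RunOnce keys and Startup folders.

```powershell
# Added example (not from the thread): list the common autorun locations
# (Run/RunOnce keys and the Startup folders) and match each entry to a running
# process, so an entry can be tied to the program that launched it.
# Assumes Windows PowerShell 3.0 or later; run it from an elevated prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Pull the executable path out of a command line, quoted or unquoted.
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

# Index running processes by lower-cased image path.
$running = @{}
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    $running[$_.ExecutablePath.ToLower()] = $_.ProcessId
}

Get-AutorunEntries | ForEach-Object {
    $exe = (Get-ExePath $_.Command).ToLower()
    $procId = if ($running.ContainsKey($exe)) { $running[$exe] } else { '-' }
    [pscustomobject]@{ Name = $_.Name; Exe = $exe; RunningPID = $procId; Source = $_.Source }
} | Sort-Object Source, Name | Format-Table -AutoSize
```

Entries whose executable no longer exists, or that point into a temp folder, are the ones worth a second look; services and scheduled tasks are other startup paths this listing does not cover.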
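The helper's point that DNS can be redirected on the PC, on the router, or both can be checked on the PC side with a short script. This is an added example, not part of the thread; the expected-server list is a constructed placeholder and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): show the DNS servers each IP-enabled adapter
# is actually using and flag any that are not in the expected set. The expected
# list is a constructed placeholder; put your router's LAN address or your ISP's
# resolvers there. Assumes Windows PowerShell 3.0 or later.
$expectedDns = @('192.168.1.1')   # placeholder, not a value from the thread

$findings = Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    ForEach-Object {
        $adapter = $_
        $servers = @($adapter.DNSServerSearchOrder)
        if ($servers.Count -eq 0) { $servers = @('(none configured)') }
        foreach ($s in $servers) {
            [pscustomobject]@{
                Adapter   = $adapter.Description
                DhcpIp    = $adapter.DHCPEnabled   # IP config came from DHCP (usually the router)
                DnsServer = $s
                Expected  = ($expectedDns -contains $s) -or ($s -eq '(none configured)')
            }
        }
    }

$findings | Format-Table -AutoSize

$unexpected = @($findings | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Found DNS servers outside the expected set; check the adapter's TCP/IP settings."
} else {
    Write-Host 'All adapter DNS servers are in the expected set.'
}
# A clean result with DhcpIp = True and the router as the server only proves the PC
# side: the router's own upstream DNS setting still has to be checked in its admin page.
```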
