Jump to content

Malware Still Returns


Recommended Posts

Hola,

I've been trying to get rid of the malware for almost a year! It goes away & then comes back a few months later everytime. I ran the scans & I give up! Please help. The logs are below as needed:

======================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4386

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18928

8/3/2010 8:18:36 PM

mbam-log-2010-08-03 (20-18-36).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 261261

Time elapsed: 47 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suuwbjub (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Carlos\AppData\Local\hcnhslqsg\ikhhixntssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Carlos\AppData\Local\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

==========================================

DDS (Ver_10-03-17.01) - NTFSx86

Run by Carlos at 22:21:49.92 on Tue 08/03/2010

Internet Explorer: 8.0.6001.18928

Microsoft

Attach.zip

ark.txt

Link to post
Share on other sites

  • Staff

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

I ran ComboFix & DDS again. Here are the logs:

ComboFix -

ComboFix 10-08-03.04 - Carlos 08/04/2010 8:33.1.2 - x86

Microsoft

Attach2.zip

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Folder::

c:\users\Carlos\AppData\Local\hcnhslqsg

c:\users\Carlos\AppData\Local\ckvarufpe

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

OK, I d/l the new version of ComboFix & ran it again w/ the CFScript, but didn't ask me to reboot. Please see the ComboFix & DDS logs below:

ComboFix 10-08-04.05 - Carlos 08/05/2010 2:24.2.2 - x86

Microsoft

Attach.zip

Link to post
Share on other sites

  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Are you using an Administrator account??

Try this online scanner instead:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Yes, I ran F-Scan as an admin. But ESET worked fine. Found no errors.

Here's the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

Here's the log for Security Check:

Results of screen317's Security Check version 0.99.5

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 9.0

ESET Online Scanner v3

Norton Internet Security

McAfee Security Scan Plus

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 11

Out of date Java installed!

Adobe Flash Player 10.1.53.64

Adobe Reader 9.3.3

Mozilla Firefox (3.6.6) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java

Link to post
Share on other sites

  • Staff

Hi,

Your ethernet controller is a part of your motherboard and isn't something you install. It is likely that you installed a driver for it, but I don't see any issue with that.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

Coolness! Thank you for all your time & help. I've d/l the programs you recommened & all is good to go!

I only have one final question. Why am I getting Data Execution Prevention errors so much? It's only when I am working on IE. And it is telling me IE had to be shut down.

Just wondering if I should turn off the feature or leave it on.

Muchas Gracias amigo!!! :)

Link to post
Share on other sites

  • Staff

Hi,

Yes leave it on. You can make it so it doesn't pop up for Internet Explorer though:

1. Click Start, click Run, type sysdm.cpl, and then click OK.

2. Click the Advanced tab, click Performance, and then click Settings.

3. In Performance Options, click the Data Execution Prevention tab, and then click Add.

4. In the Open dialog box, locate and then click the program. ( C:\program files\Internet Explorer\iexplore.exe )

5. Click Open, click Apply, and then click OK. When you are prompted to restart your computer, click OK.

Let me know if that fixes it. :)

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.