Security Tool /Spyware/Trojan/Rootkit


Everything seems to be working fine (knock on wood, cross fingers, etc.)

1.) ComboFix and Security Check uninstalled per instructions.

2.) Existing Java products removed and replaced with newest version of Java per instructions.

3.) Also updated Adobe Reader, Flash and Shockwave programs with security patches that have come out over the last several days.

4.) Do I still need to run the Defogger to un-defog, re-fog (or whatever the correct verbiage is) to undo the Defogger I ran at the very beginning of cleanup process?

5.) Is it OK to delete remaining programs and logs we ran throughout this cleanup process?

Thanks.


  • Staff
4.) Do I still need to run the Defogger to un-defog, re-fog (or whatever the correct verbiage is) to undo the Defogger I ran at the very beginning of cleanup process?
Yes, have Defogger re-enable your drive emulation software.
5.) Is it OK to delete remaining programs and logs we ran throughout this cleanup process?
Yes please do.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Possible problem came up after I posted the above. I hope it is nothing, but don't know for sure:

There are two user accounts on this PC. I am the main user (probably 90%) and have done all of the cleanup on my user "side" of the computer. The other person has not used this computer under the other user account since before this whole infection started. In fact, I have been the only one on this computer for two weeks plus. As part of the new security protocol, I logged on to the other user account for the first time today and was showing her how to use MBAM to do a quick scan after internet use. I let MBAM run so I could show her what the logs would look like, etc. Unfortunately, after running a quick scan it detected Trojan.Ertfor in the log below. I am not experiencing any problems under this user account, so far.

Questions:

1.) The machine was clean as you saw from the logs during the cleanup process. I have not done anything even remotely questionable on the internet or download files during or since the cleanup process. Why would MBAM find this trojan when running under this other user name? I ran MBAM shortly before logging on to the other user account and nothing came up. I'm confused as to why everything was clean under my user account and then this trojan shows up under the other user account because I thought the cleanup would have handled the entire system regardless of other user accounts.

2.) Is this some kind of remnant from a previous infection? This was the first time today that MBAM has ever been run under the other user account, so maybe it was picking up something leftover from a long time ago? It seems like I have seen this trojan before (long time ago), but I think it was located in a "....\Run" directory, not a "....\ext\stats" directory. We obviously did not run across this in our cleanup, so I don't know what it is, how it got there, or what it means.

3.) My user account has been running problem free. Scans showed nothing before or after the other user account MBAM scan. Is it still safe?

4.) If this is a problem, then how do I address it from one user account to the other? Why is the entire machine not clean?

Please let me know what steps I should take now after it looked like everything was fixed. The fact that something came up under the other user account has me concerned. If it is just some sort of left over from some previous infection that was never detected before, I still don't understand why our cleanup would not have shown something.

Like I said above, I'm concerned that something is screwed up after we went through all of this effort.

Help!!

Thanks for taking a look into this.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4503

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/29/2010 4:06:08 PM

mbam-log-2010-08-29 (16-06-08).txt

Scan type: Quick scan

Objects scanned: 165771

Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a9ba40a1-74f1-52bd-f431-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

That is definitely a remnant, and definitely not part of an active infection. It is only an orphaned Registry Key, and does not even have a file associated with it.

The user account appears safe from my end; most malware infections are global and are not profile-specific, so our removal tools are effective across all profiles the vast majority of the time.

I do not believe it is cause for concern.

Let me know if that answered your question, and if there is anything else I can do for you.

-screen317

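The staff reply above rests on one check a defender can repeat: a key under Ext\Stats only records add-on usage statistics, while the add-on's code is registered separately under its CLSID, so an Ext\Stats entry whose CLSID has no InprocServer32 registration (or whose registered file is gone) is an orphaned remnant rather than running code. The following PowerShell script is an added example, not code from the thread or from Malwarebytes; it assumes a Windows host with Internet Explorer's registry layout, walks the same HKCU Ext\Stats path that appears in the MBAM log, and reports for each CLSID whether a server file still exists.

```powershell
# Added example (not from the thread): list the IE add-on CLSIDs recorded under
# the current user's Ext\Stats key and report whether each one still resolves
# to a registered, present COM server file. An entry with no CLSID
# registration or a missing file is an orphaned remnant like the one in the
# log above; an entry that resolves to a real file deserves a closer look.

$statsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'

function Get-ExtStatsStatus {
    if (-not (Test-Path -Path $statsPath)) {
        Write-Verbose "No Ext\Stats key present for this user."
        return @()
    }

    Get-ChildItem -Path $statsPath | ForEach-Object {
        $clsid = $_.PSChildName      # subkey name is the add-on's CLSID, e.g. {a9ba40a1-...}
        $file  = $null

        # HKCR merges HKLM and HKCU classes; check the 32-bit view as well.
        $serverKeys = @(
            "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
            "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32"
        )
        foreach ($key in $serverKeys) {
            if (Test-Path -Path $key) {
                $raw = (Get-ItemProperty -Path $key).'(default)'
                if ($raw) {
                    # Strip surrounding quotes and expand %SystemRoot%-style variables.
                    $file = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                    break
                }
            }
        }

        if (-not $file) {
            $status = 'orphaned (no COM registration)'
        } elseif (Test-Path -LiteralPath $file) {
            $status = 'registered, file present'
        } else {
            $status = 'orphaned (registered file missing)'
        }

        [pscustomobject]@{
            Clsid      = $clsid
            ServerFile = $file
            Status     = $status
        }
    }
}

Get-ExtStatsStatus | Format-Table -AutoSize
```

Run it in the profile that produced the detection (the key is per-user, which is why it only surfaced under the second account). A row marked "registered, file present" is the case where an Ext\Stats entry still points at live code; that file, not the stats key, is what a scanner would need to examine.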

Good!!! I was hoping it was a remnant, but I kind of freaked out when I ran that MBAM scan from the other user account and found that. Sorry for the false alarm.

Thanks again for everything.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
