
Fake Java update followed by Antivirus Software Alert



Hi, so I recently got this malware that's called Antivirus Software Alert, and I remove the stuff it creates with Malwarebytes; however, it keeps coming back. I'm guessing I haven't deleted the source of the problem, not sure how. Usually after several hours of computer usage this Java program called Java 6 Update 11 appears in the bottom right corner of my screen next to the time display. I can't exit the Java; it only allows me to hide it. A few minutes later the Antivirus Software Alert icon appears in the bottom right corner of my screen as well. I run Rkiller to terminate the malware (it only temporarily stops it though) and run a Malwarebytes scan to get rid of the malware. Malwarebytes picks up trojan droppers, trojan fake alerts and rogue malware or something.

Also when I go to Control Panel to delete this Java 6 Update 11 there's a pop-up message saying an unidentified publisher wants to access your computer. It seemed very suss so I cancelled it, afraid that if I allow it, it might screw my comp up.

I use Windows Vista btw. After I temporarily terminate the malware I have to reset my Internet Explorer to default to access the browser.

Help on how to get rid of this, thanks :)


Well, my computer is running fine, none of that malware as I am typing this post, but I'm sure that it'll pop up later on.

This is my most recent log. I have several others, not sure if I need to post them up.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18928

12/07/2010 9:14:55 AM

mbam-log-2010-07-12 (09-14-55).txt

Scan type: Quick scan

Objects scanned: 118096

Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 20

Memory Processes Infected:

C:\Users\Ming\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmakjpoviwoqh (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgobevusu (Trojan.Agent.U) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bvihovaruyu (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:

C:\Recycle\P-1-3-64-8794238531-8742492-9897532 (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Recycle\P-1-3-64-8794238531-8742492-9897532\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Recycle\P-1-3-64-8794238531-8742492-9897532\Furio.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAkjpoviwoqh\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\ProgramData\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\Temp\PRAGMA3091.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Users\Ming\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\Temp\dhdhtrdhdrtr5y (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Ming\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Users\Ming\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Users\Ming\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\bmbner.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\iwuzikequw.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.

C:\Users\Ming\AppData\Local\Temp\0.4392339897401414.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

This is my exehelper log

exeHelper by Raktor

Build 20100414

Run at 11:48:58 on 01/06/11

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

ComboFix.txt

ARKQ.txt

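As an added illustration (not the poster's or Malwarebytes' own tooling), a small Python triage script that parses lines in the format of the MBAM log above and flags which detections are persistence mechanisms: Run-key autostarts, service/driver registrations, the hijacked .exe file handler, and processes that were live at scan time. These are the entries that explain why the infection keeps coming back after a scan. The sample lines are constructed from the log above; the "<item> (<Classification>) -> <action>." line layout is an assumption about the format.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the Malwarebytes' Anti-Malware logs
# posted in this thread (assumption: every detection line reads
# "<item> (<Classification>) -> <action>." and section headers end with ":").
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\Users\\Ming\\AppData\\Local\\Temp\\wscsvc32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\pragmakjpoviwoqh (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\fgobevusu (Trojan.Agent.U) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\\.exe\\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
Files Infected:
C:\\Users\\Ming\\AppData\\Local\\Temp\\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line: the item, the classification in parentheses, then the action.
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (section, item, family, action) for every detection line in the log."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m:
            records.append((section, m["item"], m["family"], m["action"]))
    return records


def persistence_findings(records):
    """Flag entries that let the infection come back after a cleaning pass."""
    findings = []
    for section, item, family, _action in records:
        low = item.lower()
        if "\\currentversion\\run\\" in low:
            findings.append(("autostart Run value", item))
        elif "\\currentcontrolset\\services\\" in low:
            findings.append(("service or driver registration", item))
        elif family == "Hijacked.exeFile":
            findings.append(("'.exe' file-type handler hijack", item))
        elif section == "Memory Processes Infected":
            findings.append(("live process at scan time", item))
    return findings


def summarize(text):
    """Count detections per classification and list the persistence findings."""
    records = parse_mbam_log(text)
    return {"total": len(records),
            "by_family": Counter(r[2] for r in records),
            "persistence": persistence_findings(records)}
```

Running `summarize(SAMPLE_LOG)` on the full log posted above would list every Run value, service key and the secfile hijack in one place, which is what a helper checks first when a "cleaned" machine keeps reinfecting.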

Please copy/paste ALL logs into your topic - do NOT attach them!!

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double-click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

Run ExeHelper again before running the next run of Combofix!!!

Do NOT reboot!!

Now we have to run Combofix again to get rid of infection remnants:

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close all open windows and browsers.

KillAll::

Driver::
fmnrahrc
GarenaPEngine
GGSAFERDriver
XDva288
XDva349
XDva351
XDva370

Folder::
c:\programdata\iHjHi05200

File::
c:\windows\system32\tmp9040.tmp
c:\windows\system32\tmp1787.tmp

DirLook::
c:\users\Ming\AppData\Local\temp
c:\users\Default\AppData\Local\temp
C:\gamigo

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe (or renamed Combofix.exe)

This will cause ComboFix to run again.

If the run does not finish or you have problems, please launch Combofix in Safe Mode following the same directions as above.

If ComboFix prompts you to:

  • Update to a newer version, make sure you allow it to update.
  • Upload infected files for analysis, please allow it to do so.

Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
    [image: TDSSKillerMal-1.png]
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
    [image: TDSSKillerSuspicious-1.png]
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    [image: TDSSKillerCompleted.png]
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Run a fully updated MBAM Quick scan, remove all threats found and post the scan log. You are going to have to completely update MBAM to the new version 1.50.1 and a database version of at least 5466!!!

So I need to see in your next reply (copied and pasted):

1. The latest Combofix.txt

2. The TDSSKiller Scan Log

3. A New MBAM v. 1.50.1 log


By the way, after I did all the things you mentioned in your post the Java thing malware popped up, and I ran Rkiller to stop it and ran another MBAM scan. Here's the MBAM log after Rkiller terminated it. I'm definite the fake Java is part of the malware.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5468

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

6/01/2011 3:17:36 PM

mbam-log-2011-01-06 (15-17-36).txt

Scan type: Quick scan

Objects scanned: 143202

Time elapsed: 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwxvgywm (Trojan.FakeAlert) -> Value: dwxvgywm -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Ming\AppData\Local\temp\bqudptsep\miftfejlajb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Ming\AppData\Local\temp\00350890.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Ming\AppData\Local\temp\1.542290153888173e8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix log here:

ComboFix 11-01-05.01 - Ming 06/01/2011 14:34:43.2.2 - x86

Microsoft


That looks good.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs.
  • Use Internet Explorer to navigate to the scanner website because you must approve the install of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start".
  • Approve the installation of the ActiveX control that's required to enable scanning.
  • Make sure the "Remove found threats" box is CHECKED!!
  • Click "Start".
  • Allow the definition database to install.
  • Click "Scan".

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.


Let's try this:

Click Start (W7 Orb) -> type run into the "Start Search" box

Under Programs, select Run

When the run line opens:

Copy/Paste the following into the Open: Box:

C:\Program Files\EsetOnlineScanner\log.txt

Click OK

The log should open in Notepad or your default TXT file editor.


OK, we won't worry about it then, because a single detection, which was probably in the System Volume Information or quarantine store of another anti-malware program, is not much to worry about.

Excellent job!!! We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 23, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 23, then follow these steps:

1. Download the latest JRE version by clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Programs feature (as they may contain security vulnerabilities).

5. Reboot your system.

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform.

7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it if you do not care to have it or you already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly by visiting http://java.com/en/download/installed.jsp.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

As the Java cache can be an infection repository, you can quickly scan it periodically for infectious elements by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option.

The location of this folder usually is:

In XP:

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

In Vista and Windows 7:

C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

==

Let's remove the tools we used in your clean-up now:

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in).
  • Delete the C:\ARK folder (or whatever folder you chose to install the antirootkit in).

If I asked you to download OTL, TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

To remove Combofix and its quarantine folder:

Click Start -> type Run into the Start Search Box, Click "Run", and copy/paste the following bolded text (including the quotes) in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders.
  • Reset your system clock.

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, Flash Player and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, then select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Update is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing! :blink:
