
Hello there,

I have tried to follow the steps in the 'I'm infected' post above, but each time I run the GMER programme my computer shuts down before coming up with a log.

My latest Malwarebytes scan report is posted below. I have attached the DDS report in a .zip file.

What should I do next?

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6674

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19048

25/05/2011 21:39:45

mbam-log-2011-05-25 (21-39-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 329032

Time elapsed: 4 hour(s), 1 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\CL2GFOKBC9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\Users\James\AppData\Roaming\desktop security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Files Infected:

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\internet explorer\quick launch\desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Local\Temp\kilslmd.exex (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Local\Temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\desktop security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\desktop security 2010\MFC71ENU.DLL (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\desktop security 2010\msvcp71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\desktop security 2010\msvcr71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010\activate desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010\desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010\help desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

c:\Users\James\AppData\Roaming\microsoft\Windows\start menu\Programs\desktop security 2010\how to activate desktop security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

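The scan above flagged HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones as Hijack.Zones alongside the Desktop Security 2010 rogue. The script below is an added example, not code from this thread or from Malwarebytes: it walks that same per-user key, reports any subkey other than the five standard zones (0 to 4, which I assume are the only legitimate ones), and lists ActiveX and scripting actions that have been switched to "enable" in the Internet and Restricted sites zones. The action IDs and the 0/1/3 value meanings are the ones documented in Microsoft KB 182569; the choice of which IDs to watch is mine.

```powershell
# Added example: read-only audit of the current user's IE security zone keys.
# Run in the affected user's session; nothing is modified.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$expectedZones = '0', '1', '2', '3', '4'   # My Computer, Intranet, Trusted, Internet, Restricted

# Action IDs per KB 182569. Value 0 = enable, 1 = prompt, 3 = disable.
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
# Which actions are suspicious when enabled, per zone (assumption: based on the
# default Internet zone prompting/disabling 1001/1004/1201 and the Restricted
# zone disabling everything listed).
$risky = @{
    '3' = @('1001', '1004', '1201')
    '4' = @('1001', '1004', '1200', '1201', '1400')
}

function Get-ZoneFinding {
    $findings = @()
    if (-not (Test-Path $zonesKey)) { return , @('Zones key is missing') }
    foreach ($sub in Get-ChildItem $zonesKey) {
        $name = $sub.PSChildName
        if ($expectedZones -notcontains $name) {
            # Rogue installers have been known to add oddly named subkeys here;
            # print the name as hex code points so control characters are visible.
            $codes = ($name.ToCharArray() | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ' '
            $findings += "unexpected zone subkey (chars: $codes)"
            continue
        }
        if (-not $risky.ContainsKey($name)) { continue }
        $props = Get-ItemProperty $sub.PSPath
        foreach ($id in $risky[$name]) {
            $value = $props.$id
            # A missing value means the built-in default applies; only flag explicit 0.
            if ($value -ne $null -and [int]$value -eq 0) {
                $findings += "zone $name : '$($actions[$id])' ($id) is set to enable"
            }
        }
    }
    return $findings
}

$result = @(Get-ZoneFinding)
if ($result.Count -eq 0) { 'No zone anomalies found.' } else { $result }
```

Values that MBAM has already quarantined will not show up, so run this before cleaning, or on another account on the same machine, to see what the rogue changed.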

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Thank you for all of your help with this.

My MBAM scan log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6716

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19048

29/05/2011 18:46:37

mbam-log-2011-05-29 (18-46-37).txt

Scan type: Quick scan

Objects scanned: 178717

Time elapsed: 18 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_21

Run by JK at 18:21:33 on 2011-05-29

Microsoft


  • Staff

Hi,

I notice that you are using more than one antivirus program (AVG and McAfee). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

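The staff reply asks the poster to keep only one antivirus product. The script below is an added example, not part of the thread or of screen317's tools: it lists the antivirus products registered with Windows Security Center through the root\SecurityCenter2 WMI namespace (present on Vista and later, which is why Get-WmiObject rather than a newer cmdlet is used), and then searches the Add/Remove Programs registry entries for vendor names so that a half-removed product such as the McAfee install mentioned later in the thread still shows up. The productState decoding is the widely used community interpretation, which Microsoft does not document, and the vendor list is my own.

```powershell
# Added example: enumerate registered and leftover antivirus products.
function Get-RegisteredAV {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            # Assumption (undocumented, community decoding): in the 6-digit hex
            # form of productState, middle byte 0x10 = real-time protection on,
            # low byte 0x00 = signatures current, 0x10 = out of date.
            $hex = '{0:X6}' -f [int]$_.productState
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                State    = "0x$hex"
            }
        }
}

function Get-AVLeftover {
    # Vendor names to match against DisplayName (assumption: extend for your estate).
    $vendors = 'McAfee', 'AVG', 'ESET', 'F-Secure', 'Norton', 'Symantec', 'Kaspersky', 'Avast', 'Avira'
    $pattern = $vendors -join '|'
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.DisplayName -match $pattern) } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

$av = @(Get-RegisteredAV)
'Antivirus products registered with Security Center:'
$av | Format-Table Name, Enabled, UpToDate, State -AutoSize

if (@($av | Where-Object { $_.Enabled }).Count -gt 1) {
    Write-Warning 'More than one real-time antivirus is enabled; keep one and uninstall the rest.'
}

'Antivirus vendor entries in Add/Remove Programs:'
Get-AVLeftover | Format-Table -AutoSize
```

A product that appears in the second list but not the first is the usual sign of a broken uninstall; the vendor's dedicated removal tool (MCPR for McAfee, as suggested later in this thread) is the right fix rather than deleting files by hand.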

Hello,

I thought I had removed McAfee - is there anything I might be missing in trying to uninstall it?

I've posted the DDS report below but the ComboFix report made the post too large.

The problem does appear to have been fixed, so thanks. I'm extremely grateful!

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_21

Run by JK at 21:03:35 on 2011-06-01

Microsoft

log.txt


  • Staff

Hi,

Download the McAfee Removal Tool.

Double click on MCPR.exe to launch it, then Click Run. A window should appear and disappear, this is normal. A new window should popup and begin the uninstall. When prompted to reboot your computer type Y.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


The ESET scan won't complete. I tried to run it and it spent about 10 hours at 93%. It did say it had removed 9 threats.

The log file didn't contain anything in the end except what I've pasted below. Should I still run your scanner? There don't appear to be any problems with my browser at the moment.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK


  • Staff

Hi,

Run this scanner instead please:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I am. Sorry - I didn't have internet access for a short while.

I am running the scans now and will post updates later this evening.

Sorry,

The F-Secure Online Scanner won't work. It scanned, identified 12 things and then said it didn't have enough rights to clean the system. What do I need to do to get it to work?

Thanks,


It works now - thanks

Results from F-Scanner

Sunday, June 26, 2011 12:47:03 - 15:29:33

Computer name: JAMES-PC

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

13 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Adform (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.WebTrendsLive (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Trojan-Downloader:Java/OpenConnection.AW (virus)

C:\USERS\JK\APPDATA\LOCALLOW\SUN\JAVA\DEPLOYMENT\CACHE\6.0\54\5BC107F6-5B7276E1 (Renamed & Submitted)

Statistics

Scanned:

Files: 68485

System: 4789

Not scanned: 36

Actions:

Disinfected: 12

Renamed: 1

Deleted: 0

Not cleaned: 0

Submitted: 1

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\USERS\JK\APPDATA\LOCAL\TEMP\HSPERFDATA_JK\4908

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\DBDAO

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\DBEAO

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\DBM

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\DBDAM

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\HP

C:\USERS\JK\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\C38348424F7F\DBEAM

C:\SYSTEM VOLUME INFORMATION\{143F8D00-208F-11E0-8966-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{7CC9266A-1CE0-11E0-8919-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{B685F860-0D3A-11E0-8C11-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{B685F86E-0D3A-11E0-8C11-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{B685F874-0D3A-11E0-8C11-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{D79E3667-1500-11E0-840A-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{DF9B1D9E-1C0D-11E0-A917-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{EE6300DE-1A9D-11E0-B02D-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{EFE278AB-270F-11E0-970D-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{EFE278B1-270F-11E0-970D-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{FFDAF3BA-2209-11E0-8527-00238BF9E0FC}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\BOOT\BCD

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Security Check

Results of screen317's Security Check version 0.99.16

Windows Vista Service Pack 1 (UAC is enabled)

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG 2011

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.0.32.18

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

JK AppData Local Temp\OnlineScanner\Anti-Virus\fsgk32.exe

JK AppData Local Temp\OnlineScanner\Anti-Virus\fssm32.exe

JK AppData Local Temp\fsonlinescanner.exe

``````````End of Log````````````


  • Staff

Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Flash Player 10.0.32.18

Java™ 6 Update 21

ESET Online Scanner v3

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

-screen317

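The Security Check output above reported Java 6 Update 21 and Flash 10.0.32.18 as out of date, the F-Secure scan found the downloader inside the Java deployment cache, and the last staff reply asks for the Java cache to be emptied and the old Java and Flash to be uninstalled. The script below is an added example, not code from the thread or from screen317's Security Check: it lists the Java and Flash entries from Add/Remove Programs, warns when more than one Java runtime is present, and reports the size of the per-user Java deployment cache, clearing it only when run with -Clear. The cache location and layout assumed here (cache\6.0\<bucket>\<entry> plus an <entry>.idx index file) match the path the F-Secure report printed.

```powershell
# Added example: report outdated browser plug-ins and the Java deployment cache.
# Read-only unless -Clear is given.
param([switch]$Clear)

function Get-PluginVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE|Adobe Flash Player)' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-JavaCache {
    # Assumption: the per-user cache lives under LocalLow, as in the thread's
    # F-Secure report (C:\USERS\<user>\APPDATA\LOCALLOW\SUN\JAVA\DEPLOYMENT\CACHE).
    $root = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path $root)) { return $null }
    $files = Get-ChildItem $root -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    New-Object PSObject -Property @{
        Path    = $root
        # Each cached resource has a sibling .idx file; count only the payloads.
        Entries = @($files | Where-Object { $_.Extension -ne '.idx' }).Count
        SizeMB  = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
    }
}

$plugins = @(Get-PluginVersion)
'Java and Flash entries in Add/Remove Programs:'
$plugins | Format-Table -AutoSize

if (@($plugins | Where-Object { $_.DisplayName -match '^(Java|J2SE)' }).Count -gt 1) {
    Write-Warning 'Several Java runtimes are installed; older ones remain exploitable until removed.'
}

$cache = Get-JavaCache
if ($cache) {
    $cache | Format-List Path, Entries, SizeMB
    if ($Clear) {
        # Close browsers first: entries still in use will fail to delete.
        Remove-Item (Join-Path $cache.Path '*') -Recurse -Force -ErrorAction Continue
        'Java deployment cache cleared.'
    }
}
```

Clearing the cache removes the downloaded applet that F-Secure renamed, but not the reason it got there: the Java 6 Update 21 runtime stays vulnerable until it is uninstalled and replaced, which is why the staff instruction lists the uninstall before the update.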

  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
