Jump to content

Failure to remove malware

MarcelBurger

By MarcelBurger
in Resolved Malware Removal Logs

 Share

Recommended Posts

MarcelBurger

MarcelBurger

Posted
Posted

I have a AVG for virus protection, Malwarebyte Antimalware for malware protection and SuperAntiSpyware against spywares.

Neither the AVG nor the Malwarebyte has detected any problem with the system or my files. But the SuperAntiSpyware detected adware in my PC and every time I select to delete them, the system does so and asks to reboot the PC to get rid of them completely. Afterwards I run the program again and it turns out that the adware is still there. I updated both the SuperAntiwareSpyware and Malwarebyte.

Here is the snapshot of the results by Malwarebyte:

The scan completed successfully. No malicious items detected. A log file has been saved to the logs folder. Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7750

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

20/09/2011 1:01:05 AM

mbam-log-2011-09-20 (01-01-05).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 253907

Time elapsed: 1 hour(s), 9 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here are the results by SuperAntiSpyware:

Adware.Zango/ShoppingReport [15 items]

Registry keys:

HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}

HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\ProxyStubCIsid

HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\ProxyStubCIsid32

HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib

HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib#Version

HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}

HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubCIsid

HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubCIsid32

HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib

HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib#Version

HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}

HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubCIsid

HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubCIsid32

HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib

HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib#Version

Any advice what I could do? Many thanks.

post-94719-0-95401800-1316510268.png

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hello and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again, I wouldn't worry about these syper antispyware detections, they are just some clsid's; I see no Zango on your computer (which btw is quite harmless).

P2P WARNING

-------------------

Going over your logs I noticed that you have eMule and Limewire installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall eMule and LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe

    [*]Save it to your desktop

    [*]Close any programs you may have running - especially your web browser.

    [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

    [*]Reboot your computer once all Java components are removed.

    [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    2. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    3. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    4. Check "YES, I accept the Terms of Use."
    5. Click the Start button.
    6. Accept any security warnings from your browser.
    7. Under scan settings, check "Scan Archives" and "Remove found threats"
    8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites
MarcelBurger

MarcelBurger

Posted
  • Author
Posted

Hi Elise,

Many thanks again for a speedy response.

Couple of comments/questions:

1) I rarely use P2P and I haven't used those for a long time.

2) After I installed ForoSpyware, once I log in the PC, I am asked to activate Windows or do so later. There is also a message that this is not the genuine Windows. Why is it so?

3) I deleted JRE and J2SE but I still have old JAVA folders but that do not contain JRE or J2SE. Is it recommended to delete these as well?

4) I scanned the PC, here are the results. It was cleaned.

C:\Windows.old\Documents and Settings\RUSTY\My Documents\LONELY PLANET\Baja_Los_Cabos7th_Edition_August_2007.rar JS/Exploit.Pdfka.PAV trojan deleted - quarantined

C:\Windows.old\Documents and Settings\RUSTY\My Documents\LONELY PLANET\Mexican_Spanish1st_Edition_October_2003.rar JS/Exploit.Pdfka.PAV trojan deleted - quarantined

C:\Windows.old\Documents and Settings\RUSTY\My Documents\LONELY PLANET\Panama4th_Edition_November_2007.rar JS/Exploit.Pdfka.PAV trojan deleted - quarantined

C:\Windows.old\Documents and Settings\RUSTY\My Documents\LONELY PLANET\Puerto_Vallarta_Pacific_Mexico2nd_Edition_August_2006.rar JS/Exploit.Pdfka.PAV trojan deleted - quarantined

Look forward to the next posting.

Link to post
Share on other sites
MarcelBurger

MarcelBurger

Posted
  • Author
Posted

Hi,

Originally I had Windows XP Vista capable but recently I decided to reinstall the operating system and I was sent by the PC manufacturer a CD with Windows Vista. As I wrote in my previous message, that was never an issue. It started to appear once I installed ForoSpyware.

I installed all latest updates including Service Pack 2 for Vista but still I get the message "Activate now or later" and there is a sign that Windows used is not genuine.

Another question re JAVA:

I installed the version that you suggested - Java Runtime Environment (JRE) Version 7, however, now when I start the PC, I get an automatic message from Limewire: "LimeWire need the Java Runtime Environment 6.0 or above. Click OK to go to www.java.co, where you can install Java". How come I get this message?

As I wrote in the previous post I deleted JRE and J2SE but I still have old JAVA folders but that do not contain JRE or J2SE. Is it recommended to delete these as well?

I ran the checkup again and everything seems fine now.

Look forward to the next post.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

If you have Genuine Windows, and you tried to activate but it says it is not genuine, best contact microsoft, as they may be able to help you.

As for java, you may try JavaRa.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites
MarcelBurger

MarcelBurger

Posted
  • Author
Posted

Many thanks, Elise.

Just to understand, if I download the Java link you sent me, do I have to delete old JAVA folders but that do not contain JRE or J2SE?

Regarding the Windows activation, I was confused cause before I installed the combofix I had not been asked to activate Windows, but now I am. Just to make it clear, I have not tried to activate the system coz I thought I'd better enquire first. But when I am asked to activate it, there is a sign at the bottom of the screen that says it may be not a genuine Windows. You still think I'd better contact Microsoft?

Link to post
Share on other sites
Elise

Elise

Posted
Posted

No, JavaRa should take care of older installations.

As for activation, this needs to be done within 30 days after installation. It will not prompt you for this until the activation period is about to expire. If you have a legit windows version and product code, you can just contact MS about this so they can verify why the activation fails.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.