Cyber Tech Help Support Forums > Software > Malware Removal Forum
#16 flubo (New Member), December 10th, 2009, 07:41 AM
Malwarebytes' Anti-Malware 1.42
Database version: 3336
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/10/2009 2:37:59 PM
mbam-log-2009-12-10 (14-37-59).txt

Scan type: Quick Scan
Objects scanned: 99945
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#17 Jintan (Malware Removal Team Advisor), December 11th, 2009, 01:20 AM
Very good. Now one additional scan to make sure nothing remains.

Go here and follow the steps to download and run the ESET Uninstaller. Be sure to reboot after.

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple of minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All, then copy/paste that log back here please.

#18 flubo (New Member), December 11th, 2009, 04:14 AM
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16574 (vista_gdr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32759843ce48574988235835e66671ee
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-11 03:06:20
# local_time=2009-12-11 11:06:20 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775141 100 98 0 196786182 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=74094
# found=7
# cleaned=7
# scan_time=2951
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-2016887525-6947164093-421455569-7460\windll.exe.vir a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\msvmcls64. exe.vir a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP544\A0064210.exe a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP555\A0065936.exe a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP556\A0066229.exe a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\autorun.inf Win32/Peerfrag.FI worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\filesystem\pagefile.exe a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#19 Jintan (Malware Removal Team Advisor), December 11th, 2009, 05:02 AM
Mostly infection already removed by ComboFix to its Qoobox quarantine in that, but one autorun.inf on that G drive. Let's "safe" that, then check with Eset again. Be sure to leave any external drives (usb/flash/thumb etc) installed until all this work is completed.

Click here and download Flash_Disinfector.exe and save it to your desktop.

Double-click on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other external/removable drives. Please do so and allow the utility to clean up those drives as well.

Then leave any drives installed until all repairs here have been completed.

This will also create autorun.inf folders on all drives there, which serves to block autoloading infections from creating some of the bad files they need to infect other drives and systems.

And although it may just take out some of the autorun.inf's Flash Disinfector just added, run a new Eset scan again, and post that log please.
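An added example, not code from this thread or from any of the tools named in it: a small parser for ESET Online Scanner logs in the layout posted in #18, which sorts each detection by where it was found, the same triage Jintan does above (copies in the ComboFix Qoobox quarantine or inside a System Restore point are inert; an autorun.inf in a drive root is the live one). The sample log, its paths and GUID, and the `classify` category names are all constructed for illustration.

```python
import re
# Constructed sample in the layout of the ESET Online Scanner logs posted in this
# thread: "# key=value" header lines, then one detection per line (paths illustrative).
SAMPLE_LOG = """\
# end=finished
# found=4
# cleaned=4
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\sample.exe.vir a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP544\\A0064210.exe a variant of Win32/Kryptik.BDR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\\autorun.inf Win32/Peerfrag.FI worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\WINDOWS\\system32\\drivers\\sample.sys Win32/Sample trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Path and threat name both contain spaces, so anchor on the fixed tail "(action) <32 hex> <flag>".
DETECTION_RE = re.compile(
    r"^(?P<body>.+) \((?P<action>[^()]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$")

def classify(path):
    # Where the detected file lived: an inert copy, or somewhere it could still run.
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore-point"         # held harmless inside a restore point
    if p.endswith("\\autorun.inf") and p.count("\\") == 1:
        return "drive-root-autorun"    # autorun launcher in a drive root (e.g. USB)
    return "active-location"

def parse_eset_log(text):
    # Returns (header dict, list of detections) for one ESET Online Scanner log.
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # blank lines and status lines like "esets_scanner_update returned -1"
        tokens = m.group("body").split(" ")
        # The path ends at the last token holding a backslash; ESET names use "/", never "\".
        last = max((i for i, t in enumerate(tokens) if "\\" in t), default=-1)
        path, threat = " ".join(tokens[:last + 1]), " ".join(tokens[last + 1:])
        detections.append({"path": path, "threat": threat,
                           "action": m.group("action"), "location": classify(path)})
    return header, detections

def header_consistent(text):
    header, detections = parse_eset_log(text)
    return header.get("found") == str(len(detections))
```

A mismatch between the header's found= count and the number of detection lines usually means the paste was truncated or a line was wrapped by the forum, which is worth checking before reading anything into a log.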

#20 flubo (New Member), December 13th, 2009, 09:10 AM
# version=7
# IEXPLORE.EXE=7.00.6000.16574 (vista_gdr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32759843ce48574988235835e66671ee
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-12 12:54:30
# local_time=2009-12-12 08:54:30 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 0 196907687 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=59312
# found=0
# cleaned=0
# scan_time=3134
# version=7
# IEXPLORE.EXE=7.00.6000.16574 (vista_gdr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32759843ce48574988235835e66671ee
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-13 06:15:08
# local_time=2009-12-13 02:15:08 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 0 196969888 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72891
# found=0
# cleaned=0
# scan_time=3372
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=7.00.6000.16574 (vista_gdr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32759843ce48574988235835e66671ee
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-13 07:44:29
# local_time=2009-12-13 03:44:29 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 0 196975360 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72891
# found=0
# cleaned=0
# scan_time=3261

#21 Jintan (Malware Removal Team Advisor), December 13th, 2009, 04:14 PM
Good verification things were removed, and looks like they are now. Before we do some final cleaning up steps here post back on how the system is running now please. Any problems we still need to address?

#22 flubo (New Member), December 16th, 2009, 11:35 AM
My computer is working much better now. Recently got a malicious threat coming from djkkvip.zziyuan.com/dj. Network shield managed to detect and block it off. I did another round of Eset virus scan and there's nothing wrong. So far so good...

#23 Jintan (Malware Removal Team Advisor), December 16th, 2009, 02:01 PM
Very good. Just need to clean up what our work added there to finish now.

Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.

You can also at this time delete the files/folders of the tools we used. To assist with some of that, download OTM.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Click OTM.exe to run it and click on Cleanup. You'll be asked if you want to begin the cleanup process. Select Yes.

OTM will search for and delete/uninstall many of the tools that we have used to fix your problems and all their backup folders, and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step, resetting Restore.

---------

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure; click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply, then OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.

#24 flubo (New Member), December 22nd, 2009, 08:26 AM
Just to play safe, I did another round of anti-virus scan and here are the results:

# version=7
# IEXPLORE.EXE=7.00.6000.16574 (vista_gdr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=32759843ce48574988235835e66671ee
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-22 06:18:44
# local_time=2009-12-22 02:18:44 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 538574 538574 0 0
# compatibility_mode=769 16775141 100 98 0 197747821 0 0
# compatibility_mode=8192 67108863 100 0 127080 127080 0 0
# scanned=75652
# found=0
# cleaned=0
# scan_time=3256

#25 flubo (New Member), December 22nd, 2009, 08:27 AM
Unfortunately 3 objects were infected under the anti-malware scan:

Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/22/2009 3:14:43 PM
mbam-log-2009-12-22 (15-14-43).txt

Scan type: Full Scan (C:\|E:\|G:\|)
Objects scanned: 183621
Time elapsed: 32 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP555\A0065973.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP556\A0066149.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{838D002D-2F9F-4EEC-A02F-4B2D0EA04E5C}\RP556\A0066311.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#26 Jintan (Malware Removal Team Advisor), December 23rd, 2009, 01:17 AM
Good news actually - just malware that had been held harmless in System Restore (System Volume Information\_restore), so nothing active being found there now. Looking cleaned up, and you did well there. Before we move to some last steps to clean up what our work added to your computer, post back how things are running now please.

#27 flubo (New Member), December 23rd, 2009, 02:53 AM
After OTM cleanup I still have the application files: 456out (Combofix), ESETUninstaller, sogm0sgj (Gmer), Flash_Disinfector and mbam_setup (anti-malware). Should I delete them manually?

#28 Jintan (Malware Removal Team Advisor), December 23rd, 2009, 02:59 AM
Yes, go ahead and just manually delete those. All those specialty tool files become quickly outdated anyway, so over time they can make the wrong changes in the wrong situation.

#29 flubo (New Member), December 24th, 2009, 05:45 AM
All done! Things are working fine now, not experiencing anything unusual. Is it safe enough to rely on anti-virus protection and run the anti-malware software now and then?

#30 Jintan (Malware Removal Team Advisor), December 24th, 2009, 11:20 PM
Yes, that is a good choice. Unless you wish to purchase the anti-malware software you have chosen then you have to stay true to the schedule of regular updates and scans.