thanks for the help - double-check, please?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dcaz, Apr 15, 2009.

  1. dcaz

    dcaz Private E-2

    Hi, all--

    Thanks for all the help in this forum, especially the malware removal tutorials. I went through them over the last few days, and I think the suggested tools fixed my problem.

    Two things. I'm going to attach my logs to make sure that everything was fixed. I'd appreciate it if someone had a chance to check them out. Second, I'm concerned about reinfection. It wasn't until I ran ComboFix and MGTools that my infection was even recognized, so my anti-virus, anti-spyware and anti-adware tools let the infection slip by.

    Background. I first noticed something when clicking on Google search results started sometimes taking me briefly to a page that said "Anti DDOS Filter" with a button that said "Click here to start site." Most of the time the page refreshed on its own and took me to the right page, so I didn't realize for a while that it was a browser hijack symptom.

    Then, AVG started having a problem that caused Firefox to stop being able to load pages. So I installed the newest version of AVG, which solved that problem. Somewhere along the way, probably because Firefox started crashing frequently, I decided I had an infection, and guessed that the "Anti DDOS Filter" page was related.

    In doing research on the problem, I discovered that I was unable to load any pages from bleepingcomputer.com in either Firefox or IE, although my laptop had no problem with it. AVG also was unable to automatically update, although I could reach their website, and manually download and install the updates.

    Finally, I found and went through your Read & Run Me First tutorial (most of it, anyway), as well as similar tutorials on similar sites. I initially resisted running ComboFix, since the warnings were a little intimidating, but eventually decided I had to do it. Went smoothly and fixed the problem, so Yay!

    My system is WinXP. I run Firefox by default, with NoScript, so JavaScript is turned off.
    Anti-virus: AVG Free 8.5
    Anti-spyware: Spybot with Teatimer (I haven't noticed problems with Teatimer); and Spyware Blaster
    Anti-adware: Ad-Aware
    Firewall: Windows. (I know, I need to upgrade. I'll start researching that.)

    Those were my standard tools until this incident. AVG ran every night, and I tried to run the rest at least monthly. I now have SuperAntiSpyware and Malwarebytes' Anti-Malware, and will add them to the repertoire.

    Again, though, none of them found the infection. Is it just a matter of the malware arms race, and I just happened to be on the front lines? Or is there another tool that might have prevented or detected this sooner? Any suggestions would be appreciated.

    Thanks again for all the help. :wave

    dc

    PS: I'd prefer not to upload the MGlogs.zip file. Looks like a lot of details I'd rather not share so widely if not necessary.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. If you prefer not to attach the MGlogs.zip, that's your decision and we respect that; however, they are the logs I will be needing to see most in order to assist you properly.

    It's the only way we get a good look inside your machine. If you like, I will request that the logs be taken down as soon as we have had a look. Entirely up to you, but to complete the procedures we will be needing them.
     
  3. dcaz

    dcaz Private E-2

    Sounds reasonable. Thanks! Here you go.

    dc
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kes will check your logs and have them double checked. MGLogs do not reveal any info that could compromise your personal identity. After we deem your system clean, we can then remove your logs. But again, feel confident that there is nothing to worry about.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    FYI:

    The following software is out of date; you should uninstall it and, after rebooting, install the most up-to-date versions.

    SpywareBlaster 4.1 New Version

    Spybot - Search & Destroy 1.5.2.20 New Version

    The below software is not as effective as SAS or MBAM that you installed during the R&R

    • Ad-Aware

    And this:

    WinPcap 3.1 <--- did you install this intentionally? If not, please uninstall.

    Your logs are basically clean, but we can do some non-malware related things.

    1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    2. Now we need to use ComboFix to remove a dead BHO

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    DirLook::
    c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    4. Now please download the latest version of MGTools from the Read and Run First instructions, then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited by a moderator: Apr 21, 2009
  6. dcaz

    dcaz Private E-2

    Thanks! I will attend to this tonight after work. Quick question - you mentioned:

    WinPcap 3.1 <--- did you install this intentionally? If not, please uninstall.

    I believe I did install it intentionally. If I recall correctly, it was needed for either DownloadHelper or maybe URL Snooper, so that I can save .flv videos. I just checked, and can't find any mention of it at the DownloadHelper site, and I don't seem to have URL Snooper any more, so maybe I uninstalled URLS and forgot to do the same to WinPcap. I'll uninstall now.

    thanks!
    dcaz
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome! I shall be here waiting when you are ready. :)
    It will have nothing to do with your youtube download helper, so yes, do uninstall.
     
  8. dcaz

    dcaz Private E-2

    Hey, sorry for the long delay. I haven't had the time or headspace to deal with this, but I still hope to.

    thanks!
    dcaz
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. I'm always here :-D
     
  10. dcaz

    dcaz Private E-2

    So I finally started this... I got rid of WinPcap. I already had newer versions of Spyware Blaster and Spybot - not sure why my logs reflected older versions.

    I tried doing the other instructions as well. I was able to run MGTools as requested, but when I tried to put the txt file on ComboFix I got a warning that AVG was still running. I don't really know how to disable it, I guess. When I originally ran ComboFix, I thought that just exiting AVG shut it down, but I later read that it always stays resident, even when you shut down the interface. This time, I hit Ctrl-Alt-Del and ended the process on everything that started with avg..., but one thing wouldn't stop. I hoped that would be close enough, but apparently not. I got a warning not to run it until I ended AVG, and since I couldn't figure out how, I hit the X on the window, hoping that would stop it from running. Instead it started running, with an additional window saying essentially that I was running it against advice. However, it didn't do much at all other than freezing my machine, which I had to manually restart.

    When it came back up, there was a message that Sys Config Util had been enabled and I would see this message every time unless I checked to see what was running at startup and turned off the message. So I checked, and it looks like everything is running at start-up - all the categories were turned on. So I turned off the message.

    So now I'm wondering if I can properly run Combofix. Is there a way to prevent AVG from starting at start-up, or a way to disable it later?

    I also think there's still some problem with my machine. There were a few days when AVG wasn't able to connect to its server to update itself, which is one of the problems that brought me here in the first place. After running MGTools and removing that BHO reference, that seems to have corrected itself. I was also experiencing some browser redirect behavior, though I can't recall the details, unfortunately. If it happens again, I'll note the site I'm being sent to.

    So I'm wondering if I should go through the Read & Run First stuff again? Or just run all the anti-virus / malware utilities, and see if that fixes it? Suggestions appreciated, as is your help.

    Thanks!
    dcaz
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please re-scan with the following fixing anything they find:

    • SUPERantispyware
    • Malware Bytes

    ...and attach logs from each.

    Please see the below for how to disable AVG8.

    AVG 8
    Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.

    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, deselect the option to "Enable Resident Shield."
    • To re-enable AVG 8, please select "Enable Resident Shield" again.

    Then, with AVG8 successfully disabled, I would like you to download a fresh copy of ComboFix and run it again (DO NOT run my previous script from before).

    Then I would like for you to re-run MGTools.exe and attach the C:\mglogs.zip that it generates into your next reply.

    So I need logs from:

    • SUPERantispyware
    • Malware Bytes
    • Combofix
    • MGTools
     
  12. dcaz

    dcaz Private E-2

    Thanks again for all the help. :wave

    Here are the logs you requested.

    Hope you have a good Friday, and a fun long weekend ahead.

    dcaz
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ad-Aware <-- not as effective as SAS or MBAM ... uninstallation of this software is your choice.

    I see the below in your uninstall list:

    • LiveUpdate 2.6 (Symantec Corporation)

    Did you once have Symantec anti-virus installed and have since abandoned it for AVG 8.5? Let me know, because if this is the case we will need to run the Norton Removal Tool to be rid of any remnants.


    What do you know about the below bold files?
    Dates of:


    • Apr 19 2009
    • Apr 17 2009

    1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    2. I see that you still have Spybot Search and Destroy's TeaTimer function running. This needs to be disabled before we continue. Refer to the below for how to do so.

    How to disable Spybot's TeaTimer


    3. Now we need to use ComboFix.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    c:\windows\DUMP7be6.tmp
    
    DirLook::
    c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited by a moderator: May 23, 2009
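As an added example (not code from this thread, from the MajorGeeks helpers or from ComboFix itself), a small Python parser for the CFScript format used in the two ComboFix steps above: it splits a script into its `Name::` sections, classifies the .reg-style Registry:: lines, and pulls out any CLSIDs, so what a script will touch can be reviewed before it is posted. The meaning given to KILLALL::, File:: and DirLook:: in the comments is my reading of ComboFix's documented behaviour, not something stated in the thread.

```python
import re
# Constructed sample input: the CFScript directives from the ComboFix step
# above, embedded here only so the parser can run offline.
SAMPLE_CFSCRIPT = """\
KILLALL::

File::
c:\\windows\\DUMP7be6.tmp

DirLook::
c:\\documents and settings\\All Users\\Application Data\\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
Registry::
[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into 'Name::' sections; a header with no body (KILLALL::) maps to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank lines only separate sections visually
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:  # a directive before any header belongs to nothing; fail loudly
            raise ValueError(f"directive outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_action(line: str) -> tuple:
    """.reg semantics: '[-Key]' deletes the key, '[Key]' selects/creates it, anything else is a value line."""
    if line.startswith("[-") and line.endswith("]"):
        return ("delete_key", line[2:-1])
    if line.startswith("[") and line.endswith("]"):
        return ("select_key", line[1:-1])
    return ("value", line)


def review(text: str) -> dict:
    """Summarise what a script would touch so it can be checked before posting."""
    sections = parse_cfscript(text)
    return {
        "sections": sorted(sections),
        "kills_processes": "KILLALL" in sections,     # KILLALL:: ends running programs first
        "files_to_delete": sections.get("File", []),  # File:: entries are removed
        "dirs_to_list": sections.get("DirLook", []),  # DirLook:: only lists a folder into the log
        "registry": [registry_action(l) for l in sections.get("Registry", [])],
        "clsids": sorted(set(CLSID_RE.findall(text))),
    }
```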
  14. dcaz

    dcaz Private E-2

     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi with regards to removing all traces of Norton:

    Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.
     
  16. dcaz

    dcaz Private E-2


    Done, thanks! Also turned off TeaTimer. About to run ComboFix. I'll report back soon.

    thanks!
    dcaz
     
  17. dcaz

    dcaz Private E-2

    OK, here are the logs. Everything seems good so far.

    There is one thing that I wanted to mention, but I have no idea if it's related to malware or not.

    I use Exact Audio Copy to rip cds, and it uses freedb to look them up. In the last couple weeks, I get a Server Error every time. I also use foobar, and it can reach freedb just fine. Any thoughts?

    thanks!
    dcaz
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can ask the good folks in software about this :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
