flash player Malware attack part1

[yabasha71]

Hello -
I have been hit by a variety of malware which I thought I had removed using the READ & RUN Summary sheet but it has returned.

Am running XP SP3 and Computer performance had been deteriorating for about 2 weeks. I assumed it was aging laptop but ran Sophos and SAS and found some malware.

Performed the Read and Run on the main user account in normal mode and the Admin account under safe mode. Within each log I have attached the Admin data at the bottom of the log.

Perfromance began to deteriorate again after 72 hours. ran SAS to confirm my suspicions and there Adware flash tracker file. Would appreciate some help as I am suspicious that I have not rooted out the problem as this is similar to previous issues noted in attached log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2010 at 07:42 AM

Application Version : 4.26.1006

Core Rules Database Version : 5045
Trace Rules Database Version: 2857

Scan type : Complete Scan
Total Scan Time : 00:58:26

Memory items scanned : 548
Memory threats detected : 0
Registry items scanned : 5398
Registry threats detected : 0
File items scanned : 20664
File threats detected : 1

Adware.Flash Tracking Cookie
C:\Documents and Settings\Mai\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\38FRGBP8\BROADCAST.PIXIMEDIA.FR

[yabasha71]

Hello -
I have been hit by a variety of malware which I thought I had removed using the READ & RUN Summary sheet but it has returned.

Am running XP SP3 and Computer performance had been deteriorating for about 2 weeks. I assumed it was aging laptop but ran Sophos and SAS and found some malware.

Performed the Read and Run on the main user account in normal mode and the Admin account under safe mode. Within each log I have attached the Admin data at the bottom of the log.

Perfromance began to deteriorate again after 72 hours. ran SAS to confirm my suspicions and there Adware flash tracker file. Would appreciate some help as I am suspicious that I have not rooted out the problem as this is similar to previous issues noted in attached log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2010 at 07:42 AM

Application Version : 4.26.1006

Core Rules Database Version : 5045
Trace Rules Database Version: 2857

Scan type : Complete Scan
Total Scan Time : 00:58:26

Memory items scanned : 548
Memory threats detected : 0
Registry items scanned : 5398
Registry threats detected : 0
File items scanned : 20664
File threats detected : 1

Adware.Flash Tracking Cookie
C:\Documents and Settings\Mai\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\38FRGBP8\BROADCAST.PIXIMEDIA.FR

[Kestrel13!]

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

[Kestrel13!]

1. Before we continue I would like for you to rename ComboFix2.exe back to combofix.exe.

2. Important Notice: A new version of SUPERAntiSpyware is available, and I would like for you to run it on both accounts and attach logs once done.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new full scan of your system. And attach this log later.

3. Why did you run scans in safe mode on the admin account? What issues did you experience that scans could not be run in normal mode?

Normal user account:

1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

After clicking Fix exit HJT.

2. Now use Windows Explorer to find and delete the below bold folder:

Quote:

C:\Documents and Settings\Mai\Local Settings\Application Data\fjkfdyofd

3. Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

Quote:

C:\Documents and Settings\Mai\Local Settings\temp

4. Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

5. Run the new C:\MGTools.exe and attach the C:\Mglogs.zip that it creates.

Admin Account:

Delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

Quote:

C:\Documents and Settings\Administrator\Local Settings\temp

Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

5. Run the new C:\MGTools.exe and attach the C:\Mglogs.zip that it creates.

6. Let me know how things are running now.

[yabasha71]

Hi Kestrel13 -

thank you for all the help. Its much appreciated. Answers to your points below

Did all the steps you required. logs attached. SAS scan on the main account did pick up another flash issue. so not sure what is occurring.

To clarify why I scanned Admin account in safe mode. I incorrectly assumed that my admin account could only be accessed via safe mode. Based on your query I have now realised that my main account is my admin account and performing the extra scans in Safe Mode had no true advantage.


Please let me know how it looks.

Best Regards

Tarek

[Kestrel13!]

Now, using the admin account, I want you to do the following in normal mode:

Go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.C:\MGTools.exe and attach the C:\Mglogs.zip into your next reply. I am not seeing any malware in any of the logs but just want to see fresh logs from the most current version of MGTools before I give you final steps for both accounts.

[yabasha71]

Once again kestrel 13 I am very grateful for all your help.
Attached find the latest logs.

regards

[Kestrel13!]

All clean. Final steps for both accounts now:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[yabasha71]

Thanks again. I am grateful for your help

[Kestrel13!]

Most welcome. Safe surfing.