MajorGeeks Support Forums

#1  06-08-10, 17:32
yabasha71 (Private E-2; Join Date: Jul 2009; Posts: 11)
flash player Malware attack part1

Hello -
I have been hit by a variety of malware which I thought I had removed using the READ & RUN Summary sheet, but it has returned.

I am running XP SP3, and computer performance had been deteriorating for about 2 weeks. I assumed it was an aging laptop, but ran Sophos and SAS and found some malware.

Performed the Read and Run on the main user account in normal mode and the Admin account under safe mode. Within each log I have attached the Admin data at the bottom of the log.

Performance began to deteriorate again after 72 hours. Ran SAS to confirm my suspicions, and there was an Adware flash tracker file. Would appreciate some help, as I am suspicious that I have not rooted out the problem, as this is similar to previous issues noted in the attached log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2010 at 07:42 AM

Application Version : 4.26.1006

Core Rules Database Version : 5045
Trace Rules Database Version: 2857

Scan type : Complete Scan
Total Scan Time : 00:58:26

Memory items scanned : 548
Memory threats detected : 0
Registry items scanned : 5398
Registry threats detected : 0
File items scanned : 20664
File threats detected : 1

Adware.Flash Tracking Cookie
C:\Documents and Settings\Mai\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\38FRGBP8\BROADCAST.PIXIMEDIA.FR
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 06-04-2010 - 13-01-13.log (736 Bytes, 1 views)
File Type: txt mbam-log-2010-06-04 (13-28-16).txt (1.8 KB, 2 views)
File Type: txt combfixlog.txt (25.9 KB, 1 views)
File Type: txt rrlog.txt (1.6 KB, 1 views)
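The one hit in the SAS log above sits under Flash Player's #SharedObjects directory, which is where Flash keeps per-site Local Shared Objects (the "Flash cookies"); the last path component is the site that wrote it. The following is an added example, not from the thread and not SUPERAntiSpyware code, that parses the log format shown above and separates LSO hits from detections that point at something that can run. SAS_LOG is the log text posted above; the severity labels, LSO_DIR, RUNNABLE_EXT and the classify() rules are this example's own assumptions about how to triage such a report.

```python
"""Parse a SUPERAntiSpyware scan log and separate Flash Local Shared Object
hits (per-site data files under #SharedObjects) from detections that point
at content that can run. Added example: not from the thread and not
SUPERAntiSpyware code. SAS_LOG is the log posted in the thread; everything
that classifies a detection is this example's own assumption."""
import re
from dataclasses import dataclass, field

SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2010 at 07:42 AM

Application Version : 4.26.1006

Core Rules Database Version : 5045
Trace Rules Database Version: 2857

Scan type : Complete Scan
Total Scan Time : 00:58:26

Memory items scanned : 548
Memory threats detected : 0
Registry items scanned : 5398
Registry threats detected : 0
File items scanned : 20664
File threats detected : 1

Adware.Flash Tracking Cookie
C:\Documents and Settings\Mai\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\38FRGBP8\BROADCAST.PIXIMEDIA.FR
"""

# Summary lines such as "Memory threats detected : 0"
COUNTER_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\d+)\s*$")
# Detection names such as "Adware.Flash Tracking Cookie" or "Trojan.Agent/Gen"
NAME_RE = re.compile(r"^[A-Z][A-Za-z]*\.[A-Za-z][\w ./()\-]*$")
# Items listed under a detection: a file path or a registry key
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U)\\|HKEY_)")
# Flash keeps Local Shared Objects here; the last component is the site that set it
LSO_DIR = re.compile(r"\\MACROMEDIA\\FLASH PLAYER\\#SHAREDOBJECTS\\", re.IGNORECASE)
# Assumed list of extensions that execute
RUNNABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar")


@dataclass
class Detection:
    name: str
    item: str
    severity: str          # "informational", "review" or "runnable"
    domain: str = ""       # set for Flash LSOs


@dataclass
class ScanReport:
    counters: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def classify(name, item):
    """Assumed rule set: LSO file -> informational; executable extension or
    registry item -> runnable; anything else -> review by hand."""
    if LSO_DIR.search(item):
        domain = item.rstrip("\\").rsplit("\\", 1)[-1].lower()
        return Detection(name, item, "informational", domain)
    if item.lower().endswith(RUNNABLE_EXT) or item.startswith("HK"):
        return Detection(name, item, "runnable")
    return Detection(name, item, "review")


def parse_sas_log(text):
    """Counters go into report.counters; each item line is attached to the
    most recent detection name seen above it."""
    report = ScanReport()
    current_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.match(line)
        if m:
            report.counters[m.group("key").strip()] = int(m.group("val"))
        elif ITEM_RE.match(line):
            report.detections.append(classify(current_name or "Unnamed", line))
        elif NAME_RE.match(line):
            current_name = line
        # product name, URL, date and version lines fall through and are ignored
    return report


def needs_cleanup(report):
    """True when any detection is more than a tracking LSO."""
    return any(d.severity != "informational" for d in report.detections)


def lso_domains(report):
    return sorted({d.domain for d in report.detections if d.domain})


if __name__ == "__main__":
    rep = parse_sas_log(SAS_LOG)
    print("file threats counted by SAS:", rep.counters.get("File threats detected"))
    for d in rep.detections:
        print(f"[{d.severity}] {d.name}: {d.item}")
    print("LSO domains:", lso_domains(rep))
    print("cleanup needed:", needs_cleanup(rep))
```

Run against the posted log, the only detection is classified informational and needs_cleanup() is false; a log listing an executable or a registry Run value would come back as runnable. An LSO reappearing after a scan only means a site set it again, so "another flash issue" in a later SAS scan is not by itself evidence that the earlier cleanup failed.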
#2  06-08-10, 17:33
yabasha71 (Private E-2; Join Date: Jul 2009; Posts: 11)
flash player Malware attack part2
Attached Files
File Type: zip MGlogs.zip (114.3 KB, 2 views)
File Type: zip MGlogs admin.zip (104.0 KB, 2 views)
#3  06-08-10, 17:56
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 27,092)
Re: flash player Malware attack part1

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
#4  06-09-10, 19:42
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 27,092)
Re: flash player Malware attack part1

1. Before we continue I would like for you to rename ComboFix2.exe back to combofix.exe.

2. Important Notice: A new version of SUPERAntiSpyware is available, and I would like for you to run it on both accounts and attach logs once done.
  • Please uninstall your current version (this is necessary).
  • Then download this SUPERAntiSpyware
  • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
  • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
  • Now run a new full scan of your system. And attach this log later.

3. Why did you run scans in safe mode on the admin account? What issues did you experience that scans could not be run in normal mode?

Normal user account:

1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
After clicking Fix exit HJT.

2. Now use Windows Explorer to find and delete the folder below:

Quote:
C:\Documents and Settings\Mai\Local Settings\Application Data\fjkfdyofd

3. Also delete all files in the folder below except ones from the current date (Windows will not let you delete the files from the current day).
Quote:
C:\Documents and Settings\Mai\Local Settings\temp

4. Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

5. Run the new C:\MGTools.exe and attach the C:\Mglogs.zip that it creates.

Admin Account:

1. Delete all files in the folder below except ones from the current date (Windows will not let you delete the files from the current day).
Quote:
C:\Documents and Settings\Administrator\Local Settings\temp

2. Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

3. Run the new C:\MGTools.exe and attach the C:\Mglogs.zip that it creates.

4. Let me know how things are running now.
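The two things the instructions above single out, an R1 ProxyServer entry that points at 127.0.0.1 and a program directory under Local Settings\Application Data with a random-looking name, are both things a triage script can pick out of a HijackThis log before anyone clicks Fix. Here is an added example that does that; it is not from the thread and not HijackThis or MGtools code. The R1 line is the one quoted above; the other lines in SAMPLE_HJT_LINES, including the O4 entries that reuse the folder name fjkfdyofd, are constructed for this example, and USER_WRITABLE_DIRS is this example's own list of per-user writable locations.

```python
"""Triage HijackThis-style log lines for a loopback proxy and for autoruns
that start from per-user writable directories. Added example: not from the
thread and not HijackThis/MGtools code. The R1 ProxyServer line is the one
quoted in the thread; every other sample line is constructed here."""
import re

SAMPLE_HJT_LINES = [
    # constructed, a normal start page
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/",
    # the line quoted in the thread
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    # constructed, harmless
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    # constructed, a normal vendor autorun from Program Files
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe",
    # constructed, reuses the folder name from the thread
    r"O4 - HKCU\..\Run: [fjkfdyofd] C:\Documents and Settings\Mai\Local Settings\Application Data\fjkfdyofd\fjkfdyofd.exe",
    # constructed
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Mai\Local Settings\Temp\upd.exe",
]

# "R1 - HKCU\...\Internet Settings,ProxyServer = <value>"
PROXY_RE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\.*Internet Settings,ProxyServer = (?P<value>.+)$")
# "O4 - HKLM\..\Run: [name] command"
AUTORUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed list: directories a non-admin user can write to on XP (plus the
# Vista+ AppData layout). A Run entry pointing here deserves a look; one in
# Program Files or System32 does not get flagged by this check.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\appdata\\",
    "\\windows\\temp\\",
)


def parse_proxy_server(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.
    Accepts both "host:port" (all protocols, reported as scheme "*") and
    the per-protocol form "http=host:port;https=host:port"."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given
            host, port = hostport, ""
        entries.append((scheme.lower(), host.strip("[]").lower(), port))
    return entries


def is_loopback(host):
    return host == "localhost" or host == "::1" or host.startswith("127.")


def triage(lines):
    """Return findings as dicts with kind, hive, detail and the source line."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_server(m.group("value")):
                if is_loopback(host):
                    findings.append({
                        "kind": "loopback_proxy",
                        "hive": m.group("hive"),
                        "detail": f"{scheme} traffic is routed through {host}:{port} on this machine",
                        "line": line,
                    })
            continue
        m = AUTORUN_RE.match(line)
        if m and any(d in m.group("cmd").lower() for d in USER_WRITABLE_DIRS):
            findings.append({
                "kind": "autorun_user_writable",
                "hive": m.group("hive"),
                "detail": f"[{m.group('name')}] starts {m.group('cmd')}",
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"{f['kind']:24} {f['hive']:5} {f['detail']}")
```

A ProxyServer value of http=127.0.0.1:5555 hands Internet Explorer's HTTP traffic to whatever is listening on that port on the same machine. Clearing the R1 entry removes the redirection but not the program that set it, which is why the instructions also delete the folder and then ask for fresh logs: the check is whether the entry stays gone after a reboot.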
#5  06-11-10, 20:43
yabasha71 (Private E-2; Join Date: Jul 2009; Posts: 11)
Re: flash player Malware attack part1

Hi Kestrel13 -

Thank you for all the help. It's much appreciated. Answers to your points below.

Did all the steps you required. Logs attached. The SAS scan on the main account did pick up another flash issue, so not sure what is occurring.

To clarify why I scanned the Admin account in safe mode: I incorrectly assumed that my admin account could only be accessed via safe mode. Based on your query I have now realised that my main account is my admin account, and performing the extra scans in Safe Mode had no true advantage.

Please let me know how it looks.

Best Regards

Tarek
#6  06-12-10, 07:40
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 27,092)
Re: flash player Malware attack part1

Now, using the admin account, I want you to do the following in normal mode:

Go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one. Run the new C:\MGTools.exe and attach the C:\Mglogs.zip into your next reply. I am not seeing any malware in any of the logs, but I just want to see fresh logs from the most current version of MGTools before I give you final steps for both accounts.
#7  06-12-10, 17:15
yabasha71 (Private E-2; Join Date: Jul 2009; Posts: 11)
Re: flash player Malware attack part1

Once again, Kestrel13, I am very grateful for all your help.
Please find attached the latest logs.

Regards
Attached Files
File Type: zip MGlogs.zip (116.3 KB, 1 views)
#8  06-13-10, 20:12
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 27,092)
Re: flash player Malware attack part1

All clean. Final steps for both accounts now:

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
    • "%userprofile%\Desktop\combofix" /uninstall
      • Note: the space between the combofix" and the /uninstall must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to Add/Remove Programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link:
#9  06-14-10, 16:03
yabasha71 (Private E-2; Join Date: Jul 2009; Posts: 11)
Re: flash player Malware attack part1

Thanks again. I am grateful for your help.

#10  06-14-10, 17:44
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 27,092)
Re: flash player Malware attack part1

Most welcome. Safe surfing.