Malware INVASION! Part 2 - THE RETURN

Discussion in 'Malware Help (A Specialist Will Reply)' started by J8son, Nov 25, 2008.

  1. J8son

    J8son Corporal

    Just when you thought it was safe to turn on your desktop. It'sssss Baaaaaack!

    OK, enough with the dramatics. I'm facing the same problem I did a few days back, only this time I have no clue what has gone wrong.

    My last Malware outbreak is outlined in this thread: http://forums.majorgeeks.com/showthread.php?t=174532

    Now, I get a pop up notice telling me to turn on my Microsoft Phishing Filter protection (which I suspect is fake) because when I select "Ask Me Later" or just "X" out to close it, I get a pop-up ad in IE. The link in the address bar is usually one of the following:


    I left all the scanning tools installed from the last time I had this problem and I have barely used the Internet since then, so I'm thinking perhaps it wasn't all removed the first time around (or I just got hit again from an outside source).

    But, alas, I went all the way back to the beginning of the cleaning guide and did EVERYTHING again from step one. Only problem is, this time it did not get rid of the problem (last time most of the visible issues were removed by the posting phase).

    Here are my logs. Hopefully we can eradicate this thing for good (paging Dr. TimW) ;)
     

    Attached Files:

  2. J8son

    J8son Corporal

    4th Attachment Added
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to disable the Guest account in User Accounts, then run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Why have you not installed any anti-virus programs? You will be reinfected over and over again unless you follow our guidelines that were given in your last thread on how to protect yourself from malware.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking fix, just exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    c:\windows\system32\stu2.exe
    c:\windows\system32\f273tMyK.exe
    c:\windows\system32\oB1BJvs1.exe
    
    
    Folder::
    C:\Documents and Settings\Windows XP\Application Data\IUpd721
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    NOW INSTALL AN AV PROGRAM!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
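    The CFScript above uses ComboFix's section syntax: a header such as `KILLALL::`, `File::` or `Folder::` on its own line, followed by one path per line. The following added example is not part of the thread and not a ComboFix tool; it parses a script in that format (the sample text is the script TimW posted), rejects a mistyped header before the script is used, and, after cleanup, reports which of the listed paths still exist so the removal can be confirmed independently of the ComboFix log. The `exists` parameter is an assumption introduced here so the check can be run against a fake filesystem.

```python
"""Parse a ComboFix CFScript and verify its File::/Folder:: targets are gone.

Added example for this thread; not ComboFix code. Only the three section
headers seen in the posted script are accepted.
"""
import os
import re
from typing import Callable, Dict, List

# Section headers used in the script posted in this thread.
KNOWN_SECTIONS = {"KILLALL", "File", "Folder"}

# A header is a bare word followed by '::' and nothing else on the line.
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample: the CFScript text from TimW's post, verbatim.
SAMPLE_SCRIPT = r"""
KILLALL::

File::
c:\windows\system32\stu2.exe
c:\windows\system32\f273tMyK.exe
c:\windows\system32\oB1BJvs1.exe


Folder::
C:\Documents and Settings\Windows XP\Application Data\IUpd721
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section_name: [entries]}.

    Raises ValueError on an unknown header (e.g. a typo like 'Flie::') or on
    a path that appears before any header, so mistakes are caught before the
    script is dragged onto ComboFix.
    """
    sections: Dict[str, List[str]] = {}
    current: List[str] | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            name = match.group(1)
            if name not in KNOWN_SECTIONS:
                raise ValueError(f"line {lineno}: unknown section '{name}::'")
            current = sections.setdefault(name, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        current.append(line)
    return sections


def verify_removed(sections: Dict[str, List[str]],
                   exists: Callable[[str], bool] = os.path.exists) -> Dict[str, bool]:
    """Return {path: still_present} for every File:: and Folder:: entry.

    'exists' defaults to the real filesystem; pass a predicate to test against
    a fake one. A True value means cleanup did not remove that path.
    """
    report: Dict[str, bool] = {}
    for section in ("File", "Folder"):
        for path in sections.get(section, []):
            report[path] = bool(exists(path))
    return report


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for path, present in verify_removed(parsed).items():
        print(("STILL PRESENT " if present else "removed       ") + path)
```

Run it on the machine after ComboFix has finished; any line marked STILL PRESENT is a target the script named but did not remove and belongs in the next round of logs.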
  4. J8son

    J8son Corporal

    I checked this in my Control Panel and it said the Guest Account was already turned off.

    Done

    Done

    Done

    Done. How are things looking now? Am I totally clean?

    It wasn't that I just totally disregarded the advice, as I am very appreciative of all the hard work the folks here at Major Geeks do and I value the suggestions greatly. It's just that I didn't have a lot of time to work on getting anything done, plus I hardly used the internet since then. So I assumed that during such a short period of time a problem would not arise, and I'd have time later to install something. But we all see what happens when I assume, don't we :-o

    This is the step that I am slightly reticent about. I'm not familiar enough with malware to know which app offers the best real-time protection in order to catch this type of thing in the future BEFORE it becomes a problem like this. I also am very active in several torrent communities and had to uninstall Norton because it was wreaking havoc by deleting files at random that it falsely identified as threats.

    Can I get some suggestions for the best but also most unintrusive real-time protection? I'm open to freeware or purchased software.

    And thanks ;)
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you not aware that it takes less than 2 seconds after getting on the internet to be infected without an AV program?

    Download and install Avast.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    I don't want to have to come over there and install an AV program myself!! I have turkey to eat!!
     
  6. J8son

    J8son Corporal

    First, let me just say thanks again for the help and sorry it took me so long to get back to you. Just got back in town after a nice visit with family (and I hope everyone here had a great Thanksgiving). We had a record 6 pies...OH YEAH!

    Now back to business. I ran Avenger, and followed the steps listed. Both new logs are now posted.

    How are things looking? Any more work need doin'?

    P.S.

    Downloading and installing AV app now! ;)
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean....now let me politely tell you that if you come back with malware and there is still no AV program installed and it shows that you have not followed our "How to Protect..." instructions, we will not assist you.

     
