
Thread: Malware Bytes & Hijack This are disabled

  1. #11
    Member
    Join Date
    Sep 2009
    Posts
    47


    I noticed rnamfler is back as well... I believe this file may be connected with the internet filter application naomi.exe I downloaded for the kids over a year ago. This filter has worked extremely well and I would be surprised if there was a virus association.

    Ran ESET in Explorer and here is the log:


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=6
    # iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
    # OnlineScanner.ocx=1.0.0.6050
    # api_version=3.0.2
    # EOSSerial=7355a6b722f21c49ae70a4aa6ba7cc7b
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-09-19 04:51:28
    # local_time=2009-09-18 09:51:28 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=5890 62 0 3 96755443779920
    # scanned=247306
    # found=28
    # cleaned=28
    # scan_time=4631
    C:\Documents and Settings\Matt 1\My Documents\Install_AIM.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.ANC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir a variant of Win32/Kryptik.AGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir a variant of Win32/Kryptik.AKT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\new.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\protector.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\start.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\uninstall.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\BegjQqru.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\BegjQqru.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cnkberkj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\desote.exe.vir Win32/Adware.WindowsAntivirusPro application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fsperlak.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmqsklvvwh.dll.vir Win32/Olmarik.MF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Win32/TrojanClicker.Punad.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pybsjrbf.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.AGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir a variant of Win32/Kryptik.AKT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmcyahvkjt.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmxsaqllgo.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\WINDOWS\system32\ppdisp10_1.dll Win32/Adware.BHO.BG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


    ...self-replication in progress? Advice? Thank you.

  2. #12
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Good Morning,

    Almost 100% of what ESET found were backups of what Combofix removed, not to worry.


    You need to enable Windows to show all files and folders; instructions Here.

    Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

    C:\Program Files\rnamfler\naomf.exe
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
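To make the expert's point above checkable, here is an added Python example (not code from this thread, from ESET or from ComboFix) that parses ESET Online Scanner log lines in the format posted in #11 and separates hits under ComboFix's C:\Qoobox\Quarantine backup folder from hits at live paths. The sample lines are copied from the log above; the line layout (path, detection name, action in parentheses, 32-digit hash, trailing "C") is assumed from those lines.

```python
import re

# Constructed sample: a header line and five of the 28 detection lines copied
# from the ESET log posted in this thread.
SAMPLE_LOG = r"""
# found=28
C:\Documents and Settings\Matt 1\My Documents\Install_AIM.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmcyahvkjt.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\ppdisp10_1.dll Win32/Adware.BHO.BG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# path, detection name, (action), 32-hex-digit hash, trailing "C" (layout assumed)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:a variant of )?\w+/\S+(?: \w+)*)\s+"
    r"\((?P<action>[^()]+)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+C$"
)

# ComboFix moves what it removes into C:\Qoobox\Quarantine\ with a ".vir" suffix,
# so a later scanner that flags those files is reporting ComboFix's own backups.
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"

def parse_eset_log(text):
    """Return one dict per detection line; '#' header lines are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and (m := LINE_RE.match(line)):
            hits.append(m.groupdict())
    return hits

def is_combofix_backup(path):
    p = path.lower()
    return p.startswith(COMBOFIX_QUARANTINE) and p.endswith(".vir")

def triage(text):
    """Split detections into ComboFix backups and items found at live paths."""
    backups, live = [], []
    for h in parse_eset_log(text):
        (backups if is_combofix_backup(h["path"]) else live).append(h)
    return {
        "backup_count": len(backups),
        "live": [(h["path"], h["name"], h["action"]) for h in live],
    }
```

The live list is what still deserves attention (here the two AIM WeatherBug adware files and the BHO DLL); the backup count is the part the expert said not to worry about.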

  3. #13
    Member
    Join Date
    Sep 2009
    Posts
    47


    Hey Ken, I believe this is the correct report... thank you!

    File naomf.exe received on 2009.08.22 06:43:31 (UTC)
    Current status: finished
    Result: 4/41 (9.76%)

    Antivirus Version Last Update Result

    a-squared 4.5.0.24 2009.08.22 -
    AhnLab-V3 5.0.0.2 2009.08.21 -
    AntiVir 7.9.1.3 2009.08.21 -
    Antiy-AVL 2.0.3.7 2009.08.21 -
    Authentium 5.1.2.4 2009.08.21 W32/Heuristic-210!Eldorado
    Avast 4.8.1335.0 2009.08.21 -
    AVG 8.5.0.406 2009.08.22 -
    BitDefender 7.2 2009.08.22 -
    CAT-QuickHeal 10.00 2009.08.21 -
    ClamAV 0.94.1 2009.08.22 -
    Comodo 2054 2009.08.22 -
    DrWeb 5.0.0.12182 2009.08.21 -
    eSafe 7.0.17.0 2009.08.20 -
    eTrust-Vet 31.6.6694 2009.08.21 -
    F-Prot 4.4.4.56 2009.08.21 W32/Heuristic-210!Eldorado
    F-Secure 8.0.14470.0 2009.08.21 -
    Fortinet 3.120.0.0 2009.08.22 -
    GData 19 2009.08.22 -
    Ikarus T3.1.1.68.0 2009.08.22 -
    Jiangmin 11.0.800 2009.08.21 -
    K7AntiVirus 7.10.824 2009.08.21 -
    Kaspersky 7.0.0.125 2009.08.22 -
    McAfee 5716 2009.08.21 -
    McAfee+Artemis 5716 2009.08.21 -
    McAfee-GW-Edition 6.8.5 2009.08.22 Heuristic.LooksLike.Win32.SuspiciousPE.H
    Microsoft 1.4903 2009.08.22 -
    NOD32 4357 2009.08.21 -
    Norman 6.01.09 2009.08.21 -
    nProtect 2009.1.8.0 2009.08.22 -
    Panda 10.0.0.14 2009.08.22 -
    PCTools 4.4.2.0 2009.08.21 -
    Prevx 3.0 2009.08.22 -
    Rising 21.43.50.00 2009.08.22 -
    Sophos 4.44.0 2009.08.22 Sus/UnkPacker
    Sunbelt 3.2.1858.2 2009.08.22 -
    Symantec 1.4.4.12 2009.08.22 -
    TheHacker 6.3.4.3.385 2009.08.22 -
    TrendMicro 8.950.0.1094 2009.08.21 -
    VBA32 3.12.10.9 2009.08.22 -
    ViRobot 2009.8.22.1896 2009.08.22 -
    VirusBuster 4.6.5.0 2009.08.21 -
    Additional information
    File size: 1253448 bytes
    MD5 : edbab1bd1ced1ab1429f79f1463b3952
    SHA1 : d23148030ce1c2ea1ec02713b99b8866ed67986f
    SHA256: e5e01902c85bd9c9237fdf75b6b10e0047c3e5a2d961fb993623855f9d3d0282
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x137060
    timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
    machinetype.......: 0x14C (Intel I386)

    ( 9 sections )
    name viradd virsiz rawdsiz ntrpy md5
    CODE 0x1000 0x100670 0x100800 7.99 e2d27507f172fb228d13afffa02250f0
    DATA 0x102000 0x10790 0x10800 7.87 2012faab89f38f41fd5b9553fdd5c3d8
    BSS 0x113000 0xE4D 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    .idata 0x114000 0x2A06 0x2C00 7.97 df3b3160ce2e34c804f05ae059fd13c0
    .tls 0x117000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    .rdata 0x118000 0x18 0x200 7.75 da72c30eee50a2ce98b3d1871524055c
    .reloc 0x119000 0x10AD0 0x10C00 6.50 286d962bfcf904b879710f077edf87a7
    .rsrc 0x12A000 0xC800 0xC800 6.49 fb06a4df4dd5e41fa2adede940fe335e
    Jc 0x137000 0x2000 0xA48 7.47 274e2a51bcfacbe3a30921f8458f9cdc

    ( 1 imports )

    > kernel32.dll: LoadLibraryA, GetProcAddress

    ( 0 exports )
    TrID : File type identification
    54.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
    17.4% (.EXE) Win32 Executable Generic (8527/13/3)
    15.5% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
    4.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
    4.1% (.EXE) Generic Win/DOS Executable (2002/3)
    ThreatExpert: http://www.threatexpert.com/report.a...9f79f1463b3952
    ssdeep: 24576:O0iAL67gsxJNBA89fHCn8tegKHPFpDksIqiap8k0+gzVlzA2JXA:O0iT75r9fjFULosIJFnBlzAL
    PEiD : -
    packers (Kaspersky): Yoda
    packers (F-Prot): Yoda
    CWSandbox: http://research.sunbelt-software.com...9f79f1463b3952
    packers (Authentium): Yoda
    RDS : NSRL Reference Data Set
    -

    How are we looking?

  4. #14
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    You said you had this installed?
    http://www.bleepingcomputer.com/star...exe-12695.html

    I think it's just a false positive and nothing to worry about.

    How are things running now?
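An added Python example (not code from this thread or from VirusTotal) that applies the reasoning behind the verdict above to the report posted in #13: it reads the vendor rows, the PE section table and the packer lines, and reports whether every hit is a trait-based name (heuristic, packer, suspicious PE) rather than a known family, and how much of the file sits in high-entropy, i.e. packed, sections. The sample rows are copied from that report; the row layouts and the marker words are assumptions.

```python
import re

# Constructed sample copied from the VirusTotal report posted in this thread: the
# verdict line, the four vendor rows that fired plus one clean row, three of the
# nine section rows and one packer line (the real report has 41 vendor rows).
VT_REPORT = """
Result: 4/41 (9.76%)
Authentium 5.1.2.4 2009.08.21 W32/Heuristic-210!Eldorado
Avast 4.8.1335.0 2009.08.21 -
F-Prot 4.4.4.56 2009.08.21 W32/Heuristic-210!Eldorado
McAfee-GW-Edition 6.8.5 2009.08.22 Heuristic.LooksLike.Win32.SuspiciousPE.H
Sophos 4.44.0 2009.08.22 Sus/UnkPacker
CODE 0x1000 0x100670 0x100800 7.99 e2d27507f172fb228d13afffa02250f0
DATA 0x102000 0x10790 0x10800 7.87 2012faab89f38f41fd5b9553fdd5c3d8
.reloc 0x119000 0x10AD0 0x10C00 6.50 286d962bfcf904b879710f077edf87a7
packers (Kaspersky): Yoda
"""

VENDOR_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
SECTION_RE = re.compile(r"^(\S+) 0x[0-9A-Fa-f]+ 0x[0-9A-Fa-f]+ (0x[0-9A-Fa-f]+) (\d+\.\d+) [0-9a-f]{32}$")
PACKER_RE = re.compile(r"^packers \([^)]+\): (\S+)$")

# Detection names that describe a trait rather than a known family (assumed list);
# a hit list made only of these is weak evidence on its own.
GENERIC_MARKERS = ("heuristic", "sus/", "lookslike", "suspicious", "packer")

def is_generic(result):
    return any(m in result.lower() for m in GENERIC_MARKERS)

def assess(report):
    hits, sections, packers = [], [], []
    for line in report.splitlines():
        if (m := VENDOR_RE.match(line)) and m.group(4) != "-":
            hits.append((m.group(1), m.group(4)))
        elif m := SECTION_RE.match(line):  # (name, raw size on disk, entropy)
            sections.append((m.group(1), int(m.group(2), 16), float(m.group(3))))
        elif m := PACKER_RE.match(line):
            packers.append(m.group(1))
    raw_total = sum(raw for _, raw, _ in sections) or 1
    # Share of on-disk bytes in sections with near-maximal entropy (>= 7.0 bits per
    # byte): compressed or encrypted content, which is what a packer produces.
    high_entropy = sum(raw for _, raw, ent in sections if ent >= 7.0) / raw_total
    generic_only = bool(hits) and all(is_generic(r) for _, r in hits)
    return {
        "hits": len(hits),
        "generic_only": generic_only,
        "high_entropy_share": round(high_entropy, 3),
        "packers": sorted(set(packers)),
        # Packed file + only trait-based names is consistent with a false positive,
        # but only once the file's origin is known, as the expert checked here.
        "verdict": "probable false positive" if generic_only and packers else "investigate",
    }
```

A "probable false positive" here still rests on the user confirming they installed the program; the same numbers on a file of unknown origin would be a reason to investigate rather than dismiss.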

  5. #15
    Member
    Join Date
    Sep 2009
    Posts
    47


    Things are running very well - really appreciate your time.

    In this thread, can you recommend a reliable firewall? Do you suggest running ESET from time to time?

  6. #16
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Great.

    You can run ESET once in a while if you wish; it's a nice online scanner. I am looking at AVG AV running; open it up and I believe it includes a firewall.


    Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

    Combofix <--- Is not a general cleaning tool, just run it with supervision or you can bork your system.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • When shown the disclaimer, Select "2"

    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.

    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
    • Spybot Search and Destroy 1.6
      Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



    Safe Surfn
    Ken

  7. #17
    Member
    Join Date
    Sep 2009
    Posts
    47


    Thanks a lot for all your help Ken545 - my machine is running great.

    I have looked into all of your security recommendations and have installed most of them.

    Thank you again, I'll know where to turn next time (providing...)

  8. #18
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    You're very welcome,

    Take Care,

    Ken

  9. #19
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
