Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

[ken545]

Success,

This was the rootkit and the new updated version of Combofix fixed it

First part of the CF log

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p

The redirects should be gone

[orleans_rob]

1) before your instructions to rerun combo fix, i had uninstalled McAfee and Ad-ware (lavasoft)
- then rebooted, maybe they were causing combo to crash the system

2) i download avg free last night after i ran combo b/c McAfee takes about 3 hours to setup through cox, and i wasn't gong to go through that at that hour of the night
- i'll keep running avg till the weekend and then go back to McAfee

3) i'd swear i've seen that line before
Kitty had a snack

maybe it came up when i was searching .exe that i didn't recognize in the process section of task manager and a website mentioned it

4) last night i was trying to recreate the redirects by oening numerous tabs in internet explorer (about 8-10 of them)
- internet explorer locked up and then a window popped up saying microsoft was reconfiguring the way data was processed through modemn (paraphrasing what i remember)
- don't know if that was normal

5) avg found something last night when it ran
"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1526\A0318471.sys";"Virus identified Win32/Patched.DP";"Moved to Virus Vault"

[ken545]

Hi,

The author of CF likes cats and its a private joke

That bad file is in your system restore program, need to flush it all out.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

• Right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore on all Drives.
• Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

• Right-click My Computer.
• ClickProperties.
• Click the System Restore tab.
• UN-Check Turn off System Restore on all Drives.
• Click Apply, and then click OK.

This would also be a good time to reset Internet Explorer like I posted earlier.


Make sure you keep only one AV, two are going to cause issues.

How are things running now ?

[orleans_rob]

1) I forgot to mention. I reset internet explorer last night before running combo

2) I’ll do the restore instructions tonight

3) "Make sure you keep only one AV, two are going to cause issues."
- I assume you are referring to McAfee and Ad-Aware; I was just scanning with lavasoft. I didn't have it actively running. Liked it because it seems to find things that McAfee, Spybot, Malwarebytes miss

4) As for how it is going, "seems" to be fine.
- Startup and IE a lot faster without McAfee and lavasoft Ad-Aware
or maybe b/c I no longer have a kitty in my system

5) Tonight after I do the restore instructions, I’ll go through the process you suggested to clean up all stuff I downloaded during this experience. Hopefully I’m clean now and everything working as good as it can get for a 4 1/2 year old computer - guess I should start passively looking for a new one
- do you find prices on computers are better in August just before school starts?
- is there a particular time of year you would suggest buying a new one

Thanks for all your help and patients

[ken545]

Your welcome Rob,

You said you where scanning with AVG and uninstalled McAfee so I am not sure what you have installed at this point, if you reinstall McAfee then make sure you uninstall AVG.

We ran Malwarebytes, its the free version and yours to keep. I would keep that in lew of Ad Aware.

I know that Dell has sales right before each quarter, not sure on the other vendors.

Post back in a few days and let me know how its going, although you should be in good shape now

Take Care
Ken

[orleans_rob]

I an using AVG right now for active virus protection.
- WAS running McAfee as active with Lavasoft Ad-Ware scanning once every couple of weeks for malware.
I mentioned that becasue Lavasoft now has a virus protection aspect to its program, but i was just using it to scan for malware (not using 2 antivirus programs)
- will (may) uninstall AVG and reinstall McAfee over the weekend
(i think we are on the same page)

[ken545]

[orleans_rob]

Tried to uninstall Combofix last night.
As the process started, it suggested I disable AVG before it went any further to prevent damage to the antivirus program. I couldn't figure out how to do that.
So, how do you disable AVG?

[ken545]

Just go through with the uninstall, no need to disable AVG as your not going to run it, just uninstalling it

• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.

• 

When shown the disclaimer, Select "2"

The above procedure will:

• Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:

• Make sure you have an Internet Connection.
• Download OTC to your desktop and run it
• A list of tool components used in the cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Ken

[orleans_rob]

thanks
helpful as always!!