
Thread: Click.GiftLoad and a System Restore -- Am I Clean?

  1. #21
    Dakeyras (Security Expert-Emeritus) | Join Date: Sep 2008 | Location: The Tundra | Posts: 1,173

    Hi.

    Quote:
    Okay, I dl'd AddRemoveCleaner and followed your instructions. Unfortunately, both Java programs are still in the list! *grr* Since I used the cleaner app, there's no longer an uninstall/change button in the control panel toolbar, though. (Not sure if that's relevant.)

    Do you mean for the Java related applications and/or for all listed?

    Quote:
    Out of curiosity and in case this ever comes up again, what's the security line on this problem? What is it indicative of / tell you?

    If you mean the infection your machine had before you performed the System Restore, this particular type of malware has the ability to compromise a machine and inject several different types of rootkit. Plus, being honest, the anti-virus application you presently have installed is not the best, but I am always of the mind that if something is not broken, do not fix it.

    Anyway for now please answer my query and we will go from there, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  2. #22
    Junior Member | Join Date: Apr 2011 | Posts: 19

    Just for the Java applications, everything else is normal.

    And thanks for the answer. I'm a curious sort who likes to look "behind the scenes," so to speak.

  3. #23
    Dakeyras (Security Expert-Emeritus) | Join Date: Sep 2008 | Location: The Tundra | Posts: 1,173

    Hi.

    Thanks for the update and you're most welcome!

    OK, after some further consideration on my part, I have decided to take a different approach, as follows...

    ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause unpredictable results. Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.

    Next:

    Please go here then download the AVG Remover(32bit) 2011 and save to your Desktop.

    Then right-click on avg_remover_stf_x86_2011_1184.exe and select Run as Administrator >> follow the prompts and reboot your machine if advised to.

    Note: The above application will have created a Notepad file, which will be on the desktop. I do not need to review it at this time, but do leave it on the desktop for the time being, thank you.

    Download/Run ComboFix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Please include the C:\ComboFix.txt in your next reply for further review.

    Note: If ComboFix detects rootkit activity and asks to reboot the system, please allow this to be done.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


    Download/Install an AV:

    Please download just one of the three free anti-virus programs listed below, and then:

    Install >> Update >> Carry Out a Complete Scan. Have it fix anything it finds.

    Note: If anything was removed by the AV you chose to install, please save a copy of the report created and post the contents in your next reply, thank you.


    When you have completed the above, please post back the following in the order asked for:
    • How is your computer performing now, any other symptoms and or problems encountered?
    • ComboFix Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  4. #24
    Junior Member | Join Date: Apr 2011 | Posts: 19

    Checking In

    I just now saw your reply, Dakeyras, so wanted to let you know I'll be implementing the latest fix ASAP. Will post back with the requested info.

    Thanks!

  5. #25
    Dakeyras (Security Expert-Emeritus) | Join Date: Sep 2008 | Location: The Tundra | Posts: 1,173

    No problem/fair play.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  6. #26
    Junior Member | Join Date: Apr 2011 | Posts: 19

    Done!

    Okay, I'm finished with the latest instructions. (Technically, I was done last night, but sleep won out.)

    I haven't had any real symptoms since the system restore. No browser hijacks or warnings, etc -- but the Java programs are still there in the uninstall list.

    I decided to go with Avast and it scanned twice, one that I started and then again on reboot. Both came up clean.

    Here's the combofix log:

    <--- Log Starts Here --->
    ComboFix 11-04-22.01 - Jennifer Bowe 04/22/2011 23:10:29.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1341 [GMT -4:00]
    Running from: c:\users\Jennifer Bowe\Desktop\Security\Programs\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\audiograbber\audiograbber.exe
    c:\users\Jennifer Bowe\AppData\Roaming\Adobe\plugs
    c:\users\Jennifer Bowe\AppData\Roaming\Adobe\shed
    c:\windows\system32\AutoRun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-23 03:19 . 2011-04-23 03:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-18 21:59 . 2011-04-18 21:59 -------- d-----w- c:\users\Jennifer Bowe\AppData\Roaming\Malwarebytes
    2011-04-18 21:59 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-18 21:59 . 2011-04-18 21:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-04-18 21:59 . 2011-04-18 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-18 21:59 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-13 20:16 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-04-13 20:16 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-13 20:16 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-13 20:16 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-04-13 20:16 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-04-13 20:16 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-04-13 20:16 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-13 20:16 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-13 20:16 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-04-13 20:16 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-13 20:13 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-04-13 05:48 . 2011-04-18 22:04 -------- d-----w- c:\program files\ERUNT
    2011-04-12 18:40 . 2011-04-12 18:40 -------- d-----w- C:\_OTL
    2011-04-12 11:20 . 2011-04-12 11:20 -------- d-----w- c:\programdata\WindowsSearch
    2011-04-12 10:46 . 2011-04-12 10:46 -------- d-----w- C:\Temp
    2011-04-12 10:46 . 2011-04-12 10:46 232916 ---h--w- c:\temp\ee896009-2241-4d1a-94b7-8f476921cf1c\OfferApp-2538.exe
    2011-04-04 07:54 . 2011-04-04 07:54 -------- d-----w- c:\users\Jennifer Bowe\AppData\Roaming\GestaltGames
    2011-04-04 07:54 . 2011-04-04 07:54 -------- d-----w- c:\programdata\GestaltGames
    2011-04-02 06:46 . 2011-04-02 06:46 -------- d-----w- c:\programdata\Kristanix Games
    2011-04-02 01:32 . 2011-04-02 01:32 -------- d-----w- c:\users\Jennifer Bowe\AppData\Roaming\Sanna
    2011-04-02 01:31 . 2011-04-02 01:31 -------- d-----w- c:\programdata\The Legend of Sanna - Rise of a Great Colony
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
    .
    c:\users\Jennifer Bowe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Lunabar Taskbar Icon.lnk - c:\program files\Lunabar\Lunabar.exe [2010-5-10 369152]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3848025758-3258170917-2156027094-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000002
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-28 136176]
    R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2007-06-18 19456]
    R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-28 12:28]
    .
    2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-28 12:28]
    .
    2011-04-22 c:\windows\Tasks\User_Feed_Synchronization-{0E589315-E2B8-4BBB-9AF0-0EED74048859}.job
    - c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    HKLM-Run-WAWifiMessage - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
    MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    MSConfigStartUp-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-jpg - c:\programdata\BPK\jpg.exe
    MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    MSConfigStartUp-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    MSConfigStartUp-sysmain - c:\programdata\BPK\sysmain.exe
    MSConfigStartUp-system - c:\programdata\BPK\system.exe
    HKLM_ActiveSetup-{10880D85-AAD9-4558-ABDC-2AB1552D831F} - c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-22 23:19
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-04-22 23:22:49
    ComboFix-quarantined-files.txt 2011-04-23 03:22
    .
    Pre-Run: 83,184,562,176 bytes free
    Post-Run: 84,831,289,344 bytes free
    .
    - - End Of File - - 5587ADBABA7EADCD80EAA36D44822054
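For readers who want to see what a helper actually looks for in the "Reg Loading Points" section of a log like the one above, here is an added Python example. It is not part of the thread and not ComboFix's own code: it parses the REGEDIT4-style key/value lines ComboFix prints and flags three things visible in this log, UAC switched off (EnableLUA = 0), Security Center monitoring disabled (DisableMonitoring = 1), and entries parked under the `run-` key (startup items that were disabled rather than removed). The sample lines are a constructed subset of the posted log; the finding names are the example's own, not ComboFix terminology.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code.  SAMPLE_LOG is a constructed subset of
the log posted in the thread; the finding labels are this example's own.
"""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')  # "name"=value ...


def parse_reg_points(text):
    """Return {registry_key: {value_name: raw_value_text}}.

    Lines that are neither a [key] header nor a "name"=value pair (the '.'
    separators, REGEDIT4, startup-folder entries) are skipped.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group('key')
            entries.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current][value.group('name')] = value.group('value').strip()
    return entries


def numeric(raw):
    """Interpret the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r'dword:([0-9A-Fa-f]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9A-Fa-f]+\)', raw)
    if m:
        return int(m.group(1))
    return None  # a string/path value, not a number


def triage(text):
    """Return a list of (finding, where) pairs for settings a helper would question."""
    findings = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        if k.endswith(r'\policies\system') and numeric(values.get('EnableLUA', '')) == 0:
            findings.append(('UAC disabled', key))
        if r'\security center\monitoring' in k and numeric(values.get('DisableMonitoring', '')) == 1:
            findings.append(('Security Center monitoring disabled', key))
        if k.endswith(r'\run-'):  # parked (disabled) autostart entries are still worth reviewing
            for name in values:
                findings.append(('disabled startup entry still present', key + ' -> ' + name))
    return findings


if __name__ == '__main__':
    for finding, where in triage(SAMPLE_LOG):
        print(finding + ': ' + where)
```

Run as a script it prints one line per finding; the same `triage()` call works on the full "Reg Loading Points" block copied out of a real log, since the other line types are ignored by the parser.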

  7. #27
    Dakeyras (Security Expert-Emeritus) | Join Date: Sep 2008 | Location: The Tundra | Posts: 1,173

    Hi.

    Quote:
    the Java programs are still there in the uninstall list.

    OK, please download and install CCleaner from here.

    Note: If absolutely anything is offered during installation apart from the application itself, decline it.

    Once installed, run the application in Admin mode...

    • Click on the Tools button on the left.
    • Select Uninstall, then click once on Java(TM) SE Runtime Environment 6 to highlight it.
    • Then click on the Delete Entry button to remove the entry from the Programs and Features uninstall list.
    • Repeat as above to remove Java(TM) 6 Update 5.

    Custom ComboFix-Script:


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Code:
    File::
    c:\temp\ee896009-2241-4d1a-94b7-8f476921cf1c\OfferApp-2538.exe
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
    If that happened we want to know, and also what process you had to end.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
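A CFScript is only a plain text file, but a single stray character (a doubled quote on a Registry:: value line, a path under the wrong heading) means ComboFix silently skips or misreads that line. The added Python example below, which is not part of the thread and not ComboFix's own code, checks a script of the shape given in the post before it is dragged onto ComboFix.exe. It knows only the three directives used in that script (File::, Registry::, RegLock::) and the registry line shapes seen there; treat that accepted set as an assumption to extend, since the real format allows further directives and value types. The sample script is constructed from the post, with the doubled quote deliberately left on its seventh line so there is something to catch.

```python
"""Syntax check for a ComboFix CFScript before it is run.

Added example, not ComboFix's own code.  Accepted directives and value forms
are limited to those used in the thread's script (an assumption, not the
full CFScript grammar).
"""
import re

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')                    # e.g. File::, Registry::
FILE_RE = re.compile(r'^[A-Za-z]:\\.+$')                        # absolute Windows path
REG_KEY_RE = re.compile(r'^\[-?HKEY_[A-Z_]+\\[^\]]+\]$')        # [key] or [-key] (delete key)
# "name"=-  (delete value), "name"="string", or "name"=dword:XXXXXXXX
REG_VALUE_RE = re.compile(r'^"[^"]+"=(-|"[^"]*"|dword:[0-9A-Fa-f]{8})$')

MSG_NO_SECTION = 'content before any section header'
MSG_FILE = 'File:: expects an absolute Windows path'
MSG_REGISTRY = 'Registry:: line is neither a [key] nor a "name"=value'
MSG_REGLOCK = 'RegLock:: expects a plain [key] line'


def lint_cfscript(text):
    """Return [(line_number, message)] for every line that does not fit its section."""
    problems = []
    section = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            problems.append((number, MSG_NO_SECTION))
        elif section == 'File' and not FILE_RE.match(line):
            problems.append((number, MSG_FILE))
        elif section == 'Registry' and not (REG_KEY_RE.match(line) or REG_VALUE_RE.match(line)):
            problems.append((number, MSG_REGISTRY))
        elif section == 'RegLock' and (not REG_KEY_RE.match(line) or line.startswith('[-')):
            problems.append((number, MSG_REGLOCK))
        # any other section name is passed through unchecked (assumption: unknown directive)
    return problems


# Constructed sample: the script from the post, keeping the doubled quote on
# line 7 exactly as it appeared so the checker has a defect to report.
SAMPLE_SCRIPT = r"""File::
c:\temp\ee896009-2241-4d1a-94b7-8f476921cf1c\OfferApp-2538.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring""=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
"""

if __name__ == '__main__':
    for number, message in lint_cfscript(SAMPLE_SCRIPT):
        print('line %d: %s' % (number, message))
```

Running it reports only line 7; removing the extra quote from that line gives an empty report, which is the state a script should be in before it goes anywhere near ComboFix.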

  8. #28
    Junior Member | Join Date: Apr 2011 | Posts: 19

    Umm...

    Small problem. I'm unemployed right now and don't have the $ to buy CCleaner. Is there another, free program I can use?

    I can still run the ComboFix script, of course, if you say it's okay.

  9. #29
    Dakeyras (Security Expert-Emeritus) | Join Date: Sep 2008 | Location: The Tundra | Posts: 1,173

    Hi.

    You do not have to purchase CCleaner, merely download the freeware version. On the page the link resolves to, scroll down to:

    Version 3.05.1409 (2,979 kb)

    And download the installer from one of the links.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  10. #30
    Junior Member | Join Date: Apr 2011 | Posts: 19

    D'oh!

    I must have scrolled right by that. *facepalm* Thanks! Will get to fixin' now.
