TechSpot

8-Steps Complete / Logs Posted / Help?

By joehorror
Dec 21, 2008
  1. My 8-steps have been completed. Below I've included the items McAfee and then AVIRA found as well as 4 logs (2 SAS logs). Please help me decide which things I should delete with McAfee & Avira, I'd rather not delete files I shouldn't:

    MCAFEE:

    Generic.PUP x

    AVIRA:

    C:\System Volume Information\_restore{46DE8921 - 1D39-44D2-A9E9-64119261F211}\RP250\A0213380.dll
    (Contains a recognition pattern of the (harmful) BDS/TDSS.KD back-door program)

    C:\Documents and Settings\*****\Desktop\SmitfraudFix\Agent.OMZ.Fix.exe
    (This file contains an executable program that is disguised by a harmless file extension [HIDDENEXT/Crypted])

    C:\System Volume Information\_restore{46DE8921 - 1D39-44D2-A9E9-64119261F211}\RP254\A0213552.exe
    (Is the TR/Agent.59904.B Trojan)

    C:\System Volume Information\_restore{46DE8921 - 1D39-44D2-A9E9-64119261F211}\RP254\A0213962.dll
    (Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program)

    C:\System Volume Information\_restore{46DE8921 - 1D39-44D2-A9E9-64119261F211}\RP254\A0213963.dll
    (Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program)

    C:\System Volume Information\_restore{46DE8921 - 1D39-44D2-A9E9-64119261F211}\RP254\A0213964.sys
    (Contains a recognition pattern of the RKIT/TDss.G.22 root kit)

    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20081220-135759-E03B5177
    (Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program)
     
  2. joehorror

    joehorror TS Rookie Topic Starter Posts: 40

    As a quick aside, an additional question I had was which antivirus/spyware/malware program should I use as my MAIN protective program? I currently have McAfee, Avira, AVG, Malwarebytes & SuperAntispyware. Which should "do the trick" and provide me with the protection I need? I'd like to be able to eliminate as many monitoring programs as possible without sacrificing protection. I'm also running Zone Alarm and using the Windows Firewall, good idea to use both? Should I just stick with ZA?

    Once I get help with my above logs, ANY help regarding my program dilemma would be greatly appreciated.
     
  3. joehorror

    joehorror TS Rookie Topic Starter Posts: 40

    My Avira is coming up with new Trojan infections each time I run it. Can somebody please check my logs out and give me some tips on what I need to do to get this thing clean? I'm behind on purchasing X-Mas presents and I've missed a magazine article deadline. This thing has me frazzled.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Joe

    After reading through all your different posts, here is what you need to do.

    I am not sure you are clean of the TDSServ trojan.

    Also I noticed that you have had ComboFix installed. So we need to run it. Do the below.

    Start-Run
    type
    combofix /u

    then

    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.
    ----------------------------------------------------------------------------------------------------------------------------------
    Next

    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install, just run it; delete all it finds and decline to reboot on each item found until the program finishes, then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found, if anything, as it has no log.
    If it finds several things reboot to Safe Mode and run again before continuing below.

    Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html This tool will run almost instantly if it finds nothing.

    ----------------------------------------------------------------------------------------------------------------------------------
    DDS
    D/L to Desktop: DDS by sUBs from one of these locations:

    http://www.techsupportforum.com/sectools/sUBs/dds
    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    double click DDS.scr to run

    When complete, DDS.txt will open.

    Click Yes for Optional Scan.
    Save both reports to your desktop.
    DDS.txt
    Attach.txt

    Attach the contents of both logs back here.

    Mike
     
  5. joehorror

    joehorror TS Rookie Topic Starter Posts: 40

    Thanks so much for the help! Here are my combofix and hjt logs...
     
  6. joehorror

    joehorror TS Rookie Topic Starter Posts: 40

    Ran everything, XClean_Micro found this and deleted it:

    Spy-Agent.ak

    HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Control Panel\load

    I've also attached my DDS & Attach logs...
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Joe

    Run HJT, Scan only, then select and remove the below:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Then..
    Run CCleaner again twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

    D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more are found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    -------------------------------------------------------------------------------------
    The issues that were found are in System Restore, so do the below:

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure", and then OK to run.

    As this runs it clears all but the most recent Restore Point, but it also clears one other thing that can contain infected files and take a huge amount of disk space.

    It clears what is known as Shadow Copies, which are used by specialized backup programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Post back your opinion of how system is running now, what do we have left?

    Mike
     
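As an added illustration of the triage Mike describes above (restore-point hits go away when System Restore is cleared, tool folders go with OTCleanIt, anything elsewhere needs a real look), here is a small Python script that is not from the thread or from any of the tools named in it: it parses Avira-style two-line report output and groups each hit by where it sits. The sample report and its GUID, user name and system32 path are constructed stand-ins, not the poster's real paths.

```python
import re

# Constructed sample in the two-line Avira report style quoted in the thread
# (path, then parenthesised description); GUID and user name are placeholders.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP250\A0213380.dll
(Contains a recognition pattern of the (harmful) BDS/TDSS.KD back-door program)
C:\Documents and Settings\user\Desktop\SmitfraudFix\Agent.OMZ.Fix.exe
(This file contains an executable program that is disguised by a harmless file extension [HIDDENEXT/Crypted])
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP254\A0213964.sys
(Contains a recognition pattern of the RKIT/TDss.G.22 root kit)
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20081220-135759-E03B5177
(Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program)
C:\WINDOWS\system32\CONSTRUCTED-example.dll
(Is the TR/Agent.59904.B Trojan)
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a report line that is a Windows path
RP_RE = re.compile(r"\\RP(\d+)\\")      # restore-point folder number, e.g. RP254
# Clean-up tools named in the thread; hits inside their folders are tool parts.
TOOL_DIRS = ("\\smitfraudfix\\", "\\combofix\\")

def classify(path):
    """Map a detection path to the action the thread recommends for it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # cleared by Disk Cleanup > More Options > System Restore
    if "\\avira\\" in p and "\\temp\\" in p:
        return "scanner_temp"       # the scanner's own working files
    if any(d in p for d in TOOL_DIRS):
        return "removal_tool"       # tool folder; removed with OTCleanIt
    return "active_location"        # live system path: needs a real look

def parse_report(text):
    # Each finding is a path line followed by a "(description)" line.
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if PATH_RE.match(line):
            findings.append({"path": line, "description": ""})
        elif line.startswith("(") and findings:
            findings[-1]["description"] = line[1:-1]
    return findings

def triage(text):
    # Group findings by category and note which restore point each hit sits in.
    groups = {}
    for f in parse_report(text):
        f["category"] = classify(f["path"])
        f["restore_point"] = int(m.group(1)) if (m := RP_RE.search(f["path"])) else None
        groups.setdefault(f["category"], []).append(f)
    return groups
```

Running `triage(SAMPLE_REPORT)` on the constructed sample yields two restore-point hits (RP250 and RP254), one scanner temp file, one tool-folder file and one live-location hit that the grouping alone cannot clear.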
  8. joehorror

    joehorror TS Rookie Topic Starter Posts: 40

    Hey Mike! Well, I ran all the above and my system now appears to be running lightning fast. So does this appear to be the end of my viral issue? Would you like to look at any last logs before I let out that sigh of relief? If everything is good to go, should I remove all of the above programs we installed for this session and which Antivirus program and firewall would you recommend I keep? I'm running Avira Free and Zonealarm right now. Would it be better if I purchased Norton 2009 and kept Zonealarm?
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Great I think you are good to GO!

    Thread closing-------------------------------------------------------------------
    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting to access the Internet; allow all.

    If prompted to Reboot click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner again twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

    D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more are found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    -------------------------------------------------------------------------------------

    Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    Install Hostman, allow it to disable DNS Client, and select all 4 Hosts files and the Update.
    Hostman http://www.abelhadigital.com/2008/07...-released.html

    A Disk scan and Defrag are in order.

    Mike
     