AVG secure search virus or clone mailer problem.

Solved
By glhglh
Feb 20, 2013
  1. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Turn computer off.
    Wait 1 minute.
    Restart and see how it goes.
  2. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    I gave up on the wireless. As Windows has tried to make their program more "user friendly", it has become more difficult to track down the problem. The strange "drive Q" still shows, and when I tried to delete the program Yahoo toolbar and the LG drivers, I was unable to.

    When I looked at the wireless network tree, it kept showing a "public network", and I tried to turn the public network off. I removed the Norton and want to go back to the Combofix part. Is it OK to do that?

    I connected it to the wired network and can get to the internet.

    The reason I want to go to combofix is Combofix kept giving me the notice about the antivirus program, even though I had manually stopped all of the services in the program, and in the services section.

    So, shall I go on to Eset?
  3. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    The RogueKiller run is different than it was yesterday.

    Here is the log:

    RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Randy [Admin rights]
    Mode : Shortcuts HJfix -- Date : 02/23/2013 17:27:13
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] Au_.exe -- C:\Users\Randy\AppData\Local\Temp\~nsu.tmp\Au_.exe [-] -> KILLED [TermProc]
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 0 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 0 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 1 / Fail 0
    Backup: [NOT FOUND]
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored
    Finished : << RKreport[5]_SC_02232013_02d1727.txt >>
    RKreport[1]_S_02212013_02d1636.txt ; RKreport[2]_D_02212013_02d1648.txt ; RKreport[3]_S_02232013_02d1709.txt ; RKreport[4]_SC_02232013_02d1711.txt ; RKreport[5]_SC_02232013_02d1727.txt
  4. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Combofix will do this sometimes. Nothing to worry about.
    I still need Eset scan log.
  5. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    The RogueKiller report I just ran is much different than the one I ran last night. This one found something, au.exe, then went on to check each of the drives, including the Q, and restored it to something.
  6. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Yesterday I was unable to receive the properties of the Q drive. After this RogueKiller run I can read some of the properties, and under the owner of the drive, the label is "unable to display current owner" with the box to change owner. Shall I change it to me (administrator)?
    it is not the administrator, or the System (as is the recovery drive).

    I think this is wrong.
  7. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    It is also a [Q:] \Device\SftVol -- 0x3 --> Restored.

    In order to see the permissions, I have to change the "owner".
  8. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Leave that alone for now and give me Eset scan log.
  9. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Eset found no threats, but Eset spent 2 hours reviewing program files\wildtangent, and again in the user's shortcut to it. It was also installed about the time the problems started.
  10. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Wild Tangent games usually come preinstalled. Nothing to worry about.

    What are the current issues?

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
  11. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    I can't uninstall the "Yahoo toolbar"; this shows in Control Panel/Programs and Features. It shows it was installed about the time the problems started, and does not show a size or version. It also does not show in the IE "manage add-ins".

    When I try to uninstall it, I get nothing, but I can uninstall anything else.

    Also, the Q drive was created when the problem started. It is not a "system" file, has unknown owner, and using the "properties" box, I am unable to change the "owner". All other drives show "SYSTEM" as the owner.
    I want to delete this. Can I do this through HijackThis (although I think that OTL is almost the same)?
  12. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Most likely it's just a dead entry. If it doesn't show in any browser, leave it alone.
    If you insist on removing that entry, open "regedit", navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    and delete the "Yahoo! Companion" entry.

    Where exactly do you see Q drive?

    For x86 (x32) bit systems please download Listparts
    For x64 bit systems please download Listparts64

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
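    A defender-side way to look at that Uninstall key before deleting anything by hand, as an added PowerShell example that is not part of this thread and not a TechSpot or RogueKiller tool. It lists Programs and Features entries from the 64-bit, WOW6432Node and per-user Uninstall keys and flags entries that look orphaned (no UninstallString, or one whose executable no longer exists), which is what a "dead entry" with no size or version usually looks like. The function names, the Suspect heuristic and the -Match filter are this example's own; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): enumerate Add/Remove Programs entries and
# flag orphaned ones. Nothing is deleted unless Remove-UninstallEntry is called,
# and that supports -WhatIf / -Confirm.

function Get-UninstallEntry {
    [CmdletBinding()]
    param(
        [string]$Match = '.*'   # regex applied to DisplayName, e.g. 'Yahoo'
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit apps on x64
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if (-not $p.DisplayName -or $p.DisplayName -notmatch $Match) { return }

            # Pull the executable out of the uninstall command (quoted path or first token).
            $cmd = $p.UninstallString
            $exe = $null
            if ($cmd) {
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            }
            # Rooted paths are checked on disk; bare names such as MsiExec.exe via PATH lookup.
            $exeExists = $false
            if ($exe) {
                $exeExists = if ([IO.Path]::IsPathRooted($exe)) { Test-Path -LiteralPath $exe }
                             else { [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
            }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate
                UninstallString = $cmd
                ExeExists       = $exeExists
                KeyPath         = $_.PSPath
                # Heuristic: no uninstall command, or the command points at a missing file.
                Suspect         = (-not $cmd) -or (-not $exeExists)
            }
        }
    }
}

function Remove-UninstallEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$KeyPath
    )
    process {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove orphaned Uninstall registry key')) {
            Remove-Item -LiteralPath $KeyPath -Recurse
        }
    }
}

# Usage: review the matching entries first, then dry-run the deletion with -WhatIf.
Get-UninstallEntry -Match 'Yahoo' | Format-List
Get-UninstallEntry -Match 'Yahoo' | Where-Object Suspect | Remove-UninstallEntry -WhatIf
```

    Removing the key only removes the entry from Programs and Features; it does not delete any files the program left behind, so check the UninstallString path and the InstallDate against the time the problems started before acting on it.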
  13. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    I'm frustrated. On the RK report posted above, it shows:
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored
    Finished : << RKreport[5]_SC_02232013_02d1727.txt >>

    Q: SFTVol.

    In windows explorer, it shows Q, named Bad Drive.

    but in the List64 report, I'm not sure it is there.

    ListParts by Farbar Version: 16-01-2013
    Ran by Randy (administrator) on 24-02-2013 at 13:49:41
    Windows 7 (X64)
    Running From: F:\RRR Virus 2-19-2013
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 40%
    Total physical RAM: 3561.37 MB
    Available physical RAM: 2109.09 MB
    Total Pagefile: 7120.92 MB
    Available Pagefile: 5487.66 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:445.3 GB) (Free:397.71 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (Recovery) (Fixed) (Total:20.16 GB) (Free:2.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (USB20FD) (Removable) (Total:14.95 GB) (Free:14.89 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Disk ID: 915B52F3

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 445 GB 200 MB
    Partition 3 Primary 20 GB 445 GB
    Partition 4 Primary 103 MB 465 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 445 GB Healthy Boot

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D Recovery NTFS Partition 20 GB Healthy

    ======================================================================================================

    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 HP_TOOLS FAT32 Partition 103 MB Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Disk ID: C3072E18

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 8104 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 F USB20FD FAT32 Removable 14 GB Healthy

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=\Device\HarddiskVolume1
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    extendedinput Yes
    default {current}
    resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    displayorder {current}
    toolsdisplayorder {memdiag}
    timeout 30
    customactions 0x1000085000001
    0x5400000f
    custom:5400000f {96f102d4-2f75-11e2-b4dc-74e543244a4e}

    Windows Boot Loader
    -------------------
    identifier {96f102d4-2f75-11e2-b4dc-74e543244a4e}
    device ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
    systemroot \windows
    nx OptIn
    winpe Yes

    Windows Boot Loader
    -------------------
    identifier {current}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {bootloadersettings}
    recoverysequence {96f102d4-2f75-11e2-b4dc-74e543244a4e}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=\Device\HarddiskVolume1
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {96f102d5-2f75-11e2-b4dc-74e543244a4e}
    description Ramdisk Options
    ramdisksdidevice partition=D:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi


    ****** End Of Log ******

    I think the virus is off of this machine, but want to make sure it cannot hurt our network again.

    I'll try to get it on the wireless network. (I think that drive was created by someone outside of the network.)
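    The question of where the Q drive lives can be answered from the RogueKiller "Drives:" lines themselves: a drive letter is just a symbolic link in the NT object manager, and ListParts only walks disk partitions, so a letter that maps to something other than \Device\HarddiskVolumeN will never appear in its partition table. The device name \Device\SftVol is the virtual volume exposed by Microsoft's App-V / Office Click-to-Run driver (sftvol.sys), which is the usual source of a Q: drive on a machine with Office Starter 2010; that identification is mine, not the thread's. The following PowerShell is an added example, not part of the thread and not a RogueKiller or Farbar tool: it parses the "Drives:" block copied from the report above, classifies each device object, and on Windows also asks the object manager what each letter maps to right now via QueryDosDevice. The function names and classification rules are this example's own.

```powershell
# Added example (not from the thread): classify the drive letters in a RogueKiller
# "Drives:" section by the NT device object they resolve to, and optionally compare
# with the live letter-to-device mapping on this machine.

# Constructed input: the "Drives:" block from the RKreport[5] log posted above.
$rkDrives = @'
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored
'@

function Get-DeviceKind {
    # Classification rules are this example's own; extend as needed.
    param([Parameter(Mandatory)][string]$Device)
    switch -Regex ($Device) {
        '^\\Device\\HarddiskVolume\d+$' { return 'disk partition (visible to ListParts/diskpart)' }
        '^\\Device\\CdRom\d+$'          { return 'optical drive' }
        '^\\Device\\SftVol'             { return 'App-V / Click-to-Run virtual volume (sftvol.sys), not a partition' }
        '^\\Device\\LanmanRedirector'   { return 'network share' }
        default                         { return 'other device object: identify the owning driver before acting' }
    }
}

function ConvertFrom-RkDriveLine {
    # Parses one line of the form: [X:] \Device\Name -- 0xNN --> Action
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^\[(?<drv>[A-Z]:)\]\s+(?<dev>\\Device\\\S+)\s+--\s+(?<attr>0x[0-9A-Fa-f]+)\s+-->\s+(?<act>\S+)') {
            [pscustomobject]@{
                Drive  = $Matches.drv
                Device = $Matches.dev
                Attr   = $Matches.attr
                Action = $Matches.act
                Kind   = Get-DeviceKind $Matches.dev
            }
        }
    }
}

# Live check (Windows only): what does the object manager say X: points to today?
if ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {
    Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string name, System.Text.StringBuilder target, int max);
'@
}
function Get-LiveDriveDevice {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'Q:'
    $sb = New-Object System.Text.StringBuilder 1024
    if ([Win32.DosDev]::QueryDosDevice($Drive, $sb, $sb.Capacity) -eq 0) { return $null }  # letter not assigned
    return $sb.ToString()
}

# Usage: classify the logged drives, then confirm the current mapping of Q:.
$rkDrives -split "`r?`n" | Where-Object { $_ } | ConvertFrom-RkDriveLine | Format-Table -AutoSize
Get-LiveDriveDevice 'Q:'
```

    If the live lookup still returns \Device\SftVol, the letter is provided by a driver rather than a disk, which is why changing the "owner" in the Explorer properties box does nothing useful; the right follow-up is to check which installed product owns that driver (Programs and Features, or the service list) rather than to delete the drive.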
  14. Broni

    Broni Malware Annihilator Posts: 46,123   +251

  15. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Broni,

    It's clean. I wasn't able to delete the Q drive yet, but the link will help.

    I have to work tomorrow, but will try a couple of scans on the server tomorrow.

    Are there any of the scans you think will work on that old 2003 server?
  16. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    Start with our preliminary steps and see what works.

    Here...
    I assume your Norton Internet Security includes a firewall?
    If so make sure Windows firewall is off (Security Check log says "Windows Firewall Enabled!")

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ========================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  17. Broni

    Broni Malware Annihilator Posts: 46,123   +251

    The issue seems to be resolved.
  18. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    He hasn't brought me the computer. Call it solved.
