Firewall switched off

[n2008]

Hi everyone

This history is constructed from memory/AVG 8.0 logs. It should be fairly accurate.

About a week ago (2008-09-01), while online, AVG resident shield notified me of a virus. From the AVG resident shield log, I think it was "dropper.bravix.a" located in {my profile}/Temp/qnopkjc.exe. I ran the AVG scan and it found "downloader.fraudload.n" located in {my profile}/Temp/nclincba.exe.

The next morning (2008-09-02) I ran another AVG scan and it found 4 instances of "downloader.generic7.akat" located in scvhost (one of them listed with a 5304) and a registry key with reference to the infected file.

I think (it's been a week so the order might be a little off) I noticed after the 2nd AVG scan (morning of 2008-09-02) windows firewall was off. I’m not sure if any malware can turn this off and I can't think of any reason I would have turned off the firewall but...
I turned windows firewall on and (a few days later) installed Zone Alarm (which also turns off windows firewall)

Also, I was starting to get a little spooked, so I installed Avast (with AVG also running-I understand this is bad and just removed it). Avast installation reboots the computer and performs a scan before windows loads. This scan found 2 infections (one in a restore point) but I can't find a log file to list them.

Later that night (2008-09-02), AVG resident found another copy of "downloader.generic7.akat" in a system restore point.

Since then, no issues have been found, but I've been afraid to use the computer so it does not have a lot of usage.

I followed the instructions in the preliminary removal thread.

Panda root kit found nothing.
MBAM found one listing from PeoplePC (pre-loaded on the computer when purchased-I think this is a false positive).

I've attached the requested log files (MBAM log from after PeoplePC issue was removed). Any help is very much appreciated.



Update (2008-09-09 8:57pm US EST)

I don't know if this should be an edit or new post (or if this even matters...)
I updated AVG and ran a scan (nothing found). Then I updated Adaware and ran a scan. Not sure if AVG resident would cause any issues with the Adaware scan so I turned the wireless switch on my laptop off, and turned of AVG resident scan off while adaware was running (Adaware found some tracking cookies and MRUs).

After turning the AVG resident shield back on, I turned the wireless switch on the laptop on and repaired the connection. A few minutes later, ZoneAlarm notified me I was pinged from 98.243.11.73 which ARIN WHOIS lists as Comcast Cable (someone else's ISP?).

How can I be pinged if my Linksys WRT54G router has "Block Anonymous Internet Requests" enabled?
Do I need to be concerned?

 

[Blind Dragon]

You need to only have 1 anti-virus - so pick one and uninstall the other - I would recommend keeping Avast! out of those 2.

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update Tab at the top of the Java console
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 7) Follow the on screen instructions (uncheck the yahoo toolbar option)
• After it installs the newest version Go back to Control Panel -> Add/remove programs (programs and features in vista)
• Uninstall any older versions of Java

==========================================

CCleaner

• Download from HERE
• Close all browsers.
• Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs, Also check All Advanced tabs(except for the Old prefetch Data option, this should be unticked)
• Click the run cleaner button.

==========================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[n2008]

Dragon, thanks for your response (and other posts).

Before last post (and logs), I removed Avast using Add/remove programs.
I saw it in the HJT and it is still on the hard drive but Add/Remove programs does not list it. Thus far, I have not deleted it.

Why do you recommend Avast? I’ve read AVG is a resource hog but it has some rootkit protection, antispyware and Avast does not (CNET).

CNET AVG
reviews.cnet.com/internet-security-and-firewall/avg-antivirus-8/4505-3667_7-32887573.html

CNET Avast
reviews.cnet.com/internet-security-and-firewall/avast-antivirus-4-7/4505-3667_7-32425819.html

Avast does seem to scan a little better per av-comparatives.
On-demand
av-comparatives.org/seiten/ergebnisse_2008_02.php

Pro-active (on-access?)
av-comparatives.org/seiten/ergebnisse_2008_05.php

(sorry-can't post links yet)

Again, I am very new to this (had 2 AVs running at the same time), so if you have other info, I’d like to learn.

After last post, I updated Java (but did not know to uninstall old java).

I included today’s HJT along with the kaspersky log.
Why does kaspesrsky mean with "Infected: not-a-virus:"?


I am a little concerned how I got pinged through the router (see above post). I do use this computer for online banking etc and read the warning post. Unfortunately, backups are in another city a hundred miles away (painfully obvious how useless that is). Also, AVG logs show a virus was found on one the files from the last time I used the backups (I think it was a boot sector issue, had issues coming out of hibernation-no reason to think it was a virus-but that doesn’t prove it wasn’t caused by a virus). The identified virus was a trojan SHeur.ASR. It was found twice in a setup file and I wonder if it was a false positive.

Also, my D drive is my “install” disks. How do I know it is also not infected?
If I were to re-install, is there anyway I can keep music and know that it’s not infected (maybe d/l to an external drive…)?

Also no detections/symptoms since 1st post (please delete duplicate below)

 

[n2008]

Also, no detections/symptoms since 1st post.

 

[Blind Dragon]

Well if you really want my recommendation I suggest neither Avast or AVG but rather Avira Antivir - you can also get Avira Anti Rootkit for free if that's what you are interested in. The real time protection is great and doesn't use the resources of the others. After you add/remove Avast you still have to delete C:\program files\Avast - if Avast is still fully installed but not listed in add/remove let me know and we can sort that

======================================

I can't say for sure that your music is/isn't infected but usually kaspersky will detect infected music files.

======================================

I would delete these 2 files:
C:\Documents and Settings\hp\Desktop\Downloads\Software\Nero-7.7.5.1_eng.exe
C:\Documents and Settings\hp\Desktop\noah\Desktop\vnc-4_1_2-x86_win32.exe

======================================

I am not sure about you being pinged from that IP, very strange - often after removing malware and installing a 3rd party firewall you can sit there and watch it block intrusion attempts - It could be a number of things that I can think of - possibly another infected machine trying to spread the love - or possibly somebody trying to steal your info - there is really no way for me to tell you what it is, the important thing is to block the request - thats why you have a firewall installed

I find this entry interesting in your CF log
2008-09-07 16:05 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

reason is because it is used by programs to work with the Windows LSP chain. Unfortunately this file is also sometimes used by malware

I don't see the malware that would use it - but it may have already been removed and that is why combofix is showing it recently modified

 

[n2008]

I deleted C:\program files\Avast. Don’t know how to tell if it is “still fully installed”. It is removed from the start menu.

I deleted the Nero file (windows had its last update listed as Jan 2007).
I deleted the VNC file (windows had its last update listed as Mar 2008).
Since these have old mod dates, does this mean they were not infected (its not a problem, VNC is free to replace and I like logmein better, and I have never opened the Nero file)?

By deleting-I mean these have been placed in the recycle bin. Do I need to do more (empty bin, shred files with ZA), or is the recycle bin good enough?

I would prefer to make a backup once this is sorted out. Is there any way I can monitor the CF file or HJT to make sure this is resolved?

Also, Kaspersky requests the real-time scanner is off but the scan takes a long time. Do I need to be connected to the internet while this scan is running?

What firewall do you recommend? I have been using ZoneAlarm for a week, but have run into the vsmon issue many seem to complain about (resource hog).

 

[Blind Dragon]

you should always keep your recycle bin empty

for me zone alarm is one of the less resource hungry firewalls out there

Comodo is a good alternative and probably a better overall firewall - it will nag you constantly at first until it learns what is safe and whats not - it is a little more advanced and has a heuristic which will monitor a programs behavior for malicious intent, meaning it doesn't rely strictly on a set of definitions.

==========================================

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer

• Download OTCleanIt
• Click the CleanUp! button.
  • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Set correct settings for files
   • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
   • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
   • If unchecked please check Hide protected operating system files (Recommended)
   • If necessary check "Display content of system folders"
   • If necessary Uncheck Hide file extensions for known file types.
   • Click OK
   
   clear system restore points
   • 
     This is a good time to clear your existing system restore points and establish a new clean restore point:
     • Go to Start > All Programs > Accessories > System Tools > System Restore
     • Select Create a restore point, and Ok it.
     • Next, go to Start > Run and type in cleanmgr
     • Select the More options tab
     • Choose the option to clean up system restore and OK it.
     This will remove all restore points except the new one you just created.
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
        
      • Change the Download unsigned ActiveX controls to Disable
        
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
        
      • Change the Installation of desktop items to Prompt
        
      • Change the Launching programs and files in an IFRAME to Prompt
        
      • Change the Navigate sub-frames across different domains to Prompt
        
      • When all these settings have been made, click on the OK button.
        
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.
   
   
7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software