Virus/spyware computer logs

Status
Not open for further replies.

mojave123

I use the free AVG 8, and it said HKLM\SOFTWARE\Classes\WR

I went through the procedure highlighted "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions".

SUPERAntiSpyware: first I did not reboot the computer, so I scanned again and then rebooted it; that is the reason for 2 logs.

Do I have to reinstall Windows? Is the problem serious?

Thank you.
 
Second step?

I went through the process again, and SUPERAntiSpyware says there is an adware Vundo variant... I can't get rid of it... What do I have to do? Also, in the Malwarebytes quarantine section there seem to be many trojans; do I press Delete All?
 
There are a number of traces of it in the hjt log.

First:
Disable Avira Real time protection by right clicking it in the system tray and unchecking "Antivir Guard Enabled"

Next:
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
combo fix and hjt logs

Sorry for being a bit late...

Thank you for replying and for your help. I still see some pop-ups when I visit particular sites.
 
As you did with MBAM and SAS run Combofix a second time to confirm it comes up clean.

Then SAS again and it should now be clean also.

Then await BlindDragon!

Mike
 
Combofix is not a tool that needs to be run more than once, as we can see everything that it is going to find in the first log.


Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\sccfg.sys
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
I'm sorry, but I can't seem to find the file. I tried searching for it... I have something called sqm and hook file.
 
All of those files are related to a program called Folder Lock, but they should not be in the root of drive C:.

Have you had Folder Lock installed before?

If so, and you have uninstalled it, then find and delete all of these.

Mike
 
Folder Lock itself is not a problem but something is not right about it now!

I would until clean then reinstall.

The file in the root of C: should not be there.

Mike
 
The file is hidden, we need to investigate it. It is probably related to folder lock, but I would still like to check it out.


Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Put a checkmark in the checkbox labeled Display the contents of system folders.


Now try again to upload the file please and paste the results here
 
Ok, we will see if it gets picked up in an online scan

Go to add/remove programs and uninstall
AskSBar

Then delete the following folder:
c:\program files\AskSBar

==============================

Run a temp file cleaner such as CCleaner or ATF cleaner

==============================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Thank you for replying, BlindDragon and Mike.

1) I went to Add/Remove Programs; I did not see anything called AskSBar, but I saw Ask Toolbar, which I uninstalled. The computer needed to be rebooted to uninstall it, which I did.

2) Went to C drive Program Files; did not see a folder called ask bar, but saw a file related to the Ask Toolbar called uninstall, which I sent to the Recycle Bin, and which I think got deleted when I ran CCleaner.

3) Did the Kaspersky scan.

4) Uninstalled Folder Lock.
 
Good work

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Any other tools not removed can be removed manually

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through Control Panel -> Windows Update.

  7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
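The six Internet-zone settings from the Internet Explorer step in the post above can be checked after the fact. This is an added example, not part of the original post: it audits the text of a `reg export` of the Internet zone key, and the action IDs and the 0/1/3 value encoding are Microsoft's registry representation of these settings, which the post itself does not mention. The sample export is constructed.

```python
import re

# Action IDs under ...\Internet Settings\Zones\3 (Internet zone) for the six
# settings in the post, with the value the post asks for.
# Value encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
WANTED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE3 = r"internet settings\zones\3"

# Constructed sample export: two settings are weaker than the post asks for,
# one is absent, and a different zone's key must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000003
'''

def audit_zone3(reg_text):
    """Return (action_id, setting, found, wanted) for every setting that differs."""
    in_zone, found = False, {}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new key starts: is it zone 3?
            in_zone = line.rstrip("]").lower().endswith(ZONE3)
        elif in_zone:
            m = re.match(r'"(\d{4})"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                found[m.group(1)] = int(m.group(2), 16)
    problems = []
    for action, (label, wanted) in WANTED.items():
        have = found.get(action)
        if have != wanted:
            shown = "missing" if have is None else NAMES.get(have, hex(have))
            problems.append((action, label, shown, NAMES[wanted]))
    return problems

if __name__ == "__main__":
    for row in audit_zone3(SAMPLE_REG):
        print("%s  %-58s found=%s wanted=%s" % row)
```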
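The HOSTS-file bullet in the post above says blocked names are redirected to 127.0.0.1. The following added example (not part of the original post) audits a HOSTS file on that basis: names mapped to a loopback or unspecified address are sinkholed, while any name mapped to a routable address is reported for review. The sample file contents and the `example.*` names are constructed.

```python
import ipaddress

# Constructed sample, not taken from the thread: sinkhole entries in the
# blocklist style, one name mapped to a routable address, one broken line.
SAMPLE_HOSTS = """\
# constructed HOSTS sample
127.0.0.1   localhost
127.0.0.1   ads.example.com   # blocked ad server
0.0.0.0     tracker.example.net banners.example.net
::1         localhost
203.0.113.7 update.example.org
not-an-ip   broken.example.com
"""

def audit_hosts(text):
    """Split HOSTS entries into sinkholed names, redirected names and bad lines."""
    sinkholed, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                      # address without a name
            malformed.append((lineno, raw))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                       # first field is not an IP
            malformed.append((lineno, raw))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:                  # one line may list several names
            if local:
                sinkholed.append(name.lower())
            else:
                redirected.append((lineno, name.lower(), str(addr)))
    return sinkholed, redirected, malformed

if __name__ == "__main__":
    sunk, moved, bad = audit_hosts(SAMPLE_HOSTS)
    print(len(sunk), "names sinkholed")
    for lineno, name, addr in moved:
        print("line %d: %s -> %s (not loopback, review)" % (lineno, name, addr))
    for lineno, raw in bad:
        print("line %d: unparseable: %r" % (lineno, raw))
```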
 
Thanks, BlindDragon... I was doing what you said: I uninstalled Combofix, went through OTCleanIt, and was at the clear system restore step when I went to the C drive and saw the elusive file sccfg (could it have appeared after I uninstalled Folder Lock?). I sent it to VirusTotal... What should I do now? Should I go through the clean-up process?

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 -
F-Prot 4.4.2.54 2008.05.14 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3097 2008.05.14 -
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 -
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 20 bytes
MD5...: 441018525208457705bf09a8ee3c1093
SHA1..: 6768033e216468247bd031a0a2d9876d79818f8f
SHA256: de47c9b27eb8d300dbb5f2c353e632c393262cf06340c4fa7f1b40c4cbd36f90
SHA512: d296b892b3a7964bd0cc882fc7c0be948b6bbd8eb1eff8c13942fcaabf1f3877
2dd56ba4d8ecd0b626ff5cef1cd045a1b0a76910396f3c7430b215a85950e9c3
PEiD..: -
PEInfo: -


MD5: 441018525208457705bf09a8ee3c1093
First received: 03.02.2008 15:20:28 (CET)
Date: 05.14.2008 04:34:32 (CET) [>214D]
Results: 0/32
Permalink: analisis/894b6816704aefeef7451c24fa6c2580

It said it has been analysed; I reanalysed it.

Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.2 2008.12.14 -
AntiVir 7.9.0.45 2008.12.14 -
Authentium 5.1.0.4 2008.12.14 -
Avast 4.8.1281.0 2008.12.14 -
AVG 8.0.0.199 2008.12.14 -
BitDefender 7.2 2008.12.14 -
CAT-QuickHeal 10.00 2008.12.13 -
ClamAV 0.94.1 2008.12.14 -
Comodo 754 2008.12.14 -
DrWeb 4.44.0.09170 2008.12.14 -
eSafe 7.0.17.0 2008.12.14 -
eTrust-Vet 31.6.6258 2008.12.12 -
Ewido 4.0 2008.12.14 -
F-Prot 4.4.4.56 2008.12.14 -
F-Secure 8.0.14332.0 2008.12.14 -
Fortinet 3.117.0.0 2008.12.14 -
GData 19 2008.12.14 -
Ikarus T3.1.1.45.0 2008.12.14 -
K7AntiVirus 7.10.553 2008.12.13 -
Kaspersky 7.0.0.125 2008.12.14 -
McAfee 5463 2008.12.13 -
McAfee+Artemis 5463 2008.12.13 -
Microsoft 1.4205 2008.12.14 -
NOD32 3691 2008.12.14 -
Norman 5.80.02 2008.12.12 -
Panda 9.0.0.4 2008.12.14 -
PCTools 4.4.2.0 2008.12.14 -
Prevx1 V2 2008.12.14 -
Rising 21.07.62.00 2008.12.14 -
SecureWeb-Gateway 6.7.6 2008.12.14 -
Sophos 4.36.0 2008.12.14 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.14 -
TheHacker 6.3.1.4.187 2008.12.13 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.14 -
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.14 -
Additional information
File size: 20 bytes
PEiD..: -
TrID..: File type identification
OpenGL object (44.3%)
Lotus 123 Worksheet (generic) (22.2%)
Targa bitmap (Original TGA Format - No Image ID) (11.1%)
Adobe PhotoShop Brush (11.0%)
BONK lossless/lossy audio compressor (11.0%)
PEInfo: -
 
I'm sorry, BlindDragon, but I want to ask you one more thing...

When I go to Start > Run and enter cleanmgr, the select drive box opens with all the drives listed; I don't see a More Options tab...
 
Yeah, they changed cleanmgr a bit; simply disabling and enabling System Restore should clear old restore points and set a new fresh restore point.
 