
Win 32: Alureon-CU(Rtk) infection [Solved]

This topic is locked

#1
bebanito (Member, 24 posts)
Hello, everybody...

My problem started a few days ago when my antivirus (Avast) trial period expired and I had to uninstall it and reinstall it again. I think in between I caught a virus, because after the first scan with the new Avast it prompted me that I am infected with the Win32:Alureon-CU(Rtk) virus, and since then I have had a slow computer, especially when it comes to starting programs from the desktop. It sometimes takes over a minute to open a program. Another problem: I can't open the SuperAntispyware log file. It shows me I have 2 of them (after scanning twice), but when I double-click the file or the radio button no window opens. The results of the scan say that it found some files with ad aware.tracking cookies and 1 file with ad aware.vundo/variant. I also ran the HJT scan and the Malwarebytes' Anti-Malware scan. I will attach the files. Please tell me what to do.

Thank you.

P.S. I see I can't upload the HJT file, therefore it will be only the other one uploaded.

Attached Files


#2
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the Recovery Console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#3
bebanito (Member, Topic Starter, 24 posts)
Here is the gmer.txt file. I'll be back later with the ComboFix file.

Thanks.

Attached Files

  • Attached File  gmer.txt   24.07KB   267 downloads

#4
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Alright, I will await the CF log. Take your time.

#5
bebanito (Member, Topic Starter, 24 posts)
This is the combofix.log file

Attached Files


#6
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Alright, looking OK. In the future there's no need to attach logs, just post them as plain text; they're easier to read that way. Let's run some final checks.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
  • You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click (Vista users please right-click and select Run as Administrator) on mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#7
bebanito (Member, Topic Starter, 24 posts)
Here are the 2 scan log files.
PC still kinda slow, a little bit improved though...
I still can't see the log file from SuperAntispyware even if it says it was saved. I can't find the log file in SuperAntispyware folder...

Thank you.

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 05, 2009 17:45:27
Records in database: 2749832
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 58709
Threats found: 7
Infected objects found: 12
Suspicious objects found: 4
Scan duration: 02:48:16


File name / Threat / Threats count
C:\System Volume Information\_restore{79C97B00-9CC9-40C0-8DE3-3A82FC4E84C4}\RP203\A0050836.msi Infected: Trojan-Dropper.Win32.Agent.asal 1
C:\WINDOWS\Installer\1a4ce0.msi Infected: Trojan-Dropper.Win32.Agent.asal 1
C:\WINDOWS\Installer\64570b.msi Suspicious: Trojan-Downloader.JS.gen 2
C:\WINDOWS\Installer\645712.msi Suspicious: Trojan-Downloader.JS.gen 2
F:\diverse programe\Password.Cracking\aw2000passwd\AW2000PR.ZIP Infected: not-a-virus:PSWTool.Win32.OEPass.ag 1
F:\diverse programe\Password.Cracking\aw2000passwd\SETUP.EXE Infected: not-a-virus:PSWTool.Win32.OEPass.ag 1
F:\diverse programe\botu lu beba\winmech.exe Infected: Backdoor.Win32.Mechbot.a 1
F:\diverse programe\dvd rip.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4
F:\diverse programe\dvd rip.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
F:\diverse programe\omsetup.exe Infected: not-a-virus:AdWare.Win32.AdvancedSearchBar 2

Selected area has been scanned.


Malwarebytes' Anti-Malware 1.40
Database version: 2744
Windows 5.1.2600 Service Pack 3

9/5/2009 1:15:37 PM
mbam-log-2009-09-05 (13-15-37).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 174240
Time elapsed: 46 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

P.S. Apologies for attaching the files instead of just posting them; I forgot what you asked me. I was in a hurry to post the results, hence the need to edit the post...

Edited by bebanito, 05 September 2009 - 07:21 PM.
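The Kaspersky report in the post above is a fixed-format text file, so the triage Dave applies by hand in this thread (hits inside old restore points are inert, "not-a-virus" entries are riskware, "Suspicious" .gen verdicts are heuristics, and F: entries need the disc inserted before anything can remove them) can be scripted. The following Python is an added example, not code from the thread, from Kaspersky or from any of the tools used here; the sample report lines are copied from the post above, and the four category labels are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the Kaspersky Online Scanner 7 report
# posted above; the four result lines are taken from that report.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\System Volume Information\_restore{79C97B00-9CC9-40C0-8DE3-3A82FC4E84C4}\RP203\A0050836.msi Infected: Trojan-Dropper.Win32.Agent.asal 1
C:\WINDOWS\Installer\64570b.msi Suspicious: Trojan-Downloader.JS.gen 2
F:\diverse programe\botu lu beba\winmech.exe Infected: Backdoor.Win32.Mechbot.a 1
F:\diverse programe\dvd rip.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4

Selected area has been scanned.
"""

# One result line: "<path> Infected|Suspicious: <threat> <count>". Paths may
# contain spaces, so the path group is matched lazily up to the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# Hits inside System Restore snapshots (post #12: inert unless a restore is run).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def drive(self) -> str:
        return self.path[:2].upper()  # e.g. "C:" or "F:"

    @property
    def category(self) -> str:
        """Triage bucket; the four labels are this example's own, not Kaspersky's."""
        if RESTORE_RE.search(self.path):
            return "old-restore-point"   # purge restore points rather than "fix" it
        if self.threat.startswith("not-a-virus:"):
            return "riskware"            # adware / password tools, not self-spreading
        if self.verdict == "Suspicious":
            return "heuristic-verify"    # generic ".gen" verdict, confirm before acting
        return "malware"                 # signature match, e.g. Backdoor.Win32.Mechbot.a


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per result line; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per triage category."""
    return dict(Counter(f.category for f in findings))


def removable_media_paths(findings: list[Finding]) -> list[str]:
    """Hits off the system drive: that disc must be in the drive (post #8)
    before any removal step can touch them."""
    return [f.path for f in findings if f.drive != "C:"]


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.category:18} {f.drive} {f.threat} x{f.count}")
```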

#8
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Glad things are doing a little better. Those logs look OK; there are a few remnants to take care of quickly. Before running this fix, please insert whatever removable media the files listed below are located on into your F: drive so that they can be removed.

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
KillAll::

File::
C:\WINDOWS\Installer\1a4ce0.msi
C:\WINDOWS\Installer\64570b.msi
C:\WINDOWS\Installer\645712.msi
F:\diverse programe\Password.Cracking\aw2000passwd\AW2000PR.ZIP
F:\diverse programe\Password.Cracking\aw2000passwd\SETUP.EXE
F:\diverse programe\botu lu beba\winmech.exe
F:\diverse programe\dvd rip.exe
F:\diverse programe\omsetup.exe

SysRst::
Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once the script is saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed, the log should appear automatically; if it doesn't, it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Cheers,
Dave

#9
bebanito (Member, Topic Starter, 24 posts)
I apologize, but before I read your post I took the liberty of deleting the files on C: found infected by Kaspersky's scan. I did insert the CD in the drive though, but it looks like ComboFix did not delete the files... And if I run my Avast antivirus it says it found a trojan, but when I try to delete or quarantine the file it says the action is not available, or something like that... If you need more info about this I will run the scan again and try to screen capture the window from my antivirus.

Thank you.

P.S. I tried to manually delete the files on drive F:, but it says they are read-only files and I cannot delete them. Don't know if this helps...

Attached Files


Edited by bebanito, 06 September 2009 - 08:42 AM.

#10
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)

I apologize, but before I read your post I took the liberty of deleting the files on C: found infected by Kaspersky's scan

That's fine, no problem.

Is the CD that those files are located on critical to you? What is it used for?

Also what file does Avast alert on? If you can get me the filename or a screen capture of the detection that would be helpful.

- Dave

#11
bebanito (Member, Topic Starter, 24 posts)

I apologize, but before I read your post I took the liberty of deleting the files on C: found infected by Kaspersky's scan

That's fine, no problem.

Is the CD that those files are located on critical to you? What is it used for?

Also what file does Avast alert on? If you can get me the filename or a screen capture of the detection that would be helpful.

- Dave


No, that CD is just a backup for some programs I have, but it is not critical to me.
I attached here a screen capture of the alert from Avast. What is weird is that if I run a full scan (which I did 2-3 times), nothing pops up, but when the scheduled quick scan runs, this comes up (screenshot1), and when I try to delete or quarantine the file, this comes up (screenshot2).

Much obliged.

Attached Thumbnails

  • ScreenShot001.jpg
  • ScreenShot002.jpg

#12
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Not to worry it is alerting on a file in the system restore cache, which is harmless unless you perform a restore. We'll get rid of your old restore points and set a fresh clean one in a minute.

Your logs are clean! Congratulations :)

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix from your computer:
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
    Posted Image
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTC to your desktop.
  • Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're still clean. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, some great free options you can test out are: Online Armor, Outpost, and Sunbelt. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:
  • Please click on Start -> Control Panel
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Finally, for a great tutorial on how to get the best protection out of your firewall, take a look at this guide.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Google Chrome. All of these are excellent: faster, safer, more powerful and more functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will help you to make IE much safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: Green to go, Yellow for caution, and Red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected through an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave

#13
bebanito (Member, Topic Starter, 24 posts)
Best of luck to you too, the pleasure of working with you is also mine!
Thank you again for your step-by-step guidance...
I promise to take your advice seriously. One more question: I am using the ZoneAlarm firewall; is that OK, or do I have to get one of the ones you've recommended?

#14
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Zone Alarm should work fine for you, it's a good firewall. It's been my pleasure to work with you, good luck! :)

#15
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.