
Registry Malware Woes


  • This topic is locked

#16
m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
Okay, then that's no problem. :)

The SAS scan is flagging a copy of the malware which is found in your system restore folder.

System restore is a process whereby you can reset the PC to an earlier time which often removes infection. In this case if you were to use that process it would only reinfect you. The folder's contents are inactive at the moment so as we can now say that you are clean we will clear up the mess and with it the system restore folder will be emptied.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


OTC Clean-Up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

These processes will set a new system restore point and the SAS scan should no longer come up with that file.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Suzi1951, happy surfing!

Cheers.

m0le

#17
Suzi1951

    Member

  • Topic Starter
  • 17 posts
Yikes! I got on the computer this morning and my PC Tools Spyware Doctor says I have 23 infections. It says:

Trojan_Downloader.MURLO (22 infections)

Trojan.Generic (1 infection)

Should I have Spyware Doctor attempt to remove them? When I went to bed last night everything was fine. My husband said he got on the computer and was looking at EBay, Craigslist and some truck magazine sites. I suspect something's happening when he's on Craigslist. Do you think that's possible?

I haven't removed ComboFix or any of the programs we've installed during this process, yet. Do I need to run anything?

Edited by Suzi1951, 21 August 2010 - 07:47 AM.


#18
m0le
Run MBAM which targets this malware.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then run SAS again and post the two logs. Thanks :)

#19
Suzi1951
Here are the two logs from Malwarebytes. They don't seem to show anything malicious, that I can see. The PC Tools Spyware Doctor must have contained the Trojans. I went ahead and had that program remove the infections. There must be something that's causing my computer to be vulnerable to attack. Perhaps when I go to Secunia Software Inspector, as you suggested, I can find out what it is. By the way, do you have a favorite antivirus program? I'm wondering if I should try something else.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4459

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/21/2010 7:53:43 PM
mbam-log-2010-08-21 (19-53-43).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 264867
Time elapsed: 2 hour(s), 26 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4459

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/21/2010 10:55:09 PM
mbam-log-2010-08-21 (22-55-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 256973
Time elapsed: 2 hour(s), 38 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Suzi1951, 22 August 2010 - 06:32 AM.


#20
m0le
Let's run a quicker check on the security of your PC.

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


By the way, my personal preferences are Avast, Superantispyware with MBAM as a quick checker.

#21
Suzi1951
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 15
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

ThreatFire TFService.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
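Both logs in this thread, the Malwarebytes summary blocks in post #19 and the Security Check output just posted, are plain text that a helper reads by eye. As an added example (not part of the original thread and not code from Malwarebytes, screen317 or Geeks to Go), here is a small Python triage script that parses both formats. The two sample logs are constructed and embedded in the script: the MBAM counts are made up so the script has something to flag, and the backtick separator runs of the real Security Check log are replaced by hyphen runs in the sample, which the parser treats the same way.

```python
import re

# Constructed sample in the layout of the Malwarebytes 1.46 logs in the thread.
# The non-zero counts are made up so that the report has something to flag.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4459

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 264867
Time elapsed: 2 hour(s), 26 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
"""

# Constructed sample in the layout of screen317's Security Check output.
# The real log separates sections with runs of backticks; hyphens are used here.
SAMPLE_SECURITY_CHECK_LOG = """\
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
------------------------------
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
-------------------------------
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
--------------------------------
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

----------End of Log------------
"""

MBAM_DB_RE = re.compile(r"^Database version: (\d+)")
# Summary lines look like "Registry Keys Infected: 2"; the later detail headers
# ("Registry Keys Infected:" with no number) deliberately do not match.
MBAM_COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)\s*$")
OUT_OF_DATE_RE = re.compile(r"^Out of date (?P<product>.+?) installed!$")
# Section separators: runs of backticks or hyphens, optionally around "End of Log".
SEPARATOR_RE = re.compile(r"^[`-]*(End of Log)?[`-]*$")


def parse_mbam_summary(text):
    """Return (database_version, {category: count}) from an MBAM log's summary block."""
    db_version = None
    counts = {}
    for line in text.splitlines():
        m = MBAM_DB_RE.match(line)
        if m:
            db_version = int(m.group(1))
            continue
        m = MBAM_COUNT_RE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return db_version, counts


def mbam_findings(text):
    """Only the categories with a non-zero count; an empty dict means a clean summary."""
    return {cat: n for cat, n in parse_mbam_summary(text)[1].items() if n > 0}


def security_check_issues(text):
    """List the conditions in a Security Check log that a helper would act on."""
    issues = []
    firewall_on = False
    dns_ok = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR_RE.match(line):
            continue
        m = OUT_OF_DATE_RE.match(line)
        if m:
            issues.append("outdated: " + m.group("product"))
        elif line == "Windows Firewall Enabled!":
            firewall_on = True
        elif line.startswith("GREAT!"):
            dns_ok = True
    if not firewall_on:
        issues.append("firewall: not reported as enabled")
    if not dns_ok:
        issues.append("dns: resolver not confirmed safe against cache poisoning")
    return issues


def triage(mbam_text, security_check_text):
    """Combine both logs into one verdict: clean only if nothing was flagged in either."""
    findings = mbam_findings(mbam_text)
    issues = security_check_issues(security_check_text)
    return {
        "mbam_database": parse_mbam_summary(mbam_text)[0],
        "mbam_findings": findings,
        "security_check_issues": issues,
        "clean": not findings and not issues,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MBAM_LOG, SAMPLE_SECURITY_CHECK_LOG), indent=2))
```

Run against the real logs in this thread, the MBAM summaries come back with no findings (every count is 0) and the Security Check flags exactly the two items m0le picks up on next: Java and Adobe Reader out of date.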

#22
m0le
You should update both Java and Adobe from their websites - Java is now 6.21 and Adobe is, I think, 9.3.3 now.

Secunia should still be employed; also make sure all your security programs are kept updated on a weekly basis, and you are as protected as you can be. It is also important to note that once certain trojans get through your defences then only a complete reformat and reinstall can plug that vulnerability.

Any more questions, suzi1951? :)

#23
Suzi1951
I will update those programs. Did I have the kind of Trojan that requires a complete reformat and re-installation? If so, how do I do that? If all is well, should I now do the OTC Clean-Up uninstalling of ComboFix that you suggested earlier?

#24
m0le

Did I have the kind of Trojan that requires a complete reformat and re-installation? If so, how do I do that? If all is well, should I now do the OTC Clean-Up uninstalling of ComboFix that you suggested earlier?

No you didn't

and

Yes, you can. I was unaware that you hadn't completed the steps. It now looks likely that the new infections which Spyware Doctor found were quarantined items from OTL and Combofix. Both their folders would have been removed in the clear up...

#25
Suzi1951
I just tried to uninstall ComboFix and I got an error box that said that something was missing or wrong with ComboFix and there may be a virus. Before I could copy the message, it disappeared. I tried to open ComboFix and it doesn't appear to be on the system. Also, I ran OTC and when it rebooted everything seems to still be there except the OTC program. I'm sorry I keep having issues, I certainly appreciate your patience!

Edited by Suzi1951, 22 August 2010 - 10:13 AM.

#26
m0le
Delete the OTC program. You can ignore the notice about Combofix; it didn't uninstall correctly (hence the confusing message) but OTC did clear it off. :)

#27
Suzi1951
I couldn't open Adobe to update it, so I tried to re-download it. I couldn't get it at first because apparently Firefox prevented it. I finally got it to download and it showed on my desktop, but I can't open it. Also, I can't find Java on my system. Update: I did manage to update Java. I believe that Adobe was updated, as well. When I click on the Adobe icon on my desktop, it doesn't open up. Everything else seems o.k.

Edited by Suzi1951, 22 August 2010 - 11:36 AM.


#28
m0le
That's great news. :)

I will be away for five days, if you have any questions feel free to post them here and I will reply when I get back.

Otherwise, you're ready to surf again!

#29
Suzi1951
I think everything's o.k. I went to Secunia and updated everything. I really want to thank you for all of your help. You are so kind to give of your time and expertise. I really appreciate it. Best wishes to you.

#30
m0le
Thank you for the kind words, Suzi :)